Skip to content
Latchkey

aquasecurity/trivy-action

Scan container images, filesystems, and IaC for vulnerabilities with Trivy.

Official actionCategory: Security & Supply ChainLatest v0.36View on GitHub

What it does

aquasecurity/trivy-action wraps the Trivy scanner. It can scan a container image (scan-type: image), the repo filesystem (fs), a remote repo, or IaC config files, and report OS and library vulnerabilities.

With format: sarif the results can be uploaded to GitHub code scanning so findings appear in the Security tab.

Usage

workflow (.yml)
permissions:
  contents: read
  security-events: write   # for SARIF upload
steps:
  - uses: actions/checkout@v4
  - uses: aquasecurity/trivy-action@0.36.0
    with:
      scan-type: fs
      scan-ref: .
      format: sarif
      output: trivy-results.sarif
      severity: HIGH,CRITICAL
  - uses: github/codeql-action/upload-sarif@v3
    with:
      sarif_file: trivy-results.sarif

Inputs

InputDescriptionDefaultRequired
scan-typeScan type to use for scanning vulnerability.imageNo
image-refImage reference to scan (for image scans).-No
scan-refScan reference (path for fs/config scans)..No
formatOutput format (table, json, template).tableNo
severitySeverities of vulnerabilities to be displayed.UNKNOWN,LOW,MEDIUM,HIGH,CRITICALNo
exit-codeExit code when vulnerabilities were found.-No
ignore-unfixedIgnore unfixed vulnerabilities.falseNo
outputWrites results to a file with the specified file name.-No

Notes

By default the step succeeds even when vulnerabilities are found. Set exit-code: 1 (usually with severity: HIGH,CRITICAL and ignore-unfixed: true) to make findings fail the build.

The vulnerability DB is cached per day under cache-dir; leave cache: true on to avoid re-downloading it every run.

Common errors

  • Vulnerability-DB download failures (rate limiting pulling trivy-db from the public registry) intermittently fail runs. Keeping the built-in cache enabled makes this rare, and a retry usually clears it.
  • An image scan that cannot find the image usually means the image was built in a different job (no shared Docker daemon) or the registry needs a login step before scanning.
  • The build passing despite CRITICAL findings is not an error: exit-code is unset by default, so Trivy reports and exits 0 unless you set exit-code: 1.

Security and pinning

  • Pin the action to a commit SHA (the project itself pins its internal setup-trivy dependency by hash for exactly this reason) and pin version rather than floating on latest Trivy.
  • SARIF upload needs security-events: write; grant it on the job, not workflow-wide, and keep the rest of the token read-only.

Alternatives and related

Frequently asked questions

How do I make Trivy fail the build only on serious, fixable issues?
Set exit-code: 1, severity: HIGH,CRITICAL, and ignore-unfixed: true. The default configuration only reports and never fails the step.
How do I get Trivy findings into the GitHub Security tab?
Use format: sarif with an output file, then upload it with github/codeql-action/upload-sarif and security-events: write permission.
Running aquasecurity/trivy-action? Run it on Latchkey managed runners - self-healing and caching included. Start free → 30-day trial · No credit card