Skip to content
Latchkey

aquasecurity/trivy-action in GitHub Actions

The aquasecurity/trivy-action runs Trivy as a GitHub Actions step with inputs that map to the CLI flags.

Rather than installing Trivy by hand, most GitHub workflows use the official action. Its inputs mirror the CLI, and its SARIF output integrates with code scanning.

What it does

aquasecurity/trivy-action installs Trivy and runs a scan based on its inputs. scan-type selects image, fs, or config; image-ref or scan-ref names the target; severity, exit-code, and format map to the matching CLI flags. With format: sarif it produces a file you upload via github/codeql-action/upload-sarif.

Common usage

YAML
- uses: aquasecurity/trivy-action@master
  with:
    scan-type: image
    image-ref: myorg/app:${{ github.sha }}
    severity: HIGH,CRITICAL
    exit-code: '1'
    ignore-unfixed: true
- uses: aquasecurity/trivy-action@master
  with:
    scan-type: fs
    format: sarif
    output: trivy.sarif

Options

InputWhat it does
scan-typeimage, fs, config, repo, or sbom
image-ref / scan-refTarget image or path to scan
severityComma list of severities to report
exit-codeExit code on findings (string, e.g. '1')
formattable, json, sarif, cyclonedx
ignore-unfixedSkip vulnerabilities with no fix

In CI

Set exit-code: 1 with severity: HIGH,CRITICAL to gate, and pass ignore-unfixed: true to avoid blocking on unfixable CVEs. To use code scanning, set format: sarif and a fixed output: path, then run github/codeql-action/upload-sarif with that file and if: always() so it uploads even when the gate fails.

Common errors in CI

"Resource not accessible by integration" on the SARIF upload means the job lacks security-events: write permission; add it to the workflow or job. A gate that does not fail often passes exit-code as a number where the action expects a string. The SARIF upload step is skipped when the scan step fails unless you add if: always().

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →