aquasecurity/trivy-action in GitHub Actions
The aquasecurity/trivy-action runs Trivy as a GitHub Actions step with inputs that map to the CLI flags.
Rather than installing Trivy by hand, most GitHub workflows use the official action. Its inputs mirror the CLI, and its SARIF output integrates with code scanning.
What it does
aquasecurity/trivy-action installs Trivy and runs a scan based on its inputs. scan-type selects image, fs, or config; image-ref or scan-ref names the target; severity, exit-code, and format map to the matching CLI flags. With format: sarif it produces a file you upload via github/codeql-action/upload-sarif.
Common usage
- uses: aquasecurity/trivy-action@master
with:
scan-type: image
image-ref: myorg/app:${{ github.sha }}
severity: HIGH,CRITICAL
exit-code: '1'
ignore-unfixed: true
- uses: aquasecurity/trivy-action@master
with:
scan-type: fs
format: sarif
output: trivy.sarifOptions
| Input | What it does |
|---|---|
| scan-type | image, fs, config, repo, or sbom |
| image-ref / scan-ref | Target image or path to scan |
| severity | Comma list of severities to report |
| exit-code | Exit code on findings (string, e.g. '1') |
| format | table, json, sarif, cyclonedx |
| ignore-unfixed | Skip vulnerabilities with no fix |
In CI
Set exit-code: 1 with severity: HIGH,CRITICAL to gate, and pass ignore-unfixed: true to avoid blocking on unfixable CVEs. To use code scanning, set format: sarif and a fixed output: path, then run github/codeql-action/upload-sarif with that file and if: always() so it uploads even when the gate fails.
Common errors in CI
"Resource not accessible by integration" on the SARIF upload means the job lacks security-events: write permission; add it to the workflow or job. A gate that does not fail often passes exit-code as a number where the action expects a string. The SARIF upload step is skipped when the scan step fails unless you add if: always().