Skip to content

Trivy Container Scanner

Trivy Container Scanner - Reusable Workflow

Runs the Trivy container scanner via the argus Python CLI. Equivalent to: python -m argus scan container --image --scanners trivy

For GHES users: Use the composite action directly instead of this workflow. See: examples/github-enterprise/container-scanning.yml

uses: huntridge-labs/argus/.github/workflows/scanner-trivy-container.yml@1.8.1

Triggers

  • Manual dispatch
  • Reusable (called by other workflows)

Permissions

Scope Access
contents read
security-events write
actions read
pull-requests write
packages read

Inputs

Input Description Required Default
image_ref Container image reference to scan (e.g., nginx:latest, ghcr.io/owner/image:tag) string Yes โ€”
scan_name Name for the scan artifacts string No container
registry_username Username for registry authentication (leave empty for public images) string No โ€”
enable_code_security Whether to upload SARIF to GitHub Security boolean No False
post_pr_comment Whether to post PR comments boolean No False
fail_on_severity Fail the job if vulnerabilities at or above this severity are found. Options: none, low, medium, high, critical. Set ... string No none

Secrets

Secret Description Required
registry_password Password/token for registry authentication No

Jobs

trivy-container-scan โ€” Trivy Container Scan

Runs on: ubuntu-latest ยท Timeout: 20 minutes ยท Continue on error: Yes

Steps:

  1. Checkout repository โ€” actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
  2. Set up Python โ€” actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1
  3. Install Argus โ€” huntridge-labs/argus/.github/actions/setup-argus@1.8.1
  4. Run scan
  5. Upload artifacts โ€” actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
  6. Upload SARIF โ€” github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a
  7. Comment PR with results โ€” huntridge-labs/argus/.github/actions/comment-pr@1.8.1