Trivy Container Scanner
Trivy Container Scanner - Reusable Workflow
Runs the Trivy container scanner via the argus Python CLI. Equivalent to: python -m argus scan container --image --scanners trivy
For GHES users: Use the composite action directly instead of this workflow. See: examples/github-enterprise/container-scanning.yml
uses: huntridge-labs/argus/.github/workflows/scanner-trivy-container.yml@1.1.0
Triggers
- Manual dispatch
- Reusable (called by other workflows)
Permissions
| Scope | Access |
|---|---|
| contents | read |
| security-events | write |
| actions | read |
| pull-requests | write |
| packages | read |
Inputs
| Input | Type | Description | Required | Default |
|---|---|---|---|---|
| image_ref | string | Container image reference to scan (e.g., nginx:latest, ghcr.io/owner/image:tag) | Yes | |
| scan_name | string | Name for the scan artifacts | No | container |
| registry_username | string | Username for registry authentication (leave empty for public images) | No | |
| enable_code_security | boolean | Whether to upload SARIF to GitHub Security | No | False |
| post_pr_comment | boolean | Whether to post PR comments | No | False |
| fail_on_severity | string | Fail the job if vulnerabilities at or above this severity are found. Options: none, low, medium, high, critical. Set ... | No | none |
Secrets
| Secret | Description | Required |
|---|---|---|
| registry_password | Password/token for registry authentication | No |
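A caller workflow that ties the inputs, secret and permissions above together, added here as an example (it is not part of the argus repository). The image name, the scan name and the repository secret GHCR_TOKEN are assumptions; the input names, secret name, permission scopes and the `uses:` reference are taken from the tables on this page.

```yaml
# Added example caller workflow, not argus project code.
# Assumptions: a repository secret named GHCR_TOKEN holds a token that can
# pull the image, and ghcr.io/my-org/my-app is a placeholder image name.
name: Container scan

on:
  pull_request:
  workflow_dispatch:

jobs:
  trivy:
    # The caller must grant at least the scopes listed in the Permissions
    # table; a called workflow cannot escalate beyond what the caller holds.
    permissions:
      contents: read
      security-events: write   # needed for the SARIF upload (enable_code_security)
      actions: read
      pull-requests: write     # needed for the PR comment (post_pr_comment)
      packages: read           # pulling the image from GitHub Packages / ghcr.io
    uses: huntridge-labs/argus/.github/workflows/scanner-trivy-container.yml@1.1.0
    with:
      image_ref: ghcr.io/my-org/my-app:${{ github.sha }}   # placeholder image
      scan_name: my-app-container                          # assumed artifact name
      registry_username: ${{ github.actor }}               # omit for public images
      enable_code_security: true
      post_pr_comment: true
      fail_on_severity: high   # fail on high or critical findings
    secrets:
      registry_password: ${{ secrets.GHCR_TOKEN }}         # assumed secret name
```

The boolean inputs must be YAML booleans, not quoted strings, or the reusable workflow rejects them at validation time. If the caller omits `security-events: write` or `pull-requests: write`, the scan itself still runs but the SARIF upload and PR comment steps fail, so grant only the scopes for the features you enable.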
Jobs
trivy-container-scan (Trivy Container Scan)
Runs on: ubuntu-latest · Timeout: 20 minutes · Continue on error: Yes
Steps:
- Checkout repository: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- Set up Python: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
- Install Argus
- Run scan
- Upload artifacts: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
- Upload SARIF: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13
- Comment PR with results: huntridge-labs/argus/.github/actions/comment-pr@1.1.0