NO-JIRA: chore(workflows): add Trivy scan action for container image and filesystem vulnerability scanning

jiridanek · jiridanek · commit dd962fd5b3f5 · 2025-12-19T13:00:58.000+01:00
diff --git a/.github/actions/trivy-scan-action/action.yml b/.github/actions/trivy-scan-action/action.yml
@@ -0,0 +1,132 @@
+name: 'Trivy Vulnerability Scanner'
+description: |
+  Run [Trivy](https://trivy.dev) vulnerability scanner on container images or filesystems.
+
+  Features
+  - Supports both container image and filesystem scanning
+  - Configurable Trivy version
+  - Customizable scan parameters (scanners, timeout, exit codes)
+  - Generates markdown reports
+  - Automatically adds reports to GitHub job summary
+
+  Requirements
+  - Podman must be installed and running (for image scans)
+  - The Trivy report template must exist at the specified path
+  - For image scans, the image must be available in the local Podman storage
+
+inputs:
+  # https://trivy.dev/docs/latest/guide/target/container_image/#vulnerabilities
+  scan-type:
+    description: 'Type of scan to perform: "image" or "fs" (filesystem)'
+    required: true
+  scan-target:
+    description: 'Target to scan (image name or filesystem path)'
+    required: true
+  trivy-version:
+    description: 'Version of Trivy to use'
+    required: false
+    default: '0.68.2'
+  podman-socket:
+    description: 'Path to Podman socket (required for image scans)'
+    required: false
+    default: '/var/run/podman/podman.sock'
+  workspace-path:
+    description: 'Workspace path for filesystem scans'
+    required: false
+    default: ${{ github.workspace }}
+  report-template:
+    description: 'Path to Trivy report template'
+    required: false
+    default: 'ci/trivy-markdown.tpl'
+  scanners:
+    description: 'Comma-separated list of scanners to use'
+    required: false
+    default: 'vuln'
+  ignore-unfixed:
+    description: 'Ignore unfixed vulnerabilities'
+    required: false
+    default: 'true'
+  timeout:
+    description: 'Scan timeout'
+    required: false
+    default: '30m'
+  exit-code:
+    description: 'Exit code when vulnerabilities are found'
+    required: false
+    default: '0'
+
+outputs:
+  report-file:
+    description: 'Path to the generated report file'
+    value: ${{ steps.scan.outputs.report-file }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup report directory
+      id: setup
+      shell: bash
+      run: |
+        REPORT_FOLDER=${{ inputs.workspace-path }}/trivy-report
+        REPORT_FILE=trivy-report.md
+        REPORT_TEMPLATE=$(basename ${{ inputs.report-template }})
+
+        mkdir -p $REPORT_FOLDER
+        cp ${{ inputs.report-template }} $REPORT_FOLDER/
+
+        echo "report-folder=$REPORT_FOLDER" >> $GITHUB_OUTPUT
+        echo "report-file=$REPORT_FILE" >> $GITHUB_OUTPUT
+        echo "report-template=$REPORT_TEMPLATE" >> $GITHUB_OUTPUT
+
+    - name: Run Trivy vulnerability scanner
+      id: scan
+      shell: bash
+      run: |
+        REPORT_FOLDER=${{ steps.setup.outputs.report-folder }}
+        REPORT_FILE=${{ steps.setup.outputs.report-file }}
+        REPORT_TEMPLATE=${{ steps.setup.outputs.report-template }}
+
+        SCAN_TARGET=${{ inputs.scan-target }}
+        SCAN_TYPE=${{ inputs.scan-type }}
+
+        echo "Scanning $SCAN_TARGET ($SCAN_TYPE)"
+
+        # Configure scan arguments based on type
+        if [[ "$SCAN_TYPE" == "image" ]]; then
+          SCAN_ARGS="--image-src podman --podman-host /var/run/podman/podman.sock"
+          PODMAN_ARGS="-v ${{ inputs.podman-socket }}:/var/run/podman/podman.sock"
+        elif [[ "$SCAN_TYPE" == "fs" ]]; then
+          WORKSPACE_FOLDER="/workspace"
+          SCAN_TARGET="$WORKSPACE_FOLDER/$SCAN_TARGET"
+          PODMAN_ARGS="-v ${{ inputs.workspace-path }}:$WORKSPACE_FOLDER"
+        else
+          echo "Error: Invalid scan type '$SCAN_TYPE'. Must be 'image' or 'fs'"
+          exit 1
+        fi
+
+        # Run Trivy scan in container
+        podman run --rm \
+            $PODMAN_ARGS \
+            -v ${REPORT_FOLDER}:/report \
+            docker.io/aquasec/trivy:${{ inputs.trivy-version }} \
+              $SCAN_TYPE \
+              $SCAN_ARGS \
+              --scanners ${{ inputs.scanners }} \
+              ${{ inputs.ignore-unfixed == 'true' && '--ignore-unfixed' || '' }} \
+              --exit-code ${{ inputs.exit-code }} \
+              --timeout ${{ inputs.timeout }} \
+              --format template --template "@/report/$REPORT_TEMPLATE" \
+              -o /report/$REPORT_FILE \
+              $SCAN_TARGET
+
+        echo "report-file=$REPORT_FOLDER/$REPORT_FILE" >> $GITHUB_OUTPUT
+
+    - name: Add report to job summary
+      shell: bash
+      run: |
+        REPORT_FILE=${{ steps.scan.outputs.report-file }}
+        if [[ -f "$REPORT_FILE" ]]; then
+          cat $REPORT_FILE >> $GITHUB_STEP_SUMMARY
+        else
+          echo "Warning: Report file not found at $REPORT_FILE"
+        fi
diff --git a/.github/workflows/build-notebooks-TEMPLATE.yaml b/.github/workflows/build-notebooks-TEMPLATE.yaml
@@ -363,41 +363,12 @@ jobs:
 
       - name: Run Trivy vulnerability scanner
         if: ${{ steps.resolve-target.outputs.target }}
-        run: |
-          REPORT_FOLDER=${{ github.workspace }}/report
-          REPORT_FILE=trivy-report.md
-          REPORT_TEMPLATE=trivy-markdown.tpl
-
-          mkdir -p $REPORT_FOLDER
-          cp ci/$REPORT_TEMPLATE $REPORT_FOLDER
-
-          SCAN_TARGET=${{ steps.resolve-target.outputs.target }}
-          SCAN_TYPE=${{ steps.resolve-target.outputs.type }}
-          echo "Scanning $SCAN_TARGET ($SCAN_TYPE)"
-
-          if [[ "$SCAN_TYPE" == "image" ]]; then
-            SCAN_ARGS="--image-src podman --podman-host /var/run/podman/podman.sock"
-            PODMAN_ARGS="-v ${PODMAN_SOCK}:/var/run/podman/podman.sock"
-          elif [[ "$SCAN_TYPE" == "fs" ]]; then
-            WORKSPACE_FOLDER="/workspace"
-            SCAN_TARGET="$WORKSPACE_FOLDER/$SCAN_TARGET"
-            PODMAN_ARGS="-v ${{ github.workspace }}:$WORKSPACE_FOLDER"
-          fi
-
-          # have trivy access podman socket,
-          # https://github.com/aquasecurity/trivy/issues/580#issuecomment-666423279
-          podman run --rm \
-              $PODMAN_ARGS \
-              -v ${REPORT_FOLDER}:/report \
-              docker.io/aquasec/trivy:$TRIVY_VERSION \
-                $SCAN_TYPE \
-                $SCAN_ARGS \
-                --scanners vuln --ignore-unfixed \
-                --exit-code 0 --timeout 30m \
-                --format template --template "@/report/$REPORT_TEMPLATE" -o /report/$REPORT_FILE \
-                $SCAN_TARGET
-
-          cat $REPORT_FOLDER/$REPORT_FILE >> $GITHUB_STEP_SUMMARY
+        uses: ./.github/actions/trivy-scan-action
+        with:
+          scan-type: ${{ steps.resolve-target.outputs.type }}
+          scan-target: ${{ steps.resolve-target.outputs.target }}
+          trivy-version: ${{ env.TRIVY_VERSION }}
+          podman-socket: /var/run/podman/podman.sock
 
       # endregion
 
diff --git a/.github/workflows/test-trivy-scan-action.yaml b/.github/workflows/test-trivy-scan-action.yaml
@@ -0,0 +1,68 @@
+---
+name: Test Trivy Scan Action
+"on":
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - '.github/actions/trivy-scan-action/**'
+      - '.github/workflows/test-trivy-scan-action.yaml'
+      - 'ci/trivy-markdown.tpl'
+  push:
+    paths:
+      - '.github/actions/trivy-scan-action/**'
+      - '.github/workflows/test-trivy-scan-action.yaml'
+      - 'ci/trivy-markdown.tpl'
+
+jobs:
+  test-scan-type-image:
+    name: Test Image Scan
+    runs-on: ubuntu-24.04
+    env:
+      TEST_IMAGE: docker.io/library/alpine:latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Install and configure Podman
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y podman
+
+          # Start podman socket for rootful podman
+          sudo systemctl enable --now podman.socket
+          sudo systemctl status podman.socket
+
+          # Verify socket is accessible
+          ls -la /var/run/podman/podman.sock || true
+
+      - name: Pull test image
+        run: |
+          sudo podman pull ${{ env.TEST_IMAGE }}
+          sudo podman images
+
+      - name: Test Trivy scan on container image
+        uses: ./.github/actions/trivy-scan-action
+        with:
+          scan-type: image
+          scan-target: ${{ env.TEST_IMAGE }}
+          podman-socket: /var/run/podman/podman.sock
+
+  test-scan-type-fs:
+    name: Test Multiple Targets
+    runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        target:
+          - jupyter/minimal/ubi9-python-3.12
+          - jupyter/datascience/ubi9-python-3.12
+          - codeserver/ubi9-python-3.12
+      fail-fast: false
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Test Trivy scan on ${{ matrix.target }}
+        uses: ./.github/actions/trivy-scan-action
+        with:
+          scan-type: fs
+          scan-target: ${{ github.workspace }}
