Skip to content

Aqua Security Trivy installer

Actions
Install Trivy binary from release page
v0.2.5
Latest
By aquasecurity
Verified creator
Star (6)

Tags

 (2)
securityutilities

Verified

GitHub has manually verified the creator of the action as an official partner organization. For more info see About badges in GitHub Marketplace.

setup-trivy

Set up your GitHub Actions workflow with a specific version of Trivy

Usage

Install the latest Trivy version

# ...
steps:
  - name: Install Trivy
    uses: aquasecurity/setup-trivy@e07451d2e059ed86c2870430ea286b3a9e0bf241

Install a specific Trivy version

# ...
steps:
  - name: Install Trivy
    uses: aquasecurity/setup-trivy@e07451d2e059ed86c2870430ea286b3a9e0bf241
    with:
      version: v0.68.2

Caching

setup-trivy uses actions/cache under the hood but requires less configuration settings. This caches the trivy binary so that next time you run, instead of downloading the binary it is loaded from the cache. This is not the same cache as other Trivy artifacts such as trivy-db and trivy-java-db.

The cache input is optional, and caching is turned off by default.

Caching is not supported for empty and latest versions!

Enable caching

If you want to enable caching for Linux and MacOS runners, set the cache input to true and specify the version.

steps:
  - name: Install Trivy
    uses: aquasecurity/setup-trivy@e07451d2e059ed86c2870430ea286b3a9e0bf241
    with:
      version: v0.68.2
      cache: true

Custom path to Trivy binary

action/cache doesn't support absolute path for Windows runners (see here for more details).

To enable caching for Windows runner or if you need to change the Trivy installation directory for other reasons - use path input.

setup-trivy adds trivy-bin directory to avoid caching unnecessary files

steps:
  - name: Install Trivy
    uses: aquasecurity/setup-trivy@e07451d2e059ed86c2870430ea286b3a9e0bf241
    with:
      version: v0.68.2
      cache: true
      path: "./bins"

Install Trivy with non-default token

There are cases when github.token (default value for actions/checkout) contains an invalid token for http://github.com. One of example for this when using GitHub Enterprise Server (GHES). See more info in #10

To properly install Trivy, you need to populate token from a secret or another step (e.g. from https://github.com/actions/create-github-app-token)

steps:
  - name: Install Trivy
    uses: aquasecurity/setup-trivy@e07451d2e059ed86c2870430ea286b3a9e0bf241
    with:
      version: v0.68.2
      cache: true
      token: ${{ secrets.GITHUB_PAT }}

Install Trivy with non-default github-server-url

In some cases, GHES deployments are isolated and don't use GitHub Connect. It uses the actions-sync process to mirror allowed actions into the GHES instance.

Set github-server-url to change the mirror of Trivy repository.

steps:
  - name: Install Trivy
    uses: aquasecurity/setup-trivy@e07451d2e059ed86c2870430ea286b3a9e0bf241
    with:
      version: v0.68.2
      github-server-url: 'https://example.com'

Contributors (9)

@DmitriyLewen@simar7@stefan0xC@thara@rvesse@knqyf263@owenrumney@dnwe@afdesk

Resources

Aqua Security Trivy installer is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.

About

Install Trivy binary from release page
v0.2.5
Latest
By aquasecurity

Verified

GitHub has manually verified the creator of the action as an official partner organization. For more info see About badges in GitHub Marketplace.

Tags

 (2)
securityutilities

Contributors (9)

@DmitriyLewen@simar7@stefan0xC@thara@rvesse@knqyf263@owenrumney@dnwe@afdesk

Resources

Aqua Security Trivy installer is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.