This repository contains a collection of shared GitHub Actions that extend and augment the capabilities of aquasecurity/trivy-action. These actions provide streamlined workflows for security scanning in CI/CD pipelines.
When referencing these actions in your workflows, always use a specific release tag rather than @main for production environments. This ensures stability and prevents unexpected breaking changes from affecting your CI/CD pipelines.
```yaml
# ✅ Good - Use specific release tag
uses: nhs-england-tools/trivy-action/iac-scan@v1.1.0

# ❌ Avoid - Using main branch in production
uses: nhs-england-tools/trivy-action/iac-scan@main
```

Check the Releases page for the latest stable version and release notes.
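The pinning advice above is easy to state and easy to drift from. The following added example (not part of this repository) is a small shell check that can run as a pre-merge step: it reports every `uses:` reference in a workflow file whose ref is the mutable `@main` or `@master` branch, ignores comment lines, local (`./`) actions and `docker://` references, and exits non-zero when anything is unpinned. The sample workflow it writes is constructed for the demonstration; the function names `unpinned_refs`, `count_unpinned`, `check_pins` and `check_workflow_dir` are this example's own.

```shell
#!/bin/sh
# Added example: flag GitHub Actions references pinned to a mutable branch.
# Not part of nhs-england-tools/trivy-action; function names are this example's own.

# Print each offending line (prefixed with its line number) in one workflow file.
# The regex requires the ref to be exactly main/master: "@main-lts" or "@main.v2"
# are not matched, and lines starting with '#' (comments) are skipped because
# they do not begin with "uses:".
unpinned_refs() {
  grep -nE '^[[:space:]]*-?[[:space:]]*uses:.*@(main|master)([^[:alnum:]_.-]|$)' "$1" || true
}

# Number of unpinned references in a file (0 when the file is clean).
count_unpinned() {
  unpinned_refs "$1" | grep -c . || true
}

# Return 0 when every reference in the file is pinned to a tag or SHA, 1 otherwise.
check_pins() {
  found=$(unpinned_refs "$1")
  if [ -n "$found" ]; then
    printf '%s: action references pinned to a mutable branch:\n%s\n' "$1" "$found" >&2
    return 1
  fi
  return 0
}

# Check every *.yml / *.yaml file in a directory (e.g. .github/workflows).
check_workflow_dir() {
  rc=0
  for f in "$1"/*.yml "$1"/*.yaml; do
    [ -f "$f" ] || continue
    check_pins "$f" || rc=1
  done
  return $rc
}

# Constructed sample workflow (not from this repository) with two unpinned references.
make_fixture() {
  cat > "$1" <<'EOF'
name: Security Scanning
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./local-action
      - uses: docker://alpine:3.19
      # previously: uses: nhs-england-tools/trivy-action/image-scan@main (comment, ignored)
      - name: IaC scan (pinned to a release tag, OK)
        uses: nhs-england-tools/trivy-action/iac-scan@v1.1.0
      - name: Image scan (mutable branch, flagged)
        uses: nhs-england-tools/trivy-action/image-scan@main
      - name: SBOM (mutable branch, flagged)
        uses: 'nhs-england-tools/trivy-action/sbom-scan@master'
EOF
}

# Local demonstration: write the fixture into a temporary directory and check it.
tmpdir=$(mktemp -d)
make_fixture "$tmpdir/security.yml"
if check_workflow_dir "$tmpdir"; then
  echo "all action references are pinned"
else
  echo "unpinned references found (see above); fix them before merging"
fi
rm -rf "$tmpdir"
```

In CI, replace the demonstration at the bottom with `check_workflow_dir .github/workflows` in a `run:` step; the non-zero exit fails the job. A stricter variant of the same check could require a full commit SHA after `@`, which is immutable even when a tag is moved.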
Path: ./iac-scan
Performs comprehensive Trivy Infrastructure as Code scanning and reporting for Terraform and other IaC files.
```yaml
- name: Run Trivy IaC Scan
  uses: nhs-england-tools/trivy-action/iac-scan@v1.1.0
  with:
    scan-ref: './terraform'
    severity: 'HIGH,CRITICAL'
    fail-on-critical-high: 'true'
```

| Input | Description | Required | Default |
|---|---|---|---|
| scan-ref | Directory or file to scan | No | ./terraform |
| severity | Comma-separated list of severity levels | No | HIGH,CRITICAL,MEDIUM,LOW,UNKNOWN |
| trivy-config | Path to Trivy configuration file | No | trivy.yaml |
| artifact-name | Name for the uploaded artifact | No | trivy-iac-scan-results |
| fail-on-critical-high | Fail action on critical/high findings | No | true |

| Output | Description |
|---|---|
| critical-count | Number of critical severity findings |
| high-count | Number of high severity findings |
| report-path | Path to the generated markdown report |
Path: ./sbom-scan
Performs Software Bill of Materials (SBOM) scanning and reporting with optional GitHub Dependency Graph integration.
```yaml
- name: Generate SBOM
  uses: nhs-england-tools/trivy-action/sbom-scan@v1.1.0
  with:
    image-ref: "myapp:latest" # scan your docker image, or
    repo-path: "." # scan your git repo
    publish-to-dependency-graph: "true"
    github-token: ${{ secrets.GITHUB_TOKEN }}
```

| Input | Description | Required | Default |
|---|---|---|---|
| image-ref | Docker image reference to scan | Must provide either image-ref or repo-path | - |
| repo-path | Path to git repo to scan (local or remote) | Must provide either image-ref or repo-path | - |
| github-token | GitHub token for dependency graph upload | No | - |
| publish-to-dependency-graph | Publish SBOM to GitHub Dependency Graph | No | false |
| artifact-name | Name for the uploaded SBOM artifact | No | sbom |

| Output | Description |
|---|---|
| sbom-path | Path to the generated SBOM file |
Path: ./image-scan
Performs comprehensive Trivy security scanning for Docker container images with detailed vulnerability reporting.
```yaml
- name: Run Container Image Security Scan
  uses: nhs-england-tools/trivy-action/image-scan@v1.1.0
  with:
    image-ref: 'myapp:latest'
    severity: 'HIGH,CRITICAL'
    fail-on-critical-high: 'true'
```

| Input | Description | Required | Default |
|---|---|---|---|
| image-ref | Docker image reference to scan | Yes | - |
| severity | Comma-separated list of severity levels | No | HIGH,CRITICAL,MEDIUM,LOW,UNKNOWN |
| trivy-config | Path to Trivy configuration file | No | trivy.yaml |
| artifact-name | Name for the uploaded artifact | No | trivy-image-scan-results |
| fail-on-critical-high | Fail action on critical/high findings | No | true |
| ignore-unfixed | Ignore unfixed vulnerabilities | No | true |

| Output | Description |
|---|---|
| critical-count | Number of critical severity findings |
| high-count | Number of high severity findings |
| report-path | Path to the generated markdown report |
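The `critical-count`, `high-count` and `report-path` outputs of the iac-scan and image-scan actions only pay off when a later step reads them. The following added example (not part of this repository) is a shell script for such a `run:` step. It assumes the scan step was given `id: scan`, that `fail-on-critical-high` was set to `'false'` so this step applies the policy instead, and that the outputs were mapped into the environment variables `CRITICAL`, `HIGH` and `REPORT` (with `MAX_HIGH` as the policy's own threshold); the script name `scan-gate.sh`, the function names and the sample report text are this example's own. It appends a severity table plus the markdown report to the job summary (`$GITHUB_STEP_SUMMARY`, a real Actions variable) and fails the job on any critical finding or on more than `MAX_HIGH` high findings, treating a missing or non-numeric count as a failure rather than a pass.

```shell
#!/bin/sh
# Added example, not part of nhs-england-tools/trivy-action. Assumed wiring in
# the workflow (the scan step needs an explicit id so its outputs can be read):
#
#   - id: scan
#     uses: nhs-england-tools/trivy-action/iac-scan@v1.1.0
#     with:
#       scan-ref: './terraform'
#       fail-on-critical-high: 'false'   # the policy in this script decides instead
#   - name: Apply scan policy
#     run: sh scan-gate.sh
#     env:
#       CRITICAL: ${{ steps.scan.outputs.critical-count }}
#       HIGH: ${{ steps.scan.outputs.high-count }}
#       REPORT: ${{ steps.scan.outputs.report-path }}
#       MAX_HIGH: '3'

# Append a severity table and the markdown report to a summary file
# ($GITHUB_STEP_SUMMARY in Actions; any writable path elsewhere).
write_summary() {
  critical="$1"; high="$2"; report="$3"; summary="$4"
  {
    printf '## Trivy scan policy\n\n'
    printf '| Severity | Count |\n|---|---|\n'
    printf '| CRITICAL | %s |\n| HIGH | %s |\n\n' "$critical" "$high"
    if [ -f "$report" ]; then
      cat "$report"
    else
      printf '_No report file found at %s_\n' "$report"
    fi
  } >> "$summary"
}

# Policy: return 0 to pass, 1 to fail. Empty or non-numeric counts (for
# example when the scan step did not run) fail closed instead of passing.
evaluate_policy() {
  critical="$1"; high="$2"; max_high="${3:-0}"
  for v in "$critical" "$high" "$max_high"; do
    case "$v" in
      ''|*[!0-9]*) echo "policy: non-numeric count '$v'" >&2; return 1 ;;
    esac
  done
  if [ "$critical" -gt 0 ]; then
    echo "policy failed: $critical critical finding(s)" >&2
    return 1
  fi
  if [ "$high" -gt "$max_high" ]; then
    echo "policy failed: $high high finding(s), limit is $max_high" >&2
    return 1
  fi
  return 0
}

# Entry point for the run: step; reads the variables mapped from the outputs.
scan_gate() {
  summary="${GITHUB_STEP_SUMMARY:-./scan-summary.md}"
  write_summary "${CRITICAL:-}" "${HIGH:-}" "${REPORT:-}" "$summary"
  evaluate_policy "${CRITICAL:-}" "${HIGH:-}" "${MAX_HIGH:-0}"
}

# Local demonstration with constructed values when not running inside Actions.
if [ -z "${GITHUB_ACTIONS:-}" ]; then
  demo_dir=$(mktemp -d)
  printf '### Findings (constructed sample)\n\n- sample-finding-1: storage bucket without encryption (HIGH)\n' \
    > "$demo_dir/report.md"
  if ( CRITICAL=0; HIGH=1; REPORT="$demo_dir/report.md"; MAX_HIGH=3
       GITHUB_STEP_SUMMARY="$demo_dir/summary.md"; scan_gate ); then
    echo "policy passed"
  else
    echo "policy failed"
  fi
  cat "$demo_dir/summary.md"
  rm -rf "$demo_dir"
fi
```

Keeping `fail-on-critical-high: 'true'` and still running this step is also valid if you only want the summary; in that case the scan step itself fails first and the policy step needs `if: always()` to run.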
```yaml
name: Security Scanning

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  iac-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run IaC Security Scan
        uses: nhs-england-tools/trivy-action/iac-scan@v1.1.0
        with:
          scan-ref: './infrastructure'
          severity: 'HIGH,CRITICAL'
          fail-on-critical-high: 'true'

  image-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build Docker Image
        run: docker build -t myapp:${{ github.sha }} .
      - name: Run Container Image Security Scan
        uses: nhs-england-tools/trivy-action/image-scan@v1.1.0
        with:
          image-ref: 'myapp:${{ github.sha }}'
          severity: 'HIGH,CRITICAL'
          fail-on-critical-high: 'true'

  sbom-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build Docker Image
        run: docker build -t myapp:${{ github.sha }} .
      - name: Generate SBOM
        uses: nhs-england-tools/trivy-action/sbom-scan@v1.1.0
        with:
          image-ref: 'myapp:${{ github.sha }}'
          publish-to-dependency-graph: 'true'
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

Features:
- IaC Security Scanning: Comprehensive security analysis for Infrastructure as Code
- Container Image Scanning: Vulnerability scanning for Docker images and containers
- SBOM Generation: Software Bill of Materials creation in SPDX format
- GitHub Integration: Optional dependency graph publishing
- Artifact Upload: Automatic upload of scan results and SBOMs
- Configurable Severity: Customizable severity level filtering
- Flexible Configuration: Support for custom Trivy configuration files
Requirements:
- GitHub Actions environment
- Docker images (for image and SBOM scanning)
- Terraform/IaC files (for infrastructure scanning)
Related Projects:
- Trivy - Main security scanner
- Trivy Action - Base GitHub Action