This action runs trivy with reviewdog on pull requests to enforce best practices.
By default, with reporter: github-pr-check an annotation is added to
the line:
With reporter: github-pr-review a comment is added to
the Pull Request Conversation:
Required.
The default is ${{ github.token }}.
Required. Trivy command [aws, config, filesystem, image, kubernetes, rootfs, sbom, vm].
You can see this with trivy --help
Required. Target to scan.
Varies depending on the trivy_command chosen. Please check Trivy Docs
Optional. Directory to run the action on, from the repo root.
The default is . (root of the repository).
Optional. Report level for reviewdog [info, warning, error].
It's same as -level flag of reviewdog.
The default is error.
Optional. Name of the tool being used. This controls how it will show up in the GitHub UI.
The default is trivy.
Optional. Reporter of reviewdog command [github-pr-check, github-pr-review].
The default is github-pr-check.
Optional. Filtering for the reviewdog command [added, diff_context, file, nofilter].
The default is added.
See reviewdog documentation for filter mode for details.
Deprecated. This option is no longer recommended for use and will be removed in future versions.
Optional. Exit code for reviewdog when errors are found [true, false].
The default is false.
See reviewdog documentation for exit codes for details.
Optional. If set to none, always use exit code 0 for reviewdog. Otherwise, exit code 1 for reviewdog if it finds at least 1 issue with severity greater than or equal to the given level. Possible values: [none, any, info, warning, error] Default is none.
The default is none.
See reviewdog documentation for fail level for details.
Optional. Additional reviewdog flags. Useful for debugging errors, when it can be set to -tee.
The default is ``.
Optional. The version of trivy to install.
The default is latest.
Optional. List of arguments to send to trivy.
The default is ``.
The trivy command return code.
The reviewdog command return code.
name: trivy
on: [pull_request]
jobs:
trivy:
name: runner / trivy
runs-on: ubuntu-latest # Windows and macOS are also supported
steps:
- name: Clone repo
uses: actions/checkout@v4
- name: Run trivy with reviewdog output on the PR
uses: reviewdog/action-trivy@v1
with:
github_token: ${{ secrets.github_token }}
trivy_command: config # Change trivy command
trivy_target: . # Change trivy target directory
working_directory: my_directory # Change working directory
level: info # Get more output from reviewdog
reporter: github-pr-review # Change reviewdog reporter
filter_mode: nofilter # Check all files, not just the diff
fail_on_error: true # Fail action if errors are found
fail_level: any # Fail action if any level of failures are found
flags: -tee # Add debug flag to reviewdog
trivy_flags: "" # OptionalYou can add the test files under the ./testdata without any other changes. You need to create a directory with following naming rules and put the test files.
./testdata/<trivy_target>/<data_type>/[with_detecitons|without_detections]
For example, files in ./testdata/config/terraform/without_detecions runs trivy config ./testdata/config/terraform/without_detections expecting without any detections.
You can bump version on merging Pull Requests with specific labels (bump:major,bump:minor,bump:patch). Pushing tag manually by yourself also work.
This action updates major/minor release tags on a tag push. e.g. Update v1 and v1.2 tag when released v1.2.3. ref: https://help.github.com/en/articles/about-actions#versioning-your-action
This reviewdog action template itself is integrated with reviewdog to run lints which is useful for Docker container based actions.
Supported linters:
This repository uses haya14busa/action-depup to update reviewdog version.
