Modern-day CI/CD pipelines enable new security approaches and are transforming the DevOps landscape by building a variety of safety nets into the software supply chain. GitHub Actions is one such safety net, making it possible to run a variety of pipeline steps (build, test, and deploy) from within GitHub. We saw this as an opportunity to incorporate container image security seamlessly, without creating friction. To do this, we combined the flexibility of GitHub Actions with the high performance of our easy-to-use Trivy vulnerability scanner in the Aqua Security Trivy GitHub Action.
This Action integrates with GitHub’s new code scanning feature so that you can read vulnerability scanning results for your images directly in the GitHub code scanning UI.
Visualizing Vulnerability Results with GitHub Code Scanning
With the launch of GitHub code scanning, it’s easy to see security issues through a single dashboard integrated directly in the GitHub UI, and it makes sense for container image vulnerability issues to be included in this view. You can read more about the code scanning capabilities on GitHub’s website.
Here’s an example of how to configure a Trivy Action to send results to the GitHub code scanning dashboard:
The example workflow performs four simple steps. First, we check out the code. The second step builds the code into a Docker image. We then use the Trivy Action to scan this Docker image for vulnerabilities and finish by uploading the results to GitHub.
Since GitHub code scanning supports the industry-standard SARIF format for vulnerability reports, we’ve also added support to Trivy to output results in SARIF so that code scanning can consume them.
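A workflow that implements the four steps described above, added here as an illustration (it is not the post's own example): the action version tags, the image name and the SARIF file name are assumptions, and it relies on Trivy's SARIF output and the `security-events: write` permission that code scanning uploads require.

```yaml
# Added example workflow (not from the original post). Action version tags,
# the image name and the output file name are assumptions.
name: container-scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed to upload SARIF to code scanning

    steps:
      # Step 1: check out the code
      - name: Checkout code
        uses: actions/checkout@v4

      # Step 2: build the code into a Docker image (tag is an assumption)
      - name: Build an image from Dockerfile
        run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      # Step 3: scan the built image with Trivy and write a SARIF report
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'   # report only the findings to act on first

      # Step 4: upload the SARIF report to the GitHub code scanning dashboard
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
```

The scan step does not fail the job by default, so findings appear in the Security tab without blocking the pipeline; set the action's `exit-code` input to a non-zero value if you want the build to fail on matching vulnerabilities.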
Once Trivy Action finishes and sends results to the GitHub code scanning dashboard, here’s how it looks:
You can also drill down into the various vulnerabilities that were found and get specific details for each one of them as shown below:
The vulnerabilities are tagged by severity level and package. This makes it easier for you to filter and prioritize the subset of vulnerabilities that you should act on first.
GitHub code scanning also maintains a track record of past vulnerabilities that you can access for any particular project. This can help you track down where/when the vulnerability was first introduced, if it was fixed, and whether it was re-introduced as a regression.
Trying the Trivy GitHub Action
The Aqua Security Trivy GitHub Action is available today through the GitHub Marketplace.
We’ve also open-sourced the Trivy Action code on our GitHub repo.
We look forward to you using this on your projects. As always, we welcome any feedback or pull requests that you may have!