aquasecurity/setup-trivy
Set up your GitHub Actions workflow with a specific version of Trivy
Install the latest version:

```yaml
# ...
steps:
  - name: Install Trivy
    uses: aquasecurity/setup-trivy@v0.2.2
```

Install a specific version:

```yaml
# ...
steps:
  - name: Install Trivy
    uses: aquasecurity/setup-trivy@v0.2.2
    with:
      version: v0.56.2
```
setup-trivy uses actions/cache under the hood but requires fewer configuration settings.
This caches the Trivy binary so that on the next run it is loaded from the cache instead of being downloaded again. This is a separate cache from other Trivy artifacts such as trivy-db and trivy-java-db.
The cache input is optional, and caching is turned off by default.
Caching is not supported when version is empty or latest.
To enable caching on Linux and macOS runners, set the cache input to true and specify the version:
```yaml
steps:
  - name: Install Trivy
    uses: aquasecurity/setup-trivy@v0.2.2
    with:
      version: v0.56.2
      cache: true
```
actions/cache does not support absolute paths on Windows runners.
To enable caching on a Windows runner, or if you need to change the Trivy installation directory for another reason, use the path input.
setup-trivy installs the binary into a trivy-bin subdirectory of that path so that only the binary, not unrelated files, ends up in the cache:
```yaml
steps:
  - name: Install Trivy
    uses: aquasecurity/setup-trivy@v0.2.2
    with:
      version: v0.56.2
      cache: true
      path: "./bins"
```
There are cases in which github.token (the default value, as for actions/checkout) is not a valid token for http://github.com.
One example is running on GitHub Enterprise Server (GHES).
See https://github.com/aquasecurity/setup-trivy/issues/10 for more information.
To install Trivy correctly in that situation, populate the token input from a secret or from another step (e.g. https://github.com/actions/create-github-app-token):
```yaml
steps:
  - name: Install Trivy
    uses: aquasecurity/setup-trivy@v0.2.2
    with:
      version: v0.56.2
      cache: true
      token: ${{ secrets.GITHUB_PAT }}
```
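The snippets above each show one input in isolation. The following complete workflow is an added example, not part of the setup-trivy README, that combines them: a pinned version (required for caching), the cache, a relative path so the same job caches on both Linux and Windows runners, and a token taken from a secret. The secret name GITHUB_PAT is the one used in the README; the workflow name, job layout, the scan target and the severity filter are assumptions chosen for illustration.

```yaml
# Added example (not from the setup-trivy README). Assumes a repository
# secret named GITHUB_PAT exists; on github.com with a working GITHUB_TOKEN
# the token input can be omitted.
name: trivy-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  scan:
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4

      # Pin the Trivy version: caching only works with a fixed version, and a
      # pinned scanner gives reproducible results across runs.
      - name: Install Trivy
        uses: aquasecurity/setup-trivy@v0.2.2
        with:
          version: v0.56.2
          cache: true
          # Relative install directory: actions/cache cannot cache absolute
          # paths on Windows, so this works on both runners. setup-trivy
          # places the binary in a trivy-bin subdirectory of this path.
          path: ./bins
          # github.token may be rejected for github.com downloads (e.g. on
          # GHES); a PAT supplied as a secret avoids that.
          token: ${{ secrets.GITHUB_PAT }}

      # Confirm the pinned binary is the one on PATH.
      - name: Show installed version
        run: trivy --version

      # Fail the job when HIGH or CRITICAL findings exist in the checked-out
      # repository (dependency files and IaC).
      - name: Scan repository
        run: trivy fs --scanners vuln,misconfig --severity HIGH,CRITICAL --exit-code 1 .
```

The job fails only on HIGH or CRITICAL findings so that lower-severity results do not block merges; tighten the severity filter once the baseline is clean. For a production pipeline, pinning the actions to a full commit SHA rather than a tag removes the possibility of a moved tag changing what runs.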