schubergphilis · sbp-bvanb · Sep 26, 2024 · Sep 26, 2024
@@ -0,0 +1 @@
+.vscode
@@ -1,4 +1,4 @@
-# mcvs-docker-action
+# MCVS-docker-action
 
 Mission Critical Vulnerability Scanner (MCVS) Docker Action is a custom
 [GitHub Action](https://github.com/features/actions) that consists of the
@@ -13,12 +13,17 @@ following steps:
 - Code and docker image security scanning using Grype and Trivy.
 - Logging in and pushing the image to GitHub packages.
 
+## Usage
+
 Create a `.github/workflows/docker.yml` file with the following content:
 
-```bash
+```yaml
 ---
 name: Docker
 "on": push
+permissions:
+  contents: read
+  packages: write
 jobs:
   mcvs-docker-action:
     runs-on: ubuntu-20.04
@@ -29,3 +34,14 @@ jobs:
           dockle-accept-key: libcrypto3,libssl3
           token: ${{ secrets.GITHUB_TOKEN }}
 ```
+
+<!-- markdownlint-disable MD013 -->
+
+| Option               | Default                              | Required | Description                                                                                                      |
+| :------------------- | :----------------------------------- | -------- | :--------------------------------------------------------------------------------------------------------------- |
+| dockle-accept-key    | 80                                   |          | Suppress certain environment variables in a docker image that are seen as secrets, but are not                   |
+| token                | ' '                                  | x        | GitHub token that is required to push an image to the registry of the project and to pull cached Trivy DB images |
+| trivy-action-db      | ghcr.io/aquasecurity/trivy-db:2      |          | Replace this with a cached image to prevent bump into pull rate limiting issues                                  |
+| trivy-action-java-db | ghcr.io/aquasecurity/trivy-java-db:1 |          | Replace this with a cached image to prevent bump into pull rate limiting issues                                  |
+
+<!-- markdownlint-enable MD013 -->
@@ -11,6 +11,14 @@ inputs:
       will be installed then an error will be thrown by Dockle, which is
       incorrect. To mitigate this one has to specify the packages that are
       applicable, e.g.: `libcrypto3,libssl3`.
+  trivy-action-db:
+    default: "ghcr.io/aquasecurity/trivy-db:2"
+    description: |
+      OCI repository to retrieve trivy-db from.
+  trivy-action-java-db:
+    description: |
+      OCI repository to retrieve trivy-java-db from.
+    default: "ghcr.io/aquasecurity/trivy-java-db:1"
   token:
     description: |
       A token is required to allow the mcvs-docker-action to push the
@@ -87,6 +95,11 @@ runs:
         severity-cutoff: high
     - uses: 030/[email protected]
     - uses: aquasecurity/[email protected]
+      env:
+        TRIVY_DB_REPOSITORY: ${{ inputs.trivy-action-db }}
+        TRIVY_JAVA_DB_REPOSITORY: ${{ inputs.trivy-action-java-db }}
+        TRIVY_PASSWORD: ${{ inputs.token }}
+        TRIVY_USERNAME: ${{ github.actor }}
       with:
         scan-type: "fs"
         scan-ref: "."
@@ -95,6 +108,11 @@ runs:
         severity: "CRITICAL,HIGH"
         trivyignores: .trivyignore
     - uses: aquasecurity/[email protected]
+      env:
+        TRIVY_DB_REPOSITORY: ${{ inputs.trivy-action-db }}
+        TRIVY_JAVA_DB_REPOSITORY: ${{ inputs.trivy-action-java-db }}
+        TRIVY_PASSWORD: ${{ inputs.token }}
+        TRIVY_USERNAME: ${{ github.actor }}
       with:
         image-ref: ${{ steps.meta.outputs.tags }}
         format: "table"