Description
Wat
The action runs trivy twice when the format is set to sarif, so some options are not respected (including timeouts).
imo we should remove the second trivy run altogether, since it's mostly duplication, but thought I should open an issue before a PR 😄 .. any concerns?
Expectation
Given the following step:
- name: Run Trivy image scanner
  uses: aquasecurity/trivy-action@0.5.1
  timeout-minutes: 10
  with:
    scan-type: image
    vuln-type: os
    image-ref: ${{inputs.repository}}/${{ inputs.image }}
    format: sarif
    output: trivy-image.sarif
    ignore-unfixed: true
    hide-progress: false
    security-checks: vuln
    timeout: 10m0s
I was expecting the step to succeed in under 10 minutes.
Reality
It fails with a timeout after 8 minutes.
2022-07-04T20:38:08.520Z FATAL image scan error: scan error: image scan failed: failed analysis: analyze error: timeout: context deadline exceeded
Cause
It runs trivy twice: once with a timeout and once without.
Additionally, the timeouts in my case are caused by secret scanning on a large image, which would not be disabled when trivy runs the second time.
Line 162 in 7b7aa26
trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
Resolves to: trivy image --format sarif --ignore-unfixed --vuln-type os --security-checks vuln --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --output trivy-image.sarif --timeout 10m library/alpine
Lines 165 to 171 in 7b7aa26
# SARIF is special. We output all vulnerabilities,
# regardless of severity level specified in this report.
# This is a feature, not a bug :)
if [[ "${format}" == "sarif" ]]; then
  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
  trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
fi
Resolves to: trivy --quiet image --format sarif --output trivy-image.sarif --ignore-unfixed --vuln-type os library/alpine
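The following is an added illustration of the single-run approach the report suggests; it is not code from trivy-action's entrypoint.sh. A hypothetical `trivy_cmd` helper builds one trivy command line from the action inputs shown above, dropping only the severity filter for SARIF output so that `--timeout` and `--security-checks` are never lost, and `has_flag` checks the result.

```shell
#!/bin/sh
# Added example, not the project's script: build the trivy command line once,
# so every option the workflow set survives regardless of output format.
# Input values below are constructed from the workflow step in the issue.
set -eu

# Print the argument list for a single trivy run.
# For sarif the severity filter is omitted (the action intends the SARIF report
# to carry every finding), but --timeout and --security-checks are kept.
trivy_cmd() {
  scan_type="$1"; format="$2"; output="$3"; timeout="$4"
  vuln_type="$5"; checks="$6"; severity="$7"; ref="$8"
  args="trivy $scan_type --format $format --output $output"
  args="$args --timeout $timeout --vuln-type $vuln_type --security-checks $checks"
  if [ "$format" != "sarif" ]; then
    args="$args --severity $severity"
  fi
  printf '%s\n' "$args $ref"
}

# Return 0 if the command line carries the given flag, 1 otherwise.
has_flag() {
  case " $1 " in
    *" $2 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed inputs matching the issue's workflow step (sarif) and a
# table-format counterpart for comparison.
sarif_cmd=$(trivy_cmd image sarif trivy-image.sarif 10m0s os vuln \
  UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL library/alpine)
table_cmd=$(trivy_cmd image table trivy-image.txt 10m0s os vuln \
  HIGH,CRITICAL library/alpine)

printf '%s\n%s\n' "$sarif_cmd" "$table_cmd"
```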