Description
We have a number of workflows with steps like the following:
- Pre-download the Trivy Java DB (so we can cache it - this part of our workflow predates the introduction of caching directly into `trivy-action` and we may remove this in the future)
- Run a Trivy scan with `exit-code: 0` to get a full report of all vulnerabilities
- Run another Trivy scan with `exit-code: 1` and `severity: HIGH,CRITICAL` to fail our build if any High/Critical vulnerabilities are present
Here's an example of this - https://github.com/telicent-oss/shared-workflows/blob/main/.github/workflows/maven.yml#L230-L268
Since `trivy-action` refactored itself to be a composite action, it now uses this `setup-trivy` action to ensure `trivy` is installed and available. However, it doesn't include any logic to avoid repeated work, so this now results in our workflows downloading and installing Trivy 3 times, e.g.
2024-10-14T08:41:24.5563308Z ##[group]Run aquasecurity/trivy-action@master
2024-10-14T08:41:24.5563720Z with:
2024-10-14T08:41:24.5563952Z scan-type: fs
2024-10-14T08:41:24.5564228Z output: trivy-report.json
2024-10-14T08:41:24.5564523Z format: json
2024-10-14T08:41:24.5564779Z scan-ref: .
2024-10-14T08:41:24.5565016Z exit-code: 0
2024-10-14T08:41:24.5565270Z cache-dir: .trivy
2024-10-14T08:41:24.5565544Z ignore-unfixed: false
2024-10-14T08:41:24.5565827Z vuln-type: os,library
2024-10-14T08:41:24.5566154Z severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2024-10-14T08:41:24.5566537Z list-all-pkgs: false
2024-10-14T08:41:24.5566815Z version: v0.56.1
2024-10-14T08:41:24.5567065Z cache: true
2024-10-14T08:41:24.5567480Z env:
2024-10-14T08:41:24.5567709Z MAVEN_USERNAME:
2024-10-14T08:41:24.5567978Z MAVEN_PASSWORD:
2024-10-14T08:41:24.5568395Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.5569080Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.5569577Z ##[endgroup]
2024-10-14T08:41:24.5802835Z ##[group]Run aquasecurity/setup-trivy@v0.1.0
2024-10-14T08:41:24.5803202Z with:
2024-10-14T08:41:24.5803436Z version: v0.56.1
2024-10-14T08:41:24.5803691Z cache: true
2024-10-14T08:41:24.5804113Z env:
2024-10-14T08:41:24.5804332Z MAVEN_USERNAME:
2024-10-14T08:41:24.5804590Z MAVEN_PASSWORD:
2024-10-14T08:41:24.5805002Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.5805651Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.5806143Z ##[endgroup]
2024-10-14T08:41:24.5823288Z ##[group]Run lowercase_repo=$(echo "Linux" | tr '[:upper:]' '[:lower:]')
2024-10-14T08:41:24.5823898Z lowercase_repo=$(echo "Linux" | tr '[:upper:]' '[:lower:]')
2024-10-14T08:41:24.5824447Z echo "PLATFORM=${lowercase_repo}" >> $GITHUB_OUTPUT
2024-10-14T08:41:24.5872887Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:24.5873322Z env:
2024-10-14T08:41:24.5873557Z MAVEN_USERNAME:
2024-10-14T08:41:24.5873822Z MAVEN_PASSWORD:
2024-10-14T08:41:24.5874238Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.5874887Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.5875394Z ##[endgroup]
2024-10-14T08:41:24.5985515Z ##[group]Run if [ "X64" == "X86" ]; then
2024-10-14T08:41:24.5985891Z if [ "X64" == "X86" ]; then
2024-10-14T08:41:24.5986268Z  echo "ARCH=32bit" >> $GITHUB_OUTPUT
2024-10-14T08:41:24.5986653Z elif [ "X64" == "X64" ]; then
2024-10-14T08:41:24.5987014Z  echo "ARCH=64bit" >> $GITHUB_OUTPUT
2024-10-14T08:41:24.5987656Z elif [ "X64" == "ARM" ]; then
2024-10-14T08:41:24.5988040Z  echo "ARCH=arm" >> $GITHUB_OUTPUT
2024-10-14T08:41:24.5988418Z elif [ "X64" == "ARM64" ]; then
2024-10-14T08:41:24.5988802Z  echo "ARCH=arm64" >> $GITHUB_OUTPUT
2024-10-14T08:41:24.5989149Z else
2024-10-14T08:41:24.5989432Z  echo "Unsupported architecture"
2024-10-14T08:41:24.5989785Z  exit 1
2024-10-14T08:41:24.5990028Z fi
2024-10-14T08:41:24.6032768Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:24.6033207Z env:
2024-10-14T08:41:24.6033434Z MAVEN_USERNAME:
2024-10-14T08:41:24.6033702Z MAVEN_PASSWORD:
2024-10-14T08:41:24.6034115Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.6034754Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.6035238Z ##[endgroup]
2024-10-14T08:41:24.6118607Z ##[group]Run if [ "true" == "true" ]; then
2024-10-14T08:41:24.6119001Z if [ "true" == "true" ]; then
2024-10-14T08:41:24.6119384Z  if [ "v0.56.1" == "latest" ]; then
2024-10-14T08:41:24.6120073Z  echo "Trivy binaries caching for 'latest' tag is not supported"
2024-10-14T08:41:24.6120561Z  else
2024-10-14T08:41:24.6120874Z  echo "CACHE=enable" >> $GITHUB_OUTPUT
2024-10-14T08:41:24.6121243Z  fi
2024-10-14T08:41:24.6121483Z fi
2024-10-14T08:41:24.6164121Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:24.6164558Z env:
2024-10-14T08:41:24.6164784Z MAVEN_USERNAME:
2024-10-14T08:41:24.6165051Z MAVEN_PASSWORD:
2024-10-14T08:41:24.6165460Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.6166106Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.6166591Z ##[endgroup]
2024-10-14T08:41:24.6294662Z ##[group]Run jaxxstorm/action-install-gh-release@v1.10.0
2024-10-14T08:41:24.6295098Z with:
2024-10-14T08:41:24.6295347Z repo: aquasecurity/trivy
2024-10-14T08:41:24.6295644Z tag: v0.56.1
2024-10-14T08:41:24.6295902Z platform: linux
2024-10-14T08:41:24.6296165Z arch: 64bit
2024-10-14T08:41:24.6296416Z cache: enable
2024-10-14T08:41:24.6296783Z token: ***
2024-10-14T08:41:24.6297050Z extension-matching: enable
2024-10-14T08:41:24.6297540Z env:
2024-10-14T08:41:24.6297886Z MAVEN_USERNAME:
2024-10-14T08:41:24.6298162Z MAVEN_PASSWORD:
2024-10-14T08:41:24.6298796Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.6299441Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.6299926Z ##[endgroup]
2024-10-14T08:41:24.7829091Z ==> System reported platform: linux
2024-10-14T08:41:24.7830022Z ==> Using platform: linux
2024-10-14T08:41:24.7833496Z ==> System reported arch: x64
2024-10-14T08:41:24.7834076Z ==> Using arch: 64bit
2024-10-14T08:41:24.7834698Z ==> Using default file extension matching: .(tar.gz|zip)
2024-10-14T08:41:24.7836195Z ==> Binaries will be located at: /opt/hostedtoolcache/aquasecurity/trivy/v0.56.1/linux-64bit
2024-10-14T08:41:26.3406901Z Received 8388608 of 37531381 (22.4%), 8.0 MBs/sec
2024-10-14T08:41:26.6215209Z Received 37531381 of 37531381 (100.0%), 27.9 MBs/sec
2024-10-14T08:41:26.6216011Z Cache Size: ~36 MB (37531381 B)
2024-10-14T08:41:26.6243645Z [command]/usr/bin/tar -xf /home/runner/work/_temp/e6c64f2f-bf83-4065-83de-aed179a3e0db/cache.tzst -P -C /home/runner/work/jwt-servlet-auth/jwt-servlet-auth --use-compress-program unzstd
2024-10-14T08:41:26.8141151Z Cache restored successfully
2024-10-14T08:41:26.8221317Z Found trivy in the cache: /opt/hostedtoolcache/aquasecurity/trivy/v0.56.1/linux-64bit
2024-10-14T08:41:26.8369138Z ##[group]Run echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
2024-10-14T08:41:26.8369678Z echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
2024-10-14T08:41:26.8418194Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:26.8418623Z env:
2024-10-14T08:41:26.8418853Z MAVEN_USERNAME:
2024-10-14T08:41:26.8419126Z MAVEN_PASSWORD:
2024-10-14T08:41:26.8419560Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:26.8420200Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:26.8420690Z ##[endgroup]
2024-10-14T08:41:26.8541854Z ##[group]Run actions/cache@v4
2024-10-14T08:41:26.8542162Z with:
2024-10-14T08:41:26.8542407Z path: .trivy
2024-10-14T08:41:26.8542683Z key: cache-trivy-2024-10-14
2024-10-14T08:41:26.8543006Z restore-keys: cache-trivy-
2024-10-14T08:41:26.8543328Z enableCrossOsArchive: false
2024-10-14T08:41:26.8543646Z fail-on-cache-miss: false
2024-10-14T08:41:26.8543944Z lookup-only: false
2024-10-14T08:41:26.8544224Z save-always: false
2024-10-14T08:41:26.8544494Z env:
2024-10-14T08:41:26.8544721Z MAVEN_USERNAME:
2024-10-14T08:41:26.8544991Z MAVEN_PASSWORD:
2024-10-14T08:41:26.8545410Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:26.8546060Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:26.8546726Z ##[endgroup]
2024-10-14T08:41:28.5101466Z Received 0 of 685706255 (0.0%), 0.0 MBs/sec
2024-10-14T08:41:29.5106134Z Received 100663296 of 685706255 (14.7%), 48.0 MBs/sec
2024-10-14T08:41:30.5104546Z Received 234881024 of 685706255 (34.3%), 74.6 MBs/sec
2024-10-14T08:41:31.5105159Z Received 343932928 of 685706255 (50.2%), 82.0 MBs/sec
2024-10-14T08:41:32.5108432Z Received 457179136 of 685706255 (66.7%), 87.2 MBs/sec
2024-10-14T08:41:33.5134853Z Received 583008256 of 685706255 (85.0%), 92.7 MBs/sec
2024-10-14T08:41:34.3444738Z Cache Size: ~654 MB (685706255 B)
2024-10-14T08:41:34.3484991Z [command]/usr/bin/tar -xf /home/runner/work/_temp/94eb8c78-35ce-48c5-a51f-38ff8153d958/cache.tzst -P -C /home/runner/work/jwt-servlet-auth/jwt-servlet-auth --use-compress-program unzstd
2024-10-14T08:41:34.5109939Z Received 685706255 of 685706255 (100.0%), 93.4 MBs/sec
2024-10-14T08:41:37.3680404Z Cache restored successfully
2024-10-14T08:41:37.6671034Z Cache restored from key: cache-trivy-2024-10-14
2024-10-14T08:41:37.6789128Z ##[group]Run echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
2024-10-14T08:41:37.6789620Z echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
2024-10-14T08:41:37.6838672Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:37.6839116Z env:
2024-10-14T08:41:37.6839359Z MAVEN_USERNAME:
2024-10-14T08:41:37.6839843Z MAVEN_PASSWORD:
2024-10-14T08:41:37.6840270Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:37.6840920Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:37.6841603Z GITHUB_ACTION_PATH: /home/runner/work/_actions/aquasecurity/trivy-action/master
2024-10-14T08:41:37.6842114Z ##[endgroup]
2024-10-14T08:41:37.9639832Z ##[group]Run # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
2024-10-14T08:41:37.9640965Z # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
2024-10-14T08:41:37.9641865Z # This limitation affects how we handle default values and empty inputs.
2024-10-14T08:41:37.9642585Z # For more information, see: https://github.com/actions/runner/issues/924
2024-10-14T08:41:37.9643112Z
2024-10-14T08:41:37.9643653Z # Function to set environment variable only if the input is provided and different from default
2024-10-14T08:41:37.9644283Z set_env_var_if_provided() {
2024-10-14T08:41:37.9644639Z  local var_name="$1"
2024-10-14T08:41:37.9644969Z  local input_value="$2"
2024-10-14T08:41:37.9645314Z  local default_value="$3"
2024-10-14T08:41:37.9645641Z
2024-10-14T08:41:37.9646035Z  if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then
2024-10-14T08:41:37.9646600Z  echo "$var_name=$input_value" >> $GITHUB_ENV
2024-10-14T08:41:37.9647004Z  fi
2024-10-14T08:41:37.9647248Z }
2024-10-14T08:41:37.9647705Z
2024-10-14T08:41:37.9648096Z # Set environment variables, handling those with default values
2024-10-14T08:41:37.9648897Z # cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
2024-10-14T08:41:37.9649594Z set_env_var_if_provided "TRIVY_INPUT" "" ""
2024-10-14T08:41:37.9650074Z set_env_var_if_provided "TRIVY_EXIT_CODE" "0" ""
2024-10-14T08:41:37.9650639Z set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "false" "false"
2024-10-14T08:41:37.9651263Z set_env_var_if_provided "TRIVY_PKG_TYPES" "os,library" "os,library"
2024-10-14T08:41:37.9652087Z set_env_var_if_provided "TRIVY_SEVERITY" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
2024-10-14T08:41:37.9652865Z set_env_var_if_provided "TRIVY_FORMAT" "json" "table"
2024-10-14T08:41:37.9653370Z set_env_var_if_provided "TRIVY_TEMPLATE" "" ""
2024-10-14T08:41:37.9654078Z set_env_var_if_provided "TRIVY_OUTPUT" "trivy-report.json" ""
2024-10-14T08:41:37.9654636Z set_env_var_if_provided "TRIVY_SKIP_DIRS" "" ""
2024-10-14T08:41:37.9655127Z set_env_var_if_provided "TRIVY_SKIP_FILES" "" ""
2024-10-14T08:41:37.9655610Z set_env_var_if_provided "TRIVY_TIMEOUT" "" ""
2024-10-14T08:41:37.9656110Z set_env_var_if_provided "TRIVY_IGNORE_POLICY" "" ""
2024-10-14T08:41:37.9656595Z set_env_var_if_provided "TRIVY_QUIET" "" ""
2024-10-14T08:41:37.9657113Z set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "false" "false"
2024-10-14T08:41:37.9657766Z set_env_var_if_provided "TRIVY_SCANNERS" "" ""
2024-10-14T08:41:37.9658230Z set_env_var_if_provided "TRIVY_CONFIG" "" ""
2024-10-14T08:41:37.9658692Z set_env_var_if_provided "TRIVY_TF_VARS" "" ""
2024-10-14T08:41:37.9659180Z set_env_var_if_provided "TRIVY_DOCKER_HOST" "" ""
2024-10-14T08:41:37.9709281Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:37.9709723Z env:
2024-10-14T08:41:37.9709962Z MAVEN_USERNAME:
2024-10-14T08:41:37.9710241Z MAVEN_PASSWORD:
2024-10-14T08:41:37.9710680Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:37.9711349Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:37.9712024Z ##[endgroup]
2024-10-14T08:41:37.9806483Z ##[group]Run entrypoint.sh
2024-10-14T08:41:37.9806815Z entrypoint.sh
2024-10-14T08:41:37.9849691Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:37.9850131Z env:
2024-10-14T08:41:37.9850375Z MAVEN_USERNAME:
2024-10-14T08:41:37.9850658Z MAVEN_PASSWORD:
2024-10-14T08:41:37.9851092Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:37.9851758Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:37.9852266Z TRIVY_EXIT_CODE: 0
2024-10-14T08:41:37.9852556Z TRIVY_FORMAT: json
2024-10-14T08:41:37.9852862Z TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:37.9853216Z INPUT_SCAN_TYPE: fs
2024-10-14T08:41:37.9853498Z INPUT_IMAGE_REF:
2024-10-14T08:41:37.9853769Z INPUT_SCAN_REF: .
2024-10-14T08:41:37.9854048Z INPUT_TRIVYIGNORES:
2024-10-14T08:41:37.9854341Z INPUT_GITHUB_PAT:
2024-10-14T08:41:37.9854636Z INPUT_LIMIT_SEVERITIES_FOR_SARIF:
2024-10-14T08:41:37.9854984Z TRIVY_CACHE_DIR: .trivy
2024-10-14T08:41:37.9855286Z ##[endgroup]
2024-10-14T08:41:37.9934539Z Running Trivy with options: trivy fs .
2024-10-14T08:41:38.0506210Z 2024-10-14T08:41:38Z INFO [vuln] Vulnerability scanning is enabled
2024-10-14T08:41:38.0506934Z 2024-10-14T08:41:38Z INFO [secret] Secret scanning is enabled
2024-10-14T08:41:38.0508143Z 2024-10-14T08:41:38Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T08:41:38.0509747Z 2024-10-14T08:41:38Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T08:41:39.6183955Z 2024-10-14T08:41:39Z INFO Number of language-specific files num=12
2024-10-14T08:41:39.6185160Z 2024-10-14T08:41:39Z INFO [pom] Detecting vulnerabilities...
2024-10-14T08:41:39.6572667Z ##[group]Run actions/upload-artifact@v4
2024-10-14T08:41:39.6573068Z with:
2024-10-14T08:41:39.6573326Z name: trivy-report
2024-10-14T08:41:39.6573630Z path: trivy-report.json
2024-10-14T08:41:39.6573941Z retention-days: 30
2024-10-14T08:41:39.6574236Z if-no-files-found: warn
2024-10-14T08:41:39.6574538Z compression-level: 6
2024-10-14T08:41:39.6574832Z overwrite: false
2024-10-14T08:41:39.6575117Z include-hidden-files: false
2024-10-14T08:41:39.6575425Z env:
2024-10-14T08:41:39.6575785Z MAVEN_USERNAME:
2024-10-14T08:41:39.6576155Z MAVEN_PASSWORD:
2024-10-14T08:41:39.6576826Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:39.6577819Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:39.6578509Z TRIVY_EXIT_CODE: 0
2024-10-14T08:41:39.6578926Z TRIVY_FORMAT: json
2024-10-14T08:41:39.6579337Z TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:39.6579818Z ##[endgroup]
2024-10-14T08:41:39.8694546Z With the provided path, there will be 1 file uploaded
2024-10-14T08:41:39.8700213Z Artifact name is valid!
2024-10-14T08:41:39.8701440Z Root directory input is valid!
2024-10-14T08:41:40.1446384Z Beginning upload of artifact content to blob storage
2024-10-14T08:41:40.3988528Z Uploaded bytes 503
2024-10-14T08:41:40.4660128Z Finished uploading artifact content to blob storage!
2024-10-14T08:41:40.4662734Z SHA256 hash of uploaded artifact zip is eb3662323bdb3bd48084f07301fb0ef8f1448f694f754dba9c5fab43e20cd336
2024-10-14T08:41:40.4664184Z Finalizing artifact upload
2024-10-14T08:41:40.5949815Z Artifact trivy-report.zip successfully finalized. Artifact ID 2052114189
2024-10-14T08:41:40.5951500Z Artifact trivy-report has been successfully uploaded! Final size is 503 bytes. Artifact ID is 2052114189
2024-10-14T08:41:40.5957914Z Artifact download URL: https://github.com/telicent-oss/jwt-servlet-auth/actions/runs/11323718298/artifacts/2052114189
2024-10-14T08:41:40.6183406Z ##[group]Run aquasecurity/trivy-action@master
2024-10-14T08:41:40.6184092Z with:
2024-10-14T08:41:40.6184763Z scan-type: fs
2024-10-14T08:41:40.6185211Z format: table
2024-10-14T08:41:40.6185675Z scan-ref: .
2024-10-14T08:41:40.6186156Z severity: HIGH,CRITICAL
2024-10-14T08:41:40.6186474Z ignore-unfixed: true
2024-10-14T08:41:40.6186761Z exit-code: 1
2024-10-14T08:41:40.6187017Z cache-dir: .trivy
2024-10-14T08:41:40.6187469Z vuln-type: os,library
2024-10-14T08:41:40.6187811Z list-all-pkgs: false
2024-10-14T08:41:40.6188099Z version: v0.56.1
2024-10-14T08:41:40.6188359Z cache: true
2024-10-14T08:41:40.6188596Z env:
2024-10-14T08:41:40.6188828Z MAVEN_USERNAME:
2024-10-14T08:41:40.6189100Z MAVEN_PASSWORD:
2024-10-14T08:41:40.6189522Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6190174Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6190706Z TRIVY_EXIT_CODE: 0
2024-10-14T08:41:40.6190987Z TRIVY_FORMAT: json
2024-10-14T08:41:40.6191281Z TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:40.6191622Z ##[endgroup]
2024-10-14T08:41:40.6245958Z ##[group]Run aquasecurity/setup-trivy@v0.1.0
2024-10-14T08:41:40.6246342Z with:
2024-10-14T08:41:40.6246585Z version: v0.56.1
2024-10-14T08:41:40.6246859Z cache: true
2024-10-14T08:41:40.6247106Z env:
2024-10-14T08:41:40.6247555Z MAVEN_USERNAME:
2024-10-14T08:41:40.6247867Z MAVEN_PASSWORD:
2024-10-14T08:41:40.6248303Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6248974Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6249487Z TRIVY_EXIT_CODE: 0
2024-10-14T08:41:40.6249771Z TRIVY_FORMAT: json
2024-10-14T08:41:40.6250071Z TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:40.6250403Z ##[endgroup]
2024-10-14T08:41:40.6275170Z ##[group]Run lowercase_repo=$(echo "Linux" | tr '[:upper:]' '[:lower:]')
2024-10-14T08:41:40.6275803Z lowercase_repo=$(echo "Linux" | tr '[:upper:]' '[:lower:]')
2024-10-14T08:41:40.6276387Z echo "PLATFORM=${lowercase_repo}" >> $GITHUB_OUTPUT
2024-10-14T08:41:40.6324834Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:40.6325274Z env:
2024-10-14T08:41:40.6325511Z MAVEN_USERNAME:
2024-10-14T08:41:40.6325796Z MAVEN_PASSWORD:
2024-10-14T08:41:40.6326222Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6326868Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6327528Z TRIVY_EXIT_CODE: 0
2024-10-14T08:41:40.6327813Z TRIVY_FORMAT: json
2024-10-14T08:41:40.6328109Z TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:40.6328439Z ##[endgroup]
2024-10-14T08:41:40.6438385Z ##[group]Run if [ "X64" == "X86" ]; then
2024-10-14T08:41:40.6438769Z if [ "X64" == "X86" ]; then
2024-10-14T08:41:40.6439176Z  echo "ARCH=32bit" >> $GITHUB_OUTPUT
2024-10-14T08:41:40.6439576Z elif [ "X64" == "X64" ]; then
2024-10-14T08:41:40.6439966Z  echo "ARCH=64bit" >> $GITHUB_OUTPUT
2024-10-14T08:41:40.6440368Z elif [ "X64" == "ARM" ]; then
2024-10-14T08:41:40.6440748Z  echo "ARCH=arm" >> $GITHUB_OUTPUT
2024-10-14T08:41:40.6441134Z elif [ "X64" == "ARM64" ]; then
2024-10-14T08:41:40.6441535Z  echo "ARCH=arm64" >> $GITHUB_OUTPUT
2024-10-14T08:41:40.6441897Z else
2024-10-14T08:41:40.6442195Z  echo "Unsupported architecture"
2024-10-14T08:41:40.6442564Z  exit 1
2024-10-14T08:41:40.6442830Z fi
2024-10-14T08:41:40.6485965Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:40.6486396Z env:
2024-10-14T08:41:40.6486633Z MAVEN_USERNAME:
2024-10-14T08:41:40.6486913Z MAVEN_PASSWORD:
2024-10-14T08:41:40.6487619Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6488505Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6489023Z TRIVY_EXIT_CODE: 0
2024-10-14T08:41:40.6489443Z TRIVY_FORMAT: json
2024-10-14T08:41:40.6489742Z TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:40.6490072Z ##[endgroup]
2024-10-14T08:41:40.6577783Z ##[group]Run if [ "true" == "true" ]; then
2024-10-14T08:41:40.6578208Z if [ "true" == "true" ]; then
2024-10-14T08:41:40.6578611Z  if [ "v0.56.1" == "latest" ]; then
2024-10-14T08:41:40.6579144Z  echo "Trivy binaries caching for 'latest' tag is not supported"
2024-10-14T08:41:40.6579646Z  else
2024-10-14T08:41:40.6579988Z  echo "CACHE=enable" >> $GITHUB_OUTPUT
2024-10-14T08:41:40.6580375Z  fi
2024-10-14T08:41:40.6580631Z fi
2024-10-14T08:41:40.6623378Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:40.6623818Z env:
2024-10-14T08:41:40.6624062Z MAVEN_USERNAME:
2024-10-14T08:41:40.6624356Z MAVEN_PASSWORD:
2024-10-14T08:41:40.6624786Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6625451Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6625953Z TRIVY_EXIT_CODE: 0
2024-10-14T08:41:40.6626232Z TRIVY_FORMAT: json
2024-10-14T08:41:40.6626538Z TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:40.6626884Z ##[endgroup]
2024-10-14T08:41:40.6759760Z ##[group]Run jaxxstorm/action-install-gh-release@v1.10.0
2024-10-14T08:41:40.6760211Z with:
2024-10-14T08:41:40.6760479Z repo: aquasecurity/trivy
2024-10-14T08:41:40.6760797Z tag: v0.56.1
2024-10-14T08:41:40.6761064Z platform: linux
2024-10-14T08:41:40.6761343Z arch: 64bit
2024-10-14T08:41:40.6761598Z cache: enable
2024-10-14T08:41:40.6761975Z token: ***
2024-10-14T08:41:40.6762257Z extension-matching: enable
2024-10-14T08:41:40.6762573Z env:
2024-10-14T08:41:40.6762810Z MAVEN_USERNAME:
2024-10-14T08:41:40.6763088Z MAVEN_PASSWORD:
2024-10-14T08:41:40.6763531Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6764198Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6764703Z TRIVY_EXIT_CODE: 0
2024-10-14T08:41:40.6764992Z TRIVY_FORMAT: json
2024-10-14T08:41:40.6765291Z TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:40.6765623Z ##[endgroup]
2024-10-14T08:41:40.8309634Z ==> System reported platform: linux
2024-10-14T08:41:40.8310769Z ==> Using platform: linux
2024-10-14T08:41:40.8313376Z ==> System reported arch: x64
2024-10-14T08:41:40.8313975Z ==> Using arch: 64bit
2024-10-14T08:41:40.8314900Z ==> Using default file extension matching: .(tar.gz|zip)
2024-10-14T08:41:40.8316634Z ==> Binaries will be located at: /opt/hostedtoolcache/aquasecurity/trivy/v0.56.1/linux-64bit
2024-10-14T08:41:42.4093680Z Received 8388608 of 37531381 (22.4%), 8.0 MBs/sec
2024-10-14T08:41:42.7284759Z Received 37531381 of 37531381 (100.0%), 27.1 MBs/sec
2024-10-14T08:41:42.7285800Z Cache Size: ~36 MB (37531381 B)
2024-10-14T08:41:42.7315931Z [command]/usr/bin/tar -xf /home/runner/work/_temp/2236305b-ea26-4eef-b6b2-a5334489f6d8/cache.tzst -P -C /home/runner/work/jwt-servlet-auth/jwt-servlet-auth --use-compress-program unzstd
2024-10-14T08:41:42.9571509Z Cache restored successfully
2024-10-14T08:41:42.9659393Z Found trivy in the cache: /opt/hostedtoolcache/aquasecurity/trivy/v0.56.1/linux-64bit
2024-10-14T08:41:42.9890440Z ##[group]Run echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
2024-10-14T08:41:42.9891364Z echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
2024-10-14T08:41:42.9946579Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:42.9947037Z env:
2024-10-14T08:41:42.9947466Z MAVEN_USERNAME:
2024-10-14T08:41:42.9947969Z MAVEN_PASSWORD:
2024-10-14T08:41:42.9948646Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:42.9949944Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:42.9950810Z TRIVY_EXIT_CODE: 0
2024-10-14T08:41:42.9951307Z TRIVY_FORMAT: json
2024-10-14T08:41:42.9952007Z TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:42.9952583Z ##[endgroup]
2024-10-14T08:41:43.0226240Z ##[group]Run actions/cache@v4
2024-10-14T08:41:43.0226835Z with:
2024-10-14T08:41:43.0227148Z path: .trivy
2024-10-14T08:41:43.0227642Z key: cache-trivy-2024-10-14
2024-10-14T08:41:43.0227992Z restore-keys: cache-trivy-
2024-10-14T08:41:43.0228334Z enableCrossOsArchive: false
2024-10-14T08:41:43.0228678Z fail-on-cache-miss: false
2024-10-14T08:41:43.0228995Z lookup-only: false
2024-10-14T08:41:43.0229281Z save-always: false
2024-10-14T08:41:43.0229557Z env:
2024-10-14T08:41:43.0229796Z MAVEN_USERNAME:
2024-10-14T08:41:43.0230084Z MAVEN_PASSWORD:
2024-10-14T08:41:43.0230524Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:43.0231226Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:43.0231755Z TRIVY_EXIT_CODE: 0
2024-10-14T08:41:43.0232045Z TRIVY_FORMAT: json
2024-10-14T08:41:43.0232365Z TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:43.0232702Z ##[endgroup]
2024-10-14T08:41:44.6439364Z Received 4194304 of 685706255 (0.6%), 4.0 MBs/sec
2024-10-14T08:41:45.6444016Z Received 109051904 of 685706255 (15.9%), 52.0 MBs/sec
2024-10-14T08:41:46.6449329Z Received 234881024 of 685706255 (34.3%), 74.6 MBs/sec
2024-10-14T08:41:47.6455977Z Received 343932928 of 685706255 (50.2%), 82.0 MBs/sec
2024-10-14T08:41:48.6453611Z Received 465567744 of 685706255 (67.9%), 88.8 MBs/sec
2024-10-14T08:41:49.6454591Z Received 574619648 of 685706255 (83.8%), 91.3 MBs/sec
2024-10-14T08:41:50.5401949Z Cache Size: ~654 MB (685706255 B)
2024-10-14T08:41:50.5443705Z [command]/usr/bin/tar -xf /home/runner/work/_temp/83221014-e858-4a5b-b82d-602997efe21a/cache.tzst -P -C /home/runner/work/jwt-servlet-auth/jwt-servlet-auth --use-compress-program unzstd
2024-10-14T08:41:50.6456412Z Received 685706255 of 685706255 (100.0%), 93.4 MBs/sec
2024-10-14T08:41:53.0321652Z Cache restored successfully
2024-10-14T08:41:53.5180855Z Cache restored from key: cache-trivy-2024-10-14
2024-10-14T08:41:53.5687162Z ##[group]Run echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
2024-10-14T08:41:53.5687959Z echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
2024-10-14T08:41:53.5737235Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:53.5737809Z env:
2024-10-14T08:41:53.5738077Z MAVEN_USERNAME:
2024-10-14T08:41:53.5738381Z MAVEN_PASSWORD:
2024-10-14T08:41:53.5738830Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:53.5739515Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:53.5740053Z TRIVY_EXIT_CODE: 0
2024-10-14T08:41:53.5740353Z TRIVY_FORMAT: json
2024-10-14T08:41:53.5740671Z TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:53.5741240Z GITHUB_ACTION_PATH: /home/runner/work/_actions/aquasecurity/trivy-action/master
2024-10-14T08:41:53.5741780Z ##[endgroup]
2024-10-14T08:41:53.7151555Z ##[group]Run # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
2024-10-14T08:41:53.7152709Z # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
2024-10-14T08:41:53.7153608Z # This limitation affects how we handle default values and empty inputs.
2024-10-14T08:41:53.7154480Z # For more information, see: https://github.com/actions/runner/issues/924
2024-10-14T08:41:53.7155035Z
2024-10-14T08:41:53.7155582Z # Function to set environment variable only if the input is provided and different from default
2024-10-14T08:41:53.7156244Z set_env_var_if_provided() {
2024-10-14T08:41:53.7156618Z  local var_name="$1"
2024-10-14T08:41:53.7156975Z  local input_value="$2"
2024-10-14T08:41:53.7157798Z  local default_value="$3"
2024-10-14T08:41:53.7158179Z
2024-10-14T08:41:53.7158606Z  if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then
2024-10-14T08:41:53.7159352Z  echo "$var_name=$input_value" >> $GITHUB_ENV
2024-10-14T08:41:53.7159780Z  fi
2024-10-14T08:41:53.7160044Z }
2024-10-14T08:41:53.7160301Z
2024-10-14T08:41:53.7160711Z # Set environment variables, handling those with default values
2024-10-14T08:41:53.7161527Z # cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
2024-10-14T08:41:53.7162239Z set_env_var_if_provided "TRIVY_INPUT" "" ""
2024-10-14T08:41:53.7162742Z set_env_var_if_provided "TRIVY_EXIT_CODE" "1" ""
2024-10-14T08:41:53.7163310Z set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "true" "false"
2024-10-14T08:41:53.7163954Z set_env_var_if_provided "TRIVY_PKG_TYPES" "os,library" "os,library"
2024-10-14T08:41:53.7164732Z set_env_var_if_provided "TRIVY_SEVERITY" "HIGH,CRITICAL" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
2024-10-14T08:41:53.7165459Z set_env_var_if_provided "TRIVY_FORMAT" "table" "table"
2024-10-14T08:41:53.7165997Z set_env_var_if_provided "TRIVY_TEMPLATE" "" ""
2024-10-14T08:41:53.7166592Z set_env_var_if_provided "TRIVY_OUTPUT" "" ""
2024-10-14T08:41:53.7167090Z set_env_var_if_provided "TRIVY_SKIP_DIRS" "" ""
2024-10-14T08:41:53.7167850Z set_env_var_if_provided "TRIVY_SKIP_FILES" "" ""
2024-10-14T08:41:53.7168381Z set_env_var_if_provided "TRIVY_TIMEOUT" "" ""
2024-10-14T08:41:53.7168897Z set_env_var_if_provided "TRIVY_IGNORE_POLICY" "" ""
2024-10-14T08:41:53.7169403Z set_env_var_if_provided "TRIVY_QUIET" "" ""
2024-10-14T08:41:53.7169948Z set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "false" "false"
2024-10-14T08:41:53.7170504Z set_env_var_if_provided "TRIVY_SCANNERS" "" ""
2024-10-14T08:41:53.7170999Z set_env_var_if_provided "TRIVY_CONFIG" "" ""
2024-10-14T08:41:53.7171484Z set_env_var_if_provided "TRIVY_TF_VARS" "" ""
2024-10-14T08:41:53.7171992Z set_env_var_if_provided "TRIVY_DOCKER_HOST" "" ""
2024-10-14T08:41:53.7221289Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:53.7221737Z env:
2024-10-14T08:41:53.7222001Z MAVEN_USERNAME:
2024-10-14T08:41:53.7222295Z MAVEN_PASSWORD:
2024-10-14T08:41:53.7222751Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:53.7223415Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:53.7223942Z TRIVY_EXIT_CODE: 0
2024-10-14T08:41:53.7224235Z TRIVY_FORMAT: json
2024-10-14T08:41:53.7224554Z TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:53.7224910Z ##[endgroup]
2024-10-14T08:41:53.9044049Z ##[group]Run entrypoint.sh
2024-10-14T08:41:53.9044419Z entrypoint.sh
2024-10-14T08:41:53.9093177Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:53.9093643Z env:
2024-10-14T08:41:53.9093904Z MAVEN_USERNAME:
2024-10-14T08:41:53.9094203Z MAVEN_PASSWORD:
2024-10-14T08:41:53.9094648Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:53.9095328Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:53.9095847Z TRIVY_EXIT_CODE: 1
2024-10-14T08:41:53.9096148Z TRIVY_FORMAT: json
2024-10-14T08:41:53.9096456Z TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:53.9096827Z TRIVY_IGNORE_UNFIXED: true
2024-10-14T08:41:53.9097174Z TRIVY_SEVERITY: HIGH,CRITICAL
2024-10-14T08:41:53.9097786Z INPUT_SCAN_TYPE: fs
2024-10-14T08:41:53.9098090Z INPUT_IMAGE_REF:
2024-10-14T08:41:53.9098374Z INPUT_SCAN_REF: .
2024-10-14T08:41:53.9098666Z INPUT_TRIVYIGNORES:
2024-10-14T08:41:53.9098966Z INPUT_GITHUB_PAT:
2024-10-14T08:41:53.9099281Z INPUT_LIMIT_SEVERITIES_FOR_SARIF:
2024-10-14T08:41:53.9099811Z TRIVY_CACHE_DIR: .trivy
2024-10-14T08:41:53.9100132Z ##[endgroup]
2024-10-14T08:41:53.9184181Z Running Trivy with options: trivy fs .
2024-10-14T08:41:53.9809018Z 2024-10-14T08:41:53Z INFO [vuln] Vulnerability scanning is enabled
2024-10-14T08:41:53.9809749Z 2024-10-14T08:41:53Z INFO [secret] Secret scanning is enabled
2024-10-14T08:41:53.9810656Z 2024-10-14T08:41:53Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T08:41:53.9812014Z 2024-10-14T08:41:53Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T08:41:55.5352791Z 2024-10-14T08:41:55Z INFO Number of language-specific files num=12
2024-10-14T08:41:55.5354051Z 2024-10-14T08:41:55Z INFO [pom] Detecting vulnerabilities...
2024-10-14T08:41:55.5726236Z ##[group]Run echo version=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec) >> $GITHUB_OUTPUT
2024-10-14T08:41:55.5727684Z echo version=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec) >> $GITHUB_OUTPUT
2024-10-14T08:41:55.5776866Z shell: /usr/bin/bash -e {0}
2024-10-14T08:41:55.5777211Z env:
2024-10-14T08:41:55.5777763Z MAVEN_USERNAME:
2024-10-14T08:41:55.5778074Z MAVEN_PASSWORD:
2024-10-14T08:41:55.5778521Z JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:55.5779207Z JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:55.5779743Z TRIVY_EXIT_CODE: 1
2024-10-14T08:41:55.5780050Z TRIVY_FORMAT: json
2024-10-14T08:41:55.5780371Z TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:55.5780736Z TRIVY_IGNORE_UNFIXED: true
2024-10-14T08:41:55.5781074Z TRIVY_SEVERITY: HIGH,CRITICAL
2024-10-14T08:41:55.5781456Z ##[endgroup]

This is from https://github.com/telicent-oss/jwt-servlet-auth/actions/runs/11323718298/job/31487698417 if you want to see the GitHub Actions output directly; I copied and pasted the relevant sections above as Actions workflow logs expire after a time. Note that run was still using `v0.1.0` of the `setup-trivy` action, but the same issue can be seen even if explicitly using `v0.2.0`. I've put together a small test repository with various example workflows at https://github.com/rvesse/setup-trivy-debugging

With the previous Docker-based Trivy action this wasn't an issue, as GitHub Actions would build the image once and then use it each time we invoked the `trivy-action`.

(Aside - Yes, you have the option of caching the binary install, in which case steps would be skipped, BUT caching doesn't work with the `latest` version and for my company we always want to be using the latest version)

One possibility might be to set an environment variable at the conclusion of the composite action and use that to make subsequent invocations conditional, but there could be other ways. I'll throw together a quick PR for you guys to look at, but feel free to solve this other ways as well.
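
One way the environment-variable guard proposed above could work, as an added example that is not part of the original issue or of the `setup-trivy` code. The marker name `SETUP_TRIVY_INSTALLED_VERSION`, the functions and the fake installer are hypothetical, and the `Version:` line printed by `trivy --version` is an assumption. Because any earlier step can write to `GITHUB_ENV`, the marker is only honoured when the binary it vouches for is present and reports the same version.

```shell
# Hypothetical marker name; GITHUB_ENV is the runner-provided file whose
# KEY=VALUE lines become environment variables for later steps of the job.

# Constructed stand-in for the real download: writes a fake trivy binary
# and counts each call so repeated installs are visible.
install_tool() {
  mkdir -p "$2"
  printf '#!/bin/sh\necho "Version: %s"\n' "${1#v}" > "$2/trivy"
  chmod +x "$2/trivy"
  INSTALL_COUNT=$(( ${INSTALL_COUNT:-0} + 1 ))
}

# True when the binary in $2 exists and reports version $1 ("latest" only
# requires that it exists, since there is no number to compare).
binary_matches() {
  [ -x "$2/trivy" ] || return 1
  [ "$1" = "latest" ] && return 0
  "$2/trivy" --version 2>/dev/null | grep -qxF "Version: ${1#v}"
}

# Install unless an earlier invocation in this job left a matching marker
# AND the binary it vouches for is still there. Sets LAST_ACTION.
ensure_installed() {
  if [ "${SETUP_TRIVY_INSTALLED_VERSION:-}" = "$1" ] && binary_matches "$1" "$2"; then
    LAST_ACTION="skipped"
    return 0
  fi
  install_tool "$1" "$2"
  echo "SETUP_TRIVY_INSTALLED_VERSION=$1" >> "$GITHUB_ENV"
  LAST_ACTION="installed"
}

# Constructed emulation of the runner: export what earlier steps wrote to
# GITHUB_ENV, as happens between real workflow steps.
next_step() {
  while IFS='=' read -r key value; do
    export "$key=$value"
  done < "$GITHUB_ENV"
}

# Demo with constructed paths: three invocations in one job, one install.
GITHUB_ENV="$(mktemp)"; BIN_DIR="$(mktemp -d)"
for scan in 1 2 3; do
  ensure_installed "v0.56.1" "$BIN_DIR"
  echo "invocation $scan: $LAST_ACTION"
  next_step
done
```
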