# Forgejo Trivy Action 🔒

A reusable Forgejo/Gitea Actions workflow for running Trivy security scans and automatically creating/updating issues when vulnerabilities are found.

## Features

- ✅ Trivy Security Scanning - Supports filesystem, image, config, and repo scans
- ✅ Automatic Issue Management - Creates or updates Forgejo issues
- ✅ No Duplicate Issues - Intelligently updates existing issues
- ✅ Customizable - Configurable severity levels, labels, and scan types
- ✅ Artifact Upload - Saves scan reports for download
- ✅ Multiple Formats - Generates both table (human-readable) and JSON reports
## Usage

### Basic Example

```yaml
name: Security Scan

on:
  push:
    branches: [main]
  schedule:
    - cron: '0 9 * * 1'  # Weekly on Monday

jobs:
  security-scan:
    runs-on: security
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy scan
        uses: ftmahringer/forgejo-trivy-action@v1
        with:
          forgejo-url: https://forgejo.ftmahringer.com
          forgejo-token: ${{ secrets.FORGEJO_TOKEN }}
          repository: ${{ github.repository }}
          branch: ${{ github.ref_name }}
          commit: ${{ github.sha }}
```
### Advanced Example

```yaml
- name: Run Trivy scan with custom settings
  uses: ftmahringer/forgejo-trivy-action@v1
  with:
    # Scan configuration
    scan-type: fs
    scan-ref: .
    severity: CRITICAL,HIGH,MEDIUM
    ignore-unfixed: false

    # Forgejo integration
    forgejo-url: https://forgejo.ftmahringer.com
    forgejo-token: ${{ secrets.FORGEJO_TOKEN }}
    repository: ${{ github.repository }}
    branch: ${{ github.ref_name }}
    commit: ${{ github.sha }}

    # Issue configuration
    issue-title: '[Security] Vulnerabilities in ${{ github.ref_name }}'
    issue-labels: security,vulnerability,automated
    create-issue: true

    # Artifact configuration
    upload-artifacts: true
    artifact-retention-days: 60

    # Trivy configuration
    trivy-version: latest
    exit-code: 1
```
### Scan Docker Images

```yaml
- name: Build Docker image
  run: docker build -t myapp:latest .

- name: Scan Docker image
  uses: ftmahringer/forgejo-trivy-action@v1
  with:
    scan-type: image
    scan-ref: myapp:latest
    forgejo-url: https://forgejo.ftmahringer.com
    forgejo-token: ${{ secrets.FORGEJO_TOKEN }}
    repository: ${{ github.repository }}
    branch: ${{ github.ref_name }}
    commit: ${{ github.sha }}
```
### Scan Only (No Issues)

```yaml
- name: Run Trivy scan without creating issues
  uses: ftmahringer/forgejo-trivy-action@v1
  with:
    scan-type: fs
    scan-ref: .
    create-issue: false
    forgejo-url: https://forgejo.ftmahringer.com
    forgejo-token: ${{ secrets.FORGEJO_TOKEN }}
    repository: ${{ github.repository }}
    branch: ${{ github.ref_name }}
    commit: ${{ github.sha }}
```
## Inputs

| Input | Description | Required | Default |
|---|---|---|---|
| `scan-type` | Type of scan (`fs`, `image`, `config`, `repo`) | No | `fs` |
| `scan-ref` | Path or image to scan | No | `.` |
| `severity` | Severities to scan for | No | `HIGH,CRITICAL` |
| `exit-code` | Exit code when vulnerabilities found | No | `1` |
| `forgejo-url` | Forgejo instance URL | Yes | - |
| `forgejo-token` | Forgejo access token | Yes | - |
| `repository` | Repository (`owner/repo`) | Yes | - |
| `branch` | Current branch name | Yes | - |
| `commit` | Current commit SHA | Yes | - |
| `issue-title` | Title for security issues | No | `[Security] Trivy vulnerabilities detected` |
| `issue-labels` | Labels for issues (comma-separated) | No | `security,vulnerability` |
| `create-issue` | Whether to create/update issues | No | `true` |
| `trivy-version` | Trivy Docker image version | No | `latest` |
| `ignore-unfixed` | Ignore unfixed vulnerabilities | No | `false` |
| `upload-artifacts` | Upload scan reports as artifacts | No | `true` |
| `artifact-retention-days` | Days to retain artifacts | No | `30` |
## Outputs

| Output | Description |
|---|---|
| `exit-code` | Exit code from Trivy scan (0 = clean, 1 = vulnerabilities) |
| `vulnerabilities-found` | Whether vulnerabilities were found (`true`/`false`) |
| `issue-number` | Forgejo issue number (if created/updated) |
| `issue-url` | URL to the Forgejo issue |
### Using Outputs

```yaml
- name: Run Trivy scan
  id: trivy
  uses: ftmahringer/forgejo-trivy-action@v1
  with:
    forgejo-url: https://forgejo.ftmahringer.com
    forgejo-token: ${{ secrets.FORGEJO_TOKEN }}
    repository: ${{ github.repository }}
    branch: ${{ github.ref_name }}
    commit: ${{ github.sha }}

- name: Check scan results
  run: |
    echo "Vulnerabilities found: ${{ steps.trivy.outputs.vulnerabilities-found }}"
    echo "Exit code: ${{ steps.trivy.outputs.exit-code }}"
    echo "Issue URL: ${{ steps.trivy.outputs.issue-url }}"
```
## Requirements

### Forgejo Token

Create a Personal Access Token with the following permissions:

- `read:repo` - Read repository information
- `write:issue` - Create and update issues

Steps:

1. Go to `https://your-forgejo.com/user/settings/applications`
2. Click "Generate New Token"
3. Name: `Trivy Security Scanner`
4. Select permissions: `read:repo`, `write:issue`
5. Generate and copy the token
6. Add to repository secrets as `FORGEJO_TOKEN`

### Runner Requirements

- Docker installed and accessible
- `jq` will be auto-installed if not present
- Internet access to pull Trivy Docker image
## How It Works

- Install jq - Ensures jq is available for JSON processing
- Run Trivy Scan - Scans using Docker with table format
- Create JSON Report - Generates machine-readable report
- Display Results - Shows scan output in workflow logs
- Manage Issues - Creates new issue or comments on existing
- Upload Artifacts - Saves reports for download
- Fail on Vulnerabilities - Exits with error code if vulnerabilities found
## Issue Management

### First Scan with Vulnerabilities

- Creates a new issue with title: `[Security] Trivy vulnerabilities detected`
- Tags with labels: `security`, `vulnerability`
- Includes full scan results in code block

### Subsequent Scans

- Searches for existing open issue with same title
- Adds comment with new scan results
- No duplicate issues created

### Manual Resolution

Close the issue manually when vulnerabilities are fixed. On the next scan:

- If vulnerabilities still exist → New issue is created
- If clean → No issue created
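The two decisions described in How It Works and in this section (turning the Trivy report into the `exit-code` / `vulnerabilities-found` outputs, and comment-on-open-issue-or-create) as an added example, not code from forgejo-trivy-action itself. The action is a bash script driven by `jq`; this stdlib-only Python reimplementation of the same logic is an assumption about how those steps behave, written so it runs offline. The Trivy report and the Forgejo issue list are constructed sample data, the vulnerability IDs are placeholders, and the function names (`select_vulns`, `scan_outputs`, `plan_issue_action`, `issue_body`) are this example's own.

```python
"""Added example (not code from forgejo-trivy-action): the action is a bash
script driven by jq; this stdlib-only Python mirrors the decisions it has to
make so they can be run and tested offline.  All names below are this
example's own, and the Trivy report / Forgejo issue list are constructed data.
"""
import json

DEFAULT_TITLE = "[Security] Trivy vulnerabilities detected"
FENCE = "`" * 3  # Markdown code fence used in the issue body

# Constructed sample in the shape of `trivy --format json`: each entry of
# Results[] may carry a Vulnerabilities[] list with VulnerabilityID, PkgName,
# Severity and FixedVersion.  The IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "package-lock.json", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib",
              "Severity": "CRITICAL", "FixedVersion": "1.2.3"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-lib",
              "Severity": "HIGH", "FixedVersion": ""},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "other-lib",
              "Severity": "MEDIUM", "FixedVersion": "2.0.0"},
         ]},
        # A result with no findings has no Vulnerabilities key at all; a naive
        # `.Results[].Vulnerabilities[]` jq filter errors on such entries.
        {"Target": "Dockerfile", "Class": "config"},
    ]
})

# Constructed stand-in for the issue list the action fetches from the Forgejo
# API; only number/title/state are used here.
SAMPLE_ISSUES = json.dumps([
    {"number": 3, "title": DEFAULT_TITLE, "state": "closed"},
    {"number": 7, "title": DEFAULT_TITLE, "state": "open"},
    {"number": 9, "title": "Unrelated bug", "state": "open"},
])


def select_vulns(report_json, severity="HIGH,CRITICAL", ignore_unfixed=False):
    """Keep the findings that the `severity` and `ignore-unfixed` inputs allow.
    Defaults match the README's input table."""
    wanted = {s.strip().upper() for s in severity.split(",") if s.strip()}
    kept = []
    for result in json.loads(report_json).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:   # missing key -> []
            if vuln.get("Severity", "UNKNOWN").upper() not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            kept.append(vuln)
    return kept


def scan_outputs(report_json, severity="HIGH,CRITICAL",
                 ignore_unfixed=False, exit_code=1):
    """The action's `exit-code` and `vulnerabilities-found` outputs: 0 when the
    scan is clean, otherwise the configured exit code; the flag is the string
    the workflow sees in ${{ steps.<id>.outputs.vulnerabilities-found }}."""
    found = select_vulns(report_json, severity, ignore_unfixed)
    return {
        "exit-code": exit_code if found else 0,
        "vulnerabilities-found": "true" if found else "false",
        "count": len(found),
    }


def plan_issue_action(issues_json, title=DEFAULT_TITLE):
    """Issue-management rule: comment on an OPEN issue with the same title,
    otherwise create a new one.  Closed issues with that title are ignored,
    which is why closing an issue manually leads to a fresh one next time."""
    for issue in json.loads(issues_json):
        if issue.get("state") == "open" and issue.get("title") == title:
            return ("comment", issue["number"])
    return ("create", None)


def issue_body(findings, branch, commit):
    """Issue/comment text: one header line, then the findings inside a fenced
    code block so the columns survive Markdown rendering."""
    lines = [f"Trivy found {len(findings)} vulnerabilities on `{branch}` "
             f"(commit {commit[:7]}).", "", FENCE]
    for v in findings:
        fix = v.get("FixedVersion") or "no fix available"
        lines.append(f"{v['VulnerabilityID']:<16} {v['Severity']:<9} "
                     f"{v['PkgName']} -> {fix}")
    lines.append(FENCE)
    return "\n".join(lines)


if __name__ == "__main__":
    print(scan_outputs(SAMPLE_REPORT))
    print(scan_outputs(SAMPLE_REPORT, ignore_unfixed=True))
    print(plan_issue_action(SAMPLE_ISSUES))
    print(issue_body(select_vulns(SAMPLE_REPORT), "main", "0123456789abcdef"))
```

Running the script with the sample data reports two findings (one CRITICAL, one unfixed HIGH) and `exit-code` 1; with `ignore_unfixed=True` only the CRITICAL one remains. The issue planner skips the closed issue 3 and returns a comment action for open issue 7, matching the Subsequent Scans and Manual Resolution behaviour above.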
## Examples

### Replace Existing Security Workflow

Before (inline script):

```yaml
steps:
  - name: Checkout
    uses: actions/checkout@v4

  - name: Run Trivy
    run: |
      docker run --rm -v "$PWD:/project" aquasec/trivy:latest fs \
        --severity HIGH,CRITICAL \
        --format table \
        /project
```

After (using action):

```yaml
steps:
  - name: Checkout
    uses: actions/checkout@v4

  - name: Security Scan
    uses: ftmahringer/forgejo-trivy-action@v1
    with:
      forgejo-url: https://forgejo.ftmahringer.com
      forgejo-token: ${{ secrets.FORGEJO_TOKEN }}
      repository: ${{ github.repository }}
      branch: ${{ github.ref_name }}
      commit: ${{ github.sha }}
```
Benefits:
- ✅ Automatic issue creation
- ✅ No duplicate issues
- ✅ Artifact upload
- ✅ Cleaner workflow file
- ✅ Reusable across repos
## Troubleshooting

### Issue Not Created

Problem: Scan finds vulnerabilities but no issue is created

Solutions:

- Verify `FORGEJO_TOKEN` secret is set
- Check token has `read:repo` and `write:issue` permissions
- Verify `forgejo-url` is correct
- Check workflow logs for API error messages
### Permission Denied

Problem: `ERROR: Failed to create issue (HTTP 403)`

Solution: Regenerate token with correct permissions

### jq Not Found

Problem: `jq: command not found`

Solution: The action auto-installs jq, but if it fails:

- Check runner has internet access
- Manually install jq on runner

### Docker Not Available

Problem: `docker: command not found`

Solution: Ensure Docker is installed on the runner
## License

MIT License - See LICENSE file

## Contributing

Issues and pull requests welcome!

## Author

FTMahringer - https://forgejo.ftmahringer.com

Made with ❤️ for the Forgejo community