Woodpecker CI plugin that uses the trivy utility to check images for vulnerabilities.

Container with trivy for Woodpecker CI

This is a plugin for Woodpecker CI that checks for vulnerabilities with the trivy utility. It can be used in two modes:

  • Running in a pipeline to validate the code itself
  • Running as a cron trigger to scan the repository and its container images

In repo_scan mode, it opens a vulnerability dashboard ticket and updates it accordingly. It adds a "ping comment" when a critical vulnerability is detected.
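As an added illustration (not the plugin's own code), the kind of decision a repo_scan run has to make before posting a "ping comment": parse trivy's JSON report (the `Results[].Vulnerabilities[]` layout of `trivy --format json`), count findings by severity, and collect the CRITICAL ones. The sample report, its target name and its CVE ids are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// trivyReport is the subset of trivy's JSON report schema needed here.
type trivyReport struct {
	Results []struct {
		Target          string `json:"Target"`
		Vulnerabilities []struct {
			VulnerabilityID  string `json:"VulnerabilityID"`
			PkgName          string `json:"PkgName"`
			InstalledVersion string `json:"InstalledVersion"`
			FixedVersion     string `json:"FixedVersion"`
			Severity         string `json:"Severity"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

// Summary is what a dashboard-ticket update would be built from.
type Summary struct {
	BySeverity map[string]int
	Critical   []string // one line per CRITICAL finding
}

// HasCritical is the condition that would trigger a "ping comment".
func (s Summary) HasCritical() bool { return len(s.Critical) > 0 }

// Summarize parses a trivy JSON report and aggregates findings by severity.
func Summarize(reportJSON []byte) (Summary, error) {
	var rep trivyReport
	if err := json.Unmarshal(reportJSON, &rep); err != nil {
		return Summary{}, fmt.Errorf("parse trivy report: %w", err)
	}
	s := Summary{BySeverity: map[string]int{}}
	for _, r := range rep.Results {
		for _, v := range r.Vulnerabilities { // nil when trivy found nothing
			s.BySeverity[v.Severity]++
			if v.Severity != "CRITICAL" {
				continue
			}
			s.Critical = append(s.Critical, fmt.Sprintf("%s: %s %s -> %s in %s",
				v.VulnerabilityID, v.PkgName, v.InstalledVersion, v.FixedVersion, r.Target))
		}
	}
	return s, nil
}

// SampleReport is a constructed report with placeholder ids, not real trivy output.
const SampleReport = `{"Results":[{"Target":"image.tar.gz","Vulnerabilities":[
{"VulnerabilityID":"CVE-PLACEHOLDER-0001","PkgName":"libexample","InstalledVersion":"1.0","FixedVersion":"1.1","Severity":"CRITICAL"},
{"VulnerabilityID":"CVE-PLACEHOLDER-0002","PkgName":"libother","InstalledVersion":"2.3","FixedVersion":"","Severity":"HIGH"}]}]}`
```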

Usage

It can be used on any event.

Example of using it from a release workflow to scan the built image and the local project:

steps:
  - name: Build image locally
    image: code.thinkaboutit.tech/pandora/container-builder.woodpecker
    settings:
      debug: true
      registry_push: false
  - name: Check built image.tar.gz for vulnerabilities
    image: code.thinkaboutit.tech/pandora/trivy.woodpecker
    settings:
      debug: true
  - name: Scan the code of the project
    image: code.thinkaboutit.tech/pandora/trivy.woodpecker
    settings:
      mode: local_fs_scan
      debug: true
  - name: Push the verified image to the repository
    image: code.thinkaboutit.tech/pandora/container-builder.woodpecker
    settings:
      debug: true
      registry_push: true
      registry_push_latest: true
      registry_owner: pandora
      registry_user: bot-ci
      registry_pwd:
        from_secret: gitea-bot-ci

Example of using it to scan the repository:

steps:
  - name: Check built image.tar.gz for vulnerabilities
    image: code.thinkaboutit.tech/pandora/trivy.woodpecker
    settings:
      mode: repo_scan
      forgejo_user:
        from_secret: ci-user
      forgejo_token:
        from_secret: ci-password
      debug: true

Settings

Base settings

| Name | Default value | Description |
| --- | --- | --- |
| mode | local_image_scan | One of local_image_scan, local_fs_scan, scan_file_list or repo_scan |
| repo_name | CI_REPO_NAME | Name of the repository |
| repo_owner | CI_REPO_OWNER | Owner of the repository |
| forgejo_url | CI_FORGE_URL | Address of Forgejo |

Authentication settings

They are needed when repo_scan is specified.

| Name | Default value | Description |
| --- | --- | --- |
| forgejo_user | | User to handle issues |
| forgejo_token | | Access token for the CI user |

File list settings

They are needed when scan_file_list is specified.

| Name | Default value | Description |
| --- | --- | --- |
| file_list | image_list | Name of the file to read |
| forgejo_user (optional) | | User to handle issues |
| forgejo_token (optional) | | Access token for the CI user |