Skip to content

STAC-25082: add skip-files input to scan-image action #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
viliakov merged 1 commit into from
Jun 22, 2026
Merged

STAC-25082: add skip-files input to scan-image action #19

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions .github/actions/scan-image/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,15 @@ Input/output reference: [`action.yml`](./action.yml).
8. Exits non-zero if any finding is unmanaged or has an expired
exception.

## Skipping upstream binaries

Use the `skip-files` input to exclude specific in-image paths from the
vulnerability scanners when a binary is shipped from upstream and we don't
maintain a per-CVE audit trail for it (e.g. statically-linked Go binaries
like `sops` or `terraform`). Paths are passed to Trivy as `--skip-files`
and to Grype as `--exclude`. The Trivy **secrets** scan deliberately
ignores this list — secret coverage stays comprehensive across every file.

## Exception files

Consumer repos write YAML files matching
Expand Down
33 changes: 32 additions & 1 deletion .github/actions/scan-image/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,16 @@ inputs:
description: "Also run Grype against the image"
required: false
default: "true"
skip-files:
description: |
Optional newline-separated list of absolute paths inside the image to
skip during vulnerability scanning. Use for upstream binaries we ship
but don't audit per-CVE (e.g. /usr/bin/sops, /work/.tfenv/.../terraform).
Passed to Trivy as --skip-files and to Grype as --exclude. The Trivy
secrets scan is NOT subject to this list — secret coverage stays
comprehensive.
required: false
default: ""
upload-sarif:
description: "Upload SARIF to GHAS Code Scanning"
required: false
Expand Down Expand Up @@ -170,10 +180,22 @@ runs:
env:
INPUT_IMAGE: ${{ inputs.image }}
INPUT_SEVERITY: ${{ inputs.severity }}
INPUT_SKIP_FILES: ${{ inputs.skip-files }}
GITHUB_TOKEN: ${{ github.token }}
run: |
set -euo pipefail

skip_args=()
while IFS= read -r path; do
path="${path#"${path%%[![:space:]]*}"}"
path="${path%"${path##*[![:space:]]}"}"
[ -z "${path}" ] && continue
skip_args+=(--skip-files "${path}")
done <<< "${INPUT_SKIP_FILES}"

trivy image \
--scanners vuln \
"${skip_args[@]}" \
--format json \
--output reports/trivy.json \
--severity "${INPUT_SEVERITY}" \
Expand All @@ -190,6 +212,7 @@ runs:
shell: bash
env:
INPUT_IMAGE: ${{ inputs.image }}
INPUT_SKIP_FILES: ${{ inputs.skip-files }}
run: |
set -euo pipefail

Expand All @@ -205,8 +228,16 @@ runs:
exit 1
fi

skip_args=()
while IFS= read -r path; do
path="${path#"${path%%[![:space:]]*}"}"
path="${path%"${path##*[![:space:]]}"}"
[ -z "${path}" ] && continue
skip_args+=(--exclude "${path}")
done <<< "${INPUT_SKIP_FILES}"

echo "::group::Grype vuln report (table)"
grype "${INPUT_IMAGE}" "${vex_args[@]}" --by-cve -o table -o "json=reports/grype.json"
grype "${INPUT_IMAGE}" "${vex_args[@]}" "${skip_args[@]}" --by-cve -o table -o "json=reports/grype.json"
echo "::endgroup::"

- name: Evaluate
Expand Down
Loading