
Add support for scan-type: 'sbom' #173

Closed
luafanti opened this issue Oct 11, 2022 · 3 comments · Fixed by #314
Labels: enhancement (New feature or request), help wanted (Extra attention is needed)

Comments

@luafanti

It would be nice if trivy-action could support vulnerability scanning based on a pre-generated SBOM file. Using the Trivy CLI it is possible:

trivy sbom /path/to/cyclonedx.json

https://aquasecurity.github.io/trivy/v0.32/docs/sbom/cyclonedx/

I tried the below configuration with trivy-action but it fails.

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'sbom'
          scan-ref: "trivy-sbom.json"
          format: 'sarif'
          output: 'trivy-vuln.sarif'

Looks like the scan-ref value with scan-type: sbom is not passed to the final trivy command. See attached image for details.


simar7 added the labels enhancement (New feature or request) and help wanted (Extra attention is needed) on Oct 18, 2022

saerosV (Contributor) commented Nov 3, 2022

Hey @luafanti.

The "generating SBOM" feature was added by #129. It's not exactly what you asked for, but here's the documentation.
It should serve as a reference for anyone looking to implement the feature you mentioned, in the future.

Note that instead of scan-type: 'sbom', you should use scan-type: 'fs'.

drew-viles commented Apr 5, 2023

Hey @luafanti

So, it's a little bit hacky but you can create & scan SBOMs even though it's not listed as something you can do using the action in the same way you would using Trivy on the CLI.

My case was that I wanted to replicate the CLI command for generating an SBOM for an image as shown here: https://aquasecurity.github.io/trivy/v0.39/docs/sbom/spdx/

I've found using fs as the type just scans the repo and that's not what I was looking for. I wanted to essentially replicate what is in that link for image SBOM generation and scanning.

I could use a combination of Syft and Grype for this, but I'm a Trivy guy and the CLI supports this, so I dug through the entrypoint.sh script. The good news is that nowhere in it does it check the type and throw anything out that isn't supported, meaning you can do the following:

Generate an SBOM for an image

    - name: Create SBOM
      uses: aquasecurity/trivy-action@0.9.2
      id: create-sbom
      with:
        scan-type: image
        format: spdx-json
        output: "sbom.spdx.json"
        image-ref: "alpine:3.17"

This works because defining a format of spdx or spdx-json disables security scanning by default, causing an SBOM to be generated. It creates this command and output:

Running trivy with options: trivy image  --format spdx-json --severity  HIGH,CRITICAL --output  sbom.spdx.json  [local/cloud-cli-tools:CN-130-grype-to-trivy](alpine:3.17)

Global options:  
INFO	"--format spdx" and "--format spdx-json" disable security scanning

You can then scan the SBOM by passing the file in as the image-ref because again, there are no actual checks done against the image-ref to make sure it's actually an image.

    - name: Scan SBOM
      uses: aquasecurity/trivy-action@0.9.2
      id: scan-sbom
      with:
        scan-type: sbom
        format: json
        image-ref: "sbom.spdx.json"
        output: "sbom-results.json"
        ignore-unfixed: true
        exit-code: '1'

Due to how the CLI and the script behind this action work, the image just gets dumped at the end of the command, so this ends up generating this command:

trivy sbom  --format json --severity  MEDIUM,HIGH,CRITICAL --output  sbom-results.json --exit-code  1 --ignore-unfixed sbom.spdx.json

It'd be nice if this was built into the action, and maybe if I have time I'll contribute this, but for now it's something that we can do.

Even something as simple as changing the image-ref input to input-ref would be sufficient.
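A post-processing gate over the sbom-results.json that the "Scan SBOM" step above writes, as an added example that is not code from this thread or from the trivy-action project. It reproduces the effect of --severity, --ignore-unfixed and --exit-code 1 on a Trivy JSON report, which helps when the action's own exit code is not enough (for example, a per-target summary in the job log, or a different policy for unfixed findings). It assumes the Trivy JSON report layout (top-level Results, each with Target and an optional Vulnerabilities list whose entries carry VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity); the embedded sample report is constructed for illustration and its CVE IDs are placeholders, not real advisories.

```python
"""Policy gate over a Trivy JSON report written by `trivy sbom --format json`.

Added example, not code from trivy-action. Assumes the Trivy JSON layout
(top-level "Results", each with "Target" and an optional "Vulnerabilities"
list). The sample report below is constructed; its CVE IDs are placeholders.
"""
import json
import sys

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample report (not real scanner output). The second Result has
# no "Vulnerabilities" key: Trivy omits it when a target is clean, so a
# parser must not assume the key is present.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "sbom.spdx.json",
    "ArtifactType": "spdx",
    "Results": [
        {
            "Target": "alpine:3.17 (alpine 3.17.2)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libcrypto3",
                 "InstalledVersion": "3.0.8-r0", "FixedVersion": "3.0.8-r1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "busybox",
                 "InstalledVersion": "1.35.0-r29", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "zlib",
                 "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1",
                 "Severity": "MEDIUM"},
            ],
        },
        {"Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip"},
    ],
})


def load_findings(report_json):
    """Flatten Results[*].Vulnerabilities[*] into plain dicts."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", "") or "",
                "severity": sev if sev in SEVERITIES else "UNKNOWN",
            })
    return findings


def filter_findings(findings, severities=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """Mirror --severity (an explicit list, as Trivy takes it) and --ignore-unfixed."""
    wanted = {s.upper() for s in severities}
    kept = []
    for f in findings:
        if f["severity"] not in wanted:
            continue
        if ignore_unfixed and not f["fixed"]:
            continue
        kept.append(f)
    return kept


def exit_code_for(findings, severities=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """Like --exit-code 1: non-zero iff something survives the filter."""
    return 1 if filter_findings(findings, severities, ignore_unfixed) else 0


def summarize(findings):
    """Per-severity counts over all findings, before any filtering."""
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def main(argv):
    # Usage: python gate.py sbom-results.json   (no argument: use the sample)
    report_json = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    findings = load_findings(report_json)
    for f in filter_findings(findings):
        print(f"{f['severity']:<8} {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} [{f['target']}]")
    print("all findings by severity:", summarize(findings))
    return exit_code_for(findings)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step after "Scan SBOM" with the report path as the argument; the process exit code follows the same rule as the action's exit-code: '1' input, and the unfiltered summary is printed so that findings hidden by ignore-unfixed are still visible in the job log.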

@ismaelhamed

@drew-viles thanks for the time-saving hack! Much appreciated!
