I'm encountering an issue where Trivy scans the entire repository instead of just the changed files or the latest commits.
I initially attempted the fetch-depth: 1 method in the checkout action, but this did not limit the scan to recent changes. Subsequently, I tried the shallow cloning approach I have used with TruffleHog, but Trivy still scanned the entire repository instead of focusing on the modified files (new commits).
What am I doing wrong, or how else can I achieve my goal (scanning only the changed files and the pushed code)?
I am not able to scan with Trivy just the changed files / latest commits. On every scan the whole repo is scanned.
What am I doing wrong, or can I achieve my intention?
I have first tested with the checkout fetch-depth: 1 way; it was not working.
Hi @ameurmeddeb-zero. I don't think this is possible with Trivy; trivy fs will scan all files and directories recursively. If you wanted to scan just Terraform, you could do trivy config (scan-type: config). The fetch with --depth will still include all of the files from your git repository; however, the git history will be incomplete.
You could possibly do this by using git diff on the current versus the last commit, and by piping the paths into Trivy. But I don't see why this would be useful.
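One way to put the git diff idea from the comment above into practice. This is an added example, not code from the issue author or from the trivy-action project: it lists the files added or modified between two refs, keeps only the IaC/config file types (the extension list is an assumption; adjust it to what your repository contains), and runs `trivy config` on each one, failing the job on findings. It assumes `git` and `trivy` are on `PATH` and that both refs are reachable in the checkout.

```shell
#!/bin/sh
# Added example: scan only the files changed between two commits with Trivy.
# Not part of the issue or of trivy-action; git and trivy are assumed on PATH.
set -eu

# Keep only paths Trivy's config scanner is likely to care about.
# The extension list is an assumption; extend it for your repository.
filter_iac_paths() {
  grep -E '\.(tf|tfvars|json|ya?ml)$|(^|/)Dockerfile$' || true
}

# Files added (A) or modified (M) between base and head; deleted files are
# skipped because there is nothing left to scan.
changed_files() {
  git diff --name-only --diff-filter=AM "$1" "$2"
}

# Run trivy config on every changed IaC file. --exit-code 1 makes a finding
# fail the job, which is what a CI gate wants.
scan_changed() {
  base="$1"
  head="$2"
  files=$(changed_files "$base" "$head" | filter_iac_paths)
  if [ -z "$files" ]; then
    echo "no changed IaC files between $base and $head"
    return 0
  fi
  # Here-document instead of a pipe so the loop runs in the current shell
  # and set -e aborts on the first failing scan.
  while IFS= read -r f; do
    echo "scanning $f"
    trivy config --exit-code 1 "$f"
  done <<EOF
$files
EOF
}

# Usage: ./scan-changed.sh <base-ref> <head-ref>
# Only runs when two refs are given, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
  scan_changed "$1" "$2"
fi
```

In a workflow you would pass `${{ github.event.before }}` and `${{ github.sha }}` on push events, or `${{ github.event.pull_request.base.sha }}` and `${{ github.event.pull_request.head.sha }}` on pull requests, and check out with enough history (fetch-depth: 0, or a depth that includes the base commit) so that git can resolve both refs. Note the caveat this approach carries: Trivy still scans each changed file in full, so pre-existing misconfigurations in a touched file are reported alongside the new ones, and anything introduced in files that were not touched is not reported at all, which is why a periodic full scan remains useful.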
Hello @kderck 👋
I need to create the same functionality: having Trivy run solely on the committed files. I understand this may not be a part of the action's features, and it is more focused on having a periodic full scan that reports back to GitHub code scanning. ref.
```yaml
name: IaC scan
runs-on: ubuntu-latest
steps:
  - uses: actions/checkout@v4
    name: Checkout
    with:
      fetch-depth: 1
```
```yaml
name: IAC Scan with Trivy
runs-on: ubuntu-latest
steps:
  - name: File Change Detection
    shell: bash
    run: |
      if [ "${{ github.event_name }}" == "push" ]; then
        echo "depth=$(( $(jq length <<< '${{ toJson(github.event.commits) }}') + 2 ))" >> $GITHUB_ENV
        echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
      fi
      if [ "${{ github.event_name }}" == "pull_request" ]; then
        echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
        echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
      fi
```