
Add lhotari/sandboxed-trivy-action v1.0.1 #582

Merged: dave2wave merged 2 commits into apache:main from lhotari:lh-sandboxed-trivy-action-v1.0.0 on Apr 1, 2026
Conversation

@lhotari (Member) commented Mar 24, 2026

Request for adding a new GitHub Action to the allow list

Overview

This action is forked from aquasecurity/trivy-action and security-hardened by running Trivy inside a sandboxed Docker container. More details about the security hardening are in the README file of the repository.
Credits to Aqua Security for the original action.

Name of action:
lhotari/sandboxed-trivy-action

URL of action:
https://github.com/lhotari/sandboxed-trivy-action
https://github.com/marketplace/actions/sandboxed-trivy

Version to pin to (hash only):
555963036b2012b44c1071508a236e569db28ebb

Permissions

No special permissions required.

Related Actions

This is a fork of https://github.com/aquasecurity/trivy-action

Checklist

You should be able to check most of these boxes for an action to be considered for review.
Please check all boxes that currently apply:

  • The action is listed in the GitHub Actions Marketplace
  • The action is not already on the list of approved actions
  • The action has a sufficient number of contributors or has contributors within the ASF community
  • The action has a clearly defined license
  • The action is actively developed or maintained
  • The action has CI/unit tests configured

@potiuk (Member) commented Mar 30, 2026

I am still a bit sceptical about trivy's abilities to do something "well". @raboof WDYT?

@potiuk (Member) left a comment

LGTM:

Checked with enhanced verification for composite actions #629:

[image]

Also manually inspected; it does sandbox trivy, so I would recommend approving it.

I likely need one more person to approve it.

@dave2wave (Member) left a comment

LGTM

lhotari changed the title from "Add lhotari/sandboxed-trivy-action v1.0.0" to "Add lhotari/sandboxed-trivy-action v1.0.1" on Apr 1, 2026

@lhotari (Member, Author) commented Apr 1, 2026

@potiuk @dave2wave PTAL
I updated to v1.0.1, 555963036b2012b44c1071508a236e569db28ebb, since I noticed that actions/cache was outdated and using the node20 runtime, which will be phased out later this year.

changes:
lhotari/sandboxed-trivy-action@f5a39c6...5559630

@lhotari lhotari requested review from dave2wave and potiuk April 1, 2026 15:16
@dave2wave (Member) left a comment

Thanks for the upgraded SHA

@kevinjqliu (Contributor) commented

Thanks! This is super helpful to unblock Apache projects from using trivy.

Curious which commit from trivy was it forked from? I couldn't find a reference. Would be good for us to check that the original source code is forked from a "known good version".

@dave2wave (Member) commented

@lhotari would you either add the requested information to your action and provide the new SHA, or, if the information is there, provide a direct link that would help with approval.

@lhotari (Member, Author) commented Apr 1, 2026

> Thanks! This is super helpful to unblock Apache projects from using trivy.
>
> Curious which commit from trivy was it forked from? I couldn't find a reference. Would be good for us to check that the original source code is forked from a "known good version".

@kevinjqliu I forked off v0.35.0 (immutable tag 57a97c7e7821a5776cebc9bb87c984fa69cba8f1) of aquasecurity/trivy-action and adapted it to the sandboxed implementation.

@kevinjqliu (Contributor) commented

Awesome, thank you! I think it would be helpful to include that context in the project's README.

@lhotari (Member, Author) commented Apr 1, 2026

> Awesome, thank you! I think it would be helpful to include that context in the project's README.

@kevinjqliu Thanks for the suggestion, added to README in lhotari/sandboxed-trivy-action@f34b732a.

@kevinjqliu (Contributor) left a comment

LGTM!

The underlying repo is forked from trivy's v0.35.0 release with commit hash 57a97c7e7821a5776cebc9bb87c984fa69cba8f1.

This is mentioned by Trivy as a safe release, aquasecurity/trivy#10425

The action by default pulls the docker image aquasec/trivy:0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c
which I also validated against docker https://hub.docker.com/layers/aquasec/trivy/0.69.3/images/sha256-7228e304ae0f610a1fad937baa463598cadac0c2ac4027cc68f3a8b997115689
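The two pinning checks this thread leans on, an action reference pinned to a full commit hash that matches the approved allow-list entry (the "Version to pin to (hash only)" field in the request above) and a scanner image pinned by sha256 digest rather than by tag (the image reference in the comment above), as an added shell example. This is not code from the PR, from apache/infrastructure-actions or from lhotari/sandboxed-trivy-action; the allow-list format, the sample workflow and the function names are constructed for illustration, and the one real entry in the allow list is the hash approved in this PR.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR or of lhotari/sandboxed-trivy-action.
# Lints `uses:` references in a workflow against an allow list of
# (repository, approved commit SHA) pairs and checks that a container image
# reference carries a sha256 digest. The allow-list format and the sample
# workflow are constructed; the one real entry is the hash approved in this PR.
set -u

# "owner/repo sha" per line. Hypothetical stand-in for the project's real allow list.
ALLOW_LIST='lhotari/sandboxed-trivy-action 555963036b2012b44c1071508a236e569db28ebb'

# is_hex STRING LENGTH: true if STRING is exactly LENGTH lowercase hex digits
is_hex() { printf '%s' "$1" | grep -Eq "^[0-9a-f]{$2}\$"; }

# pin_status REF: classify one `uses:` reference. Prints exactly one of
#   local       in-repo action (./path), nothing external to pin
#   not-pinned  no @ref, or a tag/branch instead of a 40-hex commit SHA
#   not-allowed full SHA, but the repository is not on the allow list
#   wrong-sha   repository is allowed, but at a different commit
#   ok          repository allowed and SHA matches the approved one
pin_status() {
  ref=$1
  case $ref in
    ./*) echo local; return 0 ;;
    *@*) ;;
    *)   echo not-pinned; return 0 ;;
  esac
  action=${ref%%@*}
  version=${ref##*@}
  repo=$(printf '%s' "$action" | cut -d/ -f1,2)   # drop an optional subdirectory
  is_hex "$version" 40 || { echo not-pinned; return 0; }
  approved=$(printf '%s\n' "$ALLOW_LIST" | awk -v r="$repo" '$1 == r { print $2 }')
  [ -n "$approved" ] || { echo not-allowed; return 0; }
  [ "$approved" = "$version" ] || { echo wrong-sha; return 0; }
  echo ok
}

# image_digest_status IMAGE_REF: ok if pinned by @sha256:<64 hex>,
# bad-digest if the digest is malformed, tag-only if there is no digest at all
image_digest_status() {
  case $1 in
    *@sha256:*) is_hex "${1##*@sha256:}" 64 && echo ok || echo bad-digest ;;
    *)          echo tag-only ;;
  esac
}

# lint_workflow < workflow.yml: prints one "<status> <ref>" line per `uses:` step
lint_workflow() {
  for r in $(sed -n 's/^[[:space:]-]*uses:[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p'); do
    printf '%s %s\n' "$(pin_status "$r")" "$r"
  done
}

# bad_ref_count < workflow.yml: number of references that are neither ok nor local
bad_ref_count() { lint_workflow | grep -c -v -E '^(ok|local) ' || true; }

# Constructed sample workflow: an in-repo action, the approved pin, a movable
# tag instead of a SHA, and a fully pinned action that is not on the allow list.
SAMPLE_WORKFLOW='name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/setup
      - uses: lhotari/sandboxed-trivy-action@555963036b2012b44c1071508a236e569db28ebb
      - uses: lhotari/sandboxed-trivy-action@v1.0.1
      - uses: some-org/unreviewed-action@0123456789abcdef0123456789abcdef01234567'

printf '%s\n' "$SAMPLE_WORKFLOW" | lint_workflow
printf 'unpinned or unapproved references: %s\n' "$(printf '%s\n' "$SAMPLE_WORKFLOW" | bad_ref_count)"
image_digest_status 'aquasec/trivy:0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c'
```

A tag such as @v1.0.1 is reported as not-pinned because a tag can be moved after review; only a full commit SHA names the exact code that was inspected. The same reasoning applies to the image: 0.69.3 is a tag that the registry can repoint, while the @sha256 digest identifies one manifest, which is why the check accepts only the digest form.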

@dave2wave dave2wave merged commit 0e2e041 into apache:main Apr 1, 2026
7 checks passed