fix: bump setup-trivy and add new contrib directory path info (#424)

* chore(deps): use fork for setup-trivy

* docs: add info about templates

* refactor: use `setup-trivy` v0.2.2

* docs: remove `./` prefix

* Merge branch 'main' into 'fix/contrib-dir'

* docs: fix link

* docs: fix typo

Co-authored-by: simar7 <[email protected]>

---------

Co-authored-by: simar7 <[email protected]>

Author: DmitriyLewen

README.md

@@ -16,6 +16,7 @@
   * [Cache](#cache)
   * [Trivy Setup](#trivy-setup)
   * [Scanning a Tarball](#scanning-a-tarball)
+  * [Using Trivy with templates](#using-trivy-with-templates)
   * [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning)
   * [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo)
   * [Using Trivy to scan your rootfs directories](#using-trivy-to-scan-your-rootfs-directories)
@@ -323,6 +324,64 @@ jobs:
         severity: 'CRITICAL,HIGH'
 ```
 
+### Using Trivy with templates
+The action supports [Trivy templates][trivy-templates]. 
+
+Use `template` input to specify path (remember to prefix the path with `@`) to template file.
+
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: "fs"
+          scan-ref: .
+          format: 'template'
+          template: "@path/to/my_template.tpl"
+```
+
+#### Default templates
+Trivy has [default templates][trivy-default-templates].
+
+By default, `setup-trivy` installs them into the `$HOME/.local/bin/trivy-bin/contrib` directory.
+
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: "fs"
+          scan-ref: .
+          format: 'template'
+          template: "@$HOME/.local/bin/trivy-bin/contrib/html.tpl"
+```
+
 ### Using Trivy with GitHub Code Scanning
 If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
 ```yaml
@@ -771,7 +830,7 @@ Following inputs can be used as `step.with` keys:
 | `image-ref`                  | String  |                                    | Image reference, e.g. `alpine:3.10.2`                                                                                                                          |
 | `scan-ref`                   | String  | `/github/workspace/`               | Scan reference, e.g. `/github/workspace/` or `.`                                                                                                               |
 | `format`                     | String  | `table`                            | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`)                                                |
-| `template`                   | String  |                                    | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)                                                                                                |
+| `template`                   | String  |                                    | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`)                                           |
 | `tf-vars`                    | String  |                                    | path to Terraform variables file                                                                                                                               |
 | `output`                     | String  |                                    | Save results to a file                                                                                                                                         |
 | `exit-code`                  | String  | `0`                                | Exit code when specified vulnerabilities are found                                                                                                             |
@@ -791,7 +850,7 @@ Following inputs can be used as `step.with` keys:
 | `github-pat`                 | String  |                                    | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN        |
 | `limit-severities-for-sarif` | Boolean | false                              | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 | `docker-host`                | String  |                                    | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values                                      |
-| `version`                    | String  | `v0.56.1`                          | Trivy version to use, e.g. `latest` or `v0.56.1`                                                                                                               |
+| `version`                    | String  | `v0.56.2`                          | Trivy version to use, e.g. `latest` or `v0.56.2`                                                                                                               |
 | `skip-setup-trivy`           | Boolean | false                              | Skip calling the `setup-trivy` action to install `trivy`                                                                                                       |
 | `token-setup-trivy`          | Boolean |                                    | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository                                                                              |
 
@@ -809,3 +868,5 @@ When using the `trivy-config` [Input](#inputs), you can set options using the [T
 [license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
 [trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
 [trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
+[trivy-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#template
+[trivy-default-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#default-templates