fix: Set env var if it differs from actual value

[david-marconis]

Problem

There is an issue with the current action if you run multiple Trivy actions in a row. It will not respect the inputs as it will not set the env var if the env var if the input value is a different value. However, if the env var already has a different value than the default and you try to set it to a default value, it will not work.

Scenario

Here is a scenario: You first run Trivy scan with sarif format, and then you run with table format:

        - uses: aquasecurity/trivy-action@0.29.0
          with:
            image-ref: node:23.2.0-alpine3.20
            severity: CRITICAL,HIGH
            exit-code: 0
            format: sarif
        - uses: aquasecurity/trivy-action@0.29.0
          with:
            image-ref: node:23.2.0-alpine3.20
            severity: CRITICAL,HIGH
            exit-code: 1
            format: table

Then then the second scan will not use format table, as it uses the previously set env var: TRIVY_FORMAT: sarif.

Tests

Here is a workflow run that shows the issue:
input format: table
https://github.com/david-marconis/trivy-ignore-bug/actions/runs/12065562387/job/33644593462#step:3:6
env TRIVY_FORMAT: sarif
https://github.com/david-marconis/trivy-ignore-bug/actions/runs/12065562387/job/33644593462#step:3:20
log indicating sarif mode:
https://github.com/david-marconis/trivy-ignore-bug/actions/runs/12065562387/job/33644593462#step:3:159

Fix

The fix is to check if the actual value differs from the wanted value. You could also remove the check if it is the same as the default, IDK if this has any other implications.

Here is a workflow run with the fix implemented:
https://github.com/david-marconis/trivy-ignore-bug/actions/runs/12065669260/job/33644932663#step:3:217

Fixes

Fixes this issue #438
Might also fix this #435 and #422

[CLAassistant]

All committers have signed the CLA.

[mkjpryor]

I am also seeing this - it would be great if the fix could be merged and released ASAP.

[simar7]

@DmitriyLewen could you take a look?

[DmitriyLewen]

Hello @david-marconis
I played around with this a bit more today.
It seems we can't unset envs from GITHUB_ENV.

I suggest saving and loading envs to a file (to use them locally in trivy-action).
Check out this branch - https://github.com/DmitriyLewen/trivy-action/commits/fix/overwrite-envs/
and test runs - https://github.com/DmitriyLewen/test-trivy-action/actions/runs/12155043324/job/33896010552

Let me know if you have time to test this and update my pr.
If not - no problem - I'll do it when I have time.

Best regards, Dmitriy

[david-marconis]

Hello @david-marconis I played around with this a bit more today. It seems we can't unset envs from GITHUB_ENV.

I suggest saving and loading envs to a file (to use them locally in trivy-action). Check out this branch - https://github.com/DmitriyLewen/trivy-action/commits/fix/overwrite-envs/ and test runs - https://github.com/DmitriyLewen/test-trivy-action/actions/runs/12155043324/job/33896010552

Let me know if you have time to test this and update my pr. If not - no problem - I'll do it when I have time.

Best regards, Dmitriy

Thanks for taking a look at this Dmitriy. Saving and loading to file might be a better solution than this as it avoids lingering env vars set in GITHUB_ENV.

I'll leave my PR like it is now, it is at least better that the current solution and isn't very complicated. It fixes some of the issues, but not all, and I don't believe it causes any regressions.

[rvesse]

I suggest saving and loading envs to a file (to use them locally in trivy-action). Check out this branch - https://github.com/DmitriyLewen/trivy-action/commits/fix/overwrite-envs/ and test runs - https://github.com/DmitriyLewen/test-trivy-action/actions/runs/12155043324/job/33896010552

Let me know if you have time to test this and update my pr. If not - no problem - I'll do it when I have time.

@DmitriyLewen Any idea when your suggested fix might be reviewed and merged, also running into #422 in our workflows

[DmitriyLewen]

Hello @rvesse
Unfortunately I'm busy with other tasks now and can't say when I'll be able to do this.

[rvesse]

Hello @rvesse Unfortunately I'm busy with other tasks now and can't say when I'll be able to do this.

If someone else were to pick up your branch, finish off the work on testing and open a PR could it get reviewed and merged by the rest of the Aqua Security team sooner?

[DmitriyLewen]

Yes, that would speed up the process considerably.

[rvesse]

Cleaned up and proposed as PR #454, if anyone else wants to test with their own workflows that would be welcome, it resolved the problem for our workflows