Add jsonOutputPath option

marketplace.md

@@ -47,6 +47,7 @@ You can supply several inputs to customise the task.
 | `aquaSecret` | The Aqua API Secret to use to link scan results to your Aqua Security account _(not required)_.                                      |
 | `options`    | Additional flags to pass to trivy. Example: `--timeout 10m0s` _(not required)_.                                                      |
 | `additionalCommandsWithResult` | Additional trivy commands to execute, one per line, with the path to the result.json file appended. E.g. `convert --format cyclonedx --output result.cdx` |
+| `jsonOutputPath` | A path to a file where trivy saves it's output. Defaults to a random temporary path. Can be overriden e.g. to upload the output as an artifact. E.g. `$(Build.ArtifactStagingDirectory)/trivy-code-scan-results.json` |
 
 ### Example of scanning multiple targets
 

trivy-task/index.ts

@@ -8,9 +8,10 @@ const latestTrivyVersion = "v0.56.2"
 const tmpPath = "/tmp/"
 
 async function run() {
+    let configuredJsonOutputPath = task.getInput("jsonOutputPath", false)
 
-    console.log("Preparing output location...")
-    const outputPath = tmpPath + "trivy-results-" + Math.random() + ".json";
+    const outputPath = configuredJsonOutputPath ?? (tmpPath + "trivy-results-" + Math.random() + ".json");
+    console.log("Preparing output location " + outputPath + "...")
     task.rmRF(outputPath);
 
     let scanPath = task.getInput("path", false)
@@ -43,7 +44,7 @@ async function run() {
         process.env.AQUA_ASSURANCE_EXPORT = assurancePath
     }
 
-    const runner = await createRunner(task.getBoolInput("docker", false), loginDockerConfig, false);
+    const runner = await createRunner(task.getBoolInput("docker", false), loginDockerConfig, configuredJsonOutputPath !== undefined);
 
     if (task.getBoolInput("debug", false)) {
         runner.arg("--debug")