Compare commits
12 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
dba83feec8 | ||
|
|
c9017eb417 | ||
|
|
4ef054abe6 | ||
|
|
9789b6ae3b | ||
|
|
fd44a8c1a7 | ||
|
|
341f810bd6 | ||
|
|
731c4a9c64 | ||
|
|
9c91cd8af6 | ||
|
|
b38389f8ef | ||
|
|
e2054f8b6a | ||
|
|
6890ac5cba | ||
|
|
c6431cf821 |
@@ -1,4 +1,4 @@
|
||||
FROM aquasec/trivy:latest
|
||||
FROM aquasec/trivy:0.18.1
|
||||
COPY entrypoint.sh /
|
||||
RUN apk --no-cache add bash
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
154
README.md
154
README.md
@@ -107,10 +107,6 @@ jobs:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Build an image from Dockerfile
|
||||
run: |
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
@@ -127,6 +123,152 @@ jobs:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
### Using Trivy to scan your private registry
|
||||
It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.
|
||||
|
||||
#### Docker Hub registry
|
||||
Docker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
|
||||
You don't need to set ENV vars when downloading from a public repository.
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
env:
|
||||
TRIVY_USERNAME: Username
|
||||
TRIVY_PASSWORD: Password
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
#### AWS ECR (Elastic Container Registry)
|
||||
Trivy uses AWS SDK. You don't need to install `aws` CLI tool.
|
||||
You can use [AWS CLI's ENV Vars][env-var].
|
||||
|
||||
[env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
env:
|
||||
AWS_ACCESS_KEY_ID: key_id
|
||||
AWS_SECRET_ACCESS_KEY: access_key
|
||||
AWS_DEFAULT_REGION: us-west-2
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
#### GCR (Google Container Registry)
|
||||
Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
|
||||
|
||||
If you want to use target project's repository, you can set it via `GOOGLE_APPLICATION_CREDENTIAL`.
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
env:
|
||||
GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
#### Self-Hosted
|
||||
BasicAuth server needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
|
||||
if you want to use 80 port, use NonSSL `TRIVY_NON_SSL=true`
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
env:
|
||||
TRIVY_USERNAME: Username
|
||||
TRIVY_PASSWORD: Password
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
## Customizing
|
||||
|
||||
### inputs
|
||||
@@ -136,6 +278,7 @@ Following inputs can be used as `step.with` keys:
|
||||
| Name | Type | Default | Description |
|
||||
|------------------|---------|------------------------------------|-----------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs`|
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.`|
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `template`) |
|
||||
@@ -145,6 +288,9 @@ Following inputs can be used as `step.with` keys:
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to be displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `cache-dir` | String | | Cache directory |
|
||||
| `timeout` | String | `2m0s` | Scan timeout duration |
|
||||
|
||||
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
|
||||
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
|
||||
|
||||
20
action.yaml
20
action.yaml
@@ -9,6 +9,10 @@ inputs:
|
||||
image-ref:
|
||||
description: 'image reference(for backward compatibility)'
|
||||
required: true
|
||||
input:
|
||||
description: 'reference of tar file to scan'
|
||||
required: false
|
||||
default: ''
|
||||
scan-ref:
|
||||
description: 'Scan reference'
|
||||
required: false
|
||||
@@ -41,6 +45,18 @@ inputs:
|
||||
description: 'writes results to a file with the specified file name'
|
||||
required: false
|
||||
default: ''
|
||||
skip-dirs:
|
||||
description: 'comma separated list of directories where traversal is skipped'
|
||||
required: false
|
||||
default: ''
|
||||
cache-dir:
|
||||
description: 'specify where the cache is stored'
|
||||
required: false
|
||||
default: ''
|
||||
timeout:
|
||||
description: 'timeout (default 2m0s)'
|
||||
required: false
|
||||
default: ''
|
||||
runs:
|
||||
using: 'docker'
|
||||
image: "Dockerfile"
|
||||
@@ -55,3 +71,7 @@ runs:
|
||||
- '-h ${{ inputs.output }}'
|
||||
- '-i ${{ inputs.image-ref }}'
|
||||
- '-j ${{ inputs.scan-ref }}'
|
||||
- '-k ${{ inputs.skip-dirs }}'
|
||||
- '-l ${{ inputs.input }}'
|
||||
- '-m ${{ inputs.cache-dir }}'
|
||||
- '-n ${{ inputs.timeout }}'
|
||||
|
||||
30
entrypoint.sh
Normal file → Executable file
30
entrypoint.sh
Normal file → Executable file
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:" o; do
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:" o; do
|
||||
case "${o}" in
|
||||
a)
|
||||
export scanType=${OPTARG}
|
||||
@@ -32,6 +32,18 @@ while getopts "a:b:c:d:e:f:g:h:i:j:" o; do
|
||||
j)
|
||||
export scanRef=${OPTARG}
|
||||
;;
|
||||
k)
|
||||
export skipDirs=${OPTARG}
|
||||
;;
|
||||
l)
|
||||
export input=${OPTARG}
|
||||
;;
|
||||
m)
|
||||
export cacheDir=${OPTARG}
|
||||
;;
|
||||
n)
|
||||
export timeout=${OPTARG}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
@@ -40,6 +52,10 @@ export artifactRef="${imageRef}"
|
||||
if [ "${scanType}" = "fs" ];then
|
||||
artifactRef=$(echo $scanRef | tr -d '\r')
|
||||
fi
|
||||
input=$(echo $input | tr -d '\r')
|
||||
if [ $input ]; then
|
||||
artifactRef="--input $input"
|
||||
fi
|
||||
ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
|
||||
|
||||
ARGS=""
|
||||
@@ -64,6 +80,18 @@ fi
|
||||
if [ $output ];then
|
||||
ARGS="$ARGS --output $output"
|
||||
fi
|
||||
if [ $skipDirs ];then
|
||||
for i in $(echo $skipDirs | tr "," "\n")
|
||||
do
|
||||
ARGS="$ARGS --skip-dirs $i"
|
||||
done
|
||||
fi
|
||||
if [ $cacheDir ];then
|
||||
ARGS="$ARGS --cache-dir $cacheDir"
|
||||
fi
|
||||
if [ $timeout ];then
|
||||
ARGS="$ARGS --timeout $timeout"
|
||||
fi
|
||||
|
||||
echo "Running trivy with options: " --no-progress "${ARGS}" "${artifactRef}"
|
||||
trivy ${scanType} --no-progress $ARGS ${artifactRef}
|
||||
|
||||
Reference in New Issue
Block a user