Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
9789b6ae3b | ||
|
|
fd44a8c1a7 | ||
|
|
341f810bd6 | ||
|
|
731c4a9c64 | ||
|
|
9c91cd8af6 | ||
|
|
b38389f8ef |
+1
-1
@@ -1,4 +1,4 @@
|
||||
FROM aquasec/trivy:latest
|
||||
FROM aquasec/trivy:0.18.0
|
||||
COPY entrypoint.sh /
|
||||
RUN apk --no-cache add bash
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
@@ -107,10 +107,6 @@ jobs:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Build an image from Dockerfile
|
||||
run: |
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
@@ -127,6 +123,152 @@ jobs:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
### Using Trivy to scan your private registry
|
||||
It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.
|
||||
|
||||
#### Docker Hub registry
|
||||
Docker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
|
||||
You don't need to set ENV vars when downloading from a public repository.
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
env:
|
||||
TRIVY_USERNAME: Username
|
||||
TRIVY_PASSWORD: Password
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
#### AWS ECR (Elastic Container Registry)
|
||||
Trivy uses AWS SDK. You don't need to install `aws` CLI tool.
|
||||
You can use [AWS CLI's ENV Vars][env-var].
|
||||
|
||||
[env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
env:
|
||||
AWS_ACCESS_KEY_ID: key_id
|
||||
AWS_SECRET_ACCESS_KEY: access_key
|
||||
AWS_DEFAULT_REGION: us-west-2
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
#### GCR (Google Container Registry)
|
||||
Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
|
||||
|
||||
If you want to use target project's repository, you can set it via `GOOGLE_APPLICATION_CREDENTIAL`.
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
env:
|
||||
GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
#### Self-Hosted
|
||||
BasicAuth server needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
|
||||
if you want to use 80 port, use NonSSL `TRIVY_NON_SSL=true`
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
env:
|
||||
TRIVY_USERNAME: Username
|
||||
TRIVY_PASSWORD: Password
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
## Customizing
|
||||
|
||||
### inputs
|
||||
@@ -147,6 +289,8 @@ Following inputs can be used as `step.with` keys:
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to be displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `cache-dir` | String | | Cache directory |
|
||||
| `timeout` | String | `2m0s` | Scan timeout duration |
|
||||
|
||||
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
|
||||
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
|
||||
|
||||
+10
@@ -49,6 +49,14 @@ inputs:
|
||||
description: 'comma separated list of directories where traversal is skipped'
|
||||
required: false
|
||||
default: ''
|
||||
cache-dir:
|
||||
description: 'specify where the cache is stored'
|
||||
required: false
|
||||
default: ''
|
||||
timeout:
|
||||
description: 'timeout (default 2m0s)'
|
||||
required: false
|
||||
default: ''
|
||||
runs:
|
||||
using: 'docker'
|
||||
image: "Dockerfile"
|
||||
@@ -65,3 +73,5 @@ runs:
|
||||
- '-j ${{ inputs.scan-ref }}'
|
||||
- '-k ${{ inputs.skip-dirs }}'
|
||||
- '-l ${{ inputs.input }}'
|
||||
- '-m ${{ inputs.cache-dir }}'
|
||||
- '-n ${{ inputs.timeout }}'
|
||||
|
||||
Regular → Executable
+17
-2
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:" o; do
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:" o; do
|
||||
case "${o}" in
|
||||
a)
|
||||
export scanType=${OPTARG}
|
||||
@@ -38,6 +38,12 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:" o; do
|
||||
l)
|
||||
export input=${OPTARG}
|
||||
;;
|
||||
m)
|
||||
export cacheDir=${OPTARG}
|
||||
;;
|
||||
n)
|
||||
export timeout=${OPTARG}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
@@ -75,7 +81,16 @@ if [ $output ];then
|
||||
ARGS="$ARGS --output $output"
|
||||
fi
|
||||
if [ $skipDirs ];then
|
||||
ARGS="$ARGS --skip-dirs $skipDirs"
|
||||
for i in $(echo $skipDirs | tr "," "\n")
|
||||
do
|
||||
ARGS="$ARGS --skip-dirs $i"
|
||||
done
|
||||
fi
|
||||
if [ $cacheDir ];then
|
||||
ARGS="$ARGS --cache-dir $cacheDir"
|
||||
fi
|
||||
if [ $timeout ];then
|
||||
ARGS="$ARGS --timeout $timeout"
|
||||
fi
|
||||
|
||||
echo "Running trivy with options: " --no-progress "${ARGS}" "${artifactRef}"
|
||||
|
||||
Reference in New Issue
Block a user