actions/trivy-action
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: actions:0.0.17
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1
..
compare: actions:0.17.0
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1

80 Commits
0.0.17 .. 0.17.0

Author SHA1 Message Date
Kyle Davies
84384bd6e7 Upgraded Trivy from 0.48.1 to v0.49.0 (#304) 2024-02-05 18:54:03 -07:00
Simão Silva
f3d98514b0 fix: Fix skip-files and hide-progress options not being applied when using Sarif report format (#297) 
* Update entrypoint.sh

* Update entrypoint.sh

* Update entrypoint.sh
 2024-01-14 14:28:49 -07:00
DmitriyLewen
0b9d17b6b5 docs: add configuration info for flags not supported by inputs (#296) 
* docs: add information about configuration flags not supported by inputs

* docs: add env and config file to Customizing
 2024-01-11 15:13:21 -07:00
Lucas Bickel
d43c1f16c0 docs: fix typo in README.md (#293) 
Signed-off-by: Lucas Bickel <hairmare@purplehaze.ch>
 2024-01-02 17:53:48 -07:00
Martin Kemp
5f1841df8d Update Trivy to 0.48.1 (#291) 
* Update Trivy to 0.48.1

Signed-off-by: Martin Kemp <me@martinke.mp>

* update tests

---------

Signed-off-by: Martin Kemp <me@martinke.mp>
Co-authored-by: Simar <simar@linux.com>
 2024-01-02 17:51:04 -07:00
Ivan Santos
91713af97d Update to trivy version 0.48.0 (#289) 
* Update to trivy version 0.48.0

 

---------

Signed-off-by: Simar <simar@linux.com>
Co-authored-by: Simar <simar@linux.com>
 2023-12-08 11:08:35 -07:00
Kyle Davies
22d2755f77 feature(config): add terraform variable files (#285) 
* Action now takes an input for terraform variable filess

* added tf-vars

* updated README.md

* Updated yamlconfig test to latest version of trivy output for that container

* updated for correct cpu type

* test trivy version change to 0.45.0

* run scan with correct parameters

* Added test for terraform tfvars

* Updated output for other tests

* use test data as path and updated tf vars to be relative

* removed quiet
 2023-12-04 16:27:47 -07:00
Kyle Davies
2b6a709cf9 Add filesystem alias (#269) 2023-11-06 18:35:42 -07:00
Victor Sollerhed
47e481a388 Update to trivy version 0.47.0 in Dockerfile (#280) 
See:
- https://github.com/aquasecurity/trivy/releases/tag/v0.47.0
 2023-11-06 18:35:08 -07:00
Liam MacPherson
7b07fa7d6a fix: set return code after each Trivy call (#247) 
This change moves the return code to outside the trivy call. This fixes
#228 as the return code was not being propagated.
 2023-11-06 18:32:48 -07:00
Witold Ślęczkowski
f78e9ecf42 Update Dockerfile to 0.46.1 (#277) 
This update fixes https://github.com/aquasecurity/trivy/issues/5441
 2023-10-30 18:28:16 -06:00
Brandon Helms
b77b85c025 Update Dockerfile to 0.46.0 (#274) 
* Update Dockerfile to 0.46.0

This will address bugs before 0.46.0

* updating tests
 2023-10-25 11:39:02 -06:00
Pavel Kutáč
69cbbc0cbb fix: mark image-ref attribute optional (#261) 2023-09-14 22:32:56 -06:00
simar7
fbd16365eb feat(trivy): Bump to v0.45.0 (#256) 2023-09-01 11:44:50 -06:00
Anais Urlichs
559eb1224e Merge pull request #234 from jdsmithit/patch-1 
Update README.md to change the example to the new default brach name …
 2023-08-07 12:32:05 +01:00
Nikita Pivkin
e602665a11 ci: add workflow to bump trivy (#245) 
* ci: add workflow to bump trivy

* update trivy version in tests

* dispatch event workflow_dispatch

* use ORG_REPO_TOKEN secret
 2023-07-25 15:58:10 -06:00
simar7
3dd517d8c9 chore(deps): Update trivy to v0.43.1 (#243) 
* chore(deps): Update trivy to v0.43.1

* fix tests

Signed-off-by: Simar <simar@linux.com>

---------

Signed-off-by: Simar <simar@linux.com>
 2023-07-17 11:07:42 +03:00
Simar
41f05d9ecf Revert "Include args when using trivy config file (#231)" 
Fixes: https://github.com/aquasecurity/trivy-action/issues/238

This reverts commit 82ec0dd604.
 2023-06-09 16:37:19 -06:00
Daniel Chabr
0cd397afbf bump trivy to v0.42.1 (#240) 
* bump trivy to v0.42.1

* revert formatting
 2023-06-09 12:01:09 -06:00
Roger Coll
b43daad0c3 feat: add exit-code parameter to sarif format (#213) 2023-06-05 11:19:20 -06:00
abriko
dedfa59531 Enhance GitHub Dependency Snapshot upload (#233) 2023-06-05 11:12:39 -06:00
Daniel Chabr
f96f79aa22 bump trivy to v0.42.0 (#237) 
* chore(deps): update trivy to v0.42.0

* revert formatting

* revert formatting again

* update sarif version in tests
 2023-06-05 11:08:24 -06:00
Herman Wika Horn
82ec0dd604 Include args when using trivy config file (#231) 
Previously, arguments provided using regular flags
were ignored if a trivy config file was provided

Note that this pull request makes no effort to
deduce or merge desired argument if the same
configuration with different values are provided
both within the config file and as flags. Behaviour
for this case would develop on the implementation
of trivy
 2023-05-31 14:47:20 -06:00
John Smith
463f27e2d8 Update README.md to change the example to the new default brach name main from master. 
Update README.md to change the example to the new default branch name "main" from "master".

I hope this will make the action slightly easier to work with for newer members of the community.
 2023-05-12 10:45:16 +01:00
Bruce Bujon
e5f43133f6 chore: Update Trivy to 0.40.0 (#223) 
* chore: Update trivy to 0.39.0

* chore: Update trivy to 0.40.0
 2023-04-18 17:44:36 -07:00
Guilherme Marz Vazzolla
1a09192c0e docs: improve SBOM documentation (#208) 
* fix: dependency graph name ocurrences

* feat: improve readability and add useful links

* feat: improve readability and instructions 

Improves readability and adds missing information about github_token, another authentication method.

* feat: add github_token instructions

* feat: add github_token to inputs table

* feat: add "what is an SBOM" link

* fix: GitHub dependency graph name ocurrence

* feat: improve SBOM input description

* fix: remove "on pull request" trigger

Co-authored-by: Duncan Casteleyn <10881109+DuncanCasteleyn@users.noreply.github.com>

* fix: outdated input name

---------

Co-authored-by: Duncan Casteleyn <10881109+DuncanCasteleyn@users.noreply.github.com>
 2023-03-28 17:48:04 -07:00
Viktor Sadovnikov
1f0aa582c8 Rename security-checks to scanners (#211) 
* Renaming securityChecks to runners

* Renaming securityChecks to runners

* Renaming securityChecks to runners

* Correcting README
 2023-03-06 21:00:01 -08:00
DmitriyLewen
43849adf01 bump trivy to v0.38.1 (#215) 2023-03-06 20:58:30 -08:00
Falk Puschner
8bd2f9fbda ⬆️ bump trivy action (#203) 2023-02-10 16:20:50 +09:00
simar7
cff3e9a7f6 feat(trivy): Bump Trivy to v0.37.1 (#199) 
Signed-off-by: Simar <simar@linux.com>
 2023-02-01 16:40:29 -08:00
Michael Cantú
ab15891596 Update README.md (#186) 
Fix typo
 2023-02-01 16:23:59 -08:00
Omar Silva
cacfd7a243 docs: add trivy-config to table (#195) 2023-02-01 16:19:16 -08:00
AndreyLevchenko
1e0bef4613 fix(sarif): Add option to limit severities for sarif (aquasecurity#192) (#198) 2023-02-01 16:18:31 -08:00
Aibek
9ab158e859 Add 0.34.0 release (#177) 
* bump to ghcr.io/aquasecurity/trivy:0.33.0

* fix tests

* bump to 0.34.0
 2022-10-31 17:18:27 -07:00
Lior Vaisman Argon
e55de85bee Add npm to action Dockerfile (#176) 2022-10-25 07:04:22 -07:00
chejn
d63413b0a4 Fix github dependency submission API call (#162) 
* Update entrypoint.sh

* Update entrypoint.sh

* Update entrypoint.sh
 2022-08-17 14:54:57 -07:00
simar7
1db49f5326 feat(trivy): Bump Trivy to v0.31.0 (#165) 
Fixes: https://github.com/aquasecurity/trivy-action/issues/164

Signed-off-by: Simar <simar@linux.com>

Signed-off-by: Simar <simar@linux.com>
 2022-08-16 17:25:38 -07:00
Engin Diri
12814ff8bc docs: correct format and add output on config scan with sarif (#159) 2022-08-15 11:09:42 -07:00
simar7
cb606dfdb0 fix(sarif): Add timeout and security-checks for sarif (#156) 2022-08-03 17:32:25 -07:00
Carol Valencia
0d7cf2ddfb chore: improve message output sbom with gh (#145) 
* fix: merge with master- entrypoint

* chore: gitignore .vscode

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-08-02 15:24:58 -07:00
simar7
5144f05a8d fix(config): Drop mixing of options with yaml config. (#148) 
Also adds some documentation explaining how the config
and flags are used in conjunction with each other.

Fixes: https://github.com/aquasecurity/trivy-action/issues/147

Signed-off-by: Simar <simar@linux.com>
 2022-07-29 14:30:07 -07:00
simar7
81b9a6f5ab Update Dockerfile (#152) 2022-07-26 13:08:58 -07:00
simar7
503d3abc15 feat(yaml): Add support for trivy.yaml (#143) 
* feat(yaml): Add support for trivy.yaml

Signed-off-by: Simar <simar@linux.com>

* chore: fixing test using trivy v 0.30.0

* chore(deps): Update to use Trivy v0.30.2

Signed-off-by: Simar <simar@linux.com>

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-07-21 16:36:46 -07:00
simar7
0105373003 docs(trivy): Add instructions to scan tarballs. (#134) 
Signed-off-by: Simar <simar@linux.com>
 2022-06-29 14:34:09 -07:00
simar7
bc615ae2d7 fix(tests): Update test golden files for Trivy v0.29.2 (#136) 
Fixes: https://github.com/aquasecurity/trivy-action/issues/133
Fixes: https://github.com/aquasecurity/trivy-action/issues/135

Signed-off-by: Simar <simar@linux.com>
 2022-06-29 14:33:23 -07:00
simar7
7b7aa264d8 feat(SBOM): Support SBOM generation (#129) 
* feat(sbom): Support SBOM generation

Signed-off-by: Simar <simar@linux.com>

* Update README.md

Co-authored-by: Itay Shakury <itay@itaysk.com>

* feat(sbom): Send results within the entrypoint.sh

* fix(sbom): Fix leading whitespaces for format var.

Signed-off-by: Simar <simar@linux.com>

* docs(sbom): Update README.md

* docs(sbom): Update README.md

* chore(trivy): Bump Trivy version to 0.29.1

Signed-off-by: Simar <simar@linux.com>

* feat(sbom): Change to fs scan.

Signed-off-by: Simar <simar@linux.com>

* fix(tests): Update SARIF goldenfile

Co-authored-by: Itay Shakury <itay@itaysk.com>
 2022-06-22 11:24:39 -07:00
nleconte-csgroup
63b6e4c61b docs: added missing HTML template and removed deprecated SARIF template (#132) 
* docs: add missing template

* docs: add missing template and remove deprecated

Add missing HTML template
Remove deprecated SARIF template

* docs: remove deprecated SARIF template
 2022-06-21 11:46:57 -07:00
Carol Valencia
49e970d7ac chore: pinning 0.29.0 trivy (#128) 
Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-06-17 13:27:39 -07:00
Achton Smidt Winther
c666240787 Add missing option to README. (#127) 2022-06-16 08:25:13 -07:00
David Calvert
e27605859b feat: update codeql-action/upload-sarif to v2 (#124) 2022-06-15 09:16:34 -07:00
Achton Smidt Winther
2b22459068 Update tests for 0.28.1 and convert to JSON (#126) 
* Fix bug with test for securityChecks option which caused it to be skipped.

* Convert tests to JSON output only, and update them for Trivy 0.28.1.

* Update CI test to use Trivy 0.28.1.
 2022-06-15 08:23:38 -07:00
Achton Smidt Winther
4b3b5f928b Add support for --ignorefile option (.trivyignore) (#122) 
* Add support for supplying one or more .trivyignore files.

* Fix gitignore for test data.

* Add test for trivyignores option.

* Be explicit about the trivy options we use during testing.

* Add documentation of trivyignores option.
 2022-06-14 07:41:49 -07:00
Tanguy Segarra
1a53202fc4 Use AWS public ECR instead of rate-limiting dockerhub (#118) 2022-06-08 11:17:38 -07:00
James Luther
df3fb7d00b Update Trivy Version in Dockerfile (#117) 
Updated the dockerfile to use the latest release of Trivy.
 2022-06-02 14:53:00 -07:00
Tanguy Segarra
987beb8186 Enable security checks option for image type (#112) 
* Enable security checks option for image type

* Readme: update security checks option

* action.yaml: add default value for security checks option

* echo env var

* action.yaml: remove default value for security checks

* remove useless echo
 2022-06-02 14:52:06 -07:00
Carol Valencia
4b9b6fb4ef chore: update test to version 0.27.1 (#106) 
* chore: update test to version 0.27.0

* chore: add test file secret and update to 0.27.1

* fix: support repository with securityCheck secret

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-05-09 13:12:55 -07:00
Carol Valencia
2b30463ddb chore: Update trivy version to 0.26.0 (#102) 
* chore: Update trivy version to 0.25.3

* feat: trivy fs - securityCheck test

* chore: update trivy 0.26.0

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-04-18 08:40:37 -07:00
jerbia
d7a51817e8 Merge pull request #104 from aquasecurity/feat/security-checks 
(feat) Add support for security-checks flag
 2022-04-13 22:10:55 +03:00
oranmoshai
9fbcc91008 (feat) Add support for security-checks flag 
When using fs mode add option to list of what security issues to detect
 2022-04-13 16:25:40 +03:00
Carol Valencia
40c4ca9e74 feat: bash unit test - adding repo (#101) 
* feat: bash unit test - adding repo

* fix: clean dummy data

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-04-08 15:57:27 -07:00
Carol Valencia
f39d29766a chore: Update trivy version to 0.25 (#100) 
Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-04-04 10:05:28 -07:00
Chanaka Lakmal
296212627a Update default value of timeout configuration (#97) 2022-02-24 14:33:03 -08:00
Oran Moshai
a7a829a434 chore: update trivy version Dockerfile (#96) 
* chore: update trivy version Dockerfile

* Update readme for sarif deprecate
https://github.com/aquasecurity/trivy/discussions/1571

* docs: revert template and remove sarif.tpl

* fix: update condition to use format variable

Co-authored-by: oranmoshai <oran.moshai@aquasec.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-02-02 15:19:51 -08:00
Carol Valencia
9c21d3ca2c chore: update trivy version Dockerfile (#89) 
Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-01-10 16:47:20 -08:00
Masayoshi Mizutani
8f4c7160b4 feat: Add list-all-pkgs option (#88) 2021-12-16 08:31:49 -08:00
Carol Valencia
81cc8cd841 chore: update trivy version - fixed sarif (#87) 2021-12-10 10:18:11 -08:00
Nick Liffen
0769bbf0d2 Update Dockerfile (#82) 2021-11-26 12:02:01 -08:00
gustavomonarin
9ec80b5796 feat(#59) add support to skip files (#60) 
* feat(#59) Add support to skip files

closes #59

* Fix skipFiles parameter check

The check should be if present not if enabled.
 2021-11-26 12:01:28 -08:00
rahul2393
a58433e1c9 feat: added support for rootfs command (#84) 2021-11-26 10:32:44 -08:00
Simar
7168e9ba5a feat: Update README to include a case where upload upon failure (#78) 
* feat: Update README to include a case where upload is needed upon failure.

Signed-off-by: Simar <simar@linux.com>

* Update README.md
 2021-11-16 14:28:39 -08:00
rahul2393
2a2157eb22 chore: Include skip options other than severity filter option when building SARIF report. (#79) 2021-11-10 13:11:56 -08:00
Simar
1ccef265f5 feat: Build a full SARIF report even if under accepted severity level. (#73) 
Signed-off-by: Simar <simar@linux.com>
 2021-10-26 17:45:53 -07:00
Simar
d62898dfb3 Bump to latest Trivy release 2021-10-26 11:44:53 -07:00
Emil Lengman
6bce46377c bump to version 0.20.0 to add requirements.txt support (#69) 2021-10-26 11:43:48 -07:00
Simar
101d9bacf6 Update action.yaml 2021-10-26 11:42:59 -07:00
Peter Kipping
8eccb55397 Bump base image version to 0.19.2 to fix issue with config scanning. (#58) 2021-08-17 11:50:20 -07:00
Brandon Sorgdrager
9438b49cc3 Enable config scanning (#56) 
* Bump trivy image to enable use of config scan-type

* move --no-progress switch behind input arg and set default

* prevent unrelated args from passing with config scan-type

* fix invalid option passing

* set artifactRef if scanType = config

* Add workflow example for IAC/YAML scanning

* Update README.md

Co-authored-by: Simar <1254783+simar7@users.noreply.github.com>

* Update README.md

Co-authored-by: Simar <1254783+simar7@users.noreply.github.com>

* clean hideProgress input

Co-authored-by: Simar <1254783+simar7@users.noreply.github.com>
 2021-07-27 14:49:55 -07:00
Valentin Laurin
ac8de07fd1 Pass --cache-dir as global argument to Trivy (#51) 2021-05-27 09:03:06 -07:00
Anand Gautam
09b815c470 feat: add ignore-policy option to filter vulnerabilities (#48) 
* feat: add ignore-policy option to filter vulnerabilities

* fix: format README
 2021-05-26 13:12:03 -07:00
Simar
0ce0e69d98 Update README.md 2021-05-17 12:03:58 -07:00
26 changed files with 3178 additions and 80 deletions
Expand all files Collapse all files
.github/workflows/build.yaml
Vendored
+28
View File
@@ -0,0 +1,28 @@
name: "build"
on: [push, pull_request]
env:
TRIVY_VERSION: 0.49.0
BATS_LIB_PATH: '/usr/lib/'
jobs:
build:
name: build
runs-on: ubuntu-20.04
steps:
- name: Setup BATS
uses: mig4/setup-bats@v1
with:
bats-version: 1.7.0
- name: Setup Bats libs
uses: brokenpip3/setup-bats-libs@0.1.0
- name: Check out code
uses: actions/checkout@v1
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
- name: Test
run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .
.github/workflows/bump-trivy.yaml
Vendored
+40
View File
@@ -0,0 +1,40 @@
name: Bump trivy
on:
workflow_dispatch:
inputs:
trivy_version:
required: true
type: string
description: the trivy version
run-name: Bump trivy to v${{ inputs.trivy_version }}
jobs:
bump:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Update Trivy versions
run: |
sed -r -i "s/ghcr.io\/aquasecurity\/trivy:[0-9]+\.[0-9]+\.[0-9]+/ghcr.io\/aquasecurity\/trivy:${{ inputs.trivy_version }}/" Dockerfile
sed -r -i "s/TRIVY_VERSION: [0-9]+\.[0-9]+\.[0-9]+/TRIVY_VERSION: ${{ inputs.trivy_version }}/" .github/workflows/build.yaml
find test/data -type f -name '*.test' | xargs sed -r -i 's/"version": "[0-9]+\.[0-9]+\.[0-9]+"/"version": "${{ inputs.trivy_version }}"/'
- name: Create PR
id: create-pr
uses: peter-evans/create-pull-request@v5
with:
token: ${{ secrets.ORG_REPO_TOKEN }}
title: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
commit-message: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
committer: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
branch-suffix: timestamp
branch: bump-trivy
delete-branch: true
- name: Check outputs
run: |
echo "Pull Request Number - ${{ steps.create-pr.outputs.pull-request-number }}"
echo "Pull Request URL - ${{ steps.create-pr.outputs.pull-request-url }}"
.gitignore
Vendored
+4
View File
@@ -1 +1,5 @@
.idea/
*.test
!test/data/*.test
trivyignores
.vscode/
Dockerfile
+3 -3
View File
@@ -1,5 +1,5 @@
FROM aquasec/trivy:0.18.1
FROM ghcr.io/aquasecurity/trivy:0.49.0
COPY entrypoint.sh /
RUN apk --no-cache add bash
RUN apk --no-cache add bash curl npm
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
ENTRYPOINT ["/entrypoint.sh"]
Makefile
+4
View File
@@ -0,0 +1,4 @@
.PHONY: test
test:
BATS_LIB_PATH=/usr/local/lib/ bats -r .
README.md
+298 -63
View File
@@ -19,27 +19,25 @@
## Usage
### Workflow
### Scan CI Pipeline
```yaml
name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
@@ -51,6 +49,80 @@ jobs:
severity: 'CRITICAL,HIGH'
```
### Scan CI Pipeline (w/ Trivy Config)
```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: trivy.yaml
```
In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
```yaml
format: json
exit-code: 1
severity: CRITICAL
secret:
config: config/trivy/secret.yaml
```
It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
- `scan-ref`: If using `fs, repo` scans.
- `image-ref`: If using `image` scan.
- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.
#### Order of preference for options
Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:
- GitHub Action flag
- Environment variable
- Config file
- Default
### Scanning a Tarball
```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Generate tarball from image
run: |
docker pull <your-docker-image>
docker save -o vuln-image.tar <your-docker-image>
- name: Run Trivy vulnerability scanner in tarball mode
uses: aquasecurity/trivy-action@master
with:
input: /github/workspace/vuln-image.tar
severity: 'CRITICAL,HIGH'
```
### Using Trivy with GitHub Code Scanning
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
@@ -58,15 +130,15 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
@@ -76,18 +148,53 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'template'
template: '@/contrib/sarif.tpl'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml
If you would like to upload SARIF results to GitHub Code scanning even upon a non zero exit code from Trivy Scan, you can add the following to your upload step:
```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'
```
See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always
### Using Trivy to scan your Git repo
It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
@@ -97,32 +204,139 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'template'
template: '@/contrib/sarif.tpl'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to scan your rootfs directories
It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner with rootfs command
uses: aquasecurity/trivy-action@master
with:
scan-type: 'rootfs'
scan-ref: 'rootfs-example-binary'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to scan Infrastructure as Code
It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'config'
hide-progress: false
format: 'sarif'
output: 'trivy-results.sarif'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to generate SBOM
It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository).
In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`):
```yaml
---
name: Pull Request
on:
push:
branches:
- main
## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
permissions:
contents: write
jobs:
build:
name: Checks
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'github'
output: 'dependency-results.sbom.json'
image-ref: '.'
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
```
### Using Trivy to scan your private registry
It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.
@@ -134,29 +348,28 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'template'
template: '@/contrib/sarif.tpl'
format: 'sarif'
output: 'trivy-results.sarif'
env:
TRIVY_USERNAME: Username
TRIVY_PASSWORD: Password
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
@@ -171,22 +384,21 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
format: 'template'
template: '@/contrib/sarif.tpl'
format: 'sarif'
output: 'trivy-results.sarif'
env:
AWS_ACCESS_KEY_ID: key_id
@@ -194,7 +406,7 @@ jobs:
AWS_DEFAULT_REGION: us-west-2
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
@@ -208,28 +420,27 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'template'
template: '@/contrib/sarif.tpl'
format: 'sarif'
output: 'trivy-results.sarif'
env:
GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
@@ -242,55 +453,77 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'template'
template: '@/contrib/sarif.tpl'
format: 'sarif'
output: 'trivy-results.sarif'
env:
TRIVY_USERNAME: Username
TRIVY_PASSWORD: Password
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
## Customizing
Configuration priority:
- [Inputs](#inputs)
- [Environment variables](#environment-variables)
- [Trivy config file](#trivy-config-file)
- Default values
### inputs
Following inputs can be used as `step.with` keys:
| Name | Type | Default | Description |
|------------------|---------|------------------------------------|-----------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs`|
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.`|
| `format` | String | `table` | Output format (`table`, `json`, `template`) |
| `template` | String | | Output template (`@/contrib/sarif.tpl`, `@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)|
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when vulnerabilities were found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to be displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `cache-dir` | String | | Cache directory |
| `timeout` | String | `2m0s` | Scan timeout duration |
| Name | Type | Default | Description |
|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `tf-vars` | String | | path to Terraform variables file |
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | | Cache directory |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `true` | Suppress progress bar |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `trivy-config` | String | | Path to trivy.yaml config |
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
### Environment variables
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
### Trivy config file
When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
@@ -298,3 +531,5 @@ Following inputs can be used as `step.with` keys:
[marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github
[license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE
[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
action.yaml
+53 -4
View File
@@ -8,7 +8,7 @@ inputs:
default: 'image'
image-ref:
description: 'image reference(for backward compatibility)'
required: true
required: false
input:
description: 'reference of tar file to scan'
required: false
@@ -20,7 +20,6 @@ inputs:
exit-code:
description: 'exit code when vulnerabilities were found'
required: false
default: '0'
ignore-unfixed:
description: 'ignore unfixed vulnerabilities'
required: false
@@ -38,7 +37,7 @@ inputs:
required: false
default: 'table'
template:
description: 'use an existing template for rendering output (@/contrib/sarif.tpl, @/contrib/gitlab.tpl, @/contrib/junit.tpl'
description: 'use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl)'
required: false
default: ''
output:
@@ -49,14 +48,53 @@ inputs:
description: 'comma separated list of directories where traversal is skipped'
required: false
default: ''
skip-files:
description: 'comma separated list of files to be skipped'
required: false
default: ''
cache-dir:
description: 'specify where the cache is stored'
required: false
default: ''
timeout:
description: 'timeout (default 2m0s)'
description: 'timeout (default 5m0s)'
required: false
default: ''
ignore-policy:
description: 'filter vulnerabilities with OPA rego language'
required: false
default: ''
hide-progress:
description: 'hide progress output'
required: false
list-all-pkgs:
description: 'output all packages regardless of vulnerability'
required: false
default: 'false'
scanners:
description: 'comma-separated list of what security issues to detect'
required: false
default: ''
trivyignores:
description: 'comma-separated list of relative paths in repository to one or more .trivyignore files'
required: false
default: ''
artifact-type:
description: 'input artifact type (image, fs, repo, archive) for SBOM generation'
required: false
github-pat:
description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
required: false
trivy-config:
description: 'path to trivy.yaml config'
required: false
tf-vars:
description: "path to terraform tfvars file"
required: false
limit-severities-for-sarif:
description: 'limit severities for SARIF format'
required: false
runs:
using: 'docker'
image: "Dockerfile"
@@ -75,3 +113,14 @@ runs:
- '-l ${{ inputs.input }}'
- '-m ${{ inputs.cache-dir }}'
- '-n ${{ inputs.timeout }}'
- '-o ${{ inputs.ignore-policy }}'
- '-p ${{ inputs.hide-progress }}'
- '-q ${{ inputs.skip-files }}'
- '-r ${{ inputs.list-all-pkgs }}'
- '-s ${{ inputs.scanners }}'
- '-t ${{ inputs.trivyignores }}'
- '-u ${{ inputs.github-pat }}'
- '-v ${{ inputs.trivy-config }}'
- '-x ${{ inputs.tf-vars }}'
- '-z ${{ inputs.limit-severities-for-sarif }}'
entrypoint.sh
+121 -8
View File
@@ -1,6 +1,6 @@
#!/bin/bash
set -e
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:" o; do
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:z:" o; do
case "${o}" in
a)
export scanType=${OPTARG}
@@ -44,21 +44,62 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:" o; do
n)
export timeout=${OPTARG}
;;
o)
export ignorePolicy=${OPTARG}
;;
p)
export hideProgress=${OPTARG}
;;
q)
export skipFiles=${OPTARG}
;;
r)
export listAllPkgs=${OPTARG}
;;
s)
export scanners=${OPTARG}
;;
t)
export trivyIgnores=${OPTARG}
;;
u)
export githubPAT=${OPTARG}
;;
v)
export trivyConfig=${OPTARG}
;;
x)
export tfVars=${OPTARG}
;;
z)
export limitSeveritiesForSARIF=${OPTARG}
;;
esac
done
scanType=$(echo $scanType | tr -d '\r')
export artifactRef="${imageRef}"
if [ "${scanType}" = "fs" ];then
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
artifactRef=$(echo $scanRef | tr -d '\r')
fi
input=$(echo $input | tr -d '\r')
if [ $input ]; then
artifactRef="--input $input"
fi
#trim leading spaces for boolean params
ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
hideProgress=$(echo $hideProgress | tr -d '\r')
limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')
GLOBAL_ARGS=""
if [ $cacheDir ];then
GLOBAL_ARGS="$GLOBAL_ARGS --cache-dir $cacheDir"
fi
SARIF_ARGS=""
ARGS=""
format=$(echo $format | xargs)
if [ $format ];then
ARGS="$ARGS --format $format"
fi
@@ -67,12 +108,19 @@ if [ $template ] ;then
fi
if [ $exitCode ];then
ARGS="$ARGS --exit-code $exitCode"
SARIF_ARGS="$SARIF_ARGS --exit-code $exitCode"
fi
if [ "$ignoreUnfixed" == "true" ];then
if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
ARGS="$ARGS --ignore-unfixed"
SARIF_ARGS="$SARIF_ARGS --ignore-unfixed"
fi
if [ $vulnType ];then
if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];then
ARGS="$ARGS --vuln-type $vulnType"
SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
fi
if [ $scanners ];then
ARGS="$ARGS --scanners $scanners"
SARIF_ARGS="$SARIF_ARGS --scanners $scanners"
fi
if [ $severity ];then
ARGS="$ARGS --severity $severity"
@@ -84,14 +132,79 @@ if [ $skipDirs ];then
for i in $(echo $skipDirs | tr "," "\n")
do
ARGS="$ARGS --skip-dirs $i"
SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
done
fi
if [ $cacheDir ];then
ARGS="$ARGS --cache-dir $cacheDir"
if [ $tfVars ] && [ "$scanType" == "config" ];then
ARGS="$ARGS --tf-vars $tfVars"
fi
if [ $trivyIgnores ];then
for f in $(echo $trivyIgnores | tr "," "\n")
do
if [ -f "$f" ]; then
echo "Found ignorefile '${f}':"
cat "${f}"
cat "${f}" >> ./trivyignores
else
echo "ERROR: cannot find ignorefile '${f}'."
exit 1
fi
done
ARGS="$ARGS --ignorefile ./trivyignores"
fi
if [ $timeout ];then
ARGS="$ARGS --timeout $timeout"
SARIF_ARGS="$SARIF_ARGS --timeout $timeout"
fi
if [ $ignorePolicy ];then
ARGS="$ARGS --ignore-policy $ignorePolicy"
SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy"
fi
if [ "$hideProgress" == "true" ];then
ARGS="$ARGS --no-progress"
SARIF_ARGS="$SARIF_ARGS --no-progress"
fi
echo "Running trivy with options: " --no-progress "${ARGS}" "${artifactRef}"
trivy ${scanType} --no-progress $ARGS ${artifactRef}
listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
if [ "$listAllPkgs" == "true" ];then
ARGS="$ARGS --list-all-pkgs"
fi
if [ "$skipFiles" ];then
for i in $(echo $skipFiles | tr "," "\n")
do
ARGS="$ARGS --skip-files $i"
SARIF_ARGS="$SARIF_ARGS --skip-files $i"
done
fi
trivyConfig=$(echo $trivyConfig | tr -d '\r')
# To make sure that uploda GitHub Dependency Snapshot succeeds, disable the script that fails first.
set +e
if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
# SARIF is special. We output all vulnerabilities,
# regardless of severity level specified in this report.
# This is a feature, not a bug :)
echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
elif [ $trivyConfig ]; then
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
trivy --config $trivyConfig ${scanType} ${artifactRef}
else
echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
fi
returnCode=$?
set -e
if [[ "${format}" == "github" ]]; then
if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
printf "\n Uploading GitHub Dependency Snapshot"
curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubPAT" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
else
printf "\n Failing GitHub Dependency Snapshot. Missing github-pat"
fi
fi
exit $returnCode
test/data/.trivyignore1
+3
View File
@@ -0,0 +1,3 @@
# test data #1 for trivy-ignores option
CVE-2020-25576
CVE-2019-15551
test/data/.trivyignore2
+2
View File
@@ -0,0 +1,2 @@
# test data #2 for trivy-ignores option
CVE-2019-15554
test/data/config-sarif.test
+620
View File
@@ -0,0 +1,620 @@
{
"version": "2.1.0",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"fullName": "Trivy Vulnerability Scanner",
"informationUri": "https://github.com/aquasecurity/trivy",
"name": "Trivy",
"rules": [
{
"id": "DS002",
"name": "Misconfiguration",
"shortDescription": {
"text": "Image user should not be \u0026#39;root\u0026#39;"
},
"fullDescription": {
"text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/ds002",
"help": {
"text": "Misconfiguration DS002\\nType: Dockerfile Security Check\\nSeverity: HIGH\\nCheck: Image user should not be 'root'\\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"markdown": "**Misconfiguration DS002**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\\n\\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "DS026",
"name": "Misconfiguration",
"shortDescription": {
"text": "No HEALTHCHECK defined"
},
"fullDescription": {
"text": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
},
"defaultConfiguration": {
"level": "note"
},
"helpUri": "https://avd.aquasec.com/misconfig/ds026",
"help": {
"text": "Misconfiguration DS026\\nType: Dockerfile Security Check\\nSeverity: LOW\\nCheck: No HEALTHCHECK defined\\nMessage: Add HEALTHCHECK instruction in your Dockerfile\\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
"markdown": "**Misconfiguration DS026**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\\n\\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
},
"properties": {
"precision": "very-high",
"security-severity": "2.0",
"tags": [
"misconfiguration",
"security",
"LOW"
]
}
},
{
"id": "AVD-AWS-0086",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access block should block public ACL"
},
"fullDescription": {
"text": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0086",
"help": {
"text": "Misconfiguration AVD-AWS-0086\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should block public ACL\\nMessage: No public access block so not blocking public acls\\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)\\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
"markdown": "**Misconfiguration AVD-AWS-0086**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)|\\n\\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0087",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access block should block public policy"
},
"fullDescription": {
"text": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0087",
"help": {
"text": "Misconfiguration AVD-AWS-0087\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should block public policy\\nMessage: No public access block so not blocking public policies\\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)\\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
"markdown": "**Misconfiguration AVD-AWS-0087**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)|\\n\\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0088",
"name": "Misconfiguration",
"shortDescription": {
"text": "Unencrypted S3 bucket."
},
"fullDescription": {
"text": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0088",
"help": {
"text": "Misconfiguration AVD-AWS-0088\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: Unencrypted S3 bucket.\\nMessage: Bucket does not have encryption enabled\\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
"markdown": "**Misconfiguration AVD-AWS-0088**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\\n\\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0089",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Bucket Logging"
},
"fullDescription": {
"text": "Ensures S3 bucket logging is enabled for S3 buckets"
},
"defaultConfiguration": {
"level": "note"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0089",
"help": {
"text": "Misconfiguration AVD-AWS-0089\\nType: Terraform Security Check\\nSeverity: LOW\\nCheck: S3 Bucket Logging\\nMessage: Bucket has logging disabled\\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)\\nEnsures S3 bucket logging is enabled for S3 buckets",
"markdown": "**Misconfiguration AVD-AWS-0089**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)|\\n\\nEnsures S3 bucket logging is enabled for S3 buckets"
},
"properties": {
"precision": "very-high",
"security-severity": "2.0",
"tags": [
"misconfiguration",
"security",
"LOW"
]
}
},
{
"id": "AVD-AWS-0090",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Data should be versioned"
},
"fullDescription": {
"text": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0090",
"help": {
"text": "Misconfiguration AVD-AWS-0090\\nType: Terraform Security Check\\nSeverity: MEDIUM\\nCheck: S3 Data should be versioned\\nMessage: Bucket does not have versioning enabled\\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
"markdown": "**Misconfiguration AVD-AWS-0090**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\\n\\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "5.5",
"tags": [
"misconfiguration",
"security",
"MEDIUM"
]
}
},
{
"id": "AVD-AWS-0091",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access Block should Ignore Public Acl"
},
"fullDescription": {
"text": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0091",
"help": {
"text": "Misconfiguration AVD-AWS-0091\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access Block should Ignore Public Acl\\nMessage: No public access block so not ignoring public acls\\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
"markdown": "**Misconfiguration AVD-AWS-0091**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not ignoring public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\\n\\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0093",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access block should restrict public bucket to limit access"
},
"fullDescription": {
"text": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0093",
"help": {
"text": "Misconfiguration AVD-AWS-0093\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should restrict public bucket to limit access\\nMessage: No public access block so not restricting public buckets\\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)\\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
"markdown": "**Misconfiguration AVD-AWS-0093**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)|\\n\\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0094",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 buckets should each define an aws_s3_bucket_public_access_block"
},
"fullDescription": {
"text": "The \u0026#34;block public access\u0026#34; settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it."
},
"defaultConfiguration": {
"level": "note"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0094",
"help": {
"text": "Misconfiguration AVD-AWS-0094\\nType: Terraform Security Check\\nSeverity: LOW\\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\\nMessage: Bucket does not have a corresponding public access block.\\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)\\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
"markdown": "**Misconfiguration AVD-AWS-0094**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)|\\n\\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it."
},
"properties": {
"precision": "very-high",
"security-severity": "2.0",
"tags": [
"misconfiguration",
"security",
"LOW"
]
}
},
{
"id": "AVD-AWS-0132",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 encryption should use Customer Managed Keys"
},
"fullDescription": {
"text": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0132",
"help": {
"text": "Misconfiguration AVD-AWS-0132\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 encryption should use Customer Managed Keys\\nMessage: Bucket does not encrypt data with a customer managed key.\\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
"markdown": "**Misconfiguration AVD-AWS-0132**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\\n\\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
}
],
"version": "0.48.1"
}
},
"results": [
{
"ruleId": "DS002",
"ruleIndex": 0,
"level": "error",
"message": {
"text": "Artifact: Dockerfile\\nType: dockerfile\\nVulnerability DS002\\nSeverity: HIGH\\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "Dockerfile",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
},
"message": {
"text": "Dockerfile"
}
}
]
},
{
"ruleId": "DS026",
"ruleIndex": 1,
"level": "note",
"message": {
"text": "Artifact: Dockerfile\\nType: dockerfile\\nVulnerability DS026\\nSeverity: LOW\\nMessage: Add HEALTHCHECK instruction in your Dockerfile\\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "Dockerfile",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
},
"message": {
"text": "Dockerfile"
}
}
]
},
{
"ruleId": "AVD-AWS-0086",
"ruleIndex": 2,
"level": "error",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0086\\nSeverity: HIGH\\nMessage: No public access block so not blocking public acls\\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0087",
"ruleIndex": 3,
"level": "error",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0087\\nSeverity: HIGH\\nMessage: No public access block so not blocking public policies\\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0088",
"ruleIndex": 4,
"level": "error",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0088\\nSeverity: HIGH\\nMessage: Bucket does not have encryption enabled\\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0089",
"ruleIndex": 5,
"level": "note",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0089\\nSeverity: LOW\\nMessage: Bucket has logging disabled\\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0090",
"ruleIndex": 6,
"level": "warning",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0090\\nSeverity: MEDIUM\\nMessage: Bucket does not have versioning enabled\\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 16,
"startColumn": 1,
"endLine": 16,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0091",
"ruleIndex": 7,
"level": "error",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0091\\nSeverity: HIGH\\nMessage: No public access block so not ignoring public acls\\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0093",
"ruleIndex": 8,
"level": "error",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0093\\nSeverity: HIGH\\nMessage: No public access block so not restricting public buckets\\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0094",
"ruleIndex": 9,
"level": "note",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0094\\nSeverity: LOW\\nMessage: Bucket does not have a corresponding public access block.\\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0132",
"ruleIndex": 10,
"level": "error",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0132\\nSeverity: HIGH\\nMessage: Bucket does not encrypt data with a customer managed key.\\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
}
],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {
"uri": "file:///home/runner/work/trivy-action/trivy-action/"
}
}
}
]
}
test/data/config.test
+695
View File
@@ -0,0 +1,695 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:12.036390742Z",
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 24,
"Failures": 2,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
},
{
"Type": "Dockerfile Security Check",
"ID": "DS026",
"AVDID": "AVD-DS-0026",
"Title": "No HEALTHCHECK defined",
"Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
"Namespace": "builtin.dockerfile.DS026",
"Query": "data.builtin.dockerfile.DS026.deny",
"Resolution": "Add HEALTHCHECK instruction in Dockerfile",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
"References": [
"https://blog.aquasec.com/docker-security-best-practices",
"https://avd.aquasec.com/misconfig/ds026"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
},
{
"Target": "test/data",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 2,
"Failures": 0,
"Exceptions": 0
}
},
{
"Target": "test/data/main.tf",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 1,
"Failures": 9,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0086",
"AVDID": "AVD-AWS-0086",
"Title": "S3 Access block should block public ACL",
"Description": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
"Message": "No public access block so not blocking public acls",
"Query": "data..",
"Resolution": "Enable blocking any PUT calls with a public ACL specified",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0086",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0086"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0087",
"AVDID": "AVD-AWS-0087",
"Title": "S3 Access block should block public policy",
"Description": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
"Message": "No public access block so not blocking public policies",
"Query": "data..",
"Resolution": "Prevent policies that allow public access being PUT",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0087",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0087"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0088",
"AVDID": "AVD-AWS-0088",
"Title": "Unencrypted S3 bucket.",
"Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
"Message": "Bucket does not have encryption enabled",
"Query": "data..",
"Resolution": "Configure bucket encryption",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0088",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
"https://avd.aquasec.com/misconfig/avd-aws-0088"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0089",
"AVDID": "AVD-AWS-0089",
"Title": "S3 Bucket Logging",
"Description": "Ensures S3 bucket logging is enabled for S3 buckets",
"Message": "Bucket has logging disabled",
"Namespace": "builtin.aws.s3.aws0089",
"Query": "data.builtin.aws.s3.aws0089.deny",
"Resolution": "Add a logging block to the resource to enable access logging",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html",
"https://avd.aquasec.com/misconfig/avd-aws-0089"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0090",
"AVDID": "AVD-AWS-0090",
"Title": "S3 Data should be versioned",
"Description": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
"Message": "Bucket does not have versioning enabled",
"Query": "data..",
"Resolution": "Enable versioning to protect against accidental/malicious removal or modification",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html",
"https://avd.aquasec.com/misconfig/avd-aws-0090"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Provider": "AWS",
"Service": "s3",
"StartLine": 16,
"EndLine": 16,
"Code": {
"Lines": [
{
"Number": 12,
"Content": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {",
"FirstCause": false,
"LastCause": false
},
{
"Number": 13,
"Content": " bucket = aws_s3_bucket.bucket.id",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = aws_s3_bucket.bucket.id",
"FirstCause": false,
"LastCause": false
},
{
"Number": 14,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " versioning_configuration {",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " versioning_configuration {",
"FirstCause": false,
"LastCause": false
},
{
"Number": 16,
"Content": " status = var.bucket_versioning_enabled",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;33mvar\u001b[0m.bucket_versioning_enabled",
"FirstCause": true,
"LastCause": true
},
{
"Number": 17,
"Content": " }",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " }",
"FirstCause": false,
"LastCause": false
},
{
"Number": 18,
"Content": "}",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "}",
"FirstCause": false,
"LastCause": false
}
]
},
"Occurrences": [
{
"Resource": "versioning_configuration",
"Filename": "test/data/main.tf",
"Location": {
"StartLine": 15,
"EndLine": 17
}
},
{
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Filename": "test/data/main.tf",
"Location": {
"StartLine": 12,
"EndLine": 18
}
}
]
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0091",
"AVDID": "AVD-AWS-0091",
"Title": "S3 Access Block should Ignore Public Acl",
"Description": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
"Message": "No public access block so not ignoring public acls",
"Query": "data..",
"Resolution": "Enable ignoring the application of public ACLs in PUT calls",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0091",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0091"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0093",
"AVDID": "AVD-AWS-0093",
"Title": "S3 Access block should restrict public bucket to limit access",
"Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
"Message": "No public access block so not restricting public buckets",
"Query": "data..",
"Resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0093",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0093"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0094",
"AVDID": "AVD-AWS-0094",
"Title": "S3 buckets should each define an aws_s3_bucket_public_access_block",
"Description": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
"Message": "Bucket does not have a corresponding public access block.",
"Query": "data..",
"Resolution": "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0094",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0094"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0132",
"AVDID": "AVD-AWS-0132",
"Title": "S3 encryption should use Customer Managed Keys",
"Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
"Message": "Bucket does not encrypt data with a customer managed key.",
"Query": "data..",
"Resolution": "Enable encryption using customer managed keys",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
"https://avd.aquasec.com/misconfig/avd-aws-0132"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
}
]
}
]
}
test/data/dev.tfvars
+2
View File
@@ -0,0 +1,2 @@
# test data for trivy config with terraform variables
bucket_versioning_enabled="Enabled"
test/data/fs-scheck.test
+695
View File
@@ -0,0 +1,695 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:15.166517221Z",
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 24,
"Failures": 2,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
},
{
"Type": "Dockerfile Security Check",
"ID": "DS026",
"AVDID": "AVD-DS-0026",
"Title": "No HEALTHCHECK defined",
"Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
"Namespace": "builtin.dockerfile.DS026",
"Query": "data.builtin.dockerfile.DS026.deny",
"Resolution": "Add HEALTHCHECK instruction in Dockerfile",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
"References": [
"https://blog.aquasec.com/docker-security-best-practices",
"https://avd.aquasec.com/misconfig/ds026"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
},
{
"Target": "test/data",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 2,
"Failures": 0,
"Exceptions": 0
}
},
{
"Target": "test/data/main.tf",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 1,
"Failures": 9,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0086",
"AVDID": "AVD-AWS-0086",
"Title": "S3 Access block should block public ACL",
"Description": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
"Message": "No public access block so not blocking public acls",
"Query": "data..",
"Resolution": "Enable blocking any PUT calls with a public ACL specified",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0086",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0086"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0087",
"AVDID": "AVD-AWS-0087",
"Title": "S3 Access block should block public policy",
"Description": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
"Message": "No public access block so not blocking public policies",
"Query": "data..",
"Resolution": "Prevent policies that allow public access being PUT",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0087",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0087"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0088",
"AVDID": "AVD-AWS-0088",
"Title": "Unencrypted S3 bucket.",
"Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
"Message": "Bucket does not have encryption enabled",
"Query": "data..",
"Resolution": "Configure bucket encryption",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0088",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
"https://avd.aquasec.com/misconfig/avd-aws-0088"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0089",
"AVDID": "AVD-AWS-0089",
"Title": "S3 Bucket Logging",
"Description": "Ensures S3 bucket logging is enabled for S3 buckets",
"Message": "Bucket has logging disabled",
"Namespace": "builtin.aws.s3.aws0089",
"Query": "data.builtin.aws.s3.aws0089.deny",
"Resolution": "Add a logging block to the resource to enable access logging",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html",
"https://avd.aquasec.com/misconfig/avd-aws-0089"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0090",
"AVDID": "AVD-AWS-0090",
"Title": "S3 Data should be versioned",
"Description": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
"Message": "Bucket does not have versioning enabled",
"Query": "data..",
"Resolution": "Enable versioning to protect against accidental/malicious removal or modification",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html",
"https://avd.aquasec.com/misconfig/avd-aws-0090"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Provider": "AWS",
"Service": "s3",
"StartLine": 16,
"EndLine": 16,
"Code": {
"Lines": [
{
"Number": 12,
"Content": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {",
"FirstCause": false,
"LastCause": false
},
{
"Number": 13,
"Content": " bucket = aws_s3_bucket.bucket.id",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = aws_s3_bucket.bucket.id",
"FirstCause": false,
"LastCause": false
},
{
"Number": 14,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " versioning_configuration {",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " versioning_configuration {",
"FirstCause": false,
"LastCause": false
},
{
"Number": 16,
"Content": " status = var.bucket_versioning_enabled",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;33mvar\u001b[0m.bucket_versioning_enabled",
"FirstCause": true,
"LastCause": true
},
{
"Number": 17,
"Content": " }",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " }",
"FirstCause": false,
"LastCause": false
},
{
"Number": 18,
"Content": "}",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "}",
"FirstCause": false,
"LastCause": false
}
]
},
"Occurrences": [
{
"Resource": "versioning_configuration",
"Filename": "test/data/main.tf",
"Location": {
"StartLine": 15,
"EndLine": 17
}
},
{
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Filename": "test/data/main.tf",
"Location": {
"StartLine": 12,
"EndLine": 18
}
}
]
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0091",
"AVDID": "AVD-AWS-0091",
"Title": "S3 Access Block should Ignore Public Acl",
"Description": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
"Message": "No public access block so not ignoring public acls",
"Query": "data..",
"Resolution": "Enable ignoring the application of public ACLs in PUT calls",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0091",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0091"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0093",
"AVDID": "AVD-AWS-0093",
"Title": "S3 Access block should restrict public bucket to limit access",
"Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
"Message": "No public access block so not restricting public buckets",
"Query": "data..",
"Resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0093",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0093"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0094",
"AVDID": "AVD-AWS-0094",
"Title": "S3 buckets should each define an aws_s3_bucket_public_access_block",
"Description": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
"Message": "Bucket does not have a corresponding public access block.",
"Query": "data..",
"Resolution": "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0094",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0094"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0132",
"AVDID": "AVD-AWS-0132",
"Title": "S3 encryption should use Customer Managed Keys",
"Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
"Message": "Bucket does not encrypt data with a customer managed key.",
"Query": "data..",
"Resolution": "Enable encryption using customer managed keys",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
"https://avd.aquasec.com/misconfig/avd-aws-0132"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
}
]
}
]
}
test/data/fs.test
View File
test/data/image-sarif.test
+77
View File
@@ -0,0 +1,77 @@
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"fullName": "Trivy Vulnerability Scanner",
"informationUri": "https://github.com/aquasecurity/trivy",
"name": "Trivy",
"rules": [
{
"id": "CVE-2021-36159",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2021-36159"
},
"fullDescription": {
"text": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the \u0026#39;\\0\u0026#39; terminator one byte too late."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2021-36159",
"help": {
"text": "Vulnerability CVE-2021-36159\nSeverity: CRITICAL\nPackage: apk-tools\nFixed Version: 2.10.7-r0\nLink: [CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)\nlibfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
"markdown": "**Vulnerability CVE-2021-36159**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|apk-tools|2.10.7-r0|[CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)|\n\nlibfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late."
},
"properties": {
"precision": "very-high",
"security-severity": "9.1",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
}
],
"version": "0.43.1"
}
},
"results": [
{
"ruleId": "CVE-2021-36159",
"ruleIndex": 0,
"level": "error",
"message": {
"text": "Package: apk-tools\nInstalled Version: 2.10.6-r0\nVulnerability CVE-2021-36159\nSeverity: CRITICAL\nFixed Version: 2.10.7-r0\nLink: [CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "library/alpine",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
}
}
]
}
],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {
"uri": "file:///"
}
}
}
]
}
test/data/image-trivyignores.test
+86
View File
@@ -0,0 +1,86 @@
knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)
┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-14618 │ CRITICAL │ fixed │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16839 │ │ │ │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ │ │ │ curl: Use-after-free when closing "easy" handle in │
│ │ │ │ │ │ │ Curl_close() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16840 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16842 │ │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ │ formatting │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-3822 │ │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ arbitrary code execution via .gitmodules │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-1353 │ │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
│ │ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ │ │ │ curl: Use-after-free when closing "easy" handle in │
│ │ │ │ │ │ │ Curl_close() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16840 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16842 │ │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ │ formatting │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-3822 │ │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
│ │ │ │ │ │ │ adjustment im ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
├─────────────┤ │ │ │ │ │ │
│ musl-utils │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
rust-app/Cargo.lock (cargo)
===========================
Total: 1 (CRITICAL: 1)
┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ smallvec │ CVE-2021-25900 │ CRITICAL │ fixed │ 0.6.9 │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
│ │ │ │ │ │ │ and 1.x... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
test/data/image.test
+98
View File
@@ -0,0 +1,98 @@
knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)
┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-14618 │ CRITICAL │ fixed │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16839 │ │ │ │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ │ │ │ curl: Use-after-free when closing "easy" handle in │
│ │ │ │ │ │ │ Curl_close() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16840 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16842 │ │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ │ formatting │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-3822 │ │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ arbitrary code execution via .gitmodules │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-1353 │ │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
│ │ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ │ │ │ curl: Use-after-free when closing "easy" handle in │
│ │ │ │ │ │ │ Curl_close() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16840 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16842 │ │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ │ formatting │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-3822 │ │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
│ │ │ │ │ │ │ adjustment im ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
├─────────────┤ │ │ │ │ │ │
│ musl-utils │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
rust-app/Cargo.lock (cargo)
===========================
Total: 4 (CRITICAL: 4)
┌───────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ rand_core │ CVE-2020-25576 │ CRITICAL │ fixed │ 0.4.0 │ 0.4.2, 0.3.1 │ An issue was discovered in the rand_core crate before 0.4.2 │
│ │ │ │ │ │ │ for Rust.... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-25576 │
├───────────┼────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ smallvec │ CVE-2019-15551 │ │ │ 0.6.9 │ 0.6.10 │ An issue was discovered in the smallvec crate before 0.6.10 │
│ │ │ │ │ │ │ for Rust.... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15551 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-15554 │ │ │ │ │ An issue was discovered in the smallvec crate before 0.6.10 │
│ │ │ │ │ │ │ for Rust.... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15554 │
│ ├────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2021-25900 │ │ │ │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
│ │ │ │ │ │ │ and 1.x... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
└───────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
test/data/main.tf
+18
View File
@@ -0,0 +1,18 @@
# test data for trivy config with terraform variables
variable "bucket_versioning_enabled" {
type = string
default = "Disabled"
}
resource "aws_s3_bucket" "bucket" {
bucket = "trivy-action-bucket"
}
resource "aws_s3_bucket_versioning" "bucket_versioning" {
bucket = aws_s3_bucket.bucket.id
versioning_configuration {
status = var.bucket_versioning_enabled
}
}
test/data/repo.test
+78
View File
@@ -0,0 +1,78 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:04.647712097Z",
"ArtifactName": "https://github.com/krol3/demo-trivy/",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "env",
"Class": "secret",
"Secrets": [
{
"RuleID": "github-pat",
"Category": "GitHub",
"Severity": "CRITICAL",
"Title": "GitHub Personal Access Token",
"StartLine": 5,
"EndLine": 5,
"Code": {
"Lines": [
{
"Number": 3,
"Content": "export AWS_ACCESS_KEY_ID=1234567",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "export AWS_ACCESS_KEY_ID=1234567",
"FirstCause": false,
"LastCause": false
},
{
"Number": 4,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 5,
"Content": "export GITHUB_PAT=****************************************",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "export GITHUB_PAT=****************************************",
"FirstCause": true,
"LastCause": true
},
{
"Number": 6,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
}
]
},
"Match": "export GITHUB_PAT=****************************************",
"Layer": {}
}
]
}
]
}
test/data/rootfs.test
View File
test/data/tfvars.test
+40
View File
@@ -0,0 +1,40 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T16:27:32.841193-07:00",
"ArtifactName": "test/data",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": ".",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 2,
"Failures": 0,
"Exceptions": 0
}
},
{
"Target": "main.tf",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 1,
"Failures": 0,
"Exceptions": 0
}
}
]
}
test/data/trivy.yaml
+5
View File
@@ -0,0 +1,5 @@
format: json
severity: CRITICAL
vulnerability:
type: os
output: yamlconfig.test
test/data/yamlconfig.test
+115
View File
@@ -0,0 +1,115 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:21.039454971Z",
"ArtifactName": "alpine:3.10",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "alpine",
"Name": "3.10.9",
"EOSL": true
},
"ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
"DiffIDs": [
"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
],
"RepoTags": [
"alpine:3.10"
],
"RepoDigests": [
"alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
],
"ImageConfig": {
"architecture": "amd64",
"container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
"created": "2021-04-14T19:20:05.338397761Z",
"docker_version": "19.03.12",
"history": [
{
"created": "2021-04-14T19:20:04.987219124Z",
"created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
},
{
"created": "2021-04-14T19:20:05.338397761Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
]
},
"config": {
"Cmd": [
"/bin/sh"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
}
}
},
"Results": [
{
"Target": "alpine:3.10 (alpine 3.10.9)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2021-36159",
"PkgID": "apk-tools@2.10.6-r0",
"PkgName": "apk-tools",
"InstalledVersion": "2.10.6-r0",
"FixedVersion": "2.10.7-r0",
"Status": "fixed",
"Layer": {
"Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
"DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash",
"Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"V2Score": 6.4,
"V3Score": 9.1
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"V3Score": 9.1
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2021-36159",
"https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
"https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E",
"https://nvd.nist.gov/vuln/detail/CVE-2021-36159",
"https://www.cve.org/CVERecord?id=CVE-2021-36159"
],
"PublishedDate": "2021-08-03T14:15:08.233Z",
"LastModifiedDate": "2023-11-07T03:36:43.337Z"
}
]
}
]
}
test/test.bats
+91
View File
@@ -0,0 +1,91 @@
#!/usr/bin/env bats
bats_load_library bats-support
bats_load_library bats-assert
bats_load_library bats-file
@test "trivy repo with securityCheck secret only" {
# trivy repo --format json --output repo.test --scanners=secret https://github.com/krol3/demo-trivy/
run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
run diff repo.test ./test/data/repo.test
echo "$output"
assert_files_equal repo.test ./test/data/repo.test
}
@test "trivy image" {
# trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
run diff image.test ./test/data/image.test
echo "$output"
assert_files_equal image.test ./test/data/image.test
}
@test "trivy config sarif report" {
# trivy config --format sarif --output config-sarif.test .
run ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.test' '-j .'
run diff config-sarif.test ./test/data/config-sarif.test
echo "$output"
assert_files_equal config-sarif.test ./test/data/config-sarif.test
}
@test "trivy config" {
# trivy config --format json --output config.test .
run ./entrypoint.sh '-a config' '-b json' '-j .' '-h config.test'
run diff config.test ./test/data/config.test
echo "$output"
assert_files_equal config.test ./test/data/config.test
}
@test "trivy rootfs" {
# trivy rootfs --output rootfs.test .
run ./entrypoint.sh '-a rootfs' '-j .' '-h rootfs.test'
run diff rootfs.test ./test/data/rootfs.test
echo "$output"
assert_files_equal rootfs.test ./test/data/rootfs.test
}
@test "trivy fs" {
# trivy fs --output fs.test .
run ./entrypoint.sh '-a fs' '-j .' '-h fs.test'
run diff fs.test ./test/data/fs.test
echo "$output"
assert_files_equal fs.test ./test/data/fs.test
}
@test "trivy fs with securityChecks option" {
# trivy fs --format json --scanners=vuln,config --output fs-scheck.test .
run ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
run diff fs-scheck.test ./test/data/fs-scheck.test
echo "$output"
assert_files_equal fs-scheck.test ./test/data/fs-scheck.test
}
@test "trivy image with trivyIgnores option" {
# cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
run diff image-trivyignores.test ./test/data/image-trivyignores.test
echo "$output"
assert_files_equal image-trivyignores.test ./test/data/image-trivyignores.test
}
@test "trivy image with sbom output" {
# trivy image --format github knqyf263/vuln-image:1.2.3
run ./entrypoint.sh "-a image" "-b github" "-i knqyf263/vuln-image:1.2.3"
assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' # TODO: Output contains time, need to mock
}
@test "trivy image with trivy.yaml config" {
# trivy --config=./test/data/trivy.yaml image alpine:3.10
run ./entrypoint.sh "-v ./test/data/trivy.yaml" "-a image" "-i alpine:3.10"
run diff yamlconfig.test ./test/data/yamlconfig.test
echo "$output"
assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
}
@test "trivy config with terraform variables" {
# trivy config --format json --severity MEDIUM --output tfvars.test --tf-vars ./test/data/dev.tfvars ./test/data
run ./entrypoint.sh "-a config" "-j ./test/data" "-h tfvars.test" "-g MEDIUM" "-x dev.tfvars" "-b json"
run diff tfvars.test ./test/data/tfvars.test
echo "$output"
assert_files_equal tfvars.test ./test/data/tfvars.test
}
workflow.yml
+2 -2
View File
@@ -7,7 +7,7 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
@@ -29,6 +29,6 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'