Update README.md

feat: Update README to include a case where upload is needed upon failure.
Signed-off-by: Simar <simar@linux.com>
2021-11-16 14:28:24 -08:00 · 2021-11-08 10:37:38 -08:00 · 2021-10-26 17:45:53 -07:00 · 2021-10-26 11:44:53 -07:00 · 2021-10-26 11:43:48 -07:00 · 2021-10-26 11:42:59 -07:00
4 changed files with 51 additions and 3 deletions
--- a/4
+++ b/4
@@ -1,5 +1,5 @@
-FROM aquasec/trivy:0.19.1
+FROM aquasec/trivy:0.20.2
 COPY entrypoint.sh /
 RUN apk --no-cache add bash
 RUN chmod +x /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/entrypoint.sh"]
--- a/README.md
+++ b/README.md
@@ -88,6 +88,43 @@ jobs:

 You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml

+If you would like to upload SARIF results to GitHub Code scanning even upon a non zero exit code from Trivy Scan, you can add the following to your upload step:
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        if: always() 
+        with:
+          sarif_file: 'trivy-results.sarif'
+```
+
+See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always
+
 ### Using Trivy to scan your Git repo
 It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.

--- a/action.yaml
+++ b/action.yaml
@@ -54,7 +54,7 @@ inputs:
    required: false
    default: ''
  timeout:
-    description: 'timeout (default 2m0s)'
+    description: 'timeout (default 5m0s)'
    required: false
    default: ''
  ignore-policy:
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -111,3 +111,14 @@ fi
 echo "Running trivy with options: ${ARGS}" "${artifactRef}"
 echo "Global options: " "${GLOBAL_ARGS}"
 trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
+returnCode=$?
+
+# SARIF is special. We output all vulnerabilities,
+# regardless of severity level specified in this report.
+# This is a feature, not a bug :)
+if [[ ${template} == *"sarif"* ]]; then
+  echo "Building SARIF report"
+  trivy --quiet ${scanType} --format template --template ${template} --output ${output} ${artifactRef}
+fi
+
+exit $returnCode
Author	SHA1	Message	Date
Simar	5f63408a2c	Update README.md	2021-11-16 14:28:24 -08:00
Simar	17b218d340	feat: Update README to include a case where upload is needed upon failure. Signed-off-by: Simar <simar@linux.com>	2021-11-08 10:37:38 -08:00
Simar	1ccef265f5	feat: Build a full SARIF report even if under accepted severity level. (#73 ) Signed-off-by: Simar <simar@linux.com>	2021-10-26 17:45:53 -07:00
Simar	d62898dfb3	Bump to latest Trivy release	2021-10-26 11:44:53 -07:00
Emil Lengman	6bce46377c	bump to version 0.20.0 to add requirements.txt support (#69 )	2021-10-26 11:43:48 -07:00
Simar	101d9bacf6	Update action.yaml	2021-10-26 11:42:59 -07:00
Peter Kipping	8eccb55397	Bump base image version to 0.19.2 to fix issue with config scanning. (#58 )	2021-08-17 11:50:20 -07:00