actions/trivy-action
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: actions:0.0.2
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1
...
compare: actions:0.9.2
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1

102 Commits
0.0.2 ... 0.9.2

Author SHA1 Message Date
Viktor Sadovnikov
1f0aa582c8 Rename security-checks to scanners (#211) 
* Renaming securityChecks to runners

* Renaming securityChecks to runners

* Renaming securityChecks to runners

* Correcting README
 2023-03-06 21:00:01 -08:00
DmitriyLewen
43849adf01 bump trivy to v0.38.1 (#215) 2023-03-06 20:58:30 -08:00
Falk Puschner
8bd2f9fbda ⬆️ bump trivy action (#203) 2023-02-10 16:20:50 +09:00
simar7
cff3e9a7f6 feat(trivy): Bump Trivy to v0.37.1 (#199) 
Signed-off-by: Simar <simar@linux.com>
 2023-02-01 16:40:29 -08:00
Michael Cantú
ab15891596 Update README.md (#186) 
Fix typo
 2023-02-01 16:23:59 -08:00
Omar Silva
cacfd7a243 docs: add trivy-config to table (#195) 2023-02-01 16:19:16 -08:00
AndreyLevchenko
1e0bef4613 fix(sarif): Add option to limit severities for sarif (aquasecurity#192) (#198) 2023-02-01 16:18:31 -08:00
Aibek
9ab158e859 Add 0.34.0 release (#177) 
* bump to ghcr.io/aquasecurity/trivy:0.33.0

* fix tests

* bump to 0.34.0
 2022-10-31 17:18:27 -07:00
Lior Vaisman Argon
e55de85bee Add npm to action Dockerfile (#176) 2022-10-25 07:04:22 -07:00
chejn
d63413b0a4 Fix github dependency submission API call (#162) 
* Update entrypoint.sh

* Update entrypoint.sh

* Update entrypoint.sh
 2022-08-17 14:54:57 -07:00
simar7
1db49f5326 feat(trivy): Bump Trivy to v0.31.0 (#165) 
Fixes: https://github.com/aquasecurity/trivy-action/issues/164

Signed-off-by: Simar <simar@linux.com>

Signed-off-by: Simar <simar@linux.com>
 2022-08-16 17:25:38 -07:00
Engin Diri
12814ff8bc docs: correct format and add output on config scan with sarif (#159) 2022-08-15 11:09:42 -07:00
simar7
cb606dfdb0 fix(sarif): Add timeout and security-checks for sarif (#156) 2022-08-03 17:32:25 -07:00
Carol Valencia
0d7cf2ddfb chore: improve message output sbom with gh (#145) 
* fix: merge with master- entrypoint

* chore: gitignore .vscode

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-08-02 15:24:58 -07:00
simar7
5144f05a8d fix(config): Drop mixing of options with yaml config. (#148) 
Also adds some documentation explaining how the config
and flags are used in conjunction with each other.

Fixes: https://github.com/aquasecurity/trivy-action/issues/147

Signed-off-by: Simar <simar@linux.com>
 2022-07-29 14:30:07 -07:00
simar7
81b9a6f5ab Update Dockerfile (#152) 2022-07-26 13:08:58 -07:00
simar7
503d3abc15 feat(yaml): Add support for trivy.yaml (#143) 
* feat(yaml): Add support for trivy.yaml

Signed-off-by: Simar <simar@linux.com>

* chore: fixing test using trivy v 0.30.0

* chore(deps): Update to use Trivy v0.30.2

Signed-off-by: Simar <simar@linux.com>

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-07-21 16:36:46 -07:00
simar7
0105373003 docs(trivy): Add instructions to scan tarballs. (#134) 
Signed-off-by: Simar <simar@linux.com>
 2022-06-29 14:34:09 -07:00
simar7
bc615ae2d7 fix(tests): Update test golden files for Trivy v0.29.2 (#136) 
Fixes: https://github.com/aquasecurity/trivy-action/issues/133
Fixes: https://github.com/aquasecurity/trivy-action/issues/135

Signed-off-by: Simar <simar@linux.com>
 2022-06-29 14:33:23 -07:00
simar7
7b7aa264d8 feat(SBOM): Support SBOM generation (#129) 
* feat(sbom): Support SBOM generation

Signed-off-by: Simar <simar@linux.com>

* Update README.md

Co-authored-by: Itay Shakury <itay@itaysk.com>

* feat(sbom): Send results within the entrypoint.sh

* fix(sbom): Fix leading whitespaces for format var.

Signed-off-by: Simar <simar@linux.com>

* docs(sbom): Update README.md

* docs(sbom): Update README.md

* chore(trivy): Bump Trivy version to 0.29.1

Signed-off-by: Simar <simar@linux.com>

* feat(sbom): Change to fs scan.

Signed-off-by: Simar <simar@linux.com>

* fix(tests): Update SARIF goldenfile

Co-authored-by: Itay Shakury <itay@itaysk.com>
 2022-06-22 11:24:39 -07:00
nleconte-csgroup
63b6e4c61b docs: added missing HTML template and removed deprecated SARIF template (#132) 
* docs: add missing template

* docs: add missing template and remove deprecated

Add missing HTML template
Remove deprecated SARIF template

* docs: remove deprecated SARIF template
 2022-06-21 11:46:57 -07:00
Carol Valencia
49e970d7ac chore: pinning 0.29.0 trivy (#128) 
Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-06-17 13:27:39 -07:00
Achton Smidt Winther
c666240787 Add missing option to README. (#127) 2022-06-16 08:25:13 -07:00
David Calvert
e27605859b feat: update codeql-action/upload-sarif to v2 (#124) 2022-06-15 09:16:34 -07:00
Achton Smidt Winther
2b22459068 Update tests for 0.28.1 and convert to JSON (#126) 
* Fix bug with test for securityChecks option which caused it to be skipped.

* Convert tests to JSON output only, and update them for Trivy 0.28.1.

* Update CI test to use Trivy 0.28.1.
 2022-06-15 08:23:38 -07:00
Achton Smidt Winther
4b3b5f928b Add support for --ignorefile option (.trivyignore) (#122) 
* Add support for supplying one or more .trivyignore files.

* Fix gitignore for test data.

* Add test for trivyignores option.

* Be explicit about the trivy options we use during testing.

* Add documentation of trivyignores option.
 2022-06-14 07:41:49 -07:00
Tanguy Segarra
1a53202fc4 Use AWS public ECR instead of rate-limiting dockerhub (#118) 2022-06-08 11:17:38 -07:00
James Luther
df3fb7d00b Update Trivy Version in Dockerfile (#117) 
Updated the dockerfile to use the latest release of Trivy.
 2022-06-02 14:53:00 -07:00
Tanguy Segarra
987beb8186 Enable security checks option for image type (#112) 
* Enable security checks option for image type

* Readme: update security checks option

* action.yaml: add default value for security checks option

* echo env var

* action.yaml: remove default value for security checks

* remove useless echo
 2022-06-02 14:52:06 -07:00
Carol Valencia
4b9b6fb4ef chore: update test to version 0.27.1 (#106) 
* chore: update test to version 0.27.0

* chore: add test file secret and update to 0.27.1

* fix: support repository with securityCheck secret

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-05-09 13:12:55 -07:00
Carol Valencia
2b30463ddb chore: Update trivy version to 0.26.0 (#102) 
* chore: Update trivy version to 0.25.3

* feat: trivy fs - securityCheck test

* chore: update trivy 0.26.0

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-04-18 08:40:37 -07:00
jerbia
d7a51817e8 Merge pull request #104 from aquasecurity/feat/security-checks 
(feat) Add support for security-checks flag
 2022-04-13 22:10:55 +03:00
oranmoshai
9fbcc91008 (feat) Add support for security-checks flag 
When using fs mode add option to list of what security issues to detect
 2022-04-13 16:25:40 +03:00
Carol Valencia
40c4ca9e74 feat: bash unit test - adding repo (#101) 
* feat: bash unit test - adding repo

* fix: clean dummy data

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-04-08 15:57:27 -07:00
Carol Valencia
f39d29766a chore: Update trivy version to 0.25 (#100) 
Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-04-04 10:05:28 -07:00
Chanaka Lakmal
296212627a Update default value of timeout configuration (#97) 2022-02-24 14:33:03 -08:00
Oran Moshai
a7a829a434 chore: update trivy version Dockerfile (#96) 
* chore: update trivy version Dockerfile

* Update readme for sarif deprecate
https://github.com/aquasecurity/trivy/discussions/1571

* docs: revert template and remove sarif.tpl

* fix: update condition to use format variable

Co-authored-by: oranmoshai <oran.moshai@aquasec.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-02-02 15:19:51 -08:00
Carol Valencia
9c21d3ca2c chore: update trivy version Dockerfile (#89) 
Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-01-10 16:47:20 -08:00
Masayoshi Mizutani
8f4c7160b4 feat: Add list-all-pkgs option (#88) 2021-12-16 08:31:49 -08:00
Carol Valencia
81cc8cd841 chore: update trivy version - fixed sarif (#87) 2021-12-10 10:18:11 -08:00
Nick Liffen
0769bbf0d2 Update Dockerfile (#82) 2021-11-26 12:02:01 -08:00
gustavomonarin
9ec80b5796 feat(#59) add support to skip files (#60) 
* feat(#59) Add support to skip files

closes #59

* Fix skipFiles parameter check

The check should be if present not if enabled.
 2021-11-26 12:01:28 -08:00
rahul2393
a58433e1c9 feat: added support for rootfs command (#84) 2021-11-26 10:32:44 -08:00
Simar
7168e9ba5a feat: Update README to include a case where upload upon failure (#78) 
* feat: Update README to include a case where upload is needed upon failure.

Signed-off-by: Simar <simar@linux.com>

* Update README.md
 2021-11-16 14:28:39 -08:00
rahul2393
2a2157eb22 chore: Include skip options other than severity filter option when building SARIF report. (#79) 2021-11-10 13:11:56 -08:00
Simar
1ccef265f5 feat: Build a full SARIF report even if under accepted severity level. (#73) 
Signed-off-by: Simar <simar@linux.com>
 2021-10-26 17:45:53 -07:00
Simar
d62898dfb3 Bump to latest Trivy release 2021-10-26 11:44:53 -07:00
Emil Lengman
6bce46377c bump to version 0.20.0 to add requirements.txt support (#69) 2021-10-26 11:43:48 -07:00
Simar
101d9bacf6 Update action.yaml 2021-10-26 11:42:59 -07:00
Peter Kipping
8eccb55397 Bump base image version to 0.19.2 to fix issue with config scanning. (#58) 2021-08-17 11:50:20 -07:00
Brandon Sorgdrager
9438b49cc3 Enable config scanning (#56) 
* Bump trivy image to enable use of config scan-type

* move --no-progress switch behind input arg and set default

* prevent unrelated args from passing with config scan-type

* fix invalid option passing

* set artifactRef if scanType = config

* Add workflow example for IAC/YAML scanning

* Update README.md

Co-authored-by: Simar <1254783+simar7@users.noreply.github.com>

* Update README.md

Co-authored-by: Simar <1254783+simar7@users.noreply.github.com>

* clean hideProgress input

Co-authored-by: Simar <1254783+simar7@users.noreply.github.com>
 2021-07-27 14:49:55 -07:00
Valentin Laurin
ac8de07fd1 Pass --cache-dir as global argument to Trivy (#51) 2021-05-27 09:03:06 -07:00
Anand Gautam
09b815c470 feat: add ignore-policy option to filter vulnerabilities (#48) 
* feat: add ignore-policy option to filter vulnerabilities

* fix: format README
 2021-05-26 13:12:03 -07:00
Simar
0ce0e69d98 Update README.md 2021-05-17 12:03:58 -07:00
rahul2393
dba83feec8 fix invalid rule exception for SARIF templates (#47) 2021-05-13 11:25:15 -07:00
Simar
c9017eb417 Revert "Use fixed Sarif template (#45)" (#46) 
This reverts commit 4ef054abe6.
 2021-05-13 09:50:48 -07:00
rahul2393
4ef054abe6 Use fixed Sarif template (#45) 2021-05-13 09:49:59 -07:00
rahul2393
9789b6ae3b Update docker base image for trivy. (#44) 2021-05-12 20:13:49 +03:00
rahul2393
fd44a8c1a7 Improve Readme to remove docker build step (#43) 
* Remove docker build step

* Update README.md

Co-authored-by: Simar <1254783+simar7@users.noreply.github.com>
 2021-05-06 11:00:05 -07:00
rahul2393
341f810bd6 Pin docker image, and update skip dirs argument passing to trivy (#41) 2021-05-06 10:45:41 -07:00
rahul2393
731c4a9c64 Update readme to scan private repository (#42) 
* Printing env var to debug

* Update Readme to scan private registries.

* Apply suggestions from code review

Co-authored-by: Simar <1254783+simar7@users.noreply.github.com>
 2021-05-06 10:40:05 -07:00
Simar
9c91cd8af6 Update README.md 2021-04-07 12:52:06 -07:00
Donald Piret
b38389f8ef feat: add support for cache dire and timeout inputs (#35) 2021-04-07 12:50:09 -07:00
rahul2393
e2054f8b6a Added input option support (#34) 
* Added input option support

* Fix position of input flag

* update readme

* Update README.md

Co-authored-by: Simarpreet Singh <simar@linux.com>
 2021-03-24 13:54:13 -07:00
Simarpreet Singh
6890ac5cba Update README.md 2021-03-19 15:25:03 -07:00
Anand Gautam
c6431cf821 Feat/add skip dirs option (#33) 
Fixes: https://github.com/aquasecurity/trivy-action/issues/32
 2021-03-19 15:21:09 -07:00
Teppei Fukuda
f5e208a156 feat: suppress progress bar (#31) 
Add `--no-progress`
 2021-03-11 10:36:48 -08:00
Simarpreet Singh
bceef37a45 entrypoint: Remove \r from ignoreUnfixed option (#29) 
Signed-off-by: Simarpreet Singh <simar@linux.com>
 2021-02-26 22:33:29 -08:00
Simarpreet Singh
7294c6a408 Update README.md 2021-02-24 16:54:57 -08:00
Simarpreet Singh
df28e4135d Update README.md 
Add a guide for using in repo mode
 2021-02-24 16:47:59 -08:00
rahul2393
1d28acf359 Add scan type as option (#27) 
* Add scan type as option

* Fix exitCode

* remove all options

* Add default value to scanRef and improve shell

* print args

* fix description.

* More changes
 2021-02-24 16:31:43 -08:00
Chris Aumann
7684771c94 Add vuln-type parameter (#19) 
Co-authored-by: Simarpreet Singh <simar@linux.com>
 2021-02-11 13:49:57 -08:00
Simarpreet Singh
8595c5d059 Update README.md 2021-02-05 13:20:20 -08:00
Airtower
d8496b917f docs: Add a link to the Trivy repository (#20) 2020-10-15 20:31:54 +02:00
Simarpreet Singh
ddc1a12251 workflow: Update example workflow.yml 
Signed-off-by: Simarpreet Singh <simar@linux.com>
 2020-09-17 14:24:25 -07:00
Simarpreet Singh
2e51a7d82c README: Update example yaml 
Signed-off-by: Simarpreet Singh <simar@linux.com>
 2020-09-17 14:20:40 -07:00
Simarpreet Singh
6087d9d64e Merge branch 'master' of github.com:aquasecurity/trivy-action 2020-09-17 14:19:41 -07:00
Simarpreet Singh
888827683a Update README.md 2020-08-25 14:20:44 -07:00
Simarpreet Singh
7e2e12baea Update sample workflow.yml with a small example 2020-08-25 14:20:04 -07:00
jerbia
202e8283bd Create workflow.yml 2020-08-25 21:17:27 +03:00
Simarpreet Singh
507a96efe4 Merge pull request #2 from aquasecurity/master 
merge upstream
 2020-08-17 18:09:47 -07:00
Simarpreet Singh
6c3dd513ad README: Clean up cruft 
Signed-off-by: Simarpreet Singh <simar@linux.com>
 2020-08-14 09:50:12 -07:00
Simarpreet Singh
2b5de51086 Merge pull request #16 from aquasecurity/update-title 
Update action.yaml
 2020-08-13 15:40:49 -07:00
Simarpreet Singh
de7cb7d4ba Update action.yaml 
Co-authored-by: Daniel Pacak <pacak.daniel@gmail.com>
 2020-08-13 09:56:17 -07:00
Simarpreet Singh
9403afcefd Update action.yaml 
Update title to include Aqua Security for searchability purposes.
 2020-08-12 12:00:26 -07:00
Simarpreet Singh
28ef387ad0 Merge pull request #1 from aquasecurity/master 
upstream merge
 2020-08-04 15:06:36 -07:00
Simarpreet Singh
159e7e8ec2 Merge pull request #15 from aquasecurity/sarif-support-3 
docs: Fix docs and add improved example repo
 2020-07-30 14:35:51 -07:00
Simarpreet Singh
4edb45e6ff docs: Fix docs and add improved example repo 
Signed-off-by: Simarpreet Singh <simar@linux.com>
 2020-07-30 14:32:23 -07:00
Simarpreet Singh
6d50808eba Merge pull request #13 from simar7/sarif-support 
SARIF: Add support for sarif output
 2020-07-28 11:22:16 -07:00
Simarpreet Singh
8cc32f763c README: Add instructions on how to use Trivy for GH Code Scanning 
Signed-off-by: Simarpreet Singh <simar@linux.com>
 2020-07-28 10:48:20 -07:00
Simarpreet Singh
3fadcda6be action: Add template option 
Signed-off-by: Simarpreet Singh <simar@linux.com>
 2020-07-27 15:55:05 -07:00
Simarpreet Singh
d424596f39 action: Change option to template instead 
Signed-off-by: Simarpreet Singh <simar@linux.com>
 2020-07-27 15:29:14 -07:00
Simarpreet Singh
6b9375bd16 sarif: Add support for sarif output 
Signed-off-by: Simarpreet Singh <simar@linux.com>
 2020-07-24 14:17:51 -07:00
Zois Pagoulatos
f498173417 feat: Add support for --ignore-unfixed flag (#10) 
Resolves: #9
 2020-06-22 19:40:11 +02:00
Zois Pagoulatos
c88ebc55b9 docs: Update README with 0.0.6 release (#8) 
Actions using `0.0.5` are failing with 
`(Line: 26, Col: 10): Unrecognized named-value: 'inputs'. Located at position 1 within expression: inputs.version`

Resolves: #7
 2020-06-18 10:50:30 +02:00
Daniel Pacak
1eb53c0425 docs: Update README.md 
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
 2020-06-03 09:33:30 +02:00
Daniel Pacak
e09a3cf5ca fix: Use the latest version of Trivy 
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
 2020-06-03 00:23:27 +02:00
Daniel Pacak
248a0c40b9 docs: Add badges (#6) 
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
 2020-06-03 00:09:08 +02:00
Daniel Pacak
1c67427335 feat: Add severity arg (#5) 
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
 2020-06-02 23:39:09 +02:00
Daniel Pacak
74538091fa docs: Update README.md (#4) 
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
 2020-06-02 21:17:22 +02:00
Daniel Pacak
7991a69583 chore: Update action metadata (#3) 
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
 2020-06-02 19:43:09 +02:00
Daniel Pacak
677942f9f7 feat: Add exit-code to Trivy args (#1) (#2) 
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
 2020-06-02 18:32:53 +02:00
24 changed files with 1943 additions and 12 deletions
Expand all files Collapse all files
.github/workflows/build.yaml
Vendored
+28
View File
@@ -0,0 +1,28 @@
name: "build"
on: [push, pull_request]
env:
TRIVY_VERSION: 0.38.1
BATS_LIB_PATH: '/usr/lib/'
jobs:
build:
name: build
runs-on: ubuntu-20.04
steps:
- name: Setup BATS
uses: mig4/setup-bats@v1
with:
bats-version: 1.7.0
- name: Setup Bats libs
uses: brokenpip3/setup-bats-libs@0.1.0
- name: Check out code
uses: actions/checkout@v1
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
- name: Test
run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .
.gitignore
Vendored
+4
View File
@@ -1 +1,5 @@
.idea/
*.test
!test/data/*.test
trivyignores
.vscode/
Dockerfile
+5
View File
@@ -0,0 +1,5 @@
FROM ghcr.io/aquasecurity/trivy:0.38.1
COPY entrypoint.sh /
RUN apk --no-cache add bash curl npm
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
LICENSE
+201
View File
@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Makefile
+4
View File
@@ -0,0 +1,4 @@
.PHONY: test
test:
BATS_LIB_PATH=/usr/local/lib/ bats -r .
README.md
+511 -1
View File
@@ -1,2 +1,512 @@
# Trivy GitHub Action
# Trivy Action
> [GitHub Action](https://github.com/features/actions) for [Trivy](https://github.com/aquasecurity/trivy)
[![GitHub Release][release-img]][release]
[![GitHub Marketplace][marketplace-img]][marketplace]
[![License][license-img]][license]
![](docs/images/trivy-action.png)
## Table of Contents
- [Usage](#usage)
- [Workflow](#workflow)
- [Docker Image Scanning](#using-trivy-with-github-code-scanning)
- [Git Repository Scanning](#using-trivy-to-scan-your-git-repo)
- [Customizing](#customizing)
- [Inputs](#inputs)
## Usage
### Scan CI Pipeline
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
```
### Scan CI Pipeline (w/ Trivy Config)
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: trivy.yaml
```
In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
```yaml
format: json
exit-code: 1
severity: CRITICAL
```
It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
- `scan-ref`: If using `fs, repo` scans.
- `image-ref`: If using `image` scan.
- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.
#### Order of prerference for options
Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:
- GitHub Action flag
- Environment variable
- Config file
- Default
### Scanning a Tarball
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Generate tarball from image
run: |
docker pull <your-docker-image>
docker save -o vuln-image.tar <your-docker-image>
- name: Run Trivy vulnerability scanner in tarball mode
uses: aquasecurity/trivy-action@master
with:
input: /github/workspace/vuln-image.tar
severity: 'CRITICAL,HIGH'
```
### Using Trivy with GitHub Code Scanning
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml
If you would like to upload SARIF results to GitHub Code scanning even upon a non zero exit code from Trivy Scan, you can add the following to your upload step:
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'
```
See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always
### Using Trivy to scan your Git repo
It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to scan your rootfs directories
It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner with rootfs command
uses: aquasecurity/trivy-action@master
with:
scan-type: 'rootfs'
scan-ref: 'rootfs-example-binary'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to scan Infrastructure as Code
It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'config'
hide-progress: false
format: 'sarif'
output: 'trivy-results.sarif'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to generate SBOM
It's possible for Trivy to generate an SBOM of your dependencies and submit them to a consumer like GitHub Dependency Snapshot.
The sending of SBOM to GitHub feature is only available if you currently have [GitHub Dependency Snapshot](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) available to you in your repo.
In order to send results to the GitHub Dependency Snapshot, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
```yaml
---
name: Pull Request
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Checks
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'github'
output: 'dependency-results.sbom.json'
image-ref: '.'
github-pat: '<github_pat_token>'
```
### Using Trivy to scan your private registry
It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.
#### Docker Hub registry
Docker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
You don't need to set ENV vars when downloading from a public repository.
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
env:
TRIVY_USERNAME: Username
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
#### AWS ECR (Elastic Container Registry)
Trivy uses AWS SDK. You don't need to install `aws` CLI tool.
You can use [AWS CLI's ENV Vars][env-var].
[env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
env:
AWS_ACCESS_KEY_ID: key_id
AWS_SECRET_ACCESS_KEY: access_key
AWS_DEFAULT_REGION: us-west-2
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
#### GCR (Google Container Registry)
Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
If you want to use target project's repository, you can set it via `GOOGLE_APPLICATION_CREDENTIAL`.
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
env:
GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
#### Self-Hosted
BasicAuth server needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
if you want to use 80 port, use NonSSL `TRIVY_NON_SSL=true`
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
env:
TRIVY_USERNAME: Username
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
## Customizing
### inputs
Following inputs can be used as `step.with` keys:
| Name | Type | Default | Description |
|------------------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | | Cache directory |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `true` | Suppress progress bar |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `trivy-config` | String | | Path to trivy.yaml config |
| `github-pat` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
[marketplace]: https://github.com/marketplace/actions/aqua-security-trivy
[marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github
[license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE
[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
action.yaml
+116 -11
View File
@@ -1,16 +1,121 @@
name: 'Trivy Vulnerability Scanner'
description: 'Scan container image for vulnerabilities with Trivy'
author: 'Daniel Pacak'
name: 'Aqua Security Trivy'
description: 'Scans container images for vulnerabilities with Trivy'
author: 'Aqua Security'
inputs:
image-ref: # Docker image reference, e.g. alpine:3.10.2
description: 'Docker image reference'
required: true
exit-code:
description: 'Exit code'
scan-type:
description: 'Scan type to use for scanning vulnerability'
required: false
default: '0'
default: 'image'
image-ref:
description: 'image reference(for backward compatibility)'
required: true
input:
description: 'reference of tar file to scan'
required: false
default: ''
scan-ref:
description: 'Scan reference'
required: false
default: '.'
exit-code:
description: 'exit code when vulnerabilities were found'
required: false
ignore-unfixed:
description: 'ignore unfixed vulnerabilities'
required: false
default: 'false'
vuln-type:
description: 'comma-separated list of vulnerability types (os,library)'
required: false
default: 'os,library'
severity:
description: 'severities of vulnerabilities to be displayed'
required: false
default: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
format:
description: 'output format (table, json, template)'
required: false
default: 'table'
template:
description: 'use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl)'
required: false
default: ''
output:
description: 'writes results to a file with the specified file name'
required: false
default: ''
skip-dirs:
description: 'comma separated list of directories where traversal is skipped'
required: false
default: ''
skip-files:
description: 'comma separated list of files to be skipped'
required: false
default: ''
cache-dir:
description: 'specify where the cache is stored'
required: false
default: ''
timeout:
description: 'timeout (default 5m0s)'
required: false
default: ''
ignore-policy:
description: 'filter vulnerabilities with OPA rego language'
required: false
default: ''
hide-progress:
description: 'hide progress output'
required: false
list-all-pkgs:
description: 'output all packages regardless of vulnerability'
required: false
default: 'false'
scanners:
description: 'comma-separated list of what security issues to detect'
required: false
default: ''
trivyignores:
description: 'comma-separated list of relative paths in repository to one or more .trivyignore files'
required: false
default: ''
artifact-type:
description: 'input artifact type (image, fs, repo, archive) for SBOM generation'
required: false
github-pat:
description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
required: false
trivy-config:
description: 'path to trivy.yaml config'
required: false
limit-severities-for-sarif:
description: 'limit severities for SARIF format'
required: false
runs:
using: 'docker'
image: 'docker://docker.io/aquasec/trivy:latest'
image: "Dockerfile"
args:
- --exit-code ${{ inputs.exit-code }} ${{ inputs.image-ref }}
- '-a ${{ inputs.scan-type }}'
- '-b ${{ inputs.format }}'
- '-c ${{ inputs.template }}'
- '-d ${{ inputs.exit-code }}'
- '-e ${{ inputs.ignore-unfixed }}'
- '-f ${{ inputs.vuln-type }}'
- '-g ${{ inputs.severity }}'
- '-h ${{ inputs.output }}'
- '-i ${{ inputs.image-ref }}'
- '-j ${{ inputs.scan-ref }}'
- '-k ${{ inputs.skip-dirs }}'
- '-l ${{ inputs.input }}'
- '-m ${{ inputs.cache-dir }}'
- '-n ${{ inputs.timeout }}'
- '-o ${{ inputs.ignore-policy }}'
- '-p ${{ inputs.hide-progress }}'
- '-q ${{ inputs.skip-files }}'
- '-r ${{ inputs.list-all-pkgs }}'
- '-s ${{ inputs.scanners }}'
- '-t ${{ inputs.trivyignores }}'
- '-u ${{ inputs.github-pat }}'
- '-v ${{ inputs.trivy-config }}'
- '-z ${{ inputs.limit-severities-for-sarif }}'
docs/images/trivy-action.png
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 505 KiB

entrypoint.sh
Executable
+198
View File
@@ -0,0 +1,198 @@
#!/bin/bash
set -e
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
case "${o}" in
a)
export scanType=${OPTARG}
;;
b)
export format=${OPTARG}
;;
c)
export template=${OPTARG}
;;
d)
export exitCode=${OPTARG}
;;
e)
export ignoreUnfixed=${OPTARG}
;;
f)
export vulnType=${OPTARG}
;;
g)
export severity=${OPTARG}
;;
h)
export output=${OPTARG}
;;
i)
export imageRef=${OPTARG}
;;
j)
export scanRef=${OPTARG}
;;
k)
export skipDirs=${OPTARG}
;;
l)
export input=${OPTARG}
;;
m)
export cacheDir=${OPTARG}
;;
n)
export timeout=${OPTARG}
;;
o)
export ignorePolicy=${OPTARG}
;;
p)
export hideProgress=${OPTARG}
;;
q)
export skipFiles=${OPTARG}
;;
r)
export listAllPkgs=${OPTARG}
;;
s)
export scanners=${OPTARG}
;;
t)
export trivyIgnores=${OPTARG}
;;
u)
export githubPAT=${OPTARG}
;;
v)
export trivyConfig=${OPTARG}
;;
z)
export limitSeveritiesForSARIF=${OPTARG}
;;
esac
done
scanType=$(echo $scanType | tr -d '\r')
export artifactRef="${imageRef}"
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
artifactRef=$(echo $scanRef | tr -d '\r')
fi
input=$(echo $input | tr -d '\r')
if [ $input ]; then
artifactRef="--input $input"
fi
#trim leading spaces for boolean params
ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
hideProgress=$(echo $hideProgress | tr -d '\r')
limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')
GLOBAL_ARGS=""
if [ $cacheDir ];then
GLOBAL_ARGS="$GLOBAL_ARGS --cache-dir $cacheDir"
fi
SARIF_ARGS=""
ARGS=""
format=$(echo $format | xargs)
if [ $format ];then
ARGS="$ARGS --format $format"
fi
if [ $template ] ;then
ARGS="$ARGS --template $template"
fi
if [ $exitCode ];then
ARGS="$ARGS --exit-code $exitCode"
fi
if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
ARGS="$ARGS --ignore-unfixed"
SARIF_ARGS="$SARIF_ARGS --ignore-unfixed"
fi
if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];then
ARGS="$ARGS --vuln-type $vulnType"
SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
fi
if [ $scanners ];then
ARGS="$ARGS --scanners $scanners"
SARIF_ARGS="$SARIF_ARGS --scanners $scanners"
fi
if [ $severity ];then
ARGS="$ARGS --severity $severity"
fi
if [ $output ];then
ARGS="$ARGS --output $output"
fi
if [ $skipDirs ];then
for i in $(echo $skipDirs | tr "," "\n")
do
ARGS="$ARGS --skip-dirs $i"
SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
done
fi
if [ $trivyIgnores ];then
for f in $(echo $trivyIgnores | tr "," "\n")
do
if [ -f "$f" ]; then
echo "Found ignorefile '${f}':"
cat "${f}"
cat "${f}" >> ./trivyignores
else
echo "ERROR: cannot find ignorefile '${f}'."
exit 1
fi
done
ARGS="$ARGS --ignorefile ./trivyignores"
fi
if [ $timeout ];then
ARGS="$ARGS --timeout $timeout"
SARIF_ARGS="$SARIF_ARGS --timeout $timeout"
fi
if [ $ignorePolicy ];then
ARGS="$ARGS --ignore-policy $ignorePolicy"
SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy"
fi
if [ "$hideProgress" == "true" ];then
ARGS="$ARGS --no-progress"
fi
listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
if [ "$listAllPkgs" == "true" ];then
ARGS="$ARGS --list-all-pkgs"
fi
if [ "$skipFiles" ];then
for i in $(echo $skipFiles | tr "," "\n")
do
ARGS="$ARGS --skip-files $i"
done
fi
trivyConfig=$(echo $trivyConfig | tr -d '\r')
if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
# SARIF is special. We output all vulnerabilities,
# regardless of severity level specified in this report.
# This is a feature, not a bug :)
echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
elif [ $trivyConfig ]; then
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
trivy --config $trivyConfig ${scanType} ${artifactRef}
returnCode=$?
else
echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
returnCode=$?
fi
if [[ "${format}" == "github" ]]; then
if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
printf "\n Uploading GitHub Dependency Snapshot"
curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubPAT" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
else
printf "\n Failing GitHub Dependency Snapshot. Missing github-pat"
fi
fi
exit $returnCode
test/data/.trivyignore1
+3
View File
@@ -0,0 +1,3 @@
# test data #1 for trivy-ignores option
CVE-2020-25576
CVE-2019-15551
test/data/.trivyignore2
+2
View File
@@ -0,0 +1,2 @@
# test data #2 for trivy-ignores option
CVE-2019-15554
test/data/config-sarif.test
+134
View File
@@ -0,0 +1,134 @@
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
"runs": [
{
"tool": {
"driver": {
"fullName": "Trivy Vulnerability Scanner",
"informationUri": "https://github.com/aquasecurity/trivy",
"name": "Trivy",
"rules": [
{
"id": "DS002",
"name": "Misconfiguration",
"shortDescription": {
"text": "Image user should not be \u0026#39;root\u0026#39;"
},
"fullDescription": {
"text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/ds002",
"help": {
"text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH\nCheck: Image user should not be 'root'\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"markdown": "**Misconfiguration DS002**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\n\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "DS026",
"name": "Misconfiguration",
"shortDescription": {
"text": "No HEALTHCHECK defined"
},
"fullDescription": {
"text": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
},
"defaultConfiguration": {
"level": "note"
},
"helpUri": "https://avd.aquasec.com/misconfig/ds026",
"help": {
"text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
"markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
},
"properties": {
"precision": "very-high",
"security-severity": "2.0",
"tags": [
"misconfiguration",
"security",
"LOW"
]
}
}
],
"version": "0.38.1"
}
},
"results": [
{
"ruleId": "DS002",
"ruleIndex": 0,
"level": "error",
"message": {
"text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS002\nSeverity: HIGH\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "Dockerfile",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
},
"message": {
"text": "Dockerfile"
}
}
]
},
{
"ruleId": "DS026",
"ruleIndex": 1,
"level": "note",
"message": {
"text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "Dockerfile",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
},
"message": {
"text": "Dockerfile"
}
}
]
}
],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {
"uri": "file:///"
}
}
}
]
}
test/data/config.test
+83
View File
@@ -0,0 +1,83 @@
{
"SchemaVersion": 2,
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 22,
"Failures": 2,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
},
{
"Type": "Dockerfile Security Check",
"ID": "DS026",
"AVDID": "AVD-DS-0026",
"Title": "No HEALTHCHECK defined",
"Description": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
"Namespace": "builtin.dockerfile.DS026",
"Query": "data.builtin.dockerfile.DS026.deny",
"Resolution": "Add HEALTHCHECK instruction in Dockerfile",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
"References": [
"https://blog.aquasec.com/docker-security-best-practices",
"https://avd.aquasec.com/misconfig/ds026"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
}
]
}
test/data/fs-scheck.test
+83
View File
@@ -0,0 +1,83 @@
{
"SchemaVersion": 2,
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 22,
"Failures": 2,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
},
{
"Type": "Dockerfile Security Check",
"ID": "DS026",
"AVDID": "AVD-DS-0026",
"Title": "No HEALTHCHECK defined",
"Description": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
"Namespace": "builtin.dockerfile.DS026",
"Query": "data.builtin.dockerfile.DS026.deny",
"Resolution": "Add HEALTHCHECK instruction in Dockerfile",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
"References": [
"https://blog.aquasec.com/docker-security-best-practices",
"https://avd.aquasec.com/misconfig/ds026"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
}
]
}
test/data/fs.test
View File
test/data/image-sarif.test
+77
View File
@@ -0,0 +1,77 @@
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
"runs": [
{
"tool": {
"driver": {
"fullName": "Trivy Vulnerability Scanner",
"informationUri": "https://github.com/aquasecurity/trivy",
"name": "Trivy",
"rules": [
{
"id": "CVE-2021-36159",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2021-36159"
},
"fullDescription": {
"text": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the \u0026#39;\\0\u0026#39; terminator one byte too late."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2021-36159",
"help": {
"text": "Vulnerability CVE-2021-36159\nSeverity: CRITICAL\nPackage: apk-tools\nFixed Version: 2.10.7-r0\nLink: [CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)\nlibfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
"markdown": "**Vulnerability CVE-2021-36159**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|apk-tools|2.10.7-r0|[CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)|\n\nlibfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late."
},
"properties": {
"precision": "very-high",
"security-severity": "9.1",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
}
],
"version": "0.38.1"
}
},
"results": [
{
"ruleId": "CVE-2021-36159",
"ruleIndex": 0,
"level": "error",
"message": {
"text": "Package: apk-tools\nInstalled Version: 2.10.6-r0\nVulnerability CVE-2021-36159\nSeverity: CRITICAL\nFixed Version: 2.10.7-r0\nLink: [CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "library/alpine",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
}
}
]
}
],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {
"uri": "file:///"
}
}
}
]
}
test/data/image-trivyignores.test
+89
View File
@@ -0,0 +1,89 @@
knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)
┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16839 │ │ │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ │ │ curl: Use-after-free when closing "easy" handle in │
│ │ │ │ │ │ Curl_close() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16840 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ formatting │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-3822 │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ git │ CVE-2018-17456 │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-1353 │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
│ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ │ │ curl: Use-after-free when closing "easy" handle in │
│ │ │ │ │ │ Curl_close() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16840 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ formatting │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-3822 │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
│ │ │ │ │ │ adjustment im ...... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
├─────────────┤ │ │ │ │ │
│ musl-utils │ │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
rust-app/Cargo.lock (cargo)
===========================
Total: 2 (CRITICAL: 2)
┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ openssl │ CVE-2018-20997 │ CRITICAL │ 0.8.3 │ 0.10.9 │ Use after free in openssl │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20997 │
├──────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ smallvec │ CVE-2021-25900 │ │ 0.6.9 │ 1.6.1, 0.6.14 │ An issue was discovered in the smallvec crate before 0.6.14 │
│ │ │ │ │ │ and 1.x... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
└──────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
test/data/image.test
+101
View File
@@ -0,0 +1,101 @@
knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)
┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16839 │ │ │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ │ │ curl: Use-after-free when closing "easy" handle in │
│ │ │ │ │ │ Curl_close() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16840 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ formatting │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-3822 │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ git │ CVE-2018-17456 │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-1353 │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
│ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ │ │ curl: Use-after-free when closing "easy" handle in │
│ │ │ │ │ │ Curl_close() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16840 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ formatting │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-3822 │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
│ │ │ │ │ │ adjustment im ...... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
├─────────────┤ │ │ │ │ │
│ musl-utils │ │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
rust-app/Cargo.lock (cargo)
===========================
Total: 5 (CRITICAL: 5)
┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ openssl │ CVE-2018-20997 │ CRITICAL │ 0.8.3 │ 0.10.9 │ Use after free in openssl │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20997 │
├───────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ rand_core │ CVE-2020-25576 │ │ 0.4.0 │ 0.3.1, 0.4.2 │ An issue was discovered in the rand_core crate before 0.4.2 │
│ │ │ │ │ │ for Rust.... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-25576 │
├───────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ smallvec │ CVE-2019-15551 │ │ 0.6.9 │ 0.6.10 │ An issue was discovered in the smallvec crate before 0.6.10 │
│ │ │ │ │ │ for Rust.... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15551 │
│ ├────────────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-15554 │ │ │ │ An issue was discovered in the smallvec crate before 0.6.10 │
│ │ │ │ │ │ for Rust.... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15554 │
│ ├────────────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2021-25900 │ │ │ 1.6.1, 0.6.14 │ An issue was discovered in the smallvec crate before 0.6.14 │
│ │ │ │ │ │ and 1.x... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
test/data/repo.test
+77
View File
@@ -0,0 +1,77 @@
{
"SchemaVersion": 2,
"ArtifactName": "https://github.com/krol3/demo-trivy/",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "env",
"Class": "secret",
"Secrets": [
{
"RuleID": "github-pat",
"Category": "GitHub",
"Severity": "CRITICAL",
"Title": "GitHub Personal Access Token",
"StartLine": 5,
"EndLine": 5,
"Code": {
"Lines": [
{
"Number": 3,
"Content": "export AWS_ACCESS_KEY_ID=1234567",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "export AWS_ACCESS_KEY_ID=1234567",
"FirstCause": false,
"LastCause": false
},
{
"Number": 4,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 5,
"Content": "export GITHUB_PAT=****************************************",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "export GITHUB_PAT=****************************************",
"FirstCause": true,
"LastCause": true
},
{
"Number": 6,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
}
]
},
"Match": "export GITHUB_PAT=****************************************",
"Layer": {}
}
]
}
]
}
test/data/rootfs.test
View File
test/data/trivy.yaml
+5
View File
@@ -0,0 +1,5 @@
format: json
severity: CRITICAL
vulnerability:
type: os
output: yamlconfig.test
test/data/yamlconfig.test
+105
View File
@@ -0,0 +1,105 @@
{
"SchemaVersion": 2,
"ArtifactName": "alpine:3.10",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "alpine",
"Name": "3.10.9",
"EOSL": true
},
"ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
"DiffIDs": [
"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
],
"RepoTags": [
"alpine:3.10"
],
"RepoDigests": [
"alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
],
"ImageConfig": {
"architecture": "amd64",
"container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
"created": "2021-04-14T19:20:05.338397761Z",
"docker_version": "19.03.12",
"history": [
{
"created": "2021-04-14T19:20:04.987219124Z",
"created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
},
{
"created": "2021-04-14T19:20:05.338397761Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
]
},
"config": {
"Cmd": [
"/bin/sh"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
}
}
},
"Results": [
{
"Target": "alpine:3.10 (alpine 3.10.9)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2021-36159",
"PkgID": "apk-tools@2.10.6-r0",
"PkgName": "apk-tools",
"InstalledVersion": "2.10.6-r0",
"FixedVersion": "2.10.7-r0",
"Layer": {
"Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
"DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"V2Score": 6.4,
"V3Score": 9.1
}
},
"References": [
"https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
"https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
],
"PublishedDate": "2021-08-03T14:15:00Z",
"LastModifiedDate": "2021-10-18T12:19:00Z"
}
]
}
]
}
test/test.bats
+83
View File
@@ -0,0 +1,83 @@
#!/usr/bin/env bats
bats_load_library bats-support
bats_load_library bats-assert
bats_load_library bats-file
@test "trivy repo with securityCheck secret only" {
# trivy repo --format json --output repo.test --scanners=secret https://github.com/krol3/demo-trivy/
run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
run diff repo.test ./test/data/repo.test
echo "$output"
assert_files_equal repo.test ./test/data/repo.test
}
@test "trivy image" {
# trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
run diff image.test ./test/data/image.test
echo "$output"
assert_files_equal image.test ./test/data/image.test
}
@test "trivy config sarif report" {
# trivy config --format sarif --output config-sarif.test .
run ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.test' '-j .'
run diff config-sarif.test ./test/data/config-sarif.test
echo "$output"
assert_files_equal config-sarif.test ./test/data/config-sarif.test
}
@test "trivy config" {
# trivy config --format json --output config.test .
run ./entrypoint.sh '-a config' '-b json' '-j .' '-h config.test'
run diff config.test ./test/data/config.test
echo "$output"
assert_files_equal config.test ./test/data/config.test
}
@test "trivy rootfs" {
# trivy rootfs --output rootfs.test .
run ./entrypoint.sh '-a rootfs' '-j .' '-h rootfs.test'
run diff rootfs.test ./test/data/rootfs.test
echo "$output"
assert_files_equal rootfs.test ./test/data/rootfs.test
}
@test "trivy fs" {
# trivy fs --output fs.test .
run ./entrypoint.sh '-a fs' '-j .' '-h fs.test'
run diff fs.test ./test/data/fs.test
echo "$output"
assert_files_equal fs.test ./test/data/fs.test
}
@test "trivy fs with securityChecks option" {
# trivy fs --format json --scanners=vuln,config --output fs-scheck.test .
run ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
run diff fs-scheck.test ./test/data/fs-scheck.test
echo "$output"
assert_files_equal fs-scheck.test ./test/data/fs-scheck.test
}
@test "trivy image with trivyIgnores option" {
# cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
run diff image-trivyignores.test ./test/data/image-trivyignores.test
echo "$output"
assert_files_equal image-trivyignores.test ./test/data/image-trivyignores.test
}
@test "trivy image with sbom output" {
# trivy image --format github knqyf263/vuln-image:1.2.3
run ./entrypoint.sh "-a image" "-b github" "-i knqyf263/vuln-image:1.2.3"
assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' # TODO: Output contains time, need to mock
}
@test "trivy image with trivy.yaml config" {
# trivy --config=./test/data/trivy.yaml image alpine:3.10
run ./entrypoint.sh "-v ./test/data/trivy.yaml" "-a image" "-i alpine:3.10"
run diff yamlconfig.test ./test/data/yamlconfig.test
echo "$output"
assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
}
workflow.yml
+34
View File
@@ -0,0 +1,34 @@
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'