chore: Include skip options other than severity filter option when building SARIF report. (#79 )

feat: Build a full SARIF report even if under accepted severity level. (#73 )
Signed-off-by: Simar <simar@linux.com>
2021-11-10 13:11:56 -08:00 · 2021-10-26 17:45:53 -07:00 · 2021-10-26 11:44:53 -07:00 · 2021-10-26 11:43:48 -07:00 · 2021-10-26 11:42:59 -07:00
3 changed files with 19 additions and 3 deletions
@@ -1,5 +1,5 @@
-FROM aquasec/trivy:0.19.2
+FROM aquasec/trivy:0.20.2
 COPY entrypoint.sh /
 RUN apk --no-cache add bash
 RUN chmod +x /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/entrypoint.sh"]
@@ -54,7 +54,7 @@ inputs:
    required: false
    default: ''
  timeout:
-    description: 'timeout (default 2m0s)'
+    description: 'timeout (default 5m0s)'
    required: false
    default: ''
  ignore-policy:
@@ -70,6 +70,7 @@ if [ $cacheDir ];then
  GLOBAL_ARGS="$GLOBAL_ARGS --cache-dir $cacheDir"
 fi

+SARIF_ARGS=""
 ARGS=""
 if [ $format ];then
 ARGS="$ARGS --format $format"
@@ -82,9 +83,11 @@ if [ $exitCode ];then
 fi
 if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
  ARGS="$ARGS --ignore-unfixed"
+  SARIF_ARGS="$SARIF_ARGS --ignore-unfixed"
 fi
 if [ $vulnType ] && [ "$scanType" != "config" ];then
  ARGS="$ARGS --vuln-type $vulnType"
+  SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
 fi
 if [ $severity ];then
  ARGS="$ARGS --severity $severity"
@@ -96,6 +99,7 @@ if [ $skipDirs ];then
  for i in $(echo $skipDirs | tr "," "\n")
  do
    ARGS="$ARGS --skip-dirs $i"
+    SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
  done
 fi
 if [ $timeout ];then
@@ -103,6 +107,7 @@ if [ $timeout ];then
 fi
 if [ $ignorePolicy ];then
  ARGS="$ARGS --ignore-policy $ignorePolicy"
+  SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy"
 fi
 if [ "$hideProgress" == "true" ];then
  ARGS="$ARGS --no-progress"
@@ -111,3 +116,14 @@ fi
 echo "Running trivy with options: ${ARGS}" "${artifactRef}"
 echo "Global options: " "${GLOBAL_ARGS}"
 trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
+returnCode=$?
+
+# SARIF is special. We output all vulnerabilities,
+# regardless of severity level specified in this report.
+# This is a feature, not a bug :)
+if [[ ${template} == *"sarif"* ]]; then
+  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
+  trivy --quiet ${scanType} --format template --template ${template} --output ${output} $SARIF_ARGS ${artifactRef}
+fi
+
+exit $returnCode
Author	SHA1	Message	Date
rahul2393	2a2157eb22	chore: Include skip options other than severity filter option when building SARIF report. (#79 )	2021-11-10 13:11:56 -08:00
Simar	1ccef265f5	feat: Build a full SARIF report even if under accepted severity level. (#73 ) Signed-off-by: Simar <simar@linux.com>	2021-10-26 17:45:53 -07:00
Simar	d62898dfb3	Bump to latest Trivy release	2021-10-26 11:44:53 -07:00
Emil Lengman	6bce46377c	bump to version 0.20.0 to add requirements.txt support (#69 )	2021-10-26 11:43:48 -07:00
Simar	101d9bacf6	Update action.yaml	2021-10-26 11:42:59 -07:00