Merge pull request #104 from aquasecurity/feat/security-checks

(feat) Add support for security-checks flag

.github/workflows/build.yaml

@@ -0,0 +1,24 @@
+name: "build"
+on: [push, pull_request]
+env:
+  TRIVY_VERSION: 0.25.0
+jobs:
+  build:
+    name: build
+    runs-on: ubuntu-20.04
+    steps:
+
+      - name: Setup BATS
+        uses: mig4/setup-bats@v1
+        with:
+          bats-version: 1.2.1
+
+      - name: Check out code
+        uses: actions/checkout@v1
+
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
+
+      - name: Test
+        run: bats -r .

.gitignore

@@ -1 +1,2 @@
 .idea/
+*.test

Dockerfile

@@ -0,0 +1,5 @@
+FROM aquasec/trivy:0.25.0
+COPY entrypoint.sh /
+RUN apk --no-cache add bash
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]

LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

README.md

@@ -1,2 +1,404 @@
-# Trivy GitHub Action
+# Trivy Action
 
+> [GitHub Action](https://github.com/features/actions) for [Trivy](https://github.com/aquasecurity/trivy)
+
+[![GitHub Release][release-img]][release]
+[![GitHub Marketplace][marketplace-img]][marketplace]
+[![License][license-img]][license]
+
+![](docs/images/trivy-action.png)
+
+## Table of Contents
+
+- [Usage](#usage)
+  - [Workflow](#workflow)
+  - [Docker Image Scanning](#using-trivy-with-github-code-scanning)
+  - [Git Repository Scanning](#using-trivy-to-scan-your-git-repo)
+- [Customizing](#customizing)
+  - [Inputs](#inputs)
+
+## Usage
+
+### Workflow
+
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+      
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+```
+
+### Using Trivy with GitHub Code Scanning
+If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'
+```
+
+You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml
+
+If you would like to upload SARIF results to GitHub Code scanning even upon a non zero exit code from Trivy Scan, you can add the following to your upload step:
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        if: always() 
+        with:
+          sarif_file: 'trivy-results.sarif'
+```
+
+See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always
+
+### Using Trivy to scan your Git repo
+It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
+
+If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'
+```
+
+### Using Trivy to scan your rootfs directories
+It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
+
+If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Run Trivy vulnerability scanner with rootfs command
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'rootfs'
+          scan-ref: 'rootfs-example-binary'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'
+```
+
+### Using Trivy to scan Infrastucture as Code
+It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
+
+If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Run Trivy vulnerability scanner in IaC mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'config'
+          hide-progress: false
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'
+```
+
+### Using Trivy to scan your private registry
+It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.
+
+#### Docker Hub registry
+Docker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
+You don't need to set ENV vars when downloading from a public repository.
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+        
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+        env:
+          TRIVY_USERNAME: Username
+          TRIVY_PASSWORD: Password        
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'
+```
+
+#### AWS ECR (Elastic Container Registry)
+Trivy uses AWS SDK. You don't need to install `aws` CLI tool.
+You can use [AWS CLI's ENV Vars][env-var].
+
+[env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+        
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+        env:
+          AWS_ACCESS_KEY_ID: key_id
+          AWS_SECRET_ACCESS_KEY: access_key
+          AWS_DEFAULT_REGION: us-west-2
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'
+```
+
+#### GCR (Google Container Registry)
+Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
+
+If you want to use target project's repository, you can set it via `GOOGLE_APPLICATION_CREDENTIAL`.
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+        
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+        env:
+          GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'
+```
+
+#### Self-Hosted
+BasicAuth server needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
+if you want to use 80 port, use NonSSL `TRIVY_NON_SSL=true`
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+        
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+        env:
+          TRIVY_USERNAME: Username
+          TRIVY_PASSWORD: Password        
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'
+```
+
+## Customizing
+
+### inputs
+
+Following inputs can be used as `step.with` keys:
+
+| Name             | Type    | Default                            | Description                                   |
+|------------------|---------|------------------------------------|-----------------------------------------------|
+| `scan-type`      | String  | `image`                            | Scan type, e.g. `image` or `fs`|
+| `input`          | String  |                                    | Tar reference, e.g. `alpine-latest.tar` |
+| `image-ref`      | String  |                                    | Image reference, e.g. `alpine:3.10.2`         |
+| `scan-ref`       | String  | `/github/workspace/`               | Scan reference, e.g. `/github/workspace/` or `.`|
+| `format`         | String  | `table`                            | Output format (`table`, `json`, `sarif`)   |
+| `template`       | String  |                                    | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)|
+| `output`         | String  |                                    | Save results to a file                        |
+| `exit-code`      | String  | `0`                                | Exit code when specified vulnerabilities are found     |
+| `ignore-unfixed` | Boolean | false                              | Ignore unpatched/unfixed vulnerabilities      |
+| `vuln-type`      | String  | `os,library`                       | Vulnerability types (os,library)              |
+| `severity`       | String  | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
+| `skip-dirs`      | String  |                                    | Comma separated list of directories where traversal is skipped |
+| `skip-files`     | String  |                                    | Comma separated list of files where traversal is skipped |
+| `cache-dir`      | String  |                                    | Cache directory                               |
+| `timeout`        | String  | `5m0s`                             | Scan timeout duration                         |
+| `ignore-policy`  | String  |                                    | Filter vulnerabilities with OPA rego language |
+| `list-all-pkgs`  | String  |                                    | Output all packages regardless of vulnerability |
+| `security-checks`| String  | `vuln`                             | comma-separated list of what security issues to detect (`vuln`,`config`)|
+
+[release]: https://github.com/aquasecurity/trivy-action/releases/latest
+[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
+[marketplace]: https://github.com/marketplace/actions/aqua-security-trivy
+[marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github
+[license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE
+[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action

action.yaml

@@ -1,23 +1,102 @@
-name: 'Trivy Vulnerability Scanner'
-description: 'Scan container image for vulnerabilities with Trivy'
-author: 'Daniel Pacak'
+name: 'Aqua Security Trivy'
+description: 'Scans container images for vulnerabilities with Trivy'
+author: 'Aqua Security'
 inputs:
-  image-ref: # Docker image reference, e.g. alpine:3.10.2
-    description: 'Docker image reference'
+  scan-type:
+    description: 'Scan type to use for scanning vulnerability'
+    required: false
+    default: 'image'
+  image-ref:
+    description: 'image reference(for backward compatibility)'
     required: true
+  input:
+    description: 'reference of tar file to scan'
+    required: false
+    default: ''
+  scan-ref:
+    description: 'Scan reference'
+    required: false
+    default: '.'
   exit-code:
-    description: 'Exit code'
+    description: 'exit code when vulnerabilities were found'
     required: false
     default: '0'
+  ignore-unfixed:
+    description: 'ignore unfixed vulnerabilities'
+    required: false
+    default: 'false'
+  vuln-type:
+    description: 'comma-separated list of vulnerability types (os,library)'
+    required: false
+    default: 'os,library'
+  severity:
+    description: 'severities of vulnerabilities to be displayed'
+    required: false
+    default: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
   format:
-    description: 'Output format'
+    description: 'output format (table, json, template)'
     required: false
     default: 'table'
+  template:
+    description: 'use an existing template for rendering output (@/contrib/sarif.tpl, @/contrib/gitlab.tpl, @/contrib/junit.tpl'
+    required: false
+    default: ''
+  output:
+    description: 'writes results to a file with the specified file name'
+    required: false
+    default: ''
+  skip-dirs:
+    description: 'comma separated list of directories where traversal is skipped'
+    required: false
+    default: ''
+  skip-files:
+    description: 'comma separated list of files to be skipped'
+    required: false
+    default: ''
+  cache-dir:
+    description: 'specify where the cache is stored'
+    required: false
+    default: ''
+  timeout:
+    description: 'timeout (default 5m0s)'
+    required: false
+    default: ''
+  ignore-policy:
+    description: 'filter vulnerabilities with OPA rego language'
+    required: false
+    default: ''
+  hide-progress:
+    description: 'hide progress output'
+    required: false
+    default: 'true'
+  list-all-pkgs:
+    description: 'output all packages regardless of vulnerability'
+    required: false
+    default: 'false'
+  security-checks:
+    description: 'comma-separated list of what security issues to detect'
+    required: false
+    default: ''
 runs:
   using: 'docker'
-  image: 'docker://docker.io/aquasec/trivy:latest'
+  image: "Dockerfile"
   args:
-    - 'image'
-    - '--format=${{ inputs.format }}'
-    - '--exit-code=${{ inputs.exit-code }}'
-    - '${{ inputs.image-ref }}'
+    - '-a ${{ inputs.scan-type }}'
+    - '-b ${{ inputs.format }}'
+    - '-c ${{ inputs.template }}'
+    - '-d ${{ inputs.exit-code }}'
+    - '-e ${{ inputs.ignore-unfixed }}'
+    - '-f ${{ inputs.vuln-type }}'
+    - '-g ${{ inputs.severity }}'
+    - '-h ${{ inputs.output }}'
+    - '-i ${{ inputs.image-ref }}'
+    - '-j ${{ inputs.scan-ref }}'
+    - '-k ${{ inputs.skip-dirs }}'
+    - '-l ${{ inputs.input }}'
+    - '-m ${{ inputs.cache-dir }}'
+    - '-n ${{ inputs.timeout }}'
+    - '-o ${{ inputs.ignore-policy }}'
+    - '-p ${{ inputs.hide-progress }}'
+    - '-q ${{ inputs.skip-files }}'
+    - '-r ${{ inputs.list-all-pkgs }}'
+    - '-s ${{ inputs.security-checks }}'

entrypoint.sh

@@ -0,0 +1,152 @@
+#!/bin/bash
+set -e
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:" o; do
+   case "${o}" in
+       a)
+         export scanType=${OPTARG}
+       ;;
+       b)
+         export format=${OPTARG}
+       ;;
+       c)
+         export template=${OPTARG}
+       ;;
+       d)
+         export exitCode=${OPTARG}
+       ;;
+       e)
+         export ignoreUnfixed=${OPTARG}
+       ;;
+       f)
+         export vulnType=${OPTARG}
+       ;;
+       g)
+         export severity=${OPTARG}
+       ;;
+       h)
+         export output=${OPTARG}
+       ;;
+       i)
+         export imageRef=${OPTARG}
+       ;;
+       j)
+         export scanRef=${OPTARG}
+       ;;
+       k)
+         export skipDirs=${OPTARG}
+       ;;
+       l)
+         export input=${OPTARG}
+       ;;
+       m)
+         export cacheDir=${OPTARG}
+       ;;
+       n)
+         export timeout=${OPTARG}
+       ;;
+       o)
+         export ignorePolicy=${OPTARG}
+       ;;
+       p)
+         export hideProgress=${OPTARG}
+       ;;
+       q)
+         export skipFiles=${OPTARG}
+       ;;
+       r)
+         export listAllPkgs=${OPTARG}
+       ;;
+       s)
+         export securityChecks=${OPTARG}
+       ;;
+  esac
+done
+
+scanType=$(echo $scanType | tr -d '\r')
+export artifactRef="${imageRef}"
+if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] ||  [ "${scanType}" = "config" ] ||  [ "${scanType}" = "rootfs" ];then
+  artifactRef=$(echo $scanRef | tr -d '\r')
+fi
+input=$(echo $input | tr -d '\r')
+if [ $input ]; then
+  artifactRef="--input $input"
+fi
+ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
+hideProgress=$(echo $hideProgress | tr -d '\r')
+
+GLOBAL_ARGS=""
+if [ $cacheDir ];then
+  GLOBAL_ARGS="$GLOBAL_ARGS --cache-dir $cacheDir"
+fi
+
+SARIF_ARGS=""
+ARGS=""
+if [ $format ];then
+ ARGS="$ARGS --format $format"
+fi
+if [ $template ] ;then
+ ARGS="$ARGS --template $template"
+fi
+if [ $exitCode ];then
+ ARGS="$ARGS --exit-code $exitCode"
+fi
+if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
+  ARGS="$ARGS --ignore-unfixed"
+  SARIF_ARGS="$SARIF_ARGS --ignore-unfixed"
+fi
+if [ $vulnType ] && [ "$scanType" != "config" ];then
+  ARGS="$ARGS --vuln-type $vulnType"
+  SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
+fi
+if [ $securityChecks ] && [ "$scanType" == "fs" ];then
+  ARGS="$ARGS --security-checks $securityChecks"
+fi
+if [ $severity ];then
+  ARGS="$ARGS --severity $severity"
+fi
+if [ $output ];then
+  ARGS="$ARGS --output $output"
+fi
+if [ $skipDirs ];then
+  for i in $(echo $skipDirs | tr "," "\n")
+  do
+    ARGS="$ARGS --skip-dirs $i"
+    SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
+  done
+fi
+if [ $timeout ];then
+  ARGS="$ARGS --timeout $timeout"
+fi
+if [ $ignorePolicy ];then
+  ARGS="$ARGS --ignore-policy $ignorePolicy"
+  SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy"
+fi
+if [ "$hideProgress" == "true" ];then
+  ARGS="$ARGS --no-progress"
+fi
+
+listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
+if [ "$listAllPkgs" == "true" ];then
+  ARGS="$ARGS --list-all-pkgs"
+fi
+if [ "$skipFiles" ];then
+  for i in $(echo $skipFiles | tr "," "\n")
+  do
+    ARGS="$ARGS --skip-files $i"
+  done
+fi
+
+echo "Running trivy with options: ${ARGS}" "${artifactRef}"
+echo "Global options: " "${GLOBAL_ARGS}"
+trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
+returnCode=$?
+
+# SARIF is special. We output all vulnerabilities,
+# regardless of severity level specified in this report.
+# This is a feature, not a bug :)
+if [[ "${format}" == "sarif" ]]; then
+  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
+  trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
+fi
+
+exit $returnCode

test/data/config.test

@@ -0,0 +1,8 @@
++---------------------------+------------+-----------+----------+------------------------------------------+
+|           TYPE            | MISCONF ID |   CHECK   | SEVERITY |                 MESSAGE                  |
++---------------------------+------------+-----------+----------+------------------------------------------+
+| Dockerfile Security Check |   DS002    | root user |   HIGH   | Specify at least 1 USER                  |
+|                           |            |           |          | command in Dockerfile with               |
+|                           |            |           |          | non-root user as argument                |
+|                           |            |           |          | -->avd.aquasec.com/appshield/ds002       |
++---------------------------+------------+-----------+----------+------------------------------------------+

test/data/fs.test

@@ -0,0 +1,17 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": ".",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  }
+}

test/data/image-sarif.test

@@ -0,0 +1,941 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "fullName": "Trivy Vulnerability Scanner",
+          "informationUri": "https://github.com/aquasecurity/trivy",
+          "name": "Trivy",
+          "rules": [
+            {
+              "id": "CVE-2018-14618",
+              "name": "OsPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2018-14618"
+              },
+              "fullDescription": {
+                "text": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)"
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2018-14618",
+              "help": {
+                "text": "Vulnerability CVE-2018-14618\nSeverity: CRITICAL\nPackage: curl\nFixed Version: 7.61.1-r0\nLink: [CVE-2018-14618](https://avd.aquasec.com/nvd/cve-2018-14618)\ncurl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
+                "markdown": "**Vulnerability CVE-2018-14618**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|curl|7.61.1-r0|[CVE-2018-14618](https://avd.aquasec.com/nvd/cve-2018-14618)|\n\ncurl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)"
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2018-16839",
+              "name": "OsPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2018-16839"
+              },
+              "fullDescription": {
+                "text": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2018-16839",
+              "help": {
+                "text": "Vulnerability CVE-2018-16839\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16839](https://avd.aquasec.com/nvd/cve-2018-16839)\nCurl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
+                "markdown": "**Vulnerability CVE-2018-16839**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r1|[CVE-2018-16839](https://avd.aquasec.com/nvd/cve-2018-16839)|\n\nCurl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2018-16840",
+              "name": "OsPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2018-16840"
+              },
+              "fullDescription": {
+                "text": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an \u0026#39;easy\u0026#39; handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2018-16840",
+              "help": {
+                "text": "Vulnerability CVE-2018-16840\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16840](https://avd.aquasec.com/nvd/cve-2018-16840)\nA heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.",
+                "markdown": "**Vulnerability CVE-2018-16840**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r1|[CVE-2018-16840](https://avd.aquasec.com/nvd/cve-2018-16840)|\n\nA heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2018-16842",
+              "name": "OsPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2018-16842"
+              },
+              "fullDescription": {
+                "text": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2018-16842",
+              "help": {
+                "text": "Vulnerability CVE-2018-16842\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16842](https://avd.aquasec.com/nvd/cve-2018-16842)\nCurl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
+                "markdown": "**Vulnerability CVE-2018-16842**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r1|[CVE-2018-16842](https://avd.aquasec.com/nvd/cve-2018-16842)|\n\nCurl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.1",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2019-3822",
+              "name": "OsPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2019-3822"
+              },
+              "fullDescription": {
+                "text": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large \u0026#39;nt response\u0026#39; data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a \u0026#39;large value\u0026#39; needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-3822",
+              "help": {
+                "text": "Vulnerability CVE-2019-3822\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r2\nLink: [CVE-2019-3822](https://avd.aquasec.com/nvd/cve-2019-3822)\nlibcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.",
+                "markdown": "**Vulnerability CVE-2019-3822**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r2|[CVE-2019-3822](https://avd.aquasec.com/nvd/cve-2019-3822)|\n\nlibcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2019-5481",
+              "name": "OsPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2019-5481"
+              },
+              "fullDescription": {
+                "text": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-5481",
+              "help": {
+                "text": "Vulnerability CVE-2019-5481\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5481](https://avd.aquasec.com/nvd/cve-2019-5481)\nDouble-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
+                "markdown": "**Vulnerability CVE-2019-5481**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r3|[CVE-2019-5481](https://avd.aquasec.com/nvd/cve-2019-5481)|\n\nDouble-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2019-5482",
+              "name": "OsPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2019-5482"
+              },
+              "fullDescription": {
+                "text": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-5482",
+              "help": {
+                "text": "Vulnerability CVE-2019-5482\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5482](https://avd.aquasec.com/nvd/cve-2019-5482)\nHeap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
+                "markdown": "**Vulnerability CVE-2019-5482**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r3|[CVE-2019-5482](https://avd.aquasec.com/nvd/cve-2019-5482)|\n\nHeap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2018-17456",
+              "name": "OsPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2018-17456"
+              },
+              "fullDescription": {
+                "text": "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \u0026#34;git clone\u0026#34; of a superproject if a .gitmodules file has a URL field beginning with a \u0026#39;-\u0026#39; character."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2018-17456",
+              "help": {
+                "text": "Vulnerability CVE-2018-17456\nSeverity: CRITICAL\nPackage: git\nFixed Version: 2.15.3-r0\nLink: [CVE-2018-17456](https://avd.aquasec.com/nvd/cve-2018-17456)\nGit before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.",
+                "markdown": "**Vulnerability CVE-2018-17456**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|git|2.15.3-r0|[CVE-2018-17456](https://avd.aquasec.com/nvd/cve-2018-17456)|\n\nGit before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2019-1353",
+              "name": "OsPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2019-1353"
+              },
+              "fullDescription": {
+                "text": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \u0026#34;WSL\u0026#34;) while accessing a working directory on a regular Windows drive, none of the NTFS protections were active."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1353",
+              "help": {
+                "text": "Vulnerability CVE-2019-1353\nSeverity: CRITICAL\nPackage: git\nFixed Version: 2.15.4-r0\nLink: [CVE-2019-1353](https://avd.aquasec.com/nvd/cve-2019-1353)\nAn issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \"WSL\") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.",
+                "markdown": "**Vulnerability CVE-2019-1353**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|git|2.15.4-r0|[CVE-2019-1353](https://avd.aquasec.com/nvd/cve-2019-1353)|\n\nAn issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \"WSL\") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2019-12900",
+              "name": "OsPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2019-12900"
+              },
+              "fullDescription": {
+                "text": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-12900",
+              "help": {
+                "text": "Vulnerability CVE-2019-12900\nSeverity: CRITICAL\nPackage: libbz2\nFixed Version: 1.0.6-r7\nLink: [CVE-2019-12900](https://avd.aquasec.com/nvd/cve-2019-12900)\nBZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.",
+                "markdown": "**Vulnerability CVE-2019-12900**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libbz2|1.0.6-r7|[CVE-2019-12900](https://avd.aquasec.com/nvd/cve-2019-12900)|\n\nBZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2019-14697",
+              "name": "OsPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2019-14697"
+              },
+              "fullDescription": {
+                "text": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application\u0026#39;s source code."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-14697",
+              "help": {
+                "text": "Vulnerability CVE-2019-14697\nSeverity: CRITICAL\nPackage: musl-utils\nFixed Version: 1.1.18-r4\nLink: [CVE-2019-14697](https://avd.aquasec.com/nvd/cve-2019-14697)\nmusl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
+                "markdown": "**Vulnerability CVE-2019-14697**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|musl-utils|1.1.18-r4|[CVE-2019-14697](https://avd.aquasec.com/nvd/cve-2019-14697)|\n\nmusl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2019-8457",
+              "name": "OsPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2019-8457"
+              },
+              "fullDescription": {
+                "text": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-8457",
+              "help": {
+                "text": "Vulnerability CVE-2019-8457\nSeverity: CRITICAL\nPackage: sqlite-libs\nFixed Version: 3.25.3-r1\nLink: [CVE-2019-8457](https://avd.aquasec.com/nvd/cve-2019-8457)\nSQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.",
+                "markdown": "**Vulnerability CVE-2019-8457**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|sqlite-libs|3.25.3-r1|[CVE-2019-8457](https://avd.aquasec.com/nvd/cve-2019-8457)|\n\nSQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2020-25576",
+              "name": "LanguageSpecificPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2020-25576"
+              },
+              "fullDescription": {
+                "text": "An issue was discovered in the rand_core crate before 0.4.2 for Rust. Casting of byte slices to integer slices mishandles alignment constraints."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2020-25576",
+              "help": {
+                "text": "Vulnerability CVE-2020-25576\nSeverity: CRITICAL\nPackage: rand_core\nFixed Version: 0.3.1, 0.4.2\nLink: [CVE-2020-25576](https://avd.aquasec.com/nvd/cve-2020-25576)\nAn issue was discovered in the rand_core crate before 0.4.2 for Rust. Casting of byte slices to integer slices mishandles alignment constraints.",
+                "markdown": "**Vulnerability CVE-2020-25576**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|rand_core|0.3.1, 0.4.2|[CVE-2020-25576](https://avd.aquasec.com/nvd/cve-2020-25576)|\n\nAn issue was discovered in the rand_core crate before 0.4.2 for Rust. Casting of byte slices to integer slices mishandles alignment constraints."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2019-15551",
+              "name": "LanguageSpecificPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2019-15551"
+              },
+              "fullDescription": {
+                "text": "An issue was discovered in the smallvec crate before 0.6.10 for Rust. There is a double free for certain grow attempts with the current capacity."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-15551",
+              "help": {
+                "text": "Vulnerability CVE-2019-15551\nSeverity: CRITICAL\nPackage: smallvec\nFixed Version: 0.6.10\nLink: [CVE-2019-15551](https://avd.aquasec.com/nvd/cve-2019-15551)\nAn issue was discovered in the smallvec crate before 0.6.10 for Rust. There is a double free for certain grow attempts with the current capacity.",
+                "markdown": "**Vulnerability CVE-2019-15551**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|smallvec|0.6.10|[CVE-2019-15551](https://avd.aquasec.com/nvd/cve-2019-15551)|\n\nAn issue was discovered in the smallvec crate before 0.6.10 for Rust. There is a double free for certain grow attempts with the current capacity."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2019-15554",
+              "name": "LanguageSpecificPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2019-15554"
+              },
+              "fullDescription": {
+                "text": "An issue was discovered in the smallvec crate before 0.6.10 for Rust. There is memory corruption for certain grow attempts with less than the current capacity."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-15554",
+              "help": {
+                "text": "Vulnerability CVE-2019-15554\nSeverity: CRITICAL\nPackage: smallvec\nFixed Version: 0.6.10\nLink: [CVE-2019-15554](https://avd.aquasec.com/nvd/cve-2019-15554)\nAn issue was discovered in the smallvec crate before 0.6.10 for Rust. There is memory corruption for certain grow attempts with less than the current capacity.",
+                "markdown": "**Vulnerability CVE-2019-15554**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|smallvec|0.6.10|[CVE-2019-15554](https://avd.aquasec.com/nvd/cve-2019-15554)|\n\nAn issue was discovered in the smallvec crate before 0.6.10 for Rust. There is memory corruption for certain grow attempts with less than the current capacity."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2021-25900",
+              "name": "LanguageSpecificPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2021-25900"
+              },
+              "fullDescription": {
+                "text": "An issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2021-25900",
+              "help": {
+                "text": "Vulnerability CVE-2021-25900\nSeverity: CRITICAL\nPackage: smallvec\nFixed Version: 0.6.14, 1.6.1\nLink: [CVE-2021-25900](https://avd.aquasec.com/nvd/cve-2021-25900)\nAn issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many.",
+                "markdown": "**Vulnerability CVE-2021-25900**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|smallvec|0.6.14, 1.6.1|[CVE-2021-25900](https://avd.aquasec.com/nvd/cve-2021-25900)|\n\nAn issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "9.8",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "CRITICAL"
+                ]
+              }
+            }
+          ],
+          "version": "0.25.0"
+        }
+      },
+      "results": [
+        {
+          "ruleId": "CVE-2018-14618",
+          "ruleIndex": 0,
+          "level": "error",
+          "message": {
+            "text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2018-14618\nSeverity: CRITICAL\nFixed Version: 7.61.1-r0\nLink: [CVE-2018-14618](https://avd.aquasec.com/nvd/cve-2018-14618)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2018-16839",
+          "ruleIndex": 1,
+          "level": "error",
+          "message": {
+            "text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2018-16839\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16839](https://avd.aquasec.com/nvd/cve-2018-16839)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2018-16840",
+          "ruleIndex": 2,
+          "level": "error",
+          "message": {
+            "text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2018-16840\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16840](https://avd.aquasec.com/nvd/cve-2018-16840)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2018-16842",
+          "ruleIndex": 3,
+          "level": "error",
+          "message": {
+            "text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2018-16842\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16842](https://avd.aquasec.com/nvd/cve-2018-16842)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2019-3822",
+          "ruleIndex": 4,
+          "level": "error",
+          "message": {
+            "text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2019-3822\nSeverity: CRITICAL\nFixed Version: 7.61.1-r2\nLink: [CVE-2019-3822](https://avd.aquasec.com/nvd/cve-2019-3822)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2019-5481",
+          "ruleIndex": 5,
+          "level": "error",
+          "message": {
+            "text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2019-5481\nSeverity: CRITICAL\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5481](https://avd.aquasec.com/nvd/cve-2019-5481)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2019-5482",
+          "ruleIndex": 6,
+          "level": "error",
+          "message": {
+            "text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2019-5482\nSeverity: CRITICAL\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5482](https://avd.aquasec.com/nvd/cve-2019-5482)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2018-17456",
+          "ruleIndex": 7,
+          "level": "error",
+          "message": {
+            "text": "Package: git\nInstalled Version: 2.15.2-r0\nVulnerability CVE-2018-17456\nSeverity: CRITICAL\nFixed Version: 2.15.3-r0\nLink: [CVE-2018-17456](https://avd.aquasec.com/nvd/cve-2018-17456)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2019-1353",
+          "ruleIndex": 8,
+          "level": "error",
+          "message": {
+            "text": "Package: git\nInstalled Version: 2.15.2-r0\nVulnerability CVE-2019-1353\nSeverity: CRITICAL\nFixed Version: 2.15.4-r0\nLink: [CVE-2019-1353](https://avd.aquasec.com/nvd/cve-2019-1353)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2019-12900",
+          "ruleIndex": 9,
+          "level": "error",
+          "message": {
+            "text": "Package: libbz2\nInstalled Version: 1.0.6-r6\nVulnerability CVE-2019-12900\nSeverity: CRITICAL\nFixed Version: 1.0.6-r7\nLink: [CVE-2019-12900](https://avd.aquasec.com/nvd/cve-2019-12900)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2018-16839",
+          "ruleIndex": 1,
+          "level": "error",
+          "message": {
+            "text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2018-16839\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16839](https://avd.aquasec.com/nvd/cve-2018-16839)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2018-16840",
+          "ruleIndex": 2,
+          "level": "error",
+          "message": {
+            "text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2018-16840\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16840](https://avd.aquasec.com/nvd/cve-2018-16840)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2018-16842",
+          "ruleIndex": 3,
+          "level": "error",
+          "message": {
+            "text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2018-16842\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16842](https://avd.aquasec.com/nvd/cve-2018-16842)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2019-3822",
+          "ruleIndex": 4,
+          "level": "error",
+          "message": {
+            "text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2019-3822\nSeverity: CRITICAL\nFixed Version: 7.61.1-r2\nLink: [CVE-2019-3822](https://avd.aquasec.com/nvd/cve-2019-3822)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2019-5481",
+          "ruleIndex": 5,
+          "level": "error",
+          "message": {
+            "text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2019-5481\nSeverity: CRITICAL\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5481](https://avd.aquasec.com/nvd/cve-2019-5481)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2019-5482",
+          "ruleIndex": 6,
+          "level": "error",
+          "message": {
+            "text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2019-5482\nSeverity: CRITICAL\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5482](https://avd.aquasec.com/nvd/cve-2019-5482)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2019-14697",
+          "ruleIndex": 10,
+          "level": "error",
+          "message": {
+            "text": "Package: musl\nInstalled Version: 1.1.18-r3\nVulnerability CVE-2019-14697\nSeverity: CRITICAL\nFixed Version: 1.1.18-r4\nLink: [CVE-2019-14697](https://avd.aquasec.com/nvd/cve-2019-14697)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2019-14697",
+          "ruleIndex": 10,
+          "level": "error",
+          "message": {
+            "text": "Package: musl-utils\nInstalled Version: 1.1.18-r3\nVulnerability CVE-2019-14697\nSeverity: CRITICAL\nFixed Version: 1.1.18-r4\nLink: [CVE-2019-14697](https://avd.aquasec.com/nvd/cve-2019-14697)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2019-8457",
+          "ruleIndex": 11,
+          "level": "error",
+          "message": {
+            "text": "Package: sqlite-libs\nInstalled Version: 3.21.0-r1\nVulnerability CVE-2019-8457\nSeverity: CRITICAL\nFixed Version: 3.25.3-r1\nLink: [CVE-2019-8457](https://avd.aquasec.com/nvd/cve-2019-8457)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "knqyf263/vuln-image:1.2.3",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2020-25576",
+          "ruleIndex": 12,
+          "level": "error",
+          "message": {
+            "text": "Package: rand_core\nInstalled Version: 0.4.0\nVulnerability CVE-2020-25576\nSeverity: CRITICAL\nFixed Version: 0.3.1, 0.4.2\nLink: [CVE-2020-25576](https://avd.aquasec.com/nvd/cve-2020-25576)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "rust-app/Cargo.lock",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2019-15551",
+          "ruleIndex": 13,
+          "level": "error",
+          "message": {
+            "text": "Package: smallvec\nInstalled Version: 0.6.9\nVulnerability CVE-2019-15551\nSeverity: CRITICAL\nFixed Version: 0.6.10\nLink: [CVE-2019-15551](https://avd.aquasec.com/nvd/cve-2019-15551)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "rust-app/Cargo.lock",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2019-15554",
+          "ruleIndex": 14,
+          "level": "error",
+          "message": {
+            "text": "Package: smallvec\nInstalled Version: 0.6.9\nVulnerability CVE-2019-15554\nSeverity: CRITICAL\nFixed Version: 0.6.10\nLink: [CVE-2019-15554](https://avd.aquasec.com/nvd/cve-2019-15554)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "rust-app/Cargo.lock",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "CVE-2021-25900",
+          "ruleIndex": 15,
+          "level": "error",
+          "message": {
+            "text": "Package: smallvec\nInstalled Version: 0.6.9\nVulnerability CVE-2021-25900\nSeverity: CRITICAL\nFixed Version: 0.6.14, 1.6.1\nLink: [CVE-2021-25900](https://avd.aquasec.com/nvd/cve-2021-25900)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "rust-app/Cargo.lock",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ]
+        }
+      ],
+      "columnKind": "utf16CodeUnits",
+      "originalUriBaseIds": {
+        "ROOTPATH": {
+          "uri": "file:///"
+        }
+      }
+    }
+  ]
+}

test/data/image.test

@@ -0,0 +1,107 @@
++-------------+------------------+----------+-------------------+---------------+---------------------------------------+
+|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
++-------------+------------------+----------+-------------------+---------------+---------------------------------------+
+| curl        | CVE-2018-14618   | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow          |
+|             |                  |          |                   |               | via integer overflow                  |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-14618 |
++             +------------------+          +                   +---------------+---------------------------------------+
+|             | CVE-2018-16839   |          |                   | 7.61.1-r1     | curl: Integer overflow leading        |
+|             |                  |          |                   |               | to heap-based buffer overflow in      |
+|             |                  |          |                   |               | Curl_sasl_create_plain_message()      |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-16839 |
++             +------------------+          +                   +               +---------------------------------------+
+|             | CVE-2018-16840   |          |                   |               | curl: Use-after-free when closing     |
+|             |                  |          |                   |               | "easy" handle in Curl_close()         |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-16840 |
++             +------------------+          +                   +               +---------------------------------------+
+|             | CVE-2018-16842   |          |                   |               | curl: Heap-based buffer over-read     |
+|             |                  |          |                   |               | in the curl tool warning formatting   |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-16842 |
++             +------------------+          +                   +---------------+---------------------------------------+
+|             | CVE-2019-3822    |          |                   | 7.61.1-r2     | curl: NTLMv2 type-3 header            |
+|             |                  |          |                   |               | stack buffer overflow                 |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-3822  |
++             +------------------+          +                   +---------------+---------------------------------------+
+|             | CVE-2019-5481    |          |                   | 7.61.1-r3     | curl: double free due to              |
+|             |                  |          |                   |               | subsequent call of realloc()          |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-5481  |
++             +------------------+          +                   +               +---------------------------------------+
+|             | CVE-2019-5482    |          |                   |               | curl: heap buffer overflow in         |
+|             |                  |          |                   |               | function tftp_receive_packet()        |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-5482  |
++-------------+------------------+          +-------------------+---------------+---------------------------------------+
+| git         | CVE-2018-17456   |          | 2.15.2-r0         | 2.15.3-r0     | git: arbitrary code                   |
+|             |                  |          |                   |               | execution via .gitmodules             |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-17456 |
++             +------------------+          +                   +---------------+---------------------------------------+
+|             | CVE-2019-1353    |          |                   | 2.15.4-r0     | git: NTFS protections inactive        |
+|             |                  |          |                   |               | when running Git in the               |
+|             |                  |          |                   |               | Windows Subsystem for...              |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1353  |
++-------------+------------------+          +-------------------+---------------+---------------------------------------+
+| libbz2      | CVE-2019-12900   |          | 1.0.6-r6          | 1.0.6-r7      | bzip2: out-of-bounds write            |
+|             |                  |          |                   |               | in function BZ2_decompress            |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-12900 |
++-------------+------------------+          +-------------------+---------------+---------------------------------------+
+| libcurl     | CVE-2018-16839   |          | 7.61.1-r0         | 7.61.1-r1     | curl: Integer overflow leading        |
+|             |                  |          |                   |               | to heap-based buffer overflow in      |
+|             |                  |          |                   |               | Curl_sasl_create_plain_message()      |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-16839 |
++             +------------------+          +                   +               +---------------------------------------+
+|             | CVE-2018-16840   |          |                   |               | curl: Use-after-free when closing     |
+|             |                  |          |                   |               | "easy" handle in Curl_close()         |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-16840 |
++             +------------------+          +                   +               +---------------------------------------+
+|             | CVE-2018-16842   |          |                   |               | curl: Heap-based buffer over-read     |
+|             |                  |          |                   |               | in the curl tool warning formatting   |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-16842 |
++             +------------------+          +                   +---------------+---------------------------------------+
+|             | CVE-2019-3822    |          |                   | 7.61.1-r2     | curl: NTLMv2 type-3 header            |
+|             |                  |          |                   |               | stack buffer overflow                 |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-3822  |
++             +------------------+          +                   +---------------+---------------------------------------+
+|             | CVE-2019-5481    |          |                   | 7.61.1-r3     | curl: double free due to              |
+|             |                  |          |                   |               | subsequent call of realloc()          |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-5481  |
++             +------------------+          +                   +               +---------------------------------------+
+|             | CVE-2019-5482    |          |                   |               | curl: heap buffer overflow in         |
+|             |                  |          |                   |               | function tftp_receive_packet()        |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-5482  |
++-------------+------------------+          +-------------------+---------------+---------------------------------------+
+| musl        | CVE-2019-14697   |          | 1.1.18-r3         | 1.1.18-r4     | musl libc through 1.1.23              |
+|             |                  |          |                   |               | has an x87 floating-point             |
+|             |                  |          |                   |               | stack adjustment im ......            |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-14697 |
++-------------+                  +          +                   +               +                                       +
+| musl-utils  |                  |          |                   |               |                                       |
+|             |                  |          |                   |               |                                       |
+|             |                  |          |                   |               |                                       |
+|             |                  |          |                   |               |                                       |
++-------------+------------------+          +-------------------+---------------+---------------------------------------+
+| sqlite-libs | CVE-2019-8457    |          | 3.21.0-r1         | 3.25.3-r1     | sqlite: heap out-of-bound             |
+|             |                  |          |                   |               | read in function rtreenode()          |
+|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-8457  |
++-------------+------------------+----------+-------------------+---------------+---------------------------------------+
++-----------+------------------+----------+-------------------+---------------+---------------------------------------+
+|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
++-----------+------------------+----------+-------------------+---------------+---------------------------------------+
+| rand_core | CVE-2020-25576   | CRITICAL | 0.4.0             | 0.3.1, 0.4.2  | An issue was discovered               |
+|           |                  |          |                   |               | in the rand_core crate                |
+|           |                  |          |                   |               | before 0.4.2 for Rust....             |
+|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-25576 |
++-----------+------------------+          +-------------------+---------------+---------------------------------------+
+| smallvec  | CVE-2019-15551   |          | 0.6.9             | 0.6.10        | An issue was discovered               |
+|           |                  |          |                   |               | in the smallvec crate                 |
+|           |                  |          |                   |               | before 0.6.10 for Rust....            |
+|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-15551 |
++           +------------------+          +                   +               +---------------------------------------+
+|           | CVE-2019-15554   |          |                   |               | An issue was discovered               |
+|           |                  |          |                   |               | in the smallvec crate                 |
+|           |                  |          |                   |               | before 0.6.10 for Rust....            |
+|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-15554 |
++           +------------------+          +                   +---------------+---------------------------------------+
+|           | CVE-2021-25900   |          |                   | 0.6.14, 1.6.1 | An issue was discovered               |
+|           |                  |          |                   |               | in the smallvec crate                 |
+|           |                  |          |                   |               | before 0.6.14 and 1.x...              |
+|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-25900 |
++-----------+------------------+----------+-------------------+---------------+---------------------------------------+

test/data/repo.test

@@ -0,0 +1,17 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "https://github.com/aquasecurity/trivy-action/",
+  "ArtifactType": "repository",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  }
+}

test/data/rootfs.test

@@ -0,0 +1,17 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": ".",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  }
+}

test/test.bats

@@ -0,0 +1,43 @@
+#!/usr/bin/env bats
+
+@test "trivy image" {
+  # trivy image --severity CRITICAL -o image.test knqyf263/vuln-image:1.2.3
+  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b table' '-h image.test' '-g CRITICAL'
+  result="$(diff ./test/data/image.test image.test)"
+  [ "$result" == '' ]
+}
+
+@test "trivy image sarif report" {
+  # trivy image --severity CRITICAL -f sarif -o image-sarif.test knqyf263/vuln-image:1.2.3
+  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b sarif' '-h image-sarif.test' '-g CRITICAL'
+  result="$(diff ./test/data/image-sarif.test image-sarif.test)"
+  [ "$result" == '' ]
+}
+
+@test "trivy config" {
+  # trivy conf -o config.test .
+  ./entrypoint.sh '-a config' '-j .' '-b table' '-h config.test'
+  result="$(diff ./test/data/config.test config.test)"
+  [ "$result" == '' ]
+}
+
+@test "trivy rootfs" {
+  # trivy rootfs -o rootfs.test -f json .
+  ./entrypoint.sh '-a rootfs' '-j .' '-b json' '-h rootfs.test'
+  result="$(diff ./test/data/rootfs.test rootfs.test)"
+  [ "$result" == '' ]
+}
+
+@test "trivy fs" {
+  # trivy fs -f json -o fs.test .
+  ./entrypoint.sh '-a fs' '-j .' '-b json' '-h fs.test'
+  result="$(diff ./test/data/fs.test fs.test)"
+  [ "$result" == '' ]
+}
+
+@test "trivy repo" {
+  # trivy repo -f json -o repo.test --severity CRITICAL https://github.com/aquasecurity/trivy-action/
+  ./entrypoint.sh '-b json' '-h repo.test' '-g CRITICAL' '-a repo' '-j https://github.com/aquasecurity/trivy-action/'
+  result="$(diff ./test/data/repo.test repo.test)"
+  [ "$result" == '' ]
+}

workflow.yml

@@ -0,0 +1,34 @@
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'