Compare commits
25 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
7294c6a408 | ||
|
|
df28e4135d | ||
|
|
1d28acf359 | ||
|
|
7684771c94 | ||
|
|
8595c5d059 | ||
|
|
d8496b917f | ||
|
|
ddc1a12251 | ||
|
|
2e51a7d82c | ||
|
|
6087d9d64e | ||
|
|
888827683a | ||
|
|
7e2e12baea | ||
|
|
202e8283bd | ||
|
|
507a96efe4 | ||
|
|
6c3dd513ad | ||
|
|
2b5de51086 | ||
|
|
de7cb7d4ba | ||
|
|
9403afcefd | ||
|
|
28ef387ad0 | ||
|
|
159e7e8ec2 | ||
|
|
4edb45e6ff | ||
|
|
6d50808eba | ||
|
|
8cc32f763c | ||
|
|
3fadcda6be | ||
|
|
d424596f39 | ||
|
|
6b9375bd16 |
@@ -0,0 +1,5 @@
|
||||
FROM aquasec/trivy:latest
|
||||
COPY entrypoint.sh /
|
||||
RUN apk --no-cache add bash
|
||||
RUN chmod +x /entrypoint.sh
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
||||
@@ -1,6 +1,6 @@
|
||||
# Trivy Action
|
||||
|
||||
> [GitHub Action](https://github.com/features/actions) for Trivy
|
||||
> [GitHub Action](https://github.com/features/actions) for [Trivy](https://github.com/aquasecurity/trivy)
|
||||
|
||||
[![GitHub Release][release-img]][release]
|
||||
[![GitHub Marketplace][marketplace-img]][marketplace]
|
||||
@@ -12,6 +12,8 @@
|
||||
|
||||
- [Usage](#usage)
|
||||
- [Workflow](#workflow)
|
||||
- [Docker Image Scanning](#using-trivy-with-github-code-scanning)
|
||||
- [Git Repository Scanning](#using-trivy-to-scan-your-git-repo)
|
||||
- [Customizing](#customizing)
|
||||
- [Inputs](#inputs)
|
||||
|
||||
@@ -31,25 +33,100 @@ jobs:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Setup Go
|
||||
uses: actions/setup-go@v1
|
||||
with:
|
||||
go-version: 1.14
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Build an image from Dockerfile
|
||||
run: |
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
- name: Run vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.0.7
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'table'
|
||||
exit-code: '1'
|
||||
ignore-unfixed: true
|
||||
vuln-type: 'os,library'
|
||||
severity: 'CRITICAL,HIGH'
|
||||
```
|
||||
|
||||
### Using Trivy with GitHub Code Scanning
|
||||
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Build an image from Dockerfile
|
||||
run: |
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml
|
||||
|
||||
### Using Trivy to scan your Git repo
|
||||
It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
|
||||
|
||||
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Build an image from Dockerfile
|
||||
run: |
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
ignore-unfixed: true
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
severity: 'CRITICAL'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
## Customizing
|
||||
|
||||
### inputs
|
||||
@@ -58,15 +135,20 @@ Following inputs can be used as `step.with` keys:
|
||||
|
||||
| Name | Type | Default | Description |
|
||||
|------------------|---------|------------------------------------|-----------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs`|
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`) |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.`|
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `template`) |
|
||||
| `template` | String | | Output template (`@/contrib/sarif.tpl`, `@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)|
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when vulnerabilities were found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to be displayed |
|
||||
|
||||
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
|
||||
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
|
||||
[marketplace]: https://github.com/marketplace/actions/trivy-vulnerability-scanner
|
||||
[marketplace]: https://github.com/marketplace/actions/aqua-security-trivy
|
||||
[marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github
|
||||
[license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE
|
||||
[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
|
||||
|
||||
+35
-11
@@ -1,10 +1,18 @@
|
||||
name: 'Trivy Vulnerability Scanner'
|
||||
name: 'Aqua Security Trivy'
|
||||
description: 'Scans container images for vulnerabilities with Trivy'
|
||||
author: 'Aqua Security'
|
||||
inputs:
|
||||
scan-type:
|
||||
description: 'Scan type to use for scanning vulnerability'
|
||||
required: false
|
||||
default: 'image'
|
||||
image-ref:
|
||||
description: 'image reference'
|
||||
description: 'image reference(for backward compatibility)'
|
||||
required: true
|
||||
scan-ref:
|
||||
description: 'Scan reference'
|
||||
required: false
|
||||
default: '.'
|
||||
exit-code:
|
||||
description: 'exit code when vulnerabilities were found'
|
||||
required: false
|
||||
@@ -12,22 +20,38 @@ inputs:
|
||||
ignore-unfixed:
|
||||
description: 'ignore unfixed vulnerabilities'
|
||||
required: false
|
||||
default: false
|
||||
default: 'false'
|
||||
vuln-type:
|
||||
description: 'comma-separated list of vulnerability types (os,library)'
|
||||
required: false
|
||||
default: 'os,library'
|
||||
severity:
|
||||
description: 'severities of vulnerabilities to be displayed'
|
||||
required: false
|
||||
default: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
|
||||
format:
|
||||
description: 'output format (table, json)'
|
||||
description: 'output format (table, json, template)'
|
||||
required: false
|
||||
default: 'table'
|
||||
template:
|
||||
description: 'use an existing template for rendering output (@/contrib/sarif.tpl, @/contrib/gitlab.tpl, @/contrib/junit.tpl'
|
||||
required: false
|
||||
default: ''
|
||||
output:
|
||||
description: 'writes results to a file with the specified file name'
|
||||
required: false
|
||||
default: ''
|
||||
runs:
|
||||
using: 'docker'
|
||||
image: 'docker://docker.io/aquasec/trivy:latest'
|
||||
image: "Dockerfile"
|
||||
args:
|
||||
- 'image'
|
||||
- '--format=${{ inputs.format }}'
|
||||
- '--exit-code=${{ inputs.exit-code }}'
|
||||
- '--ignore-unfixed=${{ inputs.ignore-unfixed }}'
|
||||
- '--severity=${{ inputs.severity }}'
|
||||
- '${{ inputs.image-ref }}'
|
||||
- '-a ${{ inputs.scan-type }}'
|
||||
- '-b ${{ inputs.format }}'
|
||||
- '-c ${{ inputs.template }}'
|
||||
- '-d ${{ inputs.exit-code }}'
|
||||
- '-e ${{ inputs.ignore-unfixed }}'
|
||||
- '-f ${{ inputs.vuln-type }}'
|
||||
- '-g ${{ inputs.severity }}'
|
||||
- '-h ${{ inputs.output }}'
|
||||
- '-i ${{ inputs.image-ref }}'
|
||||
- '-j ${{ inputs.scan-ref }}'
|
||||
|
||||
@@ -0,0 +1,68 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:" o; do
|
||||
case "${o}" in
|
||||
a)
|
||||
export scanType=${OPTARG}
|
||||
;;
|
||||
b)
|
||||
export format=${OPTARG}
|
||||
;;
|
||||
c)
|
||||
export template=${OPTARG}
|
||||
;;
|
||||
d)
|
||||
export exitCode=${OPTARG}
|
||||
;;
|
||||
e)
|
||||
export ignoreUnfixed=${OPTARG}
|
||||
;;
|
||||
f)
|
||||
export vulnType=${OPTARG}
|
||||
;;
|
||||
g)
|
||||
export severity=${OPTARG}
|
||||
;;
|
||||
h)
|
||||
export output=${OPTARG}
|
||||
;;
|
||||
i)
|
||||
export imageRef=${OPTARG}
|
||||
;;
|
||||
j)
|
||||
export scanRef=${OPTARG}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
scanType=$(echo $scanType | tr -d '\r')
|
||||
export artifactRef="${imageRef}"
|
||||
if [ "${scanType}" = "fs" ];then
|
||||
artifactRef=$(echo $scanRef | tr -d '\r')
|
||||
fi
|
||||
|
||||
ARGS=""
|
||||
if [ $format ];then
|
||||
ARGS="$ARGS --format $format"
|
||||
fi
|
||||
if [ $template ] ;then
|
||||
ARGS="$ARGS --template $template"
|
||||
fi
|
||||
if [ $exitCode ];then
|
||||
ARGS="$ARGS --exit-code $exitCode"
|
||||
fi
|
||||
if [ "$ignoreUnfixed" == "true" ];then
|
||||
ARGS="$ARGS --ignore-unfixed"
|
||||
fi
|
||||
if [ $vulnType ];then
|
||||
ARGS="$ARGS --vuln-type $vulnType"
|
||||
fi
|
||||
if [ $severity ];then
|
||||
ARGS="$ARGS --severity $severity"
|
||||
fi
|
||||
if [ $output ];then
|
||||
ARGS="$ARGS --output $output"
|
||||
fi
|
||||
|
||||
echo "Runnin trivy with options" "${ARGS}" "${artifactRef}"
|
||||
trivy ${scanType} $ARGS ${artifactRef}
|
||||
@@ -0,0 +1,34 @@
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Build an image from Dockerfile
|
||||
run: |
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
exit-code: '1'
|
||||
ignore-unfixed: true
|
||||
vuln-type: 'os,library'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
severity: 'CRITICAL,HIGH'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
Reference in New Issue
Block a user