Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
8f4c7160b4 | ||
|
|
81cc8cd841 | ||
|
|
0769bbf0d2 | ||
|
|
9ec80b5796 | ||
|
|
a58433e1c9 | ||
|
|
7168e9ba5a |
@@ -1,4 +1,4 @@
|
||||
FROM aquasec/trivy:0.20.2
|
||||
FROM aquasec/trivy:0.21.2
|
||||
COPY entrypoint.sh /
|
||||
RUN apk --no-cache add bash
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
77
README.md
77
README.md
@@ -88,6 +88,43 @@ jobs:
|
||||
|
||||
You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml
|
||||
|
||||
If you would like to upload SARIF results to GitHub Code scanning even upon a non zero exit code from Trivy Scan, you can add the following to your upload step:
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Build an image from Dockerfile
|
||||
run: |
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
if: always()
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always
|
||||
|
||||
### Using Trivy to scan your Git repo
|
||||
It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
|
||||
|
||||
@@ -123,6 +160,42 @@ jobs:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
### Using Trivy to scan your rootfs directories
|
||||
It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
|
||||
|
||||
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Run Trivy vulnerability scanner with rootfs command
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: 'rootfs'
|
||||
scan-ref: 'rootfs-example-binary'
|
||||
ignore-unfixed: true
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
severity: 'CRITICAL'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
### Using Trivy to scan Infrastucture as Code
|
||||
It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
|
||||
|
||||
@@ -323,10 +396,12 @@ Following inputs can be used as `step.with` keys:
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | | Cache directory |
|
||||
| `timeout` | String | `2m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
|
||||
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
|
||||
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
|
||||
|
||||
10
action.yaml
10
action.yaml
@@ -49,6 +49,10 @@ inputs:
|
||||
description: 'comma separated list of directories where traversal is skipped'
|
||||
required: false
|
||||
default: ''
|
||||
skip-files:
|
||||
description: 'comma separated list of files to be skipped'
|
||||
required: false
|
||||
default: ''
|
||||
cache-dir:
|
||||
description: 'specify where the cache is stored'
|
||||
required: false
|
||||
@@ -65,6 +69,10 @@ inputs:
|
||||
description: 'hide progress output'
|
||||
required: false
|
||||
default: 'true'
|
||||
list-all-pkgs:
|
||||
description: 'output all packages regardless of vulnerability'
|
||||
required: false
|
||||
default: 'false'
|
||||
runs:
|
||||
using: 'docker'
|
||||
image: "Dockerfile"
|
||||
@@ -85,3 +93,5 @@ runs:
|
||||
- '-n ${{ inputs.timeout }}'
|
||||
- '-o ${{ inputs.ignore-policy }}'
|
||||
- '-p ${{ inputs.hide-progress }}'
|
||||
- '-q ${{ inputs.skip-files }}'
|
||||
- '-r ${{ inputs.list-all-pkgs }}'
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:" o; do
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:" o; do
|
||||
case "${o}" in
|
||||
a)
|
||||
export scanType=${OPTARG}
|
||||
@@ -50,12 +50,18 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:" o; do
|
||||
p)
|
||||
export hideProgress=${OPTARG}
|
||||
;;
|
||||
q)
|
||||
export skipFiles=${OPTARG}
|
||||
;;
|
||||
r)
|
||||
export listAllPkgs=${OPTARG}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
scanType=$(echo $scanType | tr -d '\r')
|
||||
export artifactRef="${imageRef}"
|
||||
if [ "${scanType}" = "fs" ] || [ "${scanType}" = "config" ];then
|
||||
if [ "${scanType}" = "fs" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
|
||||
artifactRef=$(echo $scanRef | tr -d '\r')
|
||||
fi
|
||||
input=$(echo $input | tr -d '\r')
|
||||
@@ -113,6 +119,17 @@ if [ "$hideProgress" == "true" ];then
|
||||
ARGS="$ARGS --no-progress"
|
||||
fi
|
||||
|
||||
listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
|
||||
if [ "$listAllPkgs" == "true" ];then
|
||||
ARGS="$ARGS --list-all-pkgs"
|
||||
fi
|
||||
if [ "$skipFiles" ];then
|
||||
for i in $(echo $skipFiles | tr "," "\n")
|
||||
do
|
||||
ARGS="$ARGS --skip-files $i"
|
||||
done
|
||||
fi
|
||||
|
||||
echo "Running trivy with options: ${ARGS}" "${artifactRef}"
|
||||
echo "Global options: " "${GLOBAL_ARGS}"
|
||||
trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
|
||||
|
||||
Reference in New Issue
Block a user