Compare commits
8 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
d710430a67 | ||
|
|
062f259268 | ||
|
|
1f6384b6ce | ||
|
|
84384bd6e7 | ||
|
|
f3d98514b0 | ||
|
|
0b9d17b6b5 | ||
|
|
d43c1f16c0 | ||
|
|
5f1841df8d |
Vendored
+1
-1
@@ -1,7 +1,7 @@
|
||||
name: "build"
|
||||
on: [push, pull_request]
|
||||
env:
|
||||
TRIVY_VERSION: 0.48.0
|
||||
TRIVY_VERSION: 0.50.1
|
||||
BATS_LIB_PATH: '/usr/lib/'
|
||||
jobs:
|
||||
build:
|
||||
|
||||
+1
-1
@@ -1,4 +1,4 @@
|
||||
FROM ghcr.io/aquasecurity/trivy:0.48.0
|
||||
FROM ghcr.io/aquasecurity/trivy:0.50.1
|
||||
COPY entrypoint.sh /
|
||||
RUN apk --no-cache add bash curl npm
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
@@ -79,6 +79,8 @@ In this case `trivy.yaml` is a YAML configuration that is checked in as part of
|
||||
format: json
|
||||
exit-code: 1
|
||||
severity: CRITICAL
|
||||
secret:
|
||||
config: config/trivy/secret.yaml
|
||||
```
|
||||
|
||||
It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
|
||||
@@ -86,7 +88,7 @@ It is possible to define all options in the `trivy.yaml` file. Specifying indivi
|
||||
- `image-ref`: If using `image` scan.
|
||||
- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.
|
||||
|
||||
#### Order of prerference for options
|
||||
#### Order of preference for options
|
||||
Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:
|
||||
- GitHub Action flag
|
||||
- Environment variable
|
||||
@@ -335,6 +337,49 @@ jobs:
|
||||
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
|
||||
```
|
||||
|
||||
When scanning images you may want to parse the actual output JSON as Github Dependency doesn't show all details like the file path of each dependency for instance.
|
||||
|
||||
You can upload the report as an artifact and download it, for instance using the [upload-artifact action](https://github.com/actions/upload-artifact):
|
||||
|
||||
```yaml
|
||||
---
|
||||
name: Pull Request
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Checks
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Scan image in a private registry
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: "private_image_registry/image_name:image_tag"
|
||||
scan-type: image
|
||||
format: 'github'
|
||||
output: 'dependency-results.sbom.json'
|
||||
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
|
||||
severity: "MEDIUM,HIGH,CRITICAL"
|
||||
scanners: "vuln"
|
||||
env:
|
||||
TRIVY_USERNAME: "image_registry_admin_username"
|
||||
TRIVY_PASSWORD: "image_registry_admin_password"
|
||||
|
||||
- name: Upload trivy report as a Github artifact
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: trivy-sbom-report
|
||||
path: '${{ github.workspace }}/dependency-results.sbom.json'
|
||||
retention-days: 20 # 90 is the default
|
||||
```
|
||||
|
||||
### Using Trivy to scan your private registry
|
||||
It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.
|
||||
|
||||
@@ -479,36 +524,49 @@ jobs:
|
||||
|
||||
## Customizing
|
||||
|
||||
Configuration priority:
|
||||
- [Inputs](#inputs)
|
||||
- [Environment variables](#environment-variables)
|
||||
- [Trivy config file](#trivy-config-file)
|
||||
- Default values
|
||||
|
||||
|
||||
### inputs
|
||||
|
||||
Following inputs can be used as `step.with` keys:
|
||||
|
||||
| Name | Type | Default | Description |
|
||||
|-------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
|
||||
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
|
||||
| `tf-vars` | String | | path to Terraform variables file |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | | Cache directory |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `true` | Suppress progress bar |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
| Name | Type | Default | Description |
|
||||
|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
|
||||
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
|
||||
| `tf-vars` | String | | path to Terraform variables file |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | | Cache directory |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `true` | Suppress progress bar |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
|
||||
### Environment variables
|
||||
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
|
||||
|
||||
### Trivy config file
|
||||
When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
|
||||
|
||||
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
|
||||
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
|
||||
@@ -516,3 +574,5 @@ Following inputs can be used as `step.with` keys:
|
||||
[marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github
|
||||
[license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE
|
||||
[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
|
||||
[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
|
||||
[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
|
||||
+3
-1
@@ -80,7 +80,7 @@ done
|
||||
|
||||
scanType=$(echo $scanType | tr -d '\r')
|
||||
export artifactRef="${imageRef}"
|
||||
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
|
||||
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ] || [ "${scanType}" = "sbom" ];then
|
||||
artifactRef=$(echo $scanRef | tr -d '\r')
|
||||
fi
|
||||
input=$(echo $input | tr -d '\r')
|
||||
@@ -163,6 +163,7 @@ if [ $ignorePolicy ];then
|
||||
fi
|
||||
if [ "$hideProgress" == "true" ];then
|
||||
ARGS="$ARGS --no-progress"
|
||||
SARIF_ARGS="$SARIF_ARGS --no-progress"
|
||||
fi
|
||||
|
||||
listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
|
||||
@@ -173,6 +174,7 @@ if [ "$skipFiles" ];then
|
||||
for i in $(echo $skipFiles | tr "," "\n")
|
||||
do
|
||||
ARGS="$ARGS --skip-files $i"
|
||||
SARIF_ARGS="$SARIF_ARGS --skip-files $i"
|
||||
done
|
||||
fi
|
||||
|
||||
|
||||
@@ -307,7 +307,7 @@
|
||||
}
|
||||
}
|
||||
],
|
||||
"version": "0.48.0"
|
||||
"version": "0.48.1"
|
||||
}
|
||||
},
|
||||
"results": [
|
||||
@@ -612,7 +612,7 @@
|
||||
"columnKind": "utf16CodeUnits",
|
||||
"originalUriBaseIds": {
|
||||
"ROOTPATH": {
|
||||
"uri": "file:///Users/simarpreetsingh/repos/trivy-action/"
|
||||
"uri": "file:///home/runner/work/trivy-action/trivy-action/"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"SchemaVersion": 2,
|
||||
"CreatedAt": "2023-12-08T11:02:54.295987-07:00",
|
||||
"CreatedAt": "2024-01-02T23:40:12.036390742Z",
|
||||
"ArtifactName": ".",
|
||||
"ArtifactType": "filesystem",
|
||||
"Metadata": {
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"SchemaVersion": 2,
|
||||
"CreatedAt": "2023-12-08T11:02:56.571535-07:00",
|
||||
"CreatedAt": "2024-01-02T23:40:15.166517221Z",
|
||||
"ArtifactName": ".",
|
||||
"ArtifactType": "filesystem",
|
||||
"Metadata": {
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"SchemaVersion": 2,
|
||||
"CreatedAt": "2023-12-08T11:02:50.045151-07:00",
|
||||
"CreatedAt": "2024-01-02T23:40:04.647712097Z",
|
||||
"ArtifactName": "https://github.com/krol3/demo-trivy/",
|
||||
"ArtifactType": "repository",
|
||||
"Metadata": {
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"SchemaVersion": 2,
|
||||
"CreatedAt": "2023-12-08T11:03:02.76948-07:00",
|
||||
"CreatedAt": "2024-01-02T16:27:32.841193-07:00",
|
||||
"ArtifactName": "test/data",
|
||||
"ArtifactType": "filesystem",
|
||||
"Metadata": {
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"SchemaVersion": 2,
|
||||
"CreatedAt": "2023-12-08T11:03:01.877209-07:00",
|
||||
"CreatedAt": "2024-01-02T23:40:21.039454971Z",
|
||||
"ArtifactName": "alpine:3.10",
|
||||
"ArtifactType": "container_image",
|
||||
"Metadata": {
|
||||
@@ -106,8 +106,8 @@
|
||||
"https://nvd.nist.gov/vuln/detail/CVE-2021-36159",
|
||||
"https://www.cve.org/CVERecord?id=CVE-2021-36159"
|
||||
],
|
||||
"PublishedDate": "2021-08-03T14:15:00Z",
|
||||
"LastModifiedDate": "2023-11-07T03:36:00Z"
|
||||
"PublishedDate": "2021-08-03T14:15:08.233Z",
|
||||
"LastModifiedDate": "2023-11-07T03:36:43.337Z"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user