Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
84384bd6e7 | ||
|
|
f3d98514b0 | ||
|
|
0b9d17b6b5 |
Vendored
+1
-1
@@ -1,7 +1,7 @@
|
||||
name: "build"
|
||||
on: [push, pull_request]
|
||||
env:
|
||||
TRIVY_VERSION: 0.48.1
|
||||
TRIVY_VERSION: 0.49.0
|
||||
BATS_LIB_PATH: '/usr/lib/'
|
||||
jobs:
|
||||
build:
|
||||
|
||||
+1
-1
@@ -1,4 +1,4 @@
|
||||
FROM ghcr.io/aquasecurity/trivy:0.48.1
|
||||
FROM ghcr.io/aquasecurity/trivy:0.49.0
|
||||
COPY entrypoint.sh /
|
||||
RUN apk --no-cache add bash curl npm
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
@@ -79,6 +79,8 @@ In this case `trivy.yaml` is a YAML configuration that is checked in as part of
|
||||
format: json
|
||||
exit-code: 1
|
||||
severity: CRITICAL
|
||||
secret:
|
||||
config: config/trivy/secret.yaml
|
||||
```
|
||||
|
||||
It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
|
||||
@@ -479,36 +481,49 @@ jobs:
|
||||
|
||||
## Customizing
|
||||
|
||||
Configuration priority:
|
||||
- [Inputs](#inputs)
|
||||
- [Environment variables](#environment-variables)
|
||||
- [Trivy config file](#trivy-config-file)
|
||||
- Default values
|
||||
|
||||
|
||||
### inputs
|
||||
|
||||
Following inputs can be used as `step.with` keys:
|
||||
|
||||
| Name | Type | Default | Description |
|
||||
|-------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
|
||||
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
|
||||
| `tf-vars` | String | | path to Terraform variables file |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | | Cache directory |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `true` | Suppress progress bar |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
| Name | Type | Default | Description |
|
||||
|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
|
||||
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
|
||||
| `tf-vars` | String | | path to Terraform variables file |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | | Cache directory |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `true` | Suppress progress bar |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
|
||||
### Environment variables
|
||||
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
|
||||
|
||||
### Trivy config file
|
||||
When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
|
||||
|
||||
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
|
||||
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
|
||||
@@ -516,3 +531,5 @@ Following inputs can be used as `step.with` keys:
|
||||
[marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github
|
||||
[license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE
|
||||
[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
|
||||
[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
|
||||
[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
|
||||
@@ -163,6 +163,7 @@ if [ $ignorePolicy ];then
|
||||
fi
|
||||
if [ "$hideProgress" == "true" ];then
|
||||
ARGS="$ARGS --no-progress"
|
||||
SARIF_ARGS="$SARIF_ARGS --no-progress"
|
||||
fi
|
||||
|
||||
listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
|
||||
@@ -173,6 +174,7 @@ if [ "$skipFiles" ];then
|
||||
for i in $(echo $skipFiles | tr "," "\n")
|
||||
do
|
||||
ARGS="$ARGS --skip-files $i"
|
||||
SARIF_ARGS="$SARIF_ARGS --skip-files $i"
|
||||
done
|
||||
fi
|
||||
|
||||
|
||||
Reference in New Issue
Block a user