Compare commits
5 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
062f259268 | ||
|
|
1f6384b6ce | ||
|
|
84384bd6e7 | ||
|
|
f3d98514b0 | ||
|
|
0b9d17b6b5 |
2
.github/workflows/build.yaml
vendored
2
.github/workflows/build.yaml
vendored
@@ -1,7 +1,7 @@
|
||||
name: "build"
|
||||
on: [push, pull_request]
|
||||
env:
|
||||
TRIVY_VERSION: 0.48.1
|
||||
TRIVY_VERSION: 0.49.0
|
||||
BATS_LIB_PATH: '/usr/lib/'
|
||||
jobs:
|
||||
build:
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
FROM ghcr.io/aquasecurity/trivy:0.48.1
|
||||
FROM ghcr.io/aquasecurity/trivy:0.49.0
|
||||
COPY entrypoint.sh /
|
||||
RUN apk --no-cache add bash curl npm
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
112
README.md
112
README.md
@@ -79,6 +79,8 @@ In this case `trivy.yaml` is a YAML configuration that is checked in as part of
|
||||
format: json
|
||||
exit-code: 1
|
||||
severity: CRITICAL
|
||||
secret:
|
||||
config: config/trivy/secret.yaml
|
||||
```
|
||||
|
||||
It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
|
||||
@@ -335,6 +337,49 @@ jobs:
|
||||
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
|
||||
```
|
||||
|
||||
When scanning images you may want to parse the actual output JSON as Github Dependency doesn't show all details like the file path of each dependency for instance.
|
||||
|
||||
You can upload the report as an artifact and download it, for instance using the [upload-artifact action](https://github.com/actions/upload-artifact):
|
||||
|
||||
```yaml
|
||||
---
|
||||
name: Pull Request
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Checks
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Scan image in a private registry
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: "private_image_registry/image_name:image_tag"
|
||||
scan-type: image
|
||||
format: 'github'
|
||||
output: 'dependency-results.sbom.json'
|
||||
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
|
||||
severity: "MEDIUM,HIGH,CRITICAL"
|
||||
scanners: "vuln"
|
||||
env:
|
||||
TRIVY_USERNAME: "image_registry_admin_username"
|
||||
TRIVY_PASSWORD: "image_registry_admin_password"
|
||||
|
||||
- name: Upload trivy report as a Github artifact
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: trivy-sbom-report
|
||||
path: '${{ github.workspace }}/dependency-results.sbom.json'
|
||||
retention-days: 20 # 90 is the default
|
||||
```
|
||||
|
||||
### Using Trivy to scan your private registry
|
||||
It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.
|
||||
|
||||
@@ -479,36 +524,49 @@ jobs:
|
||||
|
||||
## Customizing
|
||||
|
||||
Configuration priority:
|
||||
- [Inputs](#inputs)
|
||||
- [Environment variables](#environment-variables)
|
||||
- [Trivy config file](#trivy-config-file)
|
||||
- Default values
|
||||
|
||||
|
||||
### inputs
|
||||
|
||||
Following inputs can be used as `step.with` keys:
|
||||
|
||||
| Name | Type | Default | Description |
|
||||
|-------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
|
||||
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
|
||||
| `tf-vars` | String | | path to Terraform variables file |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | | Cache directory |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `true` | Suppress progress bar |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
| Name | Type | Default | Description |
|
||||
|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
|
||||
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
|
||||
| `tf-vars` | String | | path to Terraform variables file |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | | Cache directory |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `true` | Suppress progress bar |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
|
||||
### Environment variables
|
||||
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
|
||||
|
||||
### Trivy config file
|
||||
When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
|
||||
|
||||
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
|
||||
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
|
||||
@@ -516,3 +574,5 @@ Following inputs can be used as `step.with` keys:
|
||||
[marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github
|
||||
[license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE
|
||||
[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
|
||||
[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
|
||||
[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
|
||||
@@ -80,7 +80,7 @@ done
|
||||
|
||||
scanType=$(echo $scanType | tr -d '\r')
|
||||
export artifactRef="${imageRef}"
|
||||
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
|
||||
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ] || [ "${scanType}" = "sbom" ];then
|
||||
artifactRef=$(echo $scanRef | tr -d '\r')
|
||||
fi
|
||||
input=$(echo $input | tr -d '\r')
|
||||
@@ -163,6 +163,7 @@ if [ $ignorePolicy ];then
|
||||
fi
|
||||
if [ "$hideProgress" == "true" ];then
|
||||
ARGS="$ARGS --no-progress"
|
||||
SARIF_ARGS="$SARIF_ARGS --no-progress"
|
||||
fi
|
||||
|
||||
listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
|
||||
@@ -173,6 +174,7 @@ if [ "$skipFiles" ];then
|
||||
for i in $(echo $skipFiles | tr "," "\n")
|
||||
do
|
||||
ARGS="$ARGS --skip-files $i"
|
||||
SARIF_ARGS="$SARIF_ARGS --skip-files $i"
|
||||
done
|
||||
fi
|
||||
|
||||
|
||||
Reference in New Issue
Block a user