bump trivy version to v0.50.1 (#324 )

fix: Refer to scan-ref when scan-type is "sbom" (#314 )
docs(report): improve documentation around Using Trivy to generate SBOM and sending it to Github (#307 )
2024-03-27 16:22:09 -06:00 · 2024-02-22 14:28:04 -07:00 · 2024-02-13 15:20:36 -07:00
4 changed files with 46 additions and 3 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,7 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
-  TRIVY_VERSION: 0.49.0
+  TRIVY_VERSION: 0.50.1
  BATS_LIB_PATH: '/usr/lib/'
 jobs:
  build:
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.49.0
+FROM ghcr.io/aquasecurity/trivy:0.50.1
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl npm
 RUN chmod +x /entrypoint.sh
--- a/README.md
+++ b/README.md
@@ -337,6 +337,49 @@ jobs:
          github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
 ```

+When scanning images you may want to parse the actual output JSON as Github Dependency doesn't show all details like the file path of each dependency for instance.
+
+You can upload the report as an artifact and download it, for instance using the [upload-artifact action](https://github.com/actions/upload-artifact):
+
+```yaml
+---
+name: Pull Request
+on:
+  push:
+    branches:
+    - main
+
+## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
+permissions:
+  contents: write
+
+jobs:
+  build:
+    name: Checks
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Scan image in a private registry
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "private_image_registry/image_name:image_tag"
+          scan-type: image
+          format: 'github'
+          output: 'dependency-results.sbom.json'
+          github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
+          severity: "MEDIUM,HIGH,CRITICAL"
+          scanners: "vuln"
+        env:
+          TRIVY_USERNAME: "image_registry_admin_username"
+          TRIVY_PASSWORD: "image_registry_admin_password"
+
+      - name: Upload trivy report as a Github artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-sbom-report
+          path: '${{ github.workspace }}/dependency-results.sbom.json'
+          retention-days: 20 # 90 is the default
+```
+
 ### Using Trivy to scan your private registry
 It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.

--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -80,7 +80,7 @@ done

 scanType=$(echo $scanType | tr -d '\r')
 export artifactRef="${imageRef}"
-if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] ||  [ "${scanType}" = "config" ] ||  [ "${scanType}" = "rootfs" ];then
+if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] ||  [ "${scanType}" = "config" ] ||  [ "${scanType}" = "rootfs" ] || [ "${scanType}" = "sbom" ];then
  artifactRef=$(echo $scanRef | tr -d '\r')
 fi
 input=$(echo $input | tr -d '\r')
Author	SHA1	Message	Date
simar7	d710430a67	bump trivy version to v0.50.1 (#324 )	2024-03-27 16:22:09 -06:00
cococig	062f259268	fix: Refer to scan-ref when scan-type is "sbom" (#314 )	2024-02-22 14:28:04 -07:00
Maxime Durand	1f6384b6ce	docs(report): improve documentation around `Using Trivy to generate SBOM` and sending it to Github (#307 ) * Improved documentation with details on how to send output as an artifact on Github and giving an example of a private image scan * formatting * better name for job	2024-02-13 15:20:36 -07:00