Update README.md

feat: Update README to include a case where upload is needed upon failure.
Signed-off-by: Simar <simar@linux.com>
2021-11-16 14:28:24 -08:00 · 2021-11-08 10:37:38 -08:00
4 changed files with 6 additions and 76 deletions
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM aquasec/trivy:0.21.2
+FROM aquasec/trivy:0.20.2
 COPY entrypoint.sh /
 RUN apk --no-cache add bash
 RUN chmod +x /entrypoint.sh
--- a/README.md
+++ b/README.md
@@ -160,42 +160,6 @@ jobs:
          sarif_file: 'trivy-results.sarif'
 ```

-### Using Trivy to scan your rootfs directories
-It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
-
-If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
-```yaml
-name: build
-on:
-  push:
-    branches:
-      - master
-  pull_request:
-jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-18.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Run Trivy vulnerability scanner with rootfs command
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'rootfs'
-          scan-ref: 'rootfs-example-binary'
-          ignore-unfixed: true
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
-          severity: 'CRITICAL'
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
-        with:
-          sarif_file: 'trivy-results.sarif'
-```
-
 ### Using Trivy to scan Infrastucture as Code
 It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.

@@ -396,12 +360,10 @@ Following inputs can be used as `step.with` keys:
 | `ignore-unfixed` | Boolean | false                              | Ignore unpatched/unfixed vulnerabilities      |
 | `vuln-type`      | String  | `os,library`                       | Vulnerability types (os,library)              |
 | `severity`       | String  | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
-| `skip-dirs`      | String  |                                    | Comma separated list of directories where traversal is skipped |
-| `skip-files`     | String  |                                    | Comma separated list of files where traversal is skipped |
+| `skip-dirs`       | String  |                                   | Comma separated list of directories where traversal is skipped |
 | `cache-dir`      | String  |                                    | Cache directory                               |
 | `timeout`        | String  | `2m0s`                             | Scan timeout duration                         |
 | `ignore-policy`  | String  |                                    | Filter vulnerabilities with OPA rego language |
-| `list-all-pkgs`  | String  |                                    | Output all packages regardless of vulnerability |

 [release]: https://github.com/aquasecurity/trivy-action/releases/latest
 [release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
--- a/action.yaml
+++ b/action.yaml
@@ -49,10 +49,6 @@ inputs:
    description: 'comma separated list of directories where traversal is skipped'
    required: false
    default: ''
-  skip-files:
-    description: 'comma separated list of files to be skipped'
-    required: false
-    default: ''
  cache-dir:
    description: 'specify where the cache is stored'
    required: false
@@ -69,10 +65,6 @@ inputs:
    description: 'hide progress output'
    required: false
    default: 'true'
-  list-all-pkgs:
-    description: 'output all packages regardless of vulnerability'
-    required: false
-    default: 'false'
 runs:
  using: 'docker'
  image: "Dockerfile"
@@ -93,5 +85,3 @@ runs:
    - '-n ${{ inputs.timeout }}'
    - '-o ${{ inputs.ignore-policy }}'
    - '-p ${{ inputs.hide-progress }}'
-    - '-q ${{ inputs.skip-files }}'
-    - '-r ${{ inputs.list-all-pkgs }}'
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:" o; do
   case "${o}" in
       a)
         export scanType=${OPTARG}
@@ -50,18 +50,12 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:" o; do
       p)
         export hideProgress=${OPTARG}
       ;;
-       q)
-         export skipFiles=${OPTARG}
-       ;;
-       r)
-         export listAllPkgs=${OPTARG}
-       ;;
  esac
 done

 scanType=$(echo $scanType | tr -d '\r')
 export artifactRef="${imageRef}"
-if [ "${scanType}" = "fs" ] ||  [ "${scanType}" = "config" ] ||  [ "${scanType}" = "rootfs" ];then
+if [ "${scanType}" = "fs" ] ||  [ "${scanType}" = "config" ];then
  artifactRef=$(echo $scanRef | tr -d '\r')
 fi
 input=$(echo $input | tr -d '\r')
@@ -76,7 +70,6 @@ if [ $cacheDir ];then
  GLOBAL_ARGS="$GLOBAL_ARGS --cache-dir $cacheDir"
 fi

-SARIF_ARGS=""
 ARGS=""
 if [ $format ];then
 ARGS="$ARGS --format $format"
@@ -89,11 +82,9 @@ if [ $exitCode ];then
 fi
 if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
  ARGS="$ARGS --ignore-unfixed"
-  SARIF_ARGS="$SARIF_ARGS --ignore-unfixed"
 fi
 if [ $vulnType ] && [ "$scanType" != "config" ];then
  ARGS="$ARGS --vuln-type $vulnType"
-  SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
 fi
 if [ $severity ];then
  ARGS="$ARGS --severity $severity"
@@ -105,7 +96,6 @@ if [ $skipDirs ];then
  for i in $(echo $skipDirs | tr "," "\n")
  do
    ARGS="$ARGS --skip-dirs $i"
-    SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
  done
 fi
 if [ $timeout ];then
@@ -113,23 +103,11 @@ if [ $timeout ];then
 fi
 if [ $ignorePolicy ];then
  ARGS="$ARGS --ignore-policy $ignorePolicy"
-  SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy"
 fi
 if [ "$hideProgress" == "true" ];then
  ARGS="$ARGS --no-progress"
 fi

-listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
-if [ "$listAllPkgs" == "true" ];then
-  ARGS="$ARGS --list-all-pkgs"
-fi
-if [ "$skipFiles" ];then
-  for i in $(echo $skipFiles | tr "," "\n")
-  do
-    ARGS="$ARGS --skip-files $i"
-  done
-fi
-
 echo "Running trivy with options: ${ARGS}" "${artifactRef}"
 echo "Global options: " "${GLOBAL_ARGS}"
 trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
@@ -139,8 +117,8 @@ returnCode=$?
 # regardless of severity level specified in this report.
 # This is a feature, not a bug :)
 if [[ ${template} == *"sarif"* ]]; then
-  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
-  trivy --quiet ${scanType} --format template --template ${template} --output ${output} $SARIF_ARGS ${artifactRef}
+  echo "Building SARIF report"
+  trivy --quiet ${scanType} --format template --template ${template} --output ${output} ${artifactRef}
 fi

 exit $returnCode
Author	SHA1	Message	Date
Simar	5f63408a2c	Update README.md	2021-11-16 14:28:24 -08:00
Simar	17b218d340	feat: Update README to include a case where upload is needed upon failure. Signed-off-by: Simar <simar@linux.com>	2021-11-08 10:37:38 -08:00