chore: update test to version 0.27.1 (#106 )

* chore: update test to version 0.27.0 * chore: add test file secret and update to 0.27.1 * fix: support repository with securityCheck secret Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
chore: Update trivy version to 0.26.0 (#102 )
2022-05-09 13:12:55 -07:00 · 2022-04-18 08:40:37 -07:00 · 2022-04-13 22:10:55 +03:00 · 2022-04-13 16:25:40 +03:00
9 changed files with 98 additions and 9 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,7 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
-  TRIVY_VERSION: 0.25.0
+  TRIVY_VERSION: 0.27.1
 jobs:
  build:
    name: build
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM aquasec/trivy:0.25.0
+FROM aquasec/trivy:0.27.1
 COPY entrypoint.sh /
 RUN apk --no-cache add bash
 RUN chmod +x /entrypoint.sh
--- a/README.md
+++ b/README.md
@@ -394,6 +394,7 @@ Following inputs can be used as `step.with` keys:
 | `timeout`        | String  | `5m0s`                             | Scan timeout duration                         |
 | `ignore-policy`  | String  |                                    | Filter vulnerabilities with OPA rego language |
 | `list-all-pkgs`  | String  |                                    | Output all packages regardless of vulnerability |
+| `security-checks`| String  | `vuln`                             | comma-separated list of what security issues to detect (`vuln`,`config`)|

 [release]: https://github.com/aquasecurity/trivy-action/releases/latest
 [release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
--- a/action.yaml
+++ b/action.yaml
@@ -73,6 +73,10 @@ inputs:
    description: 'output all packages regardless of vulnerability'
    required: false
    default: 'false'
+  security-checks:
+    description: 'comma-separated list of what security issues to detect'
+    required: false
+    default: ''
 runs:
  using: 'docker'
  image: "Dockerfile"
@@ -95,3 +99,4 @@ runs:
    - '-p ${{ inputs.hide-progress }}'
    - '-q ${{ inputs.skip-files }}'
    - '-r ${{ inputs.list-all-pkgs }}'
+    - '-s ${{ inputs.security-checks }}'
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:" o; do
   case "${o}" in
       a)
         export scanType=${OPTARG}
@@ -56,6 +56,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:" o; do
       r)
         export listAllPkgs=${OPTARG}
       ;;
+       s)
+         export securityChecks=${OPTARG}
+       ;;
  esac
 done

@@ -95,6 +98,12 @@ if [ $vulnType ] && [ "$scanType" != "config" ];then
  ARGS="$ARGS --vuln-type $vulnType"
  SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
 fi
+if [ $securityChecks ] && [ "$scanType" == "fs" ];then
+  ARGS="$ARGS --security-checks $securityChecks"
+fi
+if [ $securityChecks ] && [ "$scanType" == "repo" ];then
+  ARGS="$ARGS --security-checks $securityChecks"
+fi
 if [ $severity ];then
  ARGS="$ARGS --severity $severity"
 fi
--- a/test/data/fs-scheck.test
+++ b/test/data/fs-scheck.test
@@ -0,0 +1,50 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": ".",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "Dockerfile",
+      "Class": "config",
+      "Type": "dockerfile",
+      "MisconfSummary": {
+        "Successes": 22,
+        "Failures": 1,
+        "Exceptions": 0
+      },
+      "Misconfigurations": [
+        {
+          "Type": "Dockerfile Security Check",
+          "ID": "DS002",
+          "Title": "root user",
+          "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
+          "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
+          "Namespace": "appshield.dockerfile.DS002",
+          "Query": "data.appshield.dockerfile.DS002.deny",
+          "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
+          "Severity": "HIGH",
+          "PrimaryURL": "https://avd.aquasec.com/appshield/ds002",
+          "References": [
+            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
+            "https://avd.aquasec.com/appshield/ds002"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "IacMetadata": {}
+        }
+      ]
+    }
+  ]
+}
--- a/test/data/image-sarif.test
+++ b/test/data/image-sarif.test
@@ -442,7 +442,7 @@
              }
            }
          ],
-          "version": "0.25.0"
+          "version": "0.27.1"
        }
      },
      "results": [
--- a/test/data/repo.test
+++ b/test/data/repo.test
@@ -1,6 +1,6 @@
 {
  "SchemaVersion": 2,
-  "ArtifactName": "https://github.com/aquasecurity/trivy-action/",
+  "ArtifactName": "https://github.com/krol3/demo-trivy/",
  "ArtifactType": "repository",
  "Metadata": {
    "ImageConfig": {
@@ -13,5 +13,22 @@
      },
      "config": {}
    }
-  }
+  },
+  "Results": [
+    {
+      "Target": "env",
+      "Class": "secret",
+      "Secrets": [
+        {
+          "RuleID": "github-pat",
+          "Category": "GitHub",
+          "Severity": "CRITICAL",
+          "Title": "GitHub Personal Access Token",
+          "StartLine": 5,
+          "EndLine": 5,
+          "Match": "export GITHUB_PAT=*****"
+        }
+      ]
+    }
+  ]
 }
--- a/test/test.bats
+++ b/test/test.bats
@@ -35,9 +35,16 @@
  [ "$result" == '' ]
 }

-@test "trivy repo" {
-  # trivy repo -f json -o repo.test --severity CRITICAL https://github.com/aquasecurity/trivy-action/
-  ./entrypoint.sh '-b json' '-h repo.test' '-g CRITICAL' '-a repo' '-j https://github.com/aquasecurity/trivy-action/'
+@test "trivy fs with securityChecks option" {
+  # trivy fs -f json --security-checks=vuln,config -o fs.test .
+  ./entrypoint.sh '-a fs' '-j .' '-b json' '-s vuln,config,secret' '-h fs-scheck.test'
+  result="$(diff ./test/data/fs.test fs.test)"
+  [ "$result" == '' ]
+}
+
+@test "trivy repo with securityCheck secret only" {
+  # trivy repo -f json -o repo.test --security-checks=secret  https://github.com/krol3/demo-trivy/
+  ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
  result="$(diff ./test/data/repo.test repo.test)"
  [ "$result" == '' ]
 }
Author	SHA1	Message	Date
Carol Valencia	4b9b6fb4ef	chore: update test to version 0.27.1 (#106 ) * chore: update test to version 0.27.0 * chore: add test file secret and update to 0.27.1 * fix: support repository with securityCheck secret Co-authored-by: carolina valencia <krol3@users.noreply.github.com>	2022-05-09 13:12:55 -07:00
Carol Valencia	2b30463ddb	chore: Update trivy version to 0.26.0 (#102 ) * chore: Update trivy version to 0.25.3 * feat: trivy fs - securityCheck test * chore: update trivy 0.26.0 Co-authored-by: carolina valencia <krol3@users.noreply.github.com>	2022-04-18 08:40:37 -07:00
jerbia	d7a51817e8	Merge pull request #104 from aquasecurity/feat/security-checks (feat) Add support for security-checks flag	2022-04-13 22:10:55 +03:00
oranmoshai	9fbcc91008	(feat) Add support for security-checks flag When using fs mode add option to list of what security issues to detect	2022-04-13 16:25:40 +03:00