Update tests for 0.28.1 and convert to JSON (#126)

* Fix bug with test for securityChecks option which caused it to be skipped.

* Convert tests to JSON output only, and update them for Trivy 0.28.1.

* Update CI test to use Trivy 0.28.1.

.github/workflows/build.yaml

@@ -1,7 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
-  TRIVY_VERSION: 0.25.0
+  TRIVY_VERSION: 0.28.1
 jobs:
   build:
     name: build

.gitignore

@@ -1,2 +1,4 @@
 .idea/
-*.test
+*.test
+!test/data/*.test
+trivyignores

Dockerfile

@@ -1,4 +1,4 @@
-FROM aquasec/trivy:0.25.0
+FROM ghcr.io/aquasecurity/trivy:0.28.1
 COPY entrypoint.sh /
 RUN apk --no-cache add bash
 RUN chmod +x /entrypoint.sh

README.md

@@ -35,11 +35,11 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
-      
+
       - name: Build an image from Dockerfile
         run: |
           docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
-      
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
@@ -116,7 +116,7 @@ jobs:
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v1
-        if: always() 
+        if: always()
         with:
           sarif_file: 'trivy-results.sarif'
 ```
@@ -247,7 +247,7 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
-        
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
@@ -256,7 +256,7 @@ jobs:
           output: 'trivy-results.sarif'
         env:
           TRIVY_USERNAME: Username
-          TRIVY_PASSWORD: Password        
+          TRIVY_PASSWORD: Password
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v1
@@ -283,7 +283,7 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
-        
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
@@ -319,7 +319,7 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
-        
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
@@ -352,7 +352,7 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
-        
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
@@ -361,7 +361,7 @@ jobs:
           output: 'trivy-results.sarif'
         env:
           TRIVY_USERNAME: Username
-          TRIVY_PASSWORD: Password        
+          TRIVY_PASSWORD: Password
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v1
@@ -394,6 +394,8 @@ Following inputs can be used as `step.with` keys:
 | `timeout`        | String  | `5m0s`                             | Scan timeout duration                         |
 | `ignore-policy`  | String  |                                    | Filter vulnerabilities with OPA rego language |
 | `list-all-pkgs`  | String  |                                    | Output all packages regardless of vulnerability |
+| `security-checks`| String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)|
+| `trivyignores`   | String  |                                    | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
 
 [release]: https://github.com/aquasecurity/trivy-action/releases/latest
 [release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github

action.yaml

@@ -73,6 +73,14 @@ inputs:
     description: 'output all packages regardless of vulnerability'
     required: false
     default: 'false'
+  security-checks:
+    description: 'comma-separated list of what security issues to detect'
+    required: false
+    default: ''
+  trivyignores:
+    description: 'comma-separated list of relative paths in repository to one or more .trivyignore files'
+    required: false
+    default: ''
 runs:
   using: 'docker'
   image: "Dockerfile"
@@ -95,3 +103,5 @@ runs:
     - '-p ${{ inputs.hide-progress }}'
     - '-q ${{ inputs.skip-files }}'
     - '-r ${{ inputs.list-all-pkgs }}'
+    - '-s ${{ inputs.security-checks }}'
+    - '-t ${{ inputs.trivyignores }}'

entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:" o; do
    case "${o}" in
        a)
          export scanType=${OPTARG}
@@ -56,6 +56,12 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:" o; do
        r)
          export listAllPkgs=${OPTARG}
        ;;
+       s)
+         export securityChecks=${OPTARG}
+       ;;
+       t)
+         export trivyIgnores=${OPTARG}
+       ;;
   esac
 done
 
@@ -95,6 +101,9 @@ if [ $vulnType ] && [ "$scanType" != "config" ];then
   ARGS="$ARGS --vuln-type $vulnType"
   SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
 fi
+if [ $securityChecks ];then
+  ARGS="$ARGS --security-checks $securityChecks"
+fi
 if [ $severity ];then
   ARGS="$ARGS --severity $severity"
 fi
@@ -108,6 +117,20 @@ if [ $skipDirs ];then
     SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
   done
 fi
+if [ $trivyIgnores ];then
+  for f in $(echo $trivyIgnores | tr "," "\n")
+  do
+    if [ -f "$f" ]; then
+      echo "Found ignorefile '${f}':"
+      cat "${f}"
+      cat "${f}" >> ./trivyignores
+    else
+      echo "ERROR: cannot find ignorefile '${f}'."
+      exit 1
+    fi
+  done
+  ARGS="$ARGS --ignorefile ./trivyignores"
+fi
 if [ $timeout ];then
   ARGS="$ARGS --timeout $timeout"
 fi

test/data/.trivyignore1

@@ -0,0 +1,3 @@
+# test data #1 for trivy-ignores option
+CVE-2020-25576
+CVE-2019-15551

test/data/.trivyignore2

@@ -0,0 +1,2 @@
+# test data #2 for trivy-ignores option
+CVE-2019-15554

test/data/config.test

@@ -1,8 +1,56 @@
-+---------------------------+------------+-----------+----------+------------------------------------------+
-|           TYPE            | MISCONF ID |   CHECK   | SEVERITY |                 MESSAGE                  |
-+---------------------------+------------+-----------+----------+------------------------------------------+
-| Dockerfile Security Check |   DS002    | root user |   HIGH   | Specify at least 1 USER                  |
-|                           |            |           |          | command in Dockerfile with               |
-|                           |            |           |          | non-root user as argument                |
-|                           |            |           |          | -->avd.aquasec.com/appshield/ds002       |
-+---------------------------+------------+-----------+----------+------------------------------------------+
+{
+  "SchemaVersion": 2,
+  "ArtifactName": ".",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "Dockerfile",
+      "Class": "config",
+      "Type": "dockerfile",
+      "MisconfSummary": {
+        "Successes": 22,
+        "Failures": 1,
+        "Exceptions": 0
+      },
+      "Misconfigurations": [
+        {
+          "Type": "Dockerfile Security Check",
+          "ID": "DS002",
+          "Title": "Image user should not be 'root'",
+          "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
+          "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
+          "Namespace": "builtin.dockerfile.DS002",
+          "Query": "data.builtin.dockerfile.DS002.deny",
+          "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
+          "Severity": "HIGH",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
+          "References": [
+            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
+            "https://avd.aquasec.com/misconfig/ds002"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Dockerfile",
+            "Service": "general",
+            "Code": {
+              "Lines": null
+            }
+          }
+        }
+      ]
+    }
+  ]
+}

test/data/fs-scheck.test

@@ -0,0 +1,56 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": ".",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "Dockerfile",
+      "Class": "config",
+      "Type": "dockerfile",
+      "MisconfSummary": {
+        "Successes": 22,
+        "Failures": 1,
+        "Exceptions": 0
+      },
+      "Misconfigurations": [
+        {
+          "Type": "Dockerfile Security Check",
+          "ID": "DS002",
+          "Title": "Image user should not be 'root'",
+          "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
+          "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
+          "Namespace": "builtin.dockerfile.DS002",
+          "Query": "data.builtin.dockerfile.DS002.deny",
+          "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
+          "Severity": "HIGH",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
+          "References": [
+            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
+            "https://avd.aquasec.com/misconfig/ds002"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Dockerfile",
+            "Service": "general",
+            "Code": {
+              "Lines": null
+            }
+          }
+        }
+      ]
+    }
+  ]
+}

test/data/image-sarif.test

@@ -442,7 +442,7 @@
               }
             }
           ],
-          "version": "0.25.0"
+          "version": "0.28.1"
         }
       },
       "results": [

test/data/repo.test

@@ -1,6 +1,6 @@
 {
   "SchemaVersion": 2,
-  "ArtifactName": "https://github.com/aquasecurity/trivy-action/",
+  "ArtifactName": "https://github.com/krol3/demo-trivy/",
   "ArtifactType": "repository",
   "Metadata": {
     "ImageConfig": {
@@ -13,5 +13,22 @@
       },
       "config": {}
     }
-  }
+  },
+  "Results": [
+    {
+      "Target": "env",
+      "Class": "secret",
+      "Secrets": [
+        {
+          "RuleID": "github-pat",
+          "Category": "GitHub",
+          "Severity": "CRITICAL",
+          "Title": "GitHub Personal Access Token",
+          "StartLine": 5,
+          "EndLine": 5,
+          "Match": "export GITHUB_PAT=*****"
+        }
+      ]
+    }
+  ]
 }

test/test.bats

@@ -1,43 +1,57 @@
 #!/usr/bin/env bats
 
 @test "trivy image" {
-  # trivy image --severity CRITICAL -o image.test knqyf263/vuln-image:1.2.3
-  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b table' '-h image.test' '-g CRITICAL'
+  # trivy image --severity CRITICAL --format json --output image.test knqyf263/vuln-image:1.2.3
+  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b json' '-h image.test' '-g CRITICAL'
   result="$(diff ./test/data/image.test image.test)"
   [ "$result" == '' ]
 }
 
 @test "trivy image sarif report" {
-  # trivy image --severity CRITICAL -f sarif -o image-sarif.test knqyf263/vuln-image:1.2.3
+  # trivy image --severity CRITICAL -f sarif --output image-sarif.test knqyf263/vuln-image:1.2.3
   ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b sarif' '-h image-sarif.test' '-g CRITICAL'
   result="$(diff ./test/data/image-sarif.test image-sarif.test)"
   [ "$result" == '' ]
 }
 
 @test "trivy config" {
-  # trivy conf -o config.test .
-  ./entrypoint.sh '-a config' '-j .' '-b table' '-h config.test'
+  # trivy config --format json --output config.test .
+  ./entrypoint.sh '-a config' '-j .' '-b json' '-h config.test'
   result="$(diff ./test/data/config.test config.test)"
   [ "$result" == '' ]
 }
 
 @test "trivy rootfs" {
-  # trivy rootfs -o rootfs.test -f json .
+  # trivy rootfs --format json --output rootfs.test .
   ./entrypoint.sh '-a rootfs' '-j .' '-b json' '-h rootfs.test'
   result="$(diff ./test/data/rootfs.test rootfs.test)"
   [ "$result" == '' ]
 }
 
 @test "trivy fs" {
-  # trivy fs -f json -o fs.test .
+  # trivy fs --format json --output fs.test .
   ./entrypoint.sh '-a fs' '-j .' '-b json' '-h fs.test'
   result="$(diff ./test/data/fs.test fs.test)"
   [ "$result" == '' ]
 }
 
-@test "trivy repo" {
-  # trivy repo -f json -o repo.test --severity CRITICAL https://github.com/aquasecurity/trivy-action/
-  ./entrypoint.sh '-b json' '-h repo.test' '-g CRITICAL' '-a repo' '-j https://github.com/aquasecurity/trivy-action/'
+@test "trivy fs with securityChecks option" {
+  # trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
+  ./entrypoint.sh '-a fs' '-j .' '-b json' '-s vuln,config,secret' '-h fs-scheck.test'
+  result="$(diff ./test/data/fs-scheck.test fs-scheck.test)"
+  [ "$result" == '' ]
+}
+
+@test "trivy repo with securityCheck secret only" {
+  # trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
+  ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
   result="$(diff ./test/data/repo.test repo.test)"
   [ "$result" == '' ]
-}
+}
+
+@test "trivy image with trivyIgnores option" {
+  # cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --format json --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
+  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b json' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
+  result="$(diff ./test/data/image-trivyignores.test image-trivyignores.test)"
+  [ "$result" == '' ]
+}