actions/trivy-action
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: actions:0.2.4
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1
...
compare: actions:bump-trivy
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1

16 Commits
0.2.4 ... bump-trivy

Author SHA1 Message Date
simar7
fb5e1b36be Update Dockerfile 2022-07-26 13:07:30 -07:00
simar7
503d3abc15 feat(yaml): Add support for trivy.yaml (#143) 
* feat(yaml): Add support for trivy.yaml

Signed-off-by: Simar <simar@linux.com>

* chore: fixing test using trivy v 0.30.0

* chore(deps): Update to use Trivy v0.30.2

Signed-off-by: Simar <simar@linux.com>

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-07-21 16:36:46 -07:00
simar7
0105373003 docs(trivy): Add instructions to scan tarballs. (#134) 
Signed-off-by: Simar <simar@linux.com>
 2022-06-29 14:34:09 -07:00
simar7
bc615ae2d7 fix(tests): Update test golden files for Trivy v0.29.2 (#136) 
Fixes: https://github.com/aquasecurity/trivy-action/issues/133
Fixes: https://github.com/aquasecurity/trivy-action/issues/135

Signed-off-by: Simar <simar@linux.com>
 2022-06-29 14:33:23 -07:00
simar7
7b7aa264d8 feat(SBOM): Support SBOM generation (#129) 
* feat(sbom): Support SBOM generation

Signed-off-by: Simar <simar@linux.com>

* Update README.md

Co-authored-by: Itay Shakury <itay@itaysk.com>

* feat(sbom): Send results within the entrypoint.sh

* fix(sbom): Fix leading whitespaces for format var.

Signed-off-by: Simar <simar@linux.com>

* docs(sbom): Update README.md

* docs(sbom): Update README.md

* chore(trivy): Bump Trivy version to 0.29.1

Signed-off-by: Simar <simar@linux.com>

* feat(sbom): Change to fs scan.

Signed-off-by: Simar <simar@linux.com>

* fix(tests): Update SARIF goldenfile

Co-authored-by: Itay Shakury <itay@itaysk.com>
 2022-06-22 11:24:39 -07:00
nleconte-csgroup
63b6e4c61b docs: added missing HTML template and removed deprecated SARIF template (#132) 
* docs: add missing template

* docs: add missing template and remove deprecated

Add missing HTML template
Remove deprecated SARIF template

* docs: remove deprecated SARIF template
 2022-06-21 11:46:57 -07:00
Carol Valencia
49e970d7ac chore: pinning 0.29.0 trivy (#128) 
Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-06-17 13:27:39 -07:00
Achton Smidt Winther
c666240787 Add missing option to README. (#127) 2022-06-16 08:25:13 -07:00
David Calvert
e27605859b feat: update codeql-action/upload-sarif to v2 (#124) 2022-06-15 09:16:34 -07:00
Achton Smidt Winther
2b22459068 Update tests for 0.28.1 and convert to JSON (#126) 
* Fix bug with test for securityChecks option which caused it to be skipped.

* Convert tests to JSON output only, and update them for Trivy 0.28.1.

* Update CI test to use Trivy 0.28.1.
 2022-06-15 08:23:38 -07:00
Achton Smidt Winther
4b3b5f928b Add support for --ignorefile option (.trivyignore) (#122) 
* Add support for supplying one or more .trivyignore files.

* Fix gitignore for test data.

* Add test for trivyignores option.

* Be explicit about the trivy options we use during testing.

* Add documentation of trivyignores option.
 2022-06-14 07:41:49 -07:00
Tanguy Segarra
1a53202fc4 Use AWS public ECR instead of rate-limiting dockerhub (#118) 2022-06-08 11:17:38 -07:00
James Luther
df3fb7d00b Update Trivy Version in Dockerfile (#117) 
Updated the dockerfile to use the latest release of Trivy.
 2022-06-02 14:53:00 -07:00
Tanguy Segarra
987beb8186 Enable security checks option for image type (#112) 
* Enable security checks option for image type

* Readme: update security checks option

* action.yaml: add default value for security checks option

* echo env var

* action.yaml: remove default value for security checks

* remove useless echo
 2022-06-02 14:52:06 -07:00
Carol Valencia
4b9b6fb4ef chore: update test to version 0.27.1 (#106) 
* chore: update test to version 0.27.0

* chore: add test file secret and update to 0.27.1

* fix: support repository with securityCheck secret

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-05-09 13:12:55 -07:00
Carol Valencia
2b30463ddb chore: Update trivy version to 0.26.0 (#102) 
* chore: Update trivy version to 0.25.3

* feat: trivy fs - securityCheck test

* chore: update trivy 0.26.0

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-04-18 08:40:37 -07:00
21 changed files with 3263 additions and 288 deletions
Expand all files Collapse all files
.github/workflows/build.yaml
Vendored
+7 -3
View File
@@ -1,7 +1,8 @@
name: "build"
on: [push, pull_request]
env:
TRIVY_VERSION: 0.25.0
TRIVY_VERSION: 0.30.4
BATS_LIB_PATH: '/usr/lib/'
jobs:
build:
name: build
@@ -11,7 +12,10 @@ jobs:
- name: Setup BATS
uses: mig4/setup-bats@v1
with:
bats-version: 1.2.1
bats-version: 1.7.0
- name: Setup Bats libs
uses: brokenpip3/setup-bats-libs@0.1.0
- name: Check out code
uses: actions/checkout@v1
@@ -21,4 +25,4 @@ jobs:
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
- name: Test
run: bats -r .
run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .
.gitignore
Vendored
+3 -1
View File
@@ -1,2 +1,4 @@
.idea/
*.test
*.test
!test/data/*.test
trivyignores
Dockerfile
+2 -2
View File
@@ -1,5 +1,5 @@
FROM aquasec/trivy:0.25.0
FROM ghcr.io/aquasecurity/trivy:0.30.4
COPY entrypoint.sh /
RUN apk --no-cache add bash
RUN apk --no-cache add bash curl
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
README.md
+135 -40
View File
@@ -19,7 +19,7 @@
## Usage
### Workflow
### Scan CI Pipeline
```yaml
name: build
@@ -31,15 +31,13 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
@@ -51,6 +49,68 @@ jobs:
severity: 'CRITICAL,HIGH'
```
### Scan CI Pipeline (w/ Trivy Config)
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@add-support-for-trivy-config
with:
scan-type: 'fs'
ignore-unfixed: true
trivy-config: ./trivy.yaml
```
In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
```yaml
format: json
exit-code: 1
severity: CRITICAL
```
It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes.
### Scanning a Tarball
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Generate tarball from image
run: |
docker pull <your-docker-image>
docker save -o vuln-image.tar <your-docker-image>
- name: Run Trivy vulnerability scanner in tarball mode
uses: aquasecurity/trivy-action@master
with:
input: /github/workspace/vuln-image.tar
severity: 'CRITICAL,HIGH'
```
### Using Trivy with GitHub Code Scanning
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
@@ -80,7 +140,7 @@ jobs:
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
@@ -115,8 +175,8 @@ jobs:
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
if: always()
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'
```
@@ -152,7 +212,7 @@ jobs:
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
@@ -187,7 +247,7 @@ jobs:
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
@@ -222,11 +282,43 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to generate SBOM
It's possible for Trivy to generate an SBOM of your dependencies and submit them to a consumer like GitHub Dependency Snapshot.
The sending of SBOM to GitHub feature is only available if you currently have [GitHub Dependency Snapshot](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) available to you in your repo.
In order to send results to the GitHub Dependency Snapshot, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
```yaml
---
name: Pull Request
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Checks
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'github'
output: 'dependency-results.sbom.json'
image-ref: '.'
github-pat: '<github_pat_token>'
```
### Using Trivy to scan your private registry
It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.
@@ -247,7 +339,7 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
@@ -256,10 +348,10 @@ jobs:
output: 'trivy-results.sarif'
env:
TRIVY_USERNAME: Username
TRIVY_PASSWORD: Password
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
@@ -283,7 +375,7 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
@@ -296,7 +388,7 @@ jobs:
AWS_DEFAULT_REGION: us-west-2
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
@@ -319,7 +411,7 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
@@ -330,7 +422,7 @@ jobs:
GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
@@ -352,7 +444,7 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
@@ -361,10 +453,10 @@ jobs:
output: 'trivy-results.sarif'
env:
TRIVY_USERNAME: Username
TRIVY_PASSWORD: Password
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
```
@@ -375,26 +467,29 @@ jobs:
Following inputs can be used as `step.with` keys:
| Name | Type | Default | Description |
|------------------|---------|------------------------------------|-----------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs`|
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.`|
| `format` | String | `table` | Output format (`table`, `json`, `sarif`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)|
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | | Cache directory |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `security-checks`| String | `vuln` | comma-separated list of what security issues to detect (`vuln`,`config`)|
| Name | Type | Default | Description |
|-------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | | Cache directory |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `true` | Suppress progress bar |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `security-checks` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `github-pat` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
action.yaml
+18 -3
View File
@@ -20,7 +20,6 @@ inputs:
exit-code:
description: 'exit code when vulnerabilities were found'
required: false
default: '0'
ignore-unfixed:
description: 'ignore unfixed vulnerabilities'
required: false
@@ -38,7 +37,7 @@ inputs:
required: false
default: 'table'
template:
description: 'use an existing template for rendering output (@/contrib/sarif.tpl, @/contrib/gitlab.tpl, @/contrib/junit.tpl'
description: 'use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl)'
required: false
default: ''
output:
@@ -68,7 +67,6 @@ inputs:
hide-progress:
description: 'hide progress output'
required: false
default: 'true'
list-all-pkgs:
description: 'output all packages regardless of vulnerability'
required: false
@@ -77,6 +75,20 @@ inputs:
description: 'comma-separated list of what security issues to detect'
required: false
default: ''
trivyignores:
description: 'comma-separated list of relative paths in repository to one or more .trivyignore files'
required: false
default: ''
artifact-type:
description: 'input artifact type (image, fs, repo, archive) for SBOM generation'
required: false
github-pat:
description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
required: false
trivy-config:
description: 'path to trivy.yaml config'
required: false
runs:
using: 'docker'
image: "Dockerfile"
@@ -100,3 +112,6 @@ runs:
- '-q ${{ inputs.skip-files }}'
- '-r ${{ inputs.list-all-pkgs }}'
- '-s ${{ inputs.security-checks }}'
- '-t ${{ inputs.trivyignores }}'
- '-u ${{ inputs.github-pat }}'
- '-v ${{ inputs.trivy-config }}'
entrypoint.sh
+44 -7
View File
@@ -1,6 +1,6 @@
#!/bin/bash
set -e
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:" o; do
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
case "${o}" in
a)
export scanType=${OPTARG}
@@ -59,9 +59,19 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:" o; do
s)
export securityChecks=${OPTARG}
;;
t)
export trivyIgnores=${OPTARG}
;;
u)
export githubPAT=${OPTARG}
;;
v)
export trivyConfig=${OPTARG}
;;
esac
done
scanType=$(echo $scanType | tr -d '\r')
export artifactRef="${imageRef}"
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
@@ -81,6 +91,7 @@ fi
SARIF_ARGS=""
ARGS=""
format=$(echo $format | xargs)
if [ $format ];then
ARGS="$ARGS --format $format"
fi
@@ -94,11 +105,11 @@ if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
ARGS="$ARGS --ignore-unfixed"
SARIF_ARGS="$SARIF_ARGS --ignore-unfixed"
fi
if [ $vulnType ] && [ "$scanType" != "config" ];then
if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];then
ARGS="$ARGS --vuln-type $vulnType"
SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
fi
if [ $securityChecks ] && [ "$scanType" == "fs" ];then
if [ $securityChecks ];then
ARGS="$ARGS --security-checks $securityChecks"
fi
if [ $severity ];then
@@ -114,6 +125,20 @@ if [ $skipDirs ];then
SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
done
fi
if [ $trivyIgnores ];then
for f in $(echo $trivyIgnores | tr "," "\n")
do
if [ -f "$f" ]; then
echo "Found ignorefile '${f}':"
cat "${f}"
cat "${f}" >> ./trivyignores
else
echo "ERROR: cannot find ignorefile '${f}'."
exit 1
fi
done
ARGS="$ARGS --ignorefile ./trivyignores"
fi
if [ $timeout ];then
ARGS="$ARGS --timeout $timeout"
fi
@@ -136,10 +161,17 @@ if [ "$skipFiles" ];then
done
fi
echo "Running trivy with options: ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
returnCode=$?
trivyConfig=$(echo $trivyConfig | tr -d '\r')
if [ $trivyConfig ]; then
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
trivy --config $trivyConfig ${scanType} $ARGS ${artifactRef}
returnCode=$?
else
echo "Running trivy with options: ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
returnCode=$?
fi
# SARIF is special. We output all vulnerabilities,
# regardless of severity level specified in this report.
@@ -149,4 +181,9 @@ if [[ "${format}" == "sarif" ]]; then
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
fi
if [[ "${format}" == "github" ]] && [[ "$(echo $githubPAT | xargs)" != "" ]]; then
echo "Uploading GitHub Dependency Snapshot"
curl -u "${githubPAT}" -H 'Content-Type: application/json' 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
fi
exit $returnCode
test/data/.trivyignore1
+3
View File
@@ -0,0 +1,3 @@
# test data #1 for trivy-ignores option
CVE-2020-25576
CVE-2019-15551
test/data/.trivyignore2
+2
View File
@@ -0,0 +1,2 @@
# test data #2 for trivy-ignores option
CVE-2019-15554
test/data/config-sarif.test
+77
View File
@@ -0,0 +1,77 @@
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
"runs": [
{
"tool": {
"driver": {
"fullName": "Trivy Vulnerability Scanner",
"informationUri": "https://github.com/aquasecurity/trivy",
"name": "Trivy",
"rules": [
{
"id": "DS002",
"name": "Misconfiguration",
"shortDescription": {
"text": "DS002"
},
"fullDescription": {
"text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/ds002",
"help": {
"text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH\nCheck: Image user should not be 'root'\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"markdown": "**Misconfiguration DS002**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\n\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
}
],
"version": "0.30.4"
}
},
"results": [
{
"ruleId": "DS002",
"ruleIndex": 0,
"level": "error",
"message": {
"text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS002\nSeverity: HIGH\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "Dockerfile",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
}
}
]
}
],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {
"uri": "file:///"
}
}
}
]
}
test/data/config.test
+56 -8
View File
@@ -1,8 +1,56 @@
+---------------------------+------------+-----------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+-----------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | root user | HIGH | Specify at least 1 USER |
| | | | | command in Dockerfile with |
| | | | | non-root user as argument |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+-----------+----------+------------------------------------------+
{
"SchemaVersion": 2,
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 21,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
}
]
}
test/data/fs-scheck.test
+56
View File
@@ -0,0 +1,56 @@
{
"SchemaVersion": 2,
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 21,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
}
]
}
test/data/fs.test
-17
View File
@@ -1,17 +0,0 @@
{
"SchemaVersion": 2,
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
}
}
test/data/image-sarif.test
+2516 -53
View File
File diff suppressed because it is too large Load Diff
test/data/image-trivyignores.test
+86
View File
@@ -0,0 +1,86 @@
knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)
┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-16839 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ │ │ curl: Use-after-free when closing "easy" handle in │
│ │ │ │ │ │ Curl_close() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16840 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ formatting │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2019-3822 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ git │ CVE-2018-17456 │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ git │ CVE-2019-1353 │ CRITICAL │ 2.15.2-r0 │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
│ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ │ │ curl: Use-after-free when closing "easy" handle in │
│ │ │ │ │ │ Curl_close() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16840 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ formatting │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2019-3822 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
│ │ │ │ │ │ adjustment im ...... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
├─────────────┤ │ │ │ │ │
│ musl-utils │ │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
rust-app/Cargo.lock (cargo)
===========================
Total: 1 (CRITICAL: 1)
┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ smallvec │ CVE-2021-25900 │ CRITICAL │ 0.6.9 │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
│ │ │ │ │ │ and 1.x... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
└──────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
test/data/image.test
+98 -107
View File
@@ -1,107 +1,98 @@
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| curl | CVE-2018-14618 | CRITICAL | 7.61.0-r0 | 7.61.1-r0 | curl: NTLM password overflow |
| | | | | | via integer overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-14618 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2018-16839 | | | 7.61.1-r1 | curl: Integer overflow leading |
| | | | | | to heap-based buffer overflow in |
| | | | | | Curl_sasl_create_plain_message() |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16839 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2018-16840 | | | | curl: Use-after-free when closing |
| | | | | | "easy" handle in Curl_close() |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16840 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2018-16842 | | | | curl: Heap-based buffer over-read |
| | | | | | in the curl tool warning formatting |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16842 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2019-3822 | | | 7.61.1-r2 | curl: NTLMv2 type-3 header |
| | | | | | stack buffer overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-3822 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2019-5481 | | | 7.61.1-r3 | curl: double free due to |
| | | | | | subsequent call of realloc() |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-5481 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2019-5482 | | | | curl: heap buffer overflow in |
| | | | | | function tftp_receive_packet() |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-5482 |
+-------------+------------------+ +-------------------+---------------+---------------------------------------+
| git | CVE-2018-17456 | | 2.15.2-r0 | 2.15.3-r0 | git: arbitrary code |
| | | | | | execution via .gitmodules |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-17456 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2019-1353 | | | 2.15.4-r0 | git: NTFS protections inactive |
| | | | | | when running Git in the |
| | | | | | Windows Subsystem for... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1353 |
+-------------+------------------+ +-------------------+---------------+---------------------------------------+
| libbz2 | CVE-2019-12900 | | 1.0.6-r6 | 1.0.6-r7 | bzip2: out-of-bounds write |
| | | | | | in function BZ2_decompress |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-12900 |
+-------------+------------------+ +-------------------+---------------+---------------------------------------+
| libcurl | CVE-2018-16839 | | 7.61.1-r0 | 7.61.1-r1 | curl: Integer overflow leading |
| | | | | | to heap-based buffer overflow in |
| | | | | | Curl_sasl_create_plain_message() |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16839 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2018-16840 | | | | curl: Use-after-free when closing |
| | | | | | "easy" handle in Curl_close() |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16840 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2018-16842 | | | | curl: Heap-based buffer over-read |
| | | | | | in the curl tool warning formatting |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16842 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2019-3822 | | | 7.61.1-r2 | curl: NTLMv2 type-3 header |
| | | | | | stack buffer overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-3822 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2019-5481 | | | 7.61.1-r3 | curl: double free due to |
| | | | | | subsequent call of realloc() |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-5481 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2019-5482 | | | | curl: heap buffer overflow in |
| | | | | | function tftp_receive_packet() |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-5482 |
+-------------+------------------+ +-------------------+---------------+---------------------------------------+
| musl | CVE-2019-14697 | | 1.1.18-r3 | 1.1.18-r4 | musl libc through 1.1.23 |
| | | | | | has an x87 floating-point |
| | | | | | stack adjustment im ...... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14697 |
+-------------+ + + + + +
| musl-utils | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+-------------+------------------+ +-------------------+---------------+---------------------------------------+
| sqlite-libs | CVE-2019-8457 | | 3.21.0-r1 | 3.25.3-r1 | sqlite: heap out-of-bound |
| | | | | | read in function rtreenode() |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-8457 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
| rand_core | CVE-2020-25576 | CRITICAL | 0.4.0 | 0.3.1, 0.4.2 | An issue was discovered |
| | | | | | in the rand_core crate |
| | | | | | before 0.4.2 for Rust.... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-25576 |
+-----------+------------------+ +-------------------+---------------+---------------------------------------+
| smallvec | CVE-2019-15551 | | 0.6.9 | 0.6.10 | An issue was discovered |
| | | | | | in the smallvec crate |
| | | | | | before 0.6.10 for Rust.... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-15551 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2019-15554 | | | | An issue was discovered |
| | | | | | in the smallvec crate |
| | | | | | before 0.6.10 for Rust.... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-15554 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2021-25900 | | | 0.6.14, 1.6.1 | An issue was discovered |
| | | | | | in the smallvec crate |
| | | | | | before 0.6.14 and 1.x... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-25900 |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)
┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow
│ https://avd.aquasec.com/nvd/cve-2018-14618 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-16839 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ in Curl_sasl_create_plain_message() │
│ https://avd.aquasec.com/nvd/cve-2018-16839
├────────────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ CVE-2018-16840 │ │ curl: Use-after-free when closing "easy" handle in │
│ Curl_close() │
│ https://avd.aquasec.com/nvd/cve-2018-16840
├────────────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ CVE-2018-16842 │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ formatting
│ https://avd.aquasec.com/nvd/cve-2018-16842
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2019-3822 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822
├────────────────┤ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ CVE-2019-5481 │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
├────────────────┤ ├──────────────────────────────────────────────────────────────┤
│ CVE-2019-5482 │ │ curl: heap buffer overflow in function tftp_receive_packet()
│ https://avd.aquasec.com/nvd/cve-2019-5482
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
git CVE-2018-17456 2.15.2-r0 2.15.3-r0 git: arbitrary code execution via .gitmodules
│ https://avd.aquasec.com/nvd/cve-2018-17456
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ git │ CVE-2019-1353 │ CRITICAL │ 2.15.2-r0 │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
│ │ Windows Subsystem for... │
│ https://avd.aquasec.com/nvd/cve-2019-1353
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
├────────────────┤ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ curl: Use-after-free when closing "easy" handle in
Curl_close() │
│ https://avd.aquasec.com/nvd/cve-2018-16840 │
├────────────────┤ ├──────────────────────────────────────────────────────────────┤
CVE-2018-16842 │ curl: Heap-based buffer over-read in the curl tool warning
│ │ │ │ │ formatting
│ https://avd.aquasec.com/nvd/cve-2018-16842 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2019-3822 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ https://avd.aquasec.com/nvd/cve-2019-3822
├────────────────┤ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ CVE-2019-5481 │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481
├────────────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ CVE-2019-5482 │ │ curl: heap buffer overflow in function tftp_receive_packet() │
│ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack
│ adjustment im ...... │
│ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
├─────────────┤ │ │
│ musl-utils │ │ │
│ │ │ │ │ │
│ │ │ │ │ │ │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode()
│ https://avd.aquasec.com/nvd/cve-2019-8457
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
rust-app/Cargo.lock (cargo)
===========================
Total: 4 (CRITICAL: 4)
┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title
├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ rand_core │ CVE-2020-25576 │ CRITICAL │ 0.4.0 │ 0.3.1, 0.4.2 │ An issue was discovered in the rand_core crate before 0.4.2 │
│ │ │ │ │ │ for Rust.... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-25576 │
├───────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ smallvec │ CVE-2019-15551 │ │ 0.6.9 │ 0.6.10 │ An issue was discovered in the smallvec crate before 0.6.10 │
│ │ │ │ │ │ for Rust....
│ https://avd.aquasec.com/nvd/cve-2019-15551
├────────────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ CVE-2019-15554 │ │ An issue was discovered in the smallvec crate before 0.6.10 │
│ │ │ │ │ │ for Rust.... │
│ │ https://avd.aquasec.com/nvd/cve-2019-15554
├────────────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ CVE-2021-25900 │ │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
│ and 1.x... │
│ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
test/data/repo.test
+61 -2
View File
@@ -1,6 +1,6 @@
{
"SchemaVersion": 2,
"ArtifactName": "https://github.com/aquasecurity/trivy-action/",
"ArtifactName": "https://github.com/krol3/demo-trivy/",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
@@ -13,5 +13,64 @@
},
"config": {}
}
}
},
"Results": [
{
"Target": "env",
"Class": "secret",
"Secrets": [
{
"RuleID": "github-pat",
"Category": "GitHub",
"Severity": "CRITICAL",
"Title": "GitHub Personal Access Token",
"StartLine": 5,
"EndLine": 5,
"Code": {
"Lines": [
{
"Number": 3,
"Content": "export AWS_ACCESS_KEY_ID=1234567",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "export AWS_ACCESS_KEY_ID=1234567",
"FirstCause": false,
"LastCause": false
},
{
"Number": 4,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 5,
"Content": "export GITHUB_PAT=****************************************",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "export GITHUB_PAT=****************************************",
"FirstCause": true,
"LastCause": true
},
{
"Number": 6,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
}
]
},
"Match": "export GITHUB_PAT=****************************************"
}
]
}
]
}
test/data/rootfs.test
-17
View File
@@ -1,17 +0,0 @@
{
"SchemaVersion": 2,
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
}
}
test/data/trivy.yaml
+2
View File
@@ -0,0 +1,2 @@
format: json
severity: CRITICAL
test/data/yamlconfig.test
+29
View File
@@ -0,0 +1,29 @@
{
"SchemaVersion": 2,
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 6,
"Failures": 0,
"Exceptions": 0
}
}
]
}
test/test.bats
+67 -27
View File
@@ -1,43 +1,83 @@
#!/usr/bin/env bats
bats_load_library bats-support
bats_load_library bats-assert
bats_load_library bats-file
@test "trivy image" {
# trivy image --severity CRITICAL -o image.test knqyf263/vuln-image:1.2.3
./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b table' '-h image.test' '-g CRITICAL'
result="$(diff ./test/data/image.test image.test)"
[ "$result" == '' ]
@test "trivy repo with securityCheck secret only" {
# trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
run diff repo.test ./test/data/repo.test
echo "$output"
assert_files_equal repo.test ./test/data/repo.test
}
@test "trivy image sarif report" {
# trivy image --severity CRITICAL -f sarif -o image-sarif.test knqyf263/vuln-image:1.2.3
./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b sarif' '-h image-sarif.test' '-g CRITICAL'
result="$(diff ./test/data/image-sarif.test image-sarif.test)"
[ "$result" == '' ]
@test "trivy image" {
# trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
run diff image.test ./test/data/image.test
echo "$output"
assert_files_equal image.test ./test/data/image.test
}
@test "trivy config sarif report" {
# trivy config --format sarif --output config-sarif.test .
run ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.test' '-j .'
run diff config-sarif.test ./test/data/config-sarif.test
echo "$output"
assert_files_equal config-sarif.test ./test/data/config-sarif.test
}
@test "trivy config" {
# trivy conf -o config.test .
./entrypoint.sh '-a config' '-j .' '-b table' '-h config.test'
result="$(diff ./test/data/config.test config.test)"
[ "$result" == '' ]
# trivy config --format json --output config.test .
run ./entrypoint.sh '-a config' '-b json' '-j .' '-h config.test'
run diff config.test ./test/data/config.test
echo "$output"
assert_files_equal config.test ./test/data/config.test
}
@test "trivy rootfs" {
# trivy rootfs -o rootfs.test -f json .
./entrypoint.sh '-a rootfs' '-j .' '-b json' '-h rootfs.test'
result="$(diff ./test/data/rootfs.test rootfs.test)"
[ "$result" == '' ]
# trivy rootfs --output rootfs.test .
run ./entrypoint.sh '-a rootfs' '-j .' '-h rootfs.test'
run diff rootfs.test ./test/data/rootfs.test
echo "$output"
assert_files_equal rootfs.test ./test/data/rootfs.test
}
@test "trivy fs" {
# trivy fs -f json -o fs.test .
./entrypoint.sh '-a fs' '-j .' '-b json' '-h fs.test'
result="$(diff ./test/data/fs.test fs.test)"
[ "$result" == '' ]
# trivy fs --output fs.test .
run ./entrypoint.sh '-a fs' '-j .' '-h fs.test'
run diff fs.test ./test/data/fs.test
echo "$output"
assert_files_equal fs.test ./test/data/fs.test
}
@test "trivy repo" {
# trivy repo -f json -o repo.test --severity CRITICAL https://github.com/aquasecurity/trivy-action/
./entrypoint.sh '-b json' '-h repo.test' '-g CRITICAL' '-a repo' '-j https://github.com/aquasecurity/trivy-action/'
result="$(diff ./test/data/repo.test repo.test)"
[ "$result" == '' ]
@test "trivy fs with securityChecks option" {
# trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
run ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
run diff fs-scheck.test ./test/data/fs-scheck.test
echo "$output"
assert_files_equal fs-scheck.test ./test/data/fs-scheck.test
}
@test "trivy image with trivyIgnores option" {
# cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
run diff image-trivyignores.test ./test/data/image-trivyignores.test
echo "$output"
assert_files_equal image-trivyignores.test ./test/data/image-trivyignores.test
}
@test "trivy image with sbom output" {
# trivy image --format github knqyf263/vuln-image:1.2.3
run ./entrypoint.sh "-a image" "-b github" "-i knqyf263/vuln-image:1.2.3"
assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' # TODO: Output contains time, need to mock
}
@test "trivy repo with trivy.yaml config" {
# trivy --config=./data/trivy.yaml fs --security-checks=config,secret --output=yamlconfig.test .
run ./entrypoint.sh "-a fs" "-j ." "-s config,secret" "-v ./test/data/trivy.yaml" "-h yamlconfig.test"
run diff yamlconfig.test ./test/data/yamlconfig.test
echo "$output"
assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
}
workflow.yml
+1 -1
View File
@@ -29,6 +29,6 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'