simar7
f781cce5aa feat(trivy): Bump to support v0.56.1 (#387)
* feat(trivy): Bump to support v0.55.2

* fix tests

* update github workflow

* upgrade to v0.56.0

* bump to trivy v0.56.1

* update tests
2024-10-07 14:14:19 -06:00
Nikita Pivkin
54f21d8382 ci: sync trivy-checks version 1 (#398)
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
2024-10-07 12:23:44 -06:00
Oussama Bounaim
89b14e517d Upgrade GitHub actions (#374)
* Upgrade Github checkout action

* Upgrade Github upload-sarif action

* Upgrade Github checkout action - Pipeline
2024-10-02 14:41:43 -06:00
Nikita Pivkin
97646fedde chore: use checks bundle snapshot from trivy-action (#388)
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
2024-09-19 08:58:52 -06:00
chris
d9cd5b1c23 fix(Makefile): recursive option typo (#371) 2024-07-09 10:07:51 -06:00
Vinayak S
6e7b7d1fd3 Upgrade trivy to v0.53.0 (#369)
* Upgrade trivy to v0.53.0

* update tests

---------

Co-authored-by: Simar <simar@linux.com>
2024-07-09 00:19:25 -06:00
Vinayak S
7c2007bcb5 Upgrade trivy to v0.52.2 (#367)
* Upgrade trivy to v0.52.2

* Upgrade trivy to v0.52.2
2024-06-17 16:53:33 -06:00
Francisco Javier Barón
595be6a0f6 Upgrade trivy to v0.52.0 (#364) 2024-06-06 17:41:36 -06:00
simar7
841fb371db chore(docs): Reference the use of a pinned version (#356) 2024-05-22 18:59:56 -06:00
Vinayak S
fd25fed697 bump trivy version to v0.51.2 (#360)
* bump trivy version to v0.51.2

* bump trivy version to v0.51.2
2024-05-21 16:33:02 -06:00
15 changed files with 132 additions and 1200 deletions


@@ -14,7 +14,7 @@ jobs:
bump:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Update Trivy versions
run: |
sed -r -i "s/ghcr.io\/aquasecurity\/trivy:[0-9]+\.[0-9]+\.[0-9]+/ghcr.io\/aquasecurity\/trivy:${{ inputs.trivy_version }}/" Dockerfile


@@ -21,4 +21,4 @@ jobs:
- name: Copy Trivy Checks
run: |
oras cp ghcr.io/aquasecurity/trivy-checks:0 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
oras cp ghcr.io/aquasecurity/trivy-checks:1 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest


@@ -6,7 +6,7 @@ on:
workflow_dispatch:
env:
TRIVY_VERSION: 0.51.1
TRIVY_VERSION: 0.56.1
BATS_LIB_PATH: '/usr/lib/'
jobs:
@@ -26,4 +26,6 @@ jobs:
- name: Test
run: |
chmod +x entrypoint.sh
bats -r -T .
GITHUB_REPOSITORY_OWNER=aquasecurity\
TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
bats --recursive --timing --verbose-run .
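Review bot: The added `run:` script relies on backslash-newline continuations with no whitespace before the `\`, so the shell splices `aquasecurity` directly onto `TRIVY_CACHE_DIR=.cache` and `TRIVY_DEBUG=true` directly onto `bats`, yielding three assignments followed by `--recursive` as the command word; whether that actually happens depends on leading indentation on the continuation lines that the rendered hunk does not show, since a `|` block scalar strips only the common indent. Either way the form is fragile, and the fix is one character per line: `GITHUB_REPOSITORY_OWNER=aquasecurity \` and `TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true \`. A cleaner alternative is to move the four variables into the step's `env:` mapping (quoting the boolean-looking values as `"true"`) and keep `run:` to the single `bats` invocation. The same continuation pattern appears in the Makefile hunk (`GITHUB_REPOSITORY_OWNER=aquasecurity\`), where make strips only the leading tab of a continuation line before handing the backslash-newline to the shell, so the same spacing fix applies there.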

4
.gitignore vendored

@@ -2,4 +2,6 @@
*.test
!test/data/*.test
trivyignores
.vscode/
.vscode/
.cache


@@ -1,4 +1,4 @@
FROM ghcr.io/aquasecurity/trivy:0.51.1
FROM ghcr.io/aquasecurity/trivy:0.56.1
COPY entrypoint.sh /
RUN apk --no-cache add bash curl npm
RUN chmod +x /entrypoint.sh


@@ -1,4 +1,15 @@
.PHONY: test
OS := $(shell uname)
ifeq ($(OS), Darwin)
BATS_LIB_PATH=/opt/homebrew/lib
endif
ifeq ($(OS), Linux)
BATS_LIB_PATH=/usr/local/lib/
endif
.PHONY: test
test:
BATS_LIB_PATH=/usr/local/lib/ bats -r .
mkdir -p .cache
BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\
TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
bats --recursive --timing --verbose-run .
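Review bot: `BATS_LIB_PATH` is only assigned inside the `ifeq` branches for Darwin and Linux, so on any other `uname` result the recipe exports an empty `BATS_LIB_PATH=` and bats silently falls back to its built-in search, which is harder to diagnose than a wrong path. Give it a default before the conditionals, `BATS_LIB_PATH ?= /usr/local/lib/`, and let the two branches override it; `?=` also leaves an operator-supplied value from the environment intact. The two branches also disagree on the trailing slash (`/opt/homebrew/lib` vs `/usr/local/lib/`); pick one form so the exported value is consistent with the `BATS_LIB_PATH: '/usr/lib/'` used in the test workflow.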


@@ -34,12 +34,12 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'table'
@@ -64,10 +64,10 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'fs'
scan-ref: '.'
@@ -109,7 +109,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Generate tarball from image
run: |
@@ -117,7 +117,7 @@ jobs:
docker save -o vuln-image.tar <your-docker-image>
- name: Run Trivy vulnerability scanner in tarball mode
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
input: /github/workspace/vuln-image.tar
severity: 'CRITICAL,HIGH'
@@ -138,21 +138,21 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -173,21 +173,21 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
@@ -212,10 +212,10 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'fs'
ignore-unfixed: true
@@ -224,7 +224,7 @@ jobs:
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -246,10 +246,10 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner with rootfs command
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'rootfs'
scan-ref: 'rootfs-example-binary'
@@ -259,7 +259,7 @@ jobs:
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -281,10 +281,10 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'config'
hide-progress: true
@@ -295,7 +295,7 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -325,10 +325,10 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'fs'
format: 'github'
@@ -359,7 +359,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Scan image in a private registry
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: "private_image_registry/image_name:image_tag"
scan-type: image
@@ -399,10 +399,10 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -412,7 +412,7 @@ jobs:
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -435,10 +435,10 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
format: 'sarif'
@@ -449,7 +449,7 @@ jobs:
AWS_DEFAULT_REGION: us-west-2
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -471,10 +471,10 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -483,7 +483,7 @@ jobs:
GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -504,10 +504,10 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -517,7 +517,7 @@ jobs:
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -530,7 +530,7 @@ This step is especially useful for private repositories without [GitHub Advanced
```yaml
- name: Run Trivy scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: config
hide-progress: true


@@ -1,6 +1,6 @@
{
"version": "2.1.0",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
@@ -9,87 +9,6 @@
"informationUri": "https://github.com/aquasecurity/trivy",
"name": "Trivy",
"rules": [
{
"id": "AVD-AWS-0086",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access block should block public ACL"
},
"fullDescription": {
"text": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0086",
"help": {
"text": "Misconfiguration AVD-AWS-0086\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public ACL\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
"markdown": "**Misconfiguration AVD-AWS-0086**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)|\n\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0087",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access block should block public policy"
},
"fullDescription": {
"text": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0087",
"help": {
"text": "Misconfiguration AVD-AWS-0087\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public policy\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
"markdown": "**Misconfiguration AVD-AWS-0087**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)|\n\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0088",
"name": "Misconfiguration",
"shortDescription": {
"text": "Unencrypted S3 bucket."
},
"fullDescription": {
"text": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0088",
"help": {
"text": "Misconfiguration AVD-AWS-0088\nType: Terraform Security Check\nSeverity: HIGH\nCheck: Unencrypted S3 bucket.\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
"markdown": "**Misconfiguration AVD-AWS-0088**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\n\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0089",
"name": "Misconfiguration",
@@ -116,231 +35,14 @@
"LOW"
]
}
},
{
"id": "AVD-AWS-0090",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Data should be versioned"
},
"fullDescription": {
"text": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0090",
"help": {
"text": "Misconfiguration AVD-AWS-0090\nType: Terraform Security Check\nSeverity: MEDIUM\nCheck: S3 Data should be versioned\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
"markdown": "**Misconfiguration AVD-AWS-0090**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\n\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "5.5",
"tags": [
"misconfiguration",
"security",
"MEDIUM"
]
}
},
{
"id": "AVD-AWS-0091",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access Block should Ignore Public Acl"
},
"fullDescription": {
"text": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0091",
"help": {
"text": "Misconfiguration AVD-AWS-0091\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access Block should Ignore Public Acl\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
"markdown": "**Misconfiguration AVD-AWS-0091**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not ignoring public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\n\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0093",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access block should restrict public bucket to limit access"
},
"fullDescription": {
"text": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0093",
"help": {
"text": "Misconfiguration AVD-AWS-0093\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should restrict public bucket to limit access\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
"markdown": "**Misconfiguration AVD-AWS-0093**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)|\n\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0094",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 buckets should each define an aws_s3_bucket_public_access_block"
},
"fullDescription": {
"text": "The \u0026#34;block public access\u0026#34; settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it."
},
"defaultConfiguration": {
"level": "note"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0094",
"help": {
"text": "Misconfiguration AVD-AWS-0094\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
"markdown": "**Misconfiguration AVD-AWS-0094**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)|\n\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it."
},
"properties": {
"precision": "very-high",
"security-severity": "2.0",
"tags": [
"misconfiguration",
"security",
"LOW"
]
}
},
{
"id": "AVD-AWS-0132",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 encryption should use Customer Managed Keys"
},
"fullDescription": {
"text": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0132",
"help": {
"text": "Misconfiguration AVD-AWS-0132\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 encryption should use Customer Managed Keys\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
"markdown": "**Misconfiguration AVD-AWS-0132**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\n\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
}
],
"version": "0.50.0"
]
}
},
"results": [
{
"ruleId": "AVD-AWS-0086",
"ruleIndex": 0,
"level": "error",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0086\nSeverity: HIGH\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0087",
"ruleIndex": 1,
"level": "error",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0087\nSeverity: HIGH\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0088",
"ruleIndex": 2,
"level": "error",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0088\nSeverity: HIGH\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0089",
"ruleIndex": 3,
"ruleIndex": 0,
"level": "note",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0089\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)"
@@ -364,149 +66,9 @@
}
}
]
},
{
"ruleId": "AVD-AWS-0090",
"ruleIndex": 4,
"level": "warning",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0090\nSeverity: MEDIUM\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 16,
"startColumn": 1,
"endLine": 16,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0091",
"ruleIndex": 5,
"level": "error",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0091\nSeverity: HIGH\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0093",
"ruleIndex": 6,
"level": "error",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0093\nSeverity: HIGH\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0094",
"ruleIndex": 7,
"level": "note",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0094\nSeverity: LOW\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0132",
"ruleIndex": 8,
"level": "error",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0132\nSeverity: HIGH\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
}
],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {
"uri": "file://D:\\projects\\trivy-action\\test\\data\\config-sarif-report/"
}
}
"columnKind": "utf16CodeUnits"
}
]
}
}


@@ -1,6 +1,5 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-04-12T16:53:35.5567541+03:00",
"ArtifactName": "test/data/config-scan",
"ArtifactType": "filesystem",
"Metadata": {
@@ -31,188 +30,11 @@
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 1,
"Failures": 9,
"Successes": 0,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0086",
"AVDID": "AVD-AWS-0086",
"Title": "S3 Access block should block public ACL",
"Description": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
"Message": "No public access block so not blocking public acls",
"Query": "data..",
"Resolution": "Enable blocking any PUT calls with a public ACL specified",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0086",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0086"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0087",
"AVDID": "AVD-AWS-0087",
"Title": "S3 Access block should block public policy",
"Description": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
"Message": "No public access block so not blocking public policies",
"Query": "data..",
"Resolution": "Prevent policies that allow public access being PUT",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0087",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0087"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0088",
"AVDID": "AVD-AWS-0088",
"Title": "Unencrypted S3 bucket.",
"Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
"Message": "Bucket does not have encryption enabled",
"Query": "data..",
"Resolution": "Configure bucket encryption",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0088",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
"https://avd.aquasec.com/misconfig/avd-aws-0088"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0089",
@@ -272,358 +94,6 @@
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0090",
"AVDID": "AVD-AWS-0090",
"Title": "S3 Data should be versioned",
"Description": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
"Message": "Bucket does not have versioning enabled",
"Query": "data..",
"Resolution": "Enable versioning to protect against accidental/malicious removal or modification",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html",
"https://avd.aquasec.com/misconfig/avd-aws-0090"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Provider": "AWS",
"Service": "s3",
"StartLine": 16,
"EndLine": 16,
"Code": {
"Lines": [
{
"Number": 12,
"Content": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {",
"FirstCause": false,
"LastCause": false
},
{
"Number": 13,
"Content": " bucket = aws_s3_bucket.bucket.id",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = aws_s3_bucket.bucket.id",
"FirstCause": false,
"LastCause": false
},
{
"Number": 14,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " versioning_configuration {",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " versioning_configuration {",
"FirstCause": false,
"LastCause": false
},
{
"Number": 16,
"Content": " status = var.bucket_versioning_enabled",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;33mvar\u001b[0m.bucket_versioning_enabled",
"FirstCause": true,
"LastCause": true
},
{
"Number": 17,
"Content": " }",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " }",
"FirstCause": false,
"LastCause": false
},
{
"Number": 18,
"Content": "}",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "}",
"FirstCause": false,
"LastCause": false
}
]
},
"Occurrences": [
{
"Resource": "versioning_configuration",
"Filename": "main.tf",
"Location": {
"StartLine": 15,
"EndLine": 17
}
},
{
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Filename": "main.tf",
"Location": {
"StartLine": 12,
"EndLine": 18
}
}
]
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0091",
"AVDID": "AVD-AWS-0091",
"Title": "S3 Access Block should Ignore Public Acl",
"Description": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
"Message": "No public access block so not ignoring public acls",
"Query": "data..",
"Resolution": "Enable ignoring the application of public ACLs in PUT calls",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0091",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0091"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0093",
"AVDID": "AVD-AWS-0093",
"Title": "S3 Access block should restrict public bucket to limit access",
"Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
"Message": "No public access block so not restricting public buckets",
"Query": "data..",
"Resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0093",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0093"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0094",
"AVDID": "AVD-AWS-0094",
"Title": "S3 buckets should each define an aws_s3_bucket_public_access_block",
"Description": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
"Message": "Bucket does not have a corresponding public access block.",
"Query": "data..",
"Resolution": "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0094",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0094"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0132",
"AVDID": "AVD-AWS-0132",
"Title": "S3 encryption should use Customer Managed Keys",
"Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
"Message": "Bucket does not encrypt data with a customer managed key.",
"Query": "data..",
"Resolution": "Enable encryption using customer managed keys",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
"https://avd.aquasec.com/misconfig/avd-aws-0132"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
}
]
}


@@ -2,23 +2,18 @@
"version": 0,
"detector": {
"name": "trivy",
"version": "0.50.0",
"url": "https://github.com/aquasecurity/trivy"
},
"metadata": {
"aquasecurity:trivy:RepoDigest": "knqyf263/vuln-image@sha256:1e8b199249d6d0ef3419ddc6eda2348d9fbdb10d350d3bb70aa98e87faa227c9",
"aquasecurity:trivy:RepoTag": "knqyf263/vuln-image:1.2.3"
},
"job": {
"correlator": "_"
},
"scanned": "2024-04-12T16:02:51+03:00",
"manifests": {
"knqyf263/vuln-image:1.2.3 (alpine 3.7.1)": {
"name": "alpine",
"resolved": {
".composer-phpext-rundeps": {
"package_url": "pkg:apk/alpine/.composer-phpext-rundeps@0?arch=noarch\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/.composer-phpext-rundeps@0?arch=noarch&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libsodium@1.0.15-r0",
@@ -28,7 +23,7 @@
"scope": "runtime"
},
".persistent-deps": {
"package_url": "pkg:apk/alpine/.persistent-deps@0?arch=noarch\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/.persistent-deps@0?arch=noarch&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"ca-certificates@20171114-r0",
@@ -40,7 +35,7 @@
"scope": "runtime"
},
".php-rundeps": {
"package_url": "pkg:apk/alpine/.php-rundeps@0?arch=noarch\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/.php-rundeps@0?arch=noarch&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libcurl@7.61.1-r0",
@@ -55,7 +50,7 @@
"scope": "runtime"
},
"alpine-baselayout": {
"package_url": "pkg:apk/alpine/alpine-baselayout@3.0.5-r2?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/alpine-baselayout@3.0.5-r2?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"busybox@1.27.2-r11",
@@ -64,12 +59,12 @@
"scope": "runtime"
},
"alpine-keys": {
"package_url": "pkg:apk/alpine/alpine-keys@2.1-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/alpine-keys@2.1-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"scope": "runtime"
},
"apk-tools": {
"package_url": "pkg:apk/alpine/apk-tools@2.10.1-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/apk-tools@2.10.1-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -80,7 +75,7 @@
"scope": "runtime"
},
"apr": {
"package_url": "pkg:apk/alpine/apr@1.6.3-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/apr@1.6.3-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libuuid@2.31-r0",
@@ -89,7 +84,7 @@
"scope": "runtime"
},
"apr-util": {
"package_url": "pkg:apk/alpine/apr-util@1.6.1-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/apr-util@1.6.1-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"apr@1.6.3-r0",
@@ -100,7 +95,7 @@
"scope": "runtime"
},
"bash": {
"package_url": "pkg:apk/alpine/bash@4.4.19-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/bash@4.4.19-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"busybox@1.27.2-r11",
@@ -111,7 +106,7 @@
"scope": "runtime"
},
"busybox": {
"package_url": "pkg:apk/alpine/busybox@1.27.2-r11?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/busybox@1.27.2-r11?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -119,7 +114,7 @@
"scope": "runtime"
},
"ca-certificates": {
"package_url": "pkg:apk/alpine/ca-certificates@20171114-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ca-certificates@20171114-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"busybox@1.27.2-r11",
@@ -129,7 +124,7 @@
"scope": "runtime"
},
"curl": {
"package_url": "pkg:apk/alpine/curl@7.61.0-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/curl@7.61.0-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"ca-certificates@20171114-r0",
@@ -140,7 +135,7 @@
"scope": "runtime"
},
"db": {
"package_url": "pkg:apk/alpine/db@5.3.28-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/db@5.3.28-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -148,7 +143,7 @@
"scope": "runtime"
},
"expat": {
"package_url": "pkg:apk/alpine/expat@2.2.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/expat@2.2.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -156,7 +151,7 @@
"scope": "runtime"
},
"gdbm": {
"package_url": "pkg:apk/alpine/gdbm@1.13-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/gdbm@1.13-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -164,7 +159,7 @@
"scope": "runtime"
},
"git": {
"package_url": "pkg:apk/alpine/git@2.15.2-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/git@2.15.2-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"expat@2.2.5-r0",
@@ -176,7 +171,7 @@
"scope": "runtime"
},
"libbz2": {
"package_url": "pkg:apk/alpine/libbz2@1.0.6-r6?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libbz2@1.0.6-r6?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -184,7 +179,7 @@
"scope": "runtime"
},
"libc-utils": {
"package_url": "pkg:apk/alpine/libc-utils@0.7.1-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libc-utils@0.7.1-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl-utils@1.1.18-r3"
@@ -192,7 +187,7 @@
"scope": "runtime"
},
"libcurl": {
"package_url": "pkg:apk/alpine/libcurl@7.61.1-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libcurl@7.61.1-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"ca-certificates@20171114-r0",
@@ -205,7 +200,7 @@
"scope": "runtime"
},
"libedit": {
"package_url": "pkg:apk/alpine/libedit@20170329.3.1-r3?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libedit@20170329.3.1-r3?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -214,7 +209,7 @@
"scope": "runtime"
},
"libffi": {
"package_url": "pkg:apk/alpine/libffi@3.2.1-r4?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libffi@3.2.1-r4?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -222,7 +217,7 @@
"scope": "runtime"
},
"libressl": {
"package_url": "pkg:apk/alpine/libressl@2.6.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libressl@2.6.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -233,7 +228,7 @@
"scope": "runtime"
},
"libressl2.6-libcrypto": {
"package_url": "pkg:apk/alpine/libressl2.6-libcrypto@2.6.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libressl2.6-libcrypto@2.6.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -241,7 +236,7 @@
"scope": "runtime"
},
"libressl2.6-libssl": {
"package_url": "pkg:apk/alpine/libressl2.6-libssl@2.6.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libressl2.6-libssl@2.6.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -250,7 +245,7 @@
"scope": "runtime"
},
"libressl2.6-libtls": {
"package_url": "pkg:apk/alpine/libressl2.6-libtls@2.6.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libressl2.6-libtls@2.6.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -260,7 +255,7 @@
"scope": "runtime"
},
"libsasl": {
"package_url": "pkg:apk/alpine/libsasl@2.1.26-r11?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libsasl@2.1.26-r11?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"db@5.3.28-r0",
@@ -269,7 +264,7 @@
"scope": "runtime"
},
"libsodium": {
"package_url": "pkg:apk/alpine/libsodium@1.0.15-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libsodium@1.0.15-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -277,7 +272,7 @@
"scope": "runtime"
},
"libssh2": {
"package_url": "pkg:apk/alpine/libssh2@1.8.0-r2?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libssh2@1.8.0-r2?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -287,7 +282,7 @@
"scope": "runtime"
},
"libuuid": {
"package_url": "pkg:apk/alpine/libuuid@2.31-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libuuid@2.31-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -295,7 +290,7 @@
"scope": "runtime"
},
"libxml2": {
"package_url": "pkg:apk/alpine/libxml2@2.9.7-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libxml2@2.9.7-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -304,7 +299,7 @@
"scope": "runtime"
},
"mercurial": {
"package_url": "pkg:apk/alpine/mercurial@4.5.2-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/mercurial@4.5.2-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -313,12 +308,12 @@
"scope": "runtime"
},
"musl": {
"package_url": "pkg:apk/alpine/musl@1.1.18-r3?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/musl@1.1.18-r3?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"scope": "runtime"
},
"musl-utils": {
"package_url": "pkg:apk/alpine/musl-utils@1.1.18-r3?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/musl-utils@1.1.18-r3?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -327,7 +322,7 @@
"scope": "runtime"
},
"ncurses-libs": {
"package_url": "pkg:apk/alpine/ncurses-libs@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ncurses-libs@6.0_p20171125-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -337,7 +332,7 @@
"scope": "runtime"
},
"ncurses-terminfo": {
"package_url": "pkg:apk/alpine/ncurses-terminfo@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ncurses-terminfo@6.0_p20171125-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"ncurses-terminfo-base@6.0_p20171125-r1"
@@ -345,12 +340,12 @@
"scope": "runtime"
},
"ncurses-terminfo-base": {
"package_url": "pkg:apk/alpine/ncurses-terminfo-base@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ncurses-terminfo-base@6.0_p20171125-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"scope": "runtime"
},
"openssh": {
"package_url": "pkg:apk/alpine/openssh@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -362,7 +357,7 @@
"scope": "runtime"
},
"openssh-client": {
"package_url": "pkg:apk/alpine/openssh-client@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-client@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -373,7 +368,7 @@
"scope": "runtime"
},
"openssh-keygen": {
"package_url": "pkg:apk/alpine/openssh-keygen@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-keygen@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -382,7 +377,7 @@
"scope": "runtime"
},
"openssh-server": {
"package_url": "pkg:apk/alpine/openssh-server@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-server@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -394,12 +389,12 @@
"scope": "runtime"
},
"openssh-server-common": {
"package_url": "pkg:apk/alpine/openssh-server-common@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-server-common@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"scope": "runtime"
},
"openssh-sftp-server": {
"package_url": "pkg:apk/alpine/openssh-sftp-server@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-sftp-server@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -407,7 +402,7 @@
"scope": "runtime"
},
"patch": {
"package_url": "pkg:apk/alpine/patch@2.7.5-r2?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/patch@2.7.5-r2?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -415,7 +410,7 @@
"scope": "runtime"
},
"pcre2": {
"package_url": "pkg:apk/alpine/pcre2@10.30-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/pcre2@10.30-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -423,7 +418,7 @@
"scope": "runtime"
},
"pkgconf": {
"package_url": "pkg:apk/alpine/pkgconf@1.3.10-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/pkgconf@1.3.10-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -431,7 +426,7 @@
"scope": "runtime"
},
"python2": {
"package_url": "pkg:apk/alpine/python2@2.7.15-r2?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/python2@2.7.15-r2?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"expat@2.2.5-r0",
@@ -449,7 +444,7 @@
"scope": "runtime"
},
"readline": {
"package_url": "pkg:apk/alpine/readline@7.0.003-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/readline@7.0.003-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -458,7 +453,7 @@
"scope": "runtime"
},
"scanelf": {
"package_url": "pkg:apk/alpine/scanelf@1.2.2-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/scanelf@1.2.2-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -466,7 +461,7 @@
"scope": "runtime"
},
"serf": {
"package_url": "pkg:apk/alpine/serf@1.3.9-r3?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/serf@1.3.9-r3?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"apr-util@1.6.1-r1",
@@ -479,7 +474,7 @@
"scope": "runtime"
},
"sqlite-libs": {
"package_url": "pkg:apk/alpine/sqlite-libs@3.21.0-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/sqlite-libs@3.21.0-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -487,7 +482,7 @@
"scope": "runtime"
},
"ssl_client": {
"package_url": "pkg:apk/alpine/ssl_client@1.27.2-r11?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ssl_client@1.27.2-r11?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libtls@2.6.5-r0",
@@ -496,7 +491,7 @@
"scope": "runtime"
},
"subversion": {
"package_url": "pkg:apk/alpine/subversion@1.9.7-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/subversion@1.9.7-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"apr-util@1.6.1-r1",
@@ -509,7 +504,7 @@
"scope": "runtime"
},
"subversion-libs": {
"package_url": "pkg:apk/alpine/subversion-libs@1.9.7-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/subversion-libs@1.9.7-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"apr-util@1.6.1-r1",
@@ -525,7 +520,7 @@
"scope": "runtime"
},
"tar": {
"package_url": "pkg:apk/alpine/tar@1.29-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/tar@1.29-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -533,7 +528,7 @@
"scope": "runtime"
},
"tini": {
"package_url": "pkg:apk/alpine/tini@0.16.1-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/tini@0.16.1-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -541,7 +536,7 @@
"scope": "runtime"
},
"xz": {
"package_url": "pkg:apk/alpine/xz@5.2.3-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/xz@5.2.3-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -550,7 +545,7 @@
"scope": "runtime"
},
"xz-libs": {
"package_url": "pkg:apk/alpine/xz-libs@5.2.3-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/xz-libs@5.2.3-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -558,7 +553,7 @@
"scope": "runtime"
},
"zlib": {
"package_url": "pkg:apk/alpine/zlib@1.2.11-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/zlib@1.2.11-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -567,108 +562,6 @@
}
}
},
"php-app/composer.lock": {
"name": "composer",
"file": {
"source_location": "knqyf263/vuln-image:1.2.3@sha256:1e8b199249d6d0ef3419ddc6eda2348d9fbdb10d350d3bb70aa98e87faa227c9"
},
"resolved": {
"guzzlehttp/guzzle": {
"package_url": "pkg:composer/guzzlehttp/guzzle@6.2.0",
"relationship": "direct",
"dependencies": [
"guzzlehttp/promises@v1.3.1",
"guzzlehttp/psr7@1.5.2"
],
"scope": "runtime"
},
"guzzlehttp/promises": {
"package_url": "pkg:composer/guzzlehttp/promises@v1.3.1",
"relationship": "direct",
"scope": "runtime"
},
"guzzlehttp/psr7": {
"package_url": "pkg:composer/guzzlehttp/psr7@1.5.2",
"relationship": "direct",
"dependencies": [
"psr/http-message@1.0.1",
"ralouphie/getallheaders@2.0.5"
],
"scope": "runtime"
},
"laravel/installer": {
"package_url": "pkg:composer/laravel/installer@v2.0.1",
"relationship": "direct",
"dependencies": [
"guzzlehttp/guzzle@6.2.0",
"symfony/console@v4.2.7",
"symfony/filesystem@v4.2.7",
"symfony/process@v4.2.7"
],
"scope": "runtime"
},
"pear/log": {
"package_url": "pkg:composer/pear/log@1.13.1",
"relationship": "direct",
"dependencies": [
"pear/pear_exception@v1.0.0"
],
"scope": "runtime"
},
"pear/pear_exception": {
"package_url": "pkg:composer/pear/pear_exception@v1.0.0",
"relationship": "direct",
"scope": "runtime"
},
"psr/http-message": {
"package_url": "pkg:composer/psr/http-message@1.0.1",
"relationship": "direct",
"scope": "runtime"
},
"ralouphie/getallheaders": {
"package_url": "pkg:composer/ralouphie/getallheaders@2.0.5",
"relationship": "direct",
"scope": "runtime"
},
"symfony/console": {
"package_url": "pkg:composer/symfony/console@v4.2.7",
"relationship": "direct",
"dependencies": [
"symfony/contracts@v1.0.2",
"symfony/polyfill-mbstring@v1.11.0"
],
"scope": "runtime"
},
"symfony/contracts": {
"package_url": "pkg:composer/symfony/contracts@v1.0.2",
"relationship": "direct",
"scope": "runtime"
},
"symfony/filesystem": {
"package_url": "pkg:composer/symfony/filesystem@v4.2.7",
"relationship": "direct",
"dependencies": [
"symfony/polyfill-ctype@v1.11.0"
],
"scope": "runtime"
},
"symfony/polyfill-ctype": {
"package_url": "pkg:composer/symfony/polyfill-ctype@v1.11.0",
"relationship": "direct",
"scope": "runtime"
},
"symfony/polyfill-mbstring": {
"package_url": "pkg:composer/symfony/polyfill-mbstring@v1.11.0",
"relationship": "direct",
"scope": "runtime"
},
"symfony/process": {
"package_url": "pkg:composer/symfony/process@v4.2.7",
"relationship": "direct",
"scope": "runtime"
}
}
},
"rust-app/Cargo.lock": {
"name": "cargo",
"file": {
@@ -1235,4 +1128,4 @@
}
}
}
}
}


@@ -1,6 +1,5 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:04.647712097Z",
"ArtifactName": "https://github.com/krol3/demo-trivy/",
"ArtifactType": "repository",
"Metadata": {


@@ -1,6 +1,5 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-04-12T14:09:09.5680191+03:00",
"ArtifactName": "test/data/with-tf-vars/main.tf",
"ArtifactType": "filesystem",
"Metadata": {
@@ -29,12 +28,7 @@
{
"Target": "main.tf",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 1,
"Failures": 0,
"Exceptions": 0
}
"Type": "terraform"
}
]
}


@@ -1,6 +1,5 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:21.039454971Z",
"ArtifactName": "alpine:3.10",
"ArtifactType": "container_image",
"Metadata": {
@@ -64,8 +63,8 @@
"PkgID": "apk-tools@2.10.6-r0",
"PkgName": "apk-tools",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64\u0026distro=3.10.9",
"UID": "a6adb154870b6380"
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9",
"UID": "99f6581ffed6b22"
},
"InstalledVersion": "2.10.6-r0",
"FixedVersion": "2.10.7-r0",


@@ -4,7 +4,7 @@ setup_file() {
local owner=$GITHUB_REPOSITORY_OWNER
export TRIVY_DB_REPOSITORY=ghcr.io/${owner}/trivy-db-act:latest
export TRIVY_JAVA_DB_REPOSITORY=ghcr.io/${owner}/trivy-java-db-act:latest
export TRIVY_POLICY_BUNDLE_REPOSITORY=ghcr.io/${owner}/trivy-checks-act:latest
export TRIVY_CHECKS_BUNDLE_REPOSITORY=ghcr.io/${owner}/trivy-checks-act:latest
}
setup() {
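Review bot: The new `TRIVY_CHECKS_BUNDLE_REPOSITORY` export interpolates `${owner}` with no guard, so when `GITHUB_REPOSITORY_OWNER` is unset (a local run outside Actions) all three registry references collapse to `ghcr.io//…:latest` and the suite proceeds against a malformed repository instead of failing fast; `local owner=${GITHUB_REPOSITORY_OWNER:?GITHUB_REPOSITORY_OWNER must be set}` on the first line of the hunk would surface that immediately. The checks bundle is also pulled by the mutable `:latest` tag, so what the fixture comparisons exercise depends on whatever was last pushed to `trivy-checks-act`; if the expected-output fixtures are meant to be reproducible, consider pinning this reference by digest or by the snapshot version the workflow copies. The `setup_file() {` opening line sits outside the hunk in its header context.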


@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
@@ -29,6 +29,6 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'