actions/trivy-action
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: actions:0.22.0
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1
...
compare: actions:0.27.0
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1

12 Commits
0.22.0 ... 0.27.0

Author SHA1 Message Date
Teppei Fukuda
5681af892c fix: set envs only when passed (#405) 
* fix: set envs when passed

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* use inputs.<input_id>.default

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* Revert "use inputs.<input_id>.default"

This reverts commit 1a12292eac.

---------

Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2024-10-10 22:48:38 -06:00
Nikita Pivkin
807896715e chore: update description for scanners and format inputs (#407) 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2024-10-09 15:37:31 -06:00
DmitriyLewen
0fa0cdb177 ci: use setup-trivy to install Trivy (#406) 2024-10-09 15:36:41 -06:00
Teppei Fukuda
a20de5420d feat: store artifacts in cache by default (#399) 
* feat: migrate to a composite action

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* Fix tests

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* Delete an unused input

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* test: expect status code 0

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* test: not use run

https://bats-core.readthedocs.io/en/stable/writing-tests.html#when-not-to-use-run

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* feat: add 'cache' input

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* docs: update README

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* feat: pin Trivy version

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* fix: bump trivy version

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* feat: use date for cache key

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* chore: delete a comment

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* docs: update README

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* refactor: resolve conflicts and use envs

Signed-off-by: knqyf263 <knqyf263@gmail.com>

---------

Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2024-10-08 14:20:38 -06:00
DmitriyLewen
1b8b83dcc2 docs: add usage info about action/cache for trivy databases (#397) 
* docs: add info about using `action/cache` for `trivy-db`

* docs: add info about trivy-java-db and trivy-checks
 2024-10-07 22:05:39 -06:00
simar7
f781cce5aa feat(trivy): Bump to support v0.56.1 (#387) 
* feat(trivy): Bump to support v0.55.2

* fix tests

* update github workflow

* upgrade to v0.56.0

* bump to trivy v0.56.1

* update tests
 2024-10-07 14:14:19 -06:00
Nikita Pivkin
54f21d8382 ci: sync trivy-checks version 1 (#398) 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2024-10-07 12:23:44 -06:00
Oussama Bounaim
89b14e517d Upgrade GitHub actions (#374) 
* Upgrade Github checkout action

* Upgrade Github upload-sarif action

* Upgrade Github checkout action - Pipeline
 2024-10-02 14:41:43 -06:00
Nikita Pivkin
97646fedde chore: use checks bundle snapshot from trivy-action (#388) 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2024-09-19 08:58:52 -06:00
chris
d9cd5b1c23 fix(Makefile): recursive option typo (#371) 2024-07-09 10:07:51 -06:00
Vinayak S
6e7b7d1fd3 Upgrade trivy to v0.53.0 (#369) 
* Upgrade trivy to v0.53.0

* update tests

---------

Co-authored-by: Simar <simar@linux.com>
 2024-07-09 00:19:25 -06:00
Vinayak S
7c2007bcb5 Upgrade trivy to v0.52.2 (#367) 
* Upgrade trivy to v0.52.2

* Upgrade trivy to v0.52.2
 2024-06-17 16:53:33 -06:00
17 changed files with 395 additions and 1447 deletions
Expand all files Collapse all files
.github/workflows/bump-trivy.yaml
Vendored
+3 -2
View File
@@ -14,11 +14,12 @@ jobs:
bump:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Update Trivy versions
run: |
sed -r -i "s/ghcr.io\/aquasecurity\/trivy:[0-9]+\.[0-9]+\.[0-9]+/ghcr.io\/aquasecurity\/trivy:${{ inputs.trivy_version }}/" Dockerfile
find test/data -type f -name '*.test' | xargs sed -r -i 's/"version": "[0-9]+\.[0-9]+\.[0-9]+"/"version": "${{ inputs.trivy_version }}"/'
sed -r -i '/^\| `version`/ s/[0-9]+\.[0-9]+\.[0-9]+/${{ inputs.trivy_version }}/g' README.md
sed -r -i 's/(default:[ ]*'"'"')v[0-9]+\.[0-9]+\.[0-9]+/\1v${{ inputs.trivy_version }}/' action.yaml
- name: Create PR
id: create-pr
.github/workflows/sync-trivy-checks.yaml
Vendored
+1 -1
View File
@@ -21,4 +21,4 @@ jobs:
- name: Copy Trivy Checks
run: |
oras cp ghcr.io/aquasecurity/trivy-checks:0 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
oras cp ghcr.io/aquasecurity/trivy-checks:1 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
.github/workflows/test.yaml
Vendored
+6 -4
View File
@@ -6,7 +6,7 @@ on:
workflow_dispatch:
env:
TRIVY_VERSION: 0.52.0
TRIVY_VERSION: 0.56.1
BATS_LIB_PATH: '/usr/lib/'
jobs:
@@ -24,6 +24,8 @@ jobs:
trivy --version
- name: Test
run: |
chmod +x entrypoint.sh
bats -r -T .
run: bats --recursive --timing --verbose-run .
env:
TRIVY_CACHE_DIR: .cache
TRIVY_DISABLE_VEX_NOTICE: true
TRIVY_DEBUG: true
.gitignore
Vendored
+3 -1
View File
@@ -2,4 +2,6 @@
*.test
!test/data/*.test
trivyignores
.vscode/
.vscode/
.cache
Dockerfile
-5
View File
@@ -1,5 +0,0 @@
FROM ghcr.io/aquasecurity/trivy:0.52.0
COPY entrypoint.sh /
RUN apk --no-cache add bash curl npm
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
Makefile
+13 -2
View File
@@ -1,4 +1,15 @@
.PHONY: test
OS := $(shell uname)
ifeq ($(OS), Darwin)
BATS_LIB_PATH=/opt/homebrew/lib
endif
ifeq ($(OS), Linux)
BATS_LIB_PATH=/usr/local/lib/
endif
.PHONY: test
test:
BATS_LIB_PATH=/usr/local/lib/ bats -r .
mkdir -p .cache
BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\
TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
bats --recursive --timing --verbose-run .
README.md
+123 -33
View File
@@ -10,12 +10,22 @@
## Table of Contents
- [Usage](#usage)
- [Workflow](#workflow)
- [Docker Image Scanning](#using-trivy-with-github-code-scanning)
- [Git Repository Scanning](#using-trivy-to-scan-your-git-repo)
- [Customizing](#customizing)
- [Inputs](#inputs)
* [Usage](#usage)
* [Scan CI Pipeline](#scan-ci-pipeline)
* [Scan CI Pipeline (w/ Trivy Config)](#scan-ci-pipeline-w-trivy-config)
* [Cache](#cache)
* [Scanning a Tarball](#scanning-a-tarball)
* [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning)
* [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo)
* [Using Trivy to scan your rootfs directories](#using-trivy-to-scan-your-rootfs-directories)
* [Using Trivy to scan Infrastructure as Code](#using-trivy-to-scan-infrastructure-as-code)
* [Using Trivy to generate SBOM](#using-trivy-to-generate-sbom)
* [Using Trivy to scan your private registry](#using-trivy-to-scan-your-private-registry)
* [Using Trivy if you don't have code scanning enabled](#using-trivy-if-you-dont-have-code-scanning-enabled)
* [Customizing](#customizing)
* [inputs](#inputs)
* [Environment variables](#environment-variables)
* [Trivy config file](#trivy-config-file)
## Usage
@@ -34,10 +44,9 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
with:
@@ -64,7 +73,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@0.20.0
@@ -95,6 +104,86 @@ Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedenc
- Config file
- Default
### Cache
The action has a built-in functionality for caching and restoring [the vulnerability DB](https://github.com/aquasecurity/trivy-db), [the Java DB](https://github.com/aquasecurity/trivy-java-db) and [the checks bundle](https://github.com/aquasecurity/trivy-checks) if they are downloaded during the scan.
The cache is stored in the `$GITHUB_WORKSPACE/.cache/trivy` directory by default.
The cache is restored before the scan starts and saved after the scan finishes.
It uses [actions/cache](https://github.com/actions/cache) under the hood but requires less configuration settings.
The cache input is optional, and caching is turned on by default.
#### Disabling caching
If you want to disable caching, set the `cache` input to `false`, but we recommend keeping it enabled to avoid rate limiting issues.
```yaml
- name: Run Trivy scanner without cache
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'fs'
scan-ref: '.'
cache: 'false'
```
#### Updating caches in the default branch
Please note that there are [restrictions on cache access](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache) between branches in GitHub Actions.
By default, a workflow can access and restore a cache created in either the current branch or the default branch (usually `main` or `master`).
If you need to share caches across branches, you may need to create a cache in the default branch and restore it in the current branch.
To optimize your workflow, you can set up a cron job to regularly update the cache in the default branch.
This allows subsequent scans to use the cached DB without downloading it again.
```yaml
# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans.
# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true.
name: Update Trivy Cache
on:
schedule:
- cron: '0 0 * * *' # Run daily at midnight UTC
workflow_dispatch: # Allow manual triggering
jobs:
update-trivy-db:
runs-on: ubuntu-latest
steps:
- name: Get current date
id: date
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
- name: Download and extract the vulnerability DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
oras pull ghcr.io/aquasecurity/trivy-db:2
tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
rm db.tar.gz
- name: Download and extract the Java DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
oras pull ghcr.io/aquasecurity/trivy-java-db:1
tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
rm javadb.tar.gz
- name: Cache DBs
uses: actions/cache/save@v4
with:
path: ${{ github.workspace }}/.cache/trivy
key: cache-trivy-${{ steps.date.outputs.date }}
```
When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `TRIVY_SKIP_JAVA_DB_UPDATE` to skip the download process.
```yaml
- name: Run Trivy scanner without downloading DBs
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'image'
scan-ref: 'myimage'
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
```
### Scanning a Tarball
```yaml
name: build
@@ -109,7 +198,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Generate tarball from image
run: |
@@ -138,7 +227,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Build an image from Dockerfile
run: |
@@ -152,7 +241,7 @@ jobs:
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -173,7 +262,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Build an image from Dockerfile
run: |
@@ -187,7 +276,7 @@ jobs:
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
@@ -212,7 +301,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@0.20.0
@@ -224,7 +313,7 @@ jobs:
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -246,7 +335,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner with rootfs command
uses: aquasecurity/trivy-action@0.20.0
@@ -259,7 +348,7 @@ jobs:
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -281,7 +370,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@0.20.0
@@ -295,7 +384,7 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -325,7 +414,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/trivy-action@0.20.0
@@ -399,7 +488,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
@@ -412,7 +501,7 @@ jobs:
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -435,7 +524,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
@@ -449,7 +538,7 @@ jobs:
AWS_DEFAULT_REGION: us-west-2
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -471,7 +560,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
@@ -483,7 +572,7 @@ jobs:
GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -504,7 +593,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
@@ -517,7 +606,7 @@ jobs:
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -570,7 +659,7 @@ Following inputs can be used as `step.with` keys:
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `tf-vars` | String | | path to Terraform variables file |
| `output` | String | | Save results to a file |
@@ -580,17 +669,18 @@ Following inputs can be used as `step.with` keys:
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | | Cache directory |
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory. NOTE: This value cannot be configured by `trivy.yaml`. |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `false` | Suppress progress bar and log output |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `trivy-config` | String | | Path to trivy.yaml config |
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
| `version` | String | `v0.56.1` | Trivy version to use, e.g. `latest` or `v0.56.1` |
### Environment variables
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
action.yaml
+93 -33
View File
@@ -1,6 +1,7 @@
name: 'Aqua Security Trivy'
description: 'Scans container images for vulnerabilities with Trivy'
author: 'Aqua Security'
inputs:
scan-type:
description: 'Scan type to use for scanning vulnerability'
@@ -24,7 +25,7 @@ inputs:
description: 'ignore unfixed vulnerabilities'
required: false
default: 'false'
vuln-type:
vuln-type: # TODO: rename to pkg-types
description: 'comma-separated list of vulnerability types (os,library)'
required: false
default: 'os,library'
@@ -55,7 +56,7 @@ inputs:
cache-dir:
description: 'specify where the cache is stored'
required: false
default: ''
default: '${{ github.workspace }}/.cache/trivy'
timeout:
description: 'timeout (default 5m0s)'
required: false
@@ -79,9 +80,6 @@ inputs:
description: 'comma-separated list of relative paths in repository to one or more .trivyignore files'
required: false
default: ''
artifact-type:
description: 'input artifact type (image, fs, repo, archive) for SBOM generation'
required: false
github-pat:
description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
required: false
@@ -97,33 +95,95 @@ inputs:
docker-host:
description: 'unix domain socket path to use for docker scanning, ex. unix:///var/run/docker.sock'
required: false
version:
description: 'Trivy version to use'
required: false
default: 'v0.56.1'
cache:
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
required: false
default: 'true'
runs:
using: 'docker'
image: "Dockerfile"
args:
- '-a ${{ inputs.scan-type }}'
- '-b ${{ inputs.format }}'
- '-c ${{ inputs.template }}'
- '-d ${{ inputs.exit-code }}'
- '-e ${{ inputs.ignore-unfixed }}'
- '-f ${{ inputs.vuln-type }}'
- '-g ${{ inputs.severity }}'
- '-h ${{ inputs.output }}'
- '-i ${{ inputs.image-ref }}'
- '-j ${{ inputs.scan-ref }}'
- '-k ${{ inputs.skip-dirs }}'
- '-l ${{ inputs.input }}'
- '-m ${{ inputs.cache-dir }}'
- '-n ${{ inputs.timeout }}'
- '-o ${{ inputs.ignore-policy }}'
- '-p ${{ inputs.hide-progress }}'
- '-q ${{ inputs.skip-files }}'
- '-r ${{ inputs.list-all-pkgs }}'
- '-s ${{ inputs.scanners }}'
- '-t ${{ inputs.trivyignores }}'
- '-u ${{ inputs.github-pat }}'
- '-v ${{ inputs.trivy-config }}'
- '-x ${{ inputs.tf-vars }}'
- '-z ${{ inputs.limit-severities-for-sarif }}'
- '-y ${{ inputs.docker-host }}'
using: 'composite'
steps:
- name: Install Trivy
uses: aquasecurity/setup-trivy@v0.1.0
with:
version: ${{ inputs.version }}
cache: ${{ inputs.cache }}
- name: Get current date
id: date
shell: bash
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
- name: Restore DB from cache
if: ${{ inputs.cache == 'true' }}
uses: actions/cache@v4
with:
path: ${{ inputs.cache-dir }}
key: cache-trivy-${{ steps.date.outputs.date }}
restore-keys: cache-trivy-
- name: Set GitHub Path
run: echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
shell: bash
env:
GITHUB_ACTION_PATH: ${{ github.action_path }}
- name: Set Trivy environment variables
shell: bash
run: |
# Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
# This limitation affects how we handle default values and empty inputs.
# For more information, see: https://github.com/actions/runner/issues/924
# Function to set environment variable only if the input is provided and different from default
set_env_var_if_provided() {
local var_name="$1"
local input_value="$2"
local default_value="$3"
if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then
echo "$var_name=$input_value" >> $GITHUB_ENV
fi
}
# Set environment variables, handling those with default values
# cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
set_env_var_if_provided "TRIVY_INPUT" "${{ inputs.input }}" ""
set_env_var_if_provided "TRIVY_EXIT_CODE" "${{ inputs.exit-code }}" ""
set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "${{ inputs.ignore-unfixed }}" "false"
set_env_var_if_provided "TRIVY_PKG_TYPES" "${{ inputs.vuln-type }}" "os,library"
set_env_var_if_provided "TRIVY_SEVERITY" "${{ inputs.severity }}" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
set_env_var_if_provided "TRIVY_FORMAT" "${{ inputs.format }}" "table"
set_env_var_if_provided "TRIVY_TEMPLATE" "${{ inputs.template }}" ""
set_env_var_if_provided "TRIVY_OUTPUT" "${{ inputs.output }}" ""
set_env_var_if_provided "TRIVY_SKIP_DIRS" "${{ inputs.skip-dirs }}" ""
set_env_var_if_provided "TRIVY_SKIP_FILES" "${{ inputs.skip-files }}" ""
set_env_var_if_provided "TRIVY_TIMEOUT" "${{ inputs.timeout }}" ""
set_env_var_if_provided "TRIVY_IGNORE_POLICY" "${{ inputs.ignore-policy }}" ""
set_env_var_if_provided "TRIVY_QUIET" "${{ inputs.hide-progress }}" ""
set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "${{ inputs.list-all-pkgs }}" "false"
set_env_var_if_provided "TRIVY_SCANNERS" "${{ inputs.scanners }}" ""
set_env_var_if_provided "TRIVY_CONFIG" "${{ inputs.trivy-config }}" ""
set_env_var_if_provided "TRIVY_TF_VARS" "${{ inputs.tf-vars }}" ""
set_env_var_if_provided "TRIVY_DOCKER_HOST" "${{ inputs.docker-host }}" ""
- name: Run Trivy
shell: bash
run: entrypoint.sh
env:
# For shell script
# > If the action is written using a composite, then it will not automatically get INPUT_<VARIABLE_NAME>
# cf. https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
INPUT_SCAN_TYPE: ${{ inputs.scan-type }}
INPUT_IMAGE_REF: ${{ inputs.image-ref }}
INPUT_SCAN_REF: ${{ inputs.scan-ref }}
INPUT_TRIVYIGNORES: ${{ inputs.trivyignores }}
INPUT_GITHUB_PAT: ${{ inputs.github-pat }}
INPUT_LIMIT_SEVERITIES_FOR_SARIF: ${{ inputs.limit-severities-for-sarif }}
# For Trivy
TRIVY_CACHE_DIR: ${{ inputs.cache-dir }} # Always set
entrypoint.sh
+39 -198
View File
@@ -1,216 +1,57 @@
#!/bin/bash
set -e
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:y:z:" o; do
case "${o}" in
a)
export scanType=${OPTARG}
;;
b)
export format=${OPTARG}
;;
c)
export template=${OPTARG}
;;
d)
export exitCode=${OPTARG}
;;
e)
export ignoreUnfixed=${OPTARG}
;;
f)
export vulnType=${OPTARG}
;;
g)
export severity=${OPTARG}
;;
h)
export output=${OPTARG}
;;
i)
export imageRef=${OPTARG}
;;
j)
export scanRef=${OPTARG}
;;
k)
export skipDirs=${OPTARG}
;;
l)
export input=${OPTARG}
;;
m)
export cacheDir=${OPTARG}
;;
n)
export timeout=${OPTARG}
;;
o)
export ignorePolicy=${OPTARG}
;;
p)
export hideProgress=${OPTARG}
;;
q)
export skipFiles=${OPTARG}
;;
r)
export listAllPkgs=${OPTARG}
;;
s)
export scanners=${OPTARG}
;;
t)
export trivyIgnores=${OPTARG}
;;
u)
export githubPAT=${OPTARG}
;;
v)
export trivyConfig=${OPTARG}
;;
x)
export tfVars=${OPTARG}
;;
y)
export dockerHost=${OPTARG}
;;
z)
export limitSeveritiesForSARIF=${OPTARG}
;;
esac
done
set -euo pipefail
scanType=$(echo $scanType | tr -d '\r')
export artifactRef="${imageRef}"
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ] || [ "${scanType}" = "sbom" ];then
artifactRef=$(echo $scanRef | tr -d '\r')
fi
input=$(echo $input | tr -d '\r')
if [ $input ]; then
artifactRef="--input $input"
fi
#trim leading spaces for boolean params
ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
hideProgress=$(echo $hideProgress | tr -d '\r')
limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')
GLOBAL_ARGS=""
if [ $cacheDir ];then
GLOBAL_ARGS="$GLOBAL_ARGS --cache-dir $cacheDir"
# Set artifact reference
scanType="${INPUT_SCAN_TYPE:-image}"
scanRef="${INPUT_SCAN_REF:-.}"
if [ -n "${INPUT_IMAGE_REF:-}" ]; then
scanRef="${INPUT_IMAGE_REF}" # backwards compatibility
fi
SARIF_ARGS=""
ARGS=""
format=$(echo $format | xargs)
if [ $format ];then
ARGS="$ARGS --format $format"
fi
if [ $template ] ;then
ARGS="$ARGS --template $template"
fi
if [ $exitCode ];then
ARGS="$ARGS --exit-code $exitCode"
SARIF_ARGS="$SARIF_ARGS --exit-code $exitCode"
fi
if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
ARGS="$ARGS --ignore-unfixed"
SARIF_ARGS="$SARIF_ARGS --ignore-unfixed"
fi
if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];then
ARGS="$ARGS --vuln-type $vulnType"
SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
fi
if [ $scanners ];then
ARGS="$ARGS --scanners $scanners"
SARIF_ARGS="$SARIF_ARGS --scanners $scanners"
fi
if [ $severity ];then
ARGS="$ARGS --severity $severity"
fi
if [ $output ];then
ARGS="$ARGS --output $output"
fi
if [ $skipDirs ];then
for i in $(echo $skipDirs | tr "," "\n")
do
ARGS="$ARGS --skip-dirs $i"
SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
done
fi
if [ $tfVars ] && [ "$scanType" == "config" ];then
ARGS="$ARGS --tf-vars $tfVars"
fi
# Handle trivy ignores
if [ -n "${INPUT_TRIVYIGNORES:-}" ]; then
ignorefile="./trivyignores"
if [ $trivyIgnores ];then
for f in $(echo $trivyIgnores | tr "," "\n")
do
# Clear the ignore file if it exists, or create a new empty file
: > "$ignorefile"
for f in ${INPUT_TRIVYIGNORES//,/ }; do
if [ -f "$f" ]; then
echo "Found ignorefile '${f}':"
cat "${f}"
cat "${f}" >> ./trivyignores
cat "${f}" >> "$ignorefile"
else
echo "ERROR: cannot find ignorefile '${f}'."
echo "ERROR: cannot find ignorefile '${f}'." >&2
exit 1
fi
done
ARGS="$ARGS --ignorefile ./trivyignores"
fi
if [ $timeout ];then
ARGS="$ARGS --timeout $timeout"
SARIF_ARGS="$SARIF_ARGS --timeout $timeout"
fi
if [ $ignorePolicy ];then
ARGS="$ARGS --ignore-policy $ignorePolicy"
SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy"
fi
if [ "$hideProgress" == "true" ];then
ARGS="$ARGS --quiet"
SARIF_ARGS="$SARIF_ARGS --quiet"
fi
if [ $dockerHost ];then
ARGS="$ARGS --docker-host $dockerHost"
export TRIVY_IGNOREFILE="$ignorefile"
fi
listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
if [ "$listAllPkgs" == "true" ];then
ARGS="$ARGS --list-all-pkgs"
fi
if [ "$skipFiles" ];then
for i in $(echo $skipFiles | tr "," "\n")
do
ARGS="$ARGS --skip-files $i"
SARIF_ARGS="$SARIF_ARGS --skip-files $i"
done
fi
trivyConfig=$(echo $trivyConfig | tr -d '\r')
# To make sure that uploda GitHub Dependency Snapshot succeeds, disable the script that fails first.
set +e
if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
# SARIF is special. We output all vulnerabilities,
# regardless of severity level specified in this report.
# This is a feature, not a bug :)
echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
elif [ $trivyConfig ]; then
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
trivy --config $trivyConfig ${scanType} ${artifactRef}
else
echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
fi
returnCode=$?
set -e
if [[ "${format}" == "github" ]]; then
if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
printf "\n Uploading GitHub Dependency Snapshot"
curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubPAT" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
# Handle SARIF
if [ "${TRIVY_FORMAT:-}" = "sarif" ]; then
if [ "${INPUT_LIMIT_SEVERITIES_FOR_SARIF:-false,,}" != "true" ]; then
echo "Building SARIF report with all severities"
unset TRIVY_SEVERITY
else
printf "\n Failing GitHub Dependency Snapshot. Missing github-pat"
echo "Building SARIF report"
fi
fi
exit $returnCode
# Run Trivy
cmd=(trivy "$scanType" "$scanRef")
echo "Running Trivy with options: ${cmd[*]}"
"${cmd[@]}"
returnCode=$?
if [ "${TRIVY_FORMAT:-}" = "github" ]; then
if [ -n "${INPUT_GITHUB_PAT:-}" ]; then
printf "\n Uploading GitHub Dependency Snapshot"
curl -H 'Accept: application/vnd.github+json' -H "Authorization: token ${INPUT_GITHUB_PAT}" \
"https://api.github.com/repos/$GITHUB_REPOSITORY/dependency-graph/snapshots" -d @"${TRIVY_OUTPUT:-}"
else
printf "\n Failing GitHub Dependency Snapshot. Missing github-pat" >&2
fi
fi
exit $returnCode
test/data/config-sarif-report/report.sarif
+5 -443
View File
@@ -1,6 +1,6 @@
{
"version": "2.1.0",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
@@ -9,87 +9,6 @@
"informationUri": "https://github.com/aquasecurity/trivy",
"name": "Trivy",
"rules": [
{
"id": "AVD-AWS-0086",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access block should block public ACL"
},
"fullDescription": {
"text": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0086",
"help": {
"text": "Misconfiguration AVD-AWS-0086\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public ACL\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
"markdown": "**Misconfiguration AVD-AWS-0086**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)|\n\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0087",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access block should block public policy"
},
"fullDescription": {
"text": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0087",
"help": {
"text": "Misconfiguration AVD-AWS-0087\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public policy\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
"markdown": "**Misconfiguration AVD-AWS-0087**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)|\n\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0088",
"name": "Misconfiguration",
"shortDescription": {
"text": "Unencrypted S3 bucket."
},
"fullDescription": {
"text": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0088",
"help": {
"text": "Misconfiguration AVD-AWS-0088\nType: Terraform Security Check\nSeverity: HIGH\nCheck: Unencrypted S3 bucket.\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
"markdown": "**Misconfiguration AVD-AWS-0088**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\n\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0089",
"name": "Misconfiguration",
@@ -116,231 +35,14 @@
"LOW"
]
}
},
{
"id": "AVD-AWS-0090",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Data should be versioned"
},
"fullDescription": {
"text": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0090",
"help": {
"text": "Misconfiguration AVD-AWS-0090\nType: Terraform Security Check\nSeverity: MEDIUM\nCheck: S3 Data should be versioned\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
"markdown": "**Misconfiguration AVD-AWS-0090**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\n\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "5.5",
"tags": [
"misconfiguration",
"security",
"MEDIUM"
]
}
},
{
"id": "AVD-AWS-0091",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access Block should Ignore Public Acl"
},
"fullDescription": {
"text": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0091",
"help": {
"text": "Misconfiguration AVD-AWS-0091\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access Block should Ignore Public Acl\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
"markdown": "**Misconfiguration AVD-AWS-0091**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not ignoring public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\n\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0093",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access block should restrict public bucket to limit access"
},
"fullDescription": {
"text": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0093",
"help": {
"text": "Misconfiguration AVD-AWS-0093\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should restrict public bucket to limit access\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
"markdown": "**Misconfiguration AVD-AWS-0093**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)|\n\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0094",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 buckets should each define an aws_s3_bucket_public_access_block"
},
"fullDescription": {
"text": "The \u0026#34;block public access\u0026#34; settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it."
},
"defaultConfiguration": {
"level": "note"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0094",
"help": {
"text": "Misconfiguration AVD-AWS-0094\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
"markdown": "**Misconfiguration AVD-AWS-0094**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)|\n\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it."
},
"properties": {
"precision": "very-high",
"security-severity": "2.0",
"tags": [
"misconfiguration",
"security",
"LOW"
]
}
},
{
"id": "AVD-AWS-0132",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 encryption should use Customer Managed Keys"
},
"fullDescription": {
"text": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0132",
"help": {
"text": "Misconfiguration AVD-AWS-0132\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 encryption should use Customer Managed Keys\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
"markdown": "**Misconfiguration AVD-AWS-0132**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\n\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
}
],
"version": "0.50.0"
]
}
},
"results": [
{
"ruleId": "AVD-AWS-0086",
"ruleIndex": 0,
"level": "error",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0086\nSeverity: HIGH\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0087",
"ruleIndex": 1,
"level": "error",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0087\nSeverity: HIGH\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0088",
"ruleIndex": 2,
"level": "error",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0088\nSeverity: HIGH\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0089",
"ruleIndex": 3,
"ruleIndex": 0,
"level": "note",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0089\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)"
@@ -364,149 +66,9 @@
}
}
]
},
{
"ruleId": "AVD-AWS-0090",
"ruleIndex": 4,
"level": "warning",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0090\nSeverity: MEDIUM\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 16,
"startColumn": 1,
"endLine": 16,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0091",
"ruleIndex": 5,
"level": "error",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0091\nSeverity: HIGH\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0093",
"ruleIndex": 6,
"level": "error",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0093\nSeverity: HIGH\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0094",
"ruleIndex": 7,
"level": "note",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0094\nSeverity: LOW\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0132",
"ruleIndex": 8,
"level": "error",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0132\nSeverity: HIGH\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
}
],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {
"uri": "file://D:\\projects\\trivy-action\\test\\data\\config-sarif-report/"
}
}
"columnKind": "utf16CodeUnits"
}
]
}
}
test/data/config-scan/report.json
+2 -532
View File
@@ -1,6 +1,5 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-04-12T16:53:35.5567541+03:00",
"ArtifactName": "test/data/config-scan",
"ArtifactType": "filesystem",
"Metadata": {
@@ -31,188 +30,11 @@
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 1,
"Failures": 9,
"Successes": 0,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0086",
"AVDID": "AVD-AWS-0086",
"Title": "S3 Access block should block public ACL",
"Description": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
"Message": "No public access block so not blocking public acls",
"Query": "data..",
"Resolution": "Enable blocking any PUT calls with a public ACL specified",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0086",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0086"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0087",
"AVDID": "AVD-AWS-0087",
"Title": "S3 Access block should block public policy",
"Description": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
"Message": "No public access block so not blocking public policies",
"Query": "data..",
"Resolution": "Prevent policies that allow public access being PUT",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0087",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0087"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0088",
"AVDID": "AVD-AWS-0088",
"Title": "Unencrypted S3 bucket.",
"Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
"Message": "Bucket does not have encryption enabled",
"Query": "data..",
"Resolution": "Configure bucket encryption",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0088",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
"https://avd.aquasec.com/misconfig/avd-aws-0088"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0089",
@@ -272,358 +94,6 @@
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0090",
"AVDID": "AVD-AWS-0090",
"Title": "S3 Data should be versioned",
"Description": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
"Message": "Bucket does not have versioning enabled",
"Query": "data..",
"Resolution": "Enable versioning to protect against accidental/malicious removal or modification",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html",
"https://avd.aquasec.com/misconfig/avd-aws-0090"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Provider": "AWS",
"Service": "s3",
"StartLine": 16,
"EndLine": 16,
"Code": {
"Lines": [
{
"Number": 12,
"Content": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {",
"FirstCause": false,
"LastCause": false
},
{
"Number": 13,
"Content": " bucket = aws_s3_bucket.bucket.id",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = aws_s3_bucket.bucket.id",
"FirstCause": false,
"LastCause": false
},
{
"Number": 14,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " versioning_configuration {",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " versioning_configuration {",
"FirstCause": false,
"LastCause": false
},
{
"Number": 16,
"Content": " status = var.bucket_versioning_enabled",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;33mvar\u001b[0m.bucket_versioning_enabled",
"FirstCause": true,
"LastCause": true
},
{
"Number": 17,
"Content": " }",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " }",
"FirstCause": false,
"LastCause": false
},
{
"Number": 18,
"Content": "}",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "}",
"FirstCause": false,
"LastCause": false
}
]
},
"Occurrences": [
{
"Resource": "versioning_configuration",
"Filename": "main.tf",
"Location": {
"StartLine": 15,
"EndLine": 17
}
},
{
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Filename": "main.tf",
"Location": {
"StartLine": 12,
"EndLine": 18
}
}
]
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0091",
"AVDID": "AVD-AWS-0091",
"Title": "S3 Access Block should Ignore Public Acl",
"Description": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
"Message": "No public access block so not ignoring public acls",
"Query": "data..",
"Resolution": "Enable ignoring the application of public ACLs in PUT calls",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0091",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0091"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0093",
"AVDID": "AVD-AWS-0093",
"Title": "S3 Access block should restrict public bucket to limit access",
"Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
"Message": "No public access block so not restricting public buckets",
"Query": "data..",
"Resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0093",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0093"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0094",
"AVDID": "AVD-AWS-0094",
"Title": "S3 buckets should each define an aws_s3_bucket_public_access_block",
"Description": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
"Message": "Bucket does not have a corresponding public access block.",
"Query": "data..",
"Resolution": "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0094",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0094"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0132",
"AVDID": "AVD-AWS-0132",
"Title": "S3 encryption should use Customer Managed Keys",
"Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
"Message": "Bucket does not encrypt data with a customer managed key.",
"Query": "data..",
"Resolution": "Enable encryption using customer managed keys",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
"https://avd.aquasec.com/misconfig/avd-aws-0132"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
}
]
}
test/data/github-dep-snapshot/report.gsbom
+59 -166
View File
@@ -2,23 +2,18 @@
"version": 0,
"detector": {
"name": "trivy",
"version": "0.50.0",
"url": "https://github.com/aquasecurity/trivy"
},
"metadata": {
"aquasecurity:trivy:RepoDigest": "knqyf263/vuln-image@sha256:1e8b199249d6d0ef3419ddc6eda2348d9fbdb10d350d3bb70aa98e87faa227c9",
"aquasecurity:trivy:RepoTag": "knqyf263/vuln-image:1.2.3"
},
"job": {
"correlator": "_"
},
"scanned": "2024-04-12T16:02:51+03:00",
"manifests": {
"knqyf263/vuln-image:1.2.3 (alpine 3.7.1)": {
"name": "alpine",
"resolved": {
".composer-phpext-rundeps": {
"package_url": "pkg:apk/alpine/.composer-phpext-rundeps@0?arch=noarch\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/.composer-phpext-rundeps@0?arch=noarch&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libsodium@1.0.15-r0",
@@ -28,7 +23,7 @@
"scope": "runtime"
},
".persistent-deps": {
"package_url": "pkg:apk/alpine/.persistent-deps@0?arch=noarch\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/.persistent-deps@0?arch=noarch&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"ca-certificates@20171114-r0",
@@ -40,7 +35,7 @@
"scope": "runtime"
},
".php-rundeps": {
"package_url": "pkg:apk/alpine/.php-rundeps@0?arch=noarch\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/.php-rundeps@0?arch=noarch&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libcurl@7.61.1-r0",
@@ -55,7 +50,7 @@
"scope": "runtime"
},
"alpine-baselayout": {
"package_url": "pkg:apk/alpine/alpine-baselayout@3.0.5-r2?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/alpine-baselayout@3.0.5-r2?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"busybox@1.27.2-r11",
@@ -64,12 +59,12 @@
"scope": "runtime"
},
"alpine-keys": {
"package_url": "pkg:apk/alpine/alpine-keys@2.1-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/alpine-keys@2.1-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"scope": "runtime"
},
"apk-tools": {
"package_url": "pkg:apk/alpine/apk-tools@2.10.1-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/apk-tools@2.10.1-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -80,7 +75,7 @@
"scope": "runtime"
},
"apr": {
"package_url": "pkg:apk/alpine/apr@1.6.3-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/apr@1.6.3-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libuuid@2.31-r0",
@@ -89,7 +84,7 @@
"scope": "runtime"
},
"apr-util": {
"package_url": "pkg:apk/alpine/apr-util@1.6.1-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/apr-util@1.6.1-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"apr@1.6.3-r0",
@@ -100,7 +95,7 @@
"scope": "runtime"
},
"bash": {
"package_url": "pkg:apk/alpine/bash@4.4.19-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/bash@4.4.19-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"busybox@1.27.2-r11",
@@ -111,7 +106,7 @@
"scope": "runtime"
},
"busybox": {
"package_url": "pkg:apk/alpine/busybox@1.27.2-r11?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/busybox@1.27.2-r11?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -119,7 +114,7 @@
"scope": "runtime"
},
"ca-certificates": {
"package_url": "pkg:apk/alpine/ca-certificates@20171114-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ca-certificates@20171114-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"busybox@1.27.2-r11",
@@ -129,7 +124,7 @@
"scope": "runtime"
},
"curl": {
"package_url": "pkg:apk/alpine/curl@7.61.0-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/curl@7.61.0-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"ca-certificates@20171114-r0",
@@ -140,7 +135,7 @@
"scope": "runtime"
},
"db": {
"package_url": "pkg:apk/alpine/db@5.3.28-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/db@5.3.28-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -148,7 +143,7 @@
"scope": "runtime"
},
"expat": {
"package_url": "pkg:apk/alpine/expat@2.2.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/expat@2.2.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -156,7 +151,7 @@
"scope": "runtime"
},
"gdbm": {
"package_url": "pkg:apk/alpine/gdbm@1.13-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/gdbm@1.13-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -164,7 +159,7 @@
"scope": "runtime"
},
"git": {
"package_url": "pkg:apk/alpine/git@2.15.2-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/git@2.15.2-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"expat@2.2.5-r0",
@@ -176,7 +171,7 @@
"scope": "runtime"
},
"libbz2": {
"package_url": "pkg:apk/alpine/libbz2@1.0.6-r6?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libbz2@1.0.6-r6?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -184,7 +179,7 @@
"scope": "runtime"
},
"libc-utils": {
"package_url": "pkg:apk/alpine/libc-utils@0.7.1-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libc-utils@0.7.1-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl-utils@1.1.18-r3"
@@ -192,7 +187,7 @@
"scope": "runtime"
},
"libcurl": {
"package_url": "pkg:apk/alpine/libcurl@7.61.1-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libcurl@7.61.1-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"ca-certificates@20171114-r0",
@@ -205,7 +200,7 @@
"scope": "runtime"
},
"libedit": {
"package_url": "pkg:apk/alpine/libedit@20170329.3.1-r3?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libedit@20170329.3.1-r3?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -214,7 +209,7 @@
"scope": "runtime"
},
"libffi": {
"package_url": "pkg:apk/alpine/libffi@3.2.1-r4?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libffi@3.2.1-r4?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -222,7 +217,7 @@
"scope": "runtime"
},
"libressl": {
"package_url": "pkg:apk/alpine/libressl@2.6.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libressl@2.6.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -233,7 +228,7 @@
"scope": "runtime"
},
"libressl2.6-libcrypto": {
"package_url": "pkg:apk/alpine/libressl2.6-libcrypto@2.6.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libressl2.6-libcrypto@2.6.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -241,7 +236,7 @@
"scope": "runtime"
},
"libressl2.6-libssl": {
"package_url": "pkg:apk/alpine/libressl2.6-libssl@2.6.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libressl2.6-libssl@2.6.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -250,7 +245,7 @@
"scope": "runtime"
},
"libressl2.6-libtls": {
"package_url": "pkg:apk/alpine/libressl2.6-libtls@2.6.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libressl2.6-libtls@2.6.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -260,7 +255,7 @@
"scope": "runtime"
},
"libsasl": {
"package_url": "pkg:apk/alpine/libsasl@2.1.26-r11?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libsasl@2.1.26-r11?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"db@5.3.28-r0",
@@ -269,7 +264,7 @@
"scope": "runtime"
},
"libsodium": {
"package_url": "pkg:apk/alpine/libsodium@1.0.15-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libsodium@1.0.15-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -277,7 +272,7 @@
"scope": "runtime"
},
"libssh2": {
"package_url": "pkg:apk/alpine/libssh2@1.8.0-r2?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libssh2@1.8.0-r2?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -287,7 +282,7 @@
"scope": "runtime"
},
"libuuid": {
"package_url": "pkg:apk/alpine/libuuid@2.31-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libuuid@2.31-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -295,7 +290,7 @@
"scope": "runtime"
},
"libxml2": {
"package_url": "pkg:apk/alpine/libxml2@2.9.7-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libxml2@2.9.7-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -304,7 +299,7 @@
"scope": "runtime"
},
"mercurial": {
"package_url": "pkg:apk/alpine/mercurial@4.5.2-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/mercurial@4.5.2-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -313,12 +308,12 @@
"scope": "runtime"
},
"musl": {
"package_url": "pkg:apk/alpine/musl@1.1.18-r3?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/musl@1.1.18-r3?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"scope": "runtime"
},
"musl-utils": {
"package_url": "pkg:apk/alpine/musl-utils@1.1.18-r3?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/musl-utils@1.1.18-r3?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -327,7 +322,7 @@
"scope": "runtime"
},
"ncurses-libs": {
"package_url": "pkg:apk/alpine/ncurses-libs@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ncurses-libs@6.0_p20171125-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -337,7 +332,7 @@
"scope": "runtime"
},
"ncurses-terminfo": {
"package_url": "pkg:apk/alpine/ncurses-terminfo@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ncurses-terminfo@6.0_p20171125-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"ncurses-terminfo-base@6.0_p20171125-r1"
@@ -345,12 +340,12 @@
"scope": "runtime"
},
"ncurses-terminfo-base": {
"package_url": "pkg:apk/alpine/ncurses-terminfo-base@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ncurses-terminfo-base@6.0_p20171125-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"scope": "runtime"
},
"openssh": {
"package_url": "pkg:apk/alpine/openssh@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -362,7 +357,7 @@
"scope": "runtime"
},
"openssh-client": {
"package_url": "pkg:apk/alpine/openssh-client@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-client@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -373,7 +368,7 @@
"scope": "runtime"
},
"openssh-keygen": {
"package_url": "pkg:apk/alpine/openssh-keygen@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-keygen@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -382,7 +377,7 @@
"scope": "runtime"
},
"openssh-server": {
"package_url": "pkg:apk/alpine/openssh-server@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-server@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -394,12 +389,12 @@
"scope": "runtime"
},
"openssh-server-common": {
"package_url": "pkg:apk/alpine/openssh-server-common@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-server-common@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"scope": "runtime"
},
"openssh-sftp-server": {
"package_url": "pkg:apk/alpine/openssh-sftp-server@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-sftp-server@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -407,7 +402,7 @@
"scope": "runtime"
},
"patch": {
"package_url": "pkg:apk/alpine/patch@2.7.5-r2?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/patch@2.7.5-r2?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -415,7 +410,7 @@
"scope": "runtime"
},
"pcre2": {
"package_url": "pkg:apk/alpine/pcre2@10.30-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/pcre2@10.30-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -423,7 +418,7 @@
"scope": "runtime"
},
"pkgconf": {
"package_url": "pkg:apk/alpine/pkgconf@1.3.10-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/pkgconf@1.3.10-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -431,7 +426,7 @@
"scope": "runtime"
},
"python2": {
"package_url": "pkg:apk/alpine/python2@2.7.15-r2?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/python2@2.7.15-r2?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"expat@2.2.5-r0",
@@ -449,7 +444,7 @@
"scope": "runtime"
},
"readline": {
"package_url": "pkg:apk/alpine/readline@7.0.003-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/readline@7.0.003-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -458,7 +453,7 @@
"scope": "runtime"
},
"scanelf": {
"package_url": "pkg:apk/alpine/scanelf@1.2.2-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/scanelf@1.2.2-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -466,7 +461,7 @@
"scope": "runtime"
},
"serf": {
"package_url": "pkg:apk/alpine/serf@1.3.9-r3?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/serf@1.3.9-r3?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"apr-util@1.6.1-r1",
@@ -479,7 +474,7 @@
"scope": "runtime"
},
"sqlite-libs": {
"package_url": "pkg:apk/alpine/sqlite-libs@3.21.0-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/sqlite-libs@3.21.0-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -487,7 +482,7 @@
"scope": "runtime"
},
"ssl_client": {
"package_url": "pkg:apk/alpine/ssl_client@1.27.2-r11?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ssl_client@1.27.2-r11?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libtls@2.6.5-r0",
@@ -496,7 +491,7 @@
"scope": "runtime"
},
"subversion": {
"package_url": "pkg:apk/alpine/subversion@1.9.7-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/subversion@1.9.7-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"apr-util@1.6.1-r1",
@@ -509,7 +504,7 @@
"scope": "runtime"
},
"subversion-libs": {
"package_url": "pkg:apk/alpine/subversion-libs@1.9.7-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/subversion-libs@1.9.7-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"apr-util@1.6.1-r1",
@@ -525,7 +520,7 @@
"scope": "runtime"
},
"tar": {
"package_url": "pkg:apk/alpine/tar@1.29-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/tar@1.29-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -533,7 +528,7 @@
"scope": "runtime"
},
"tini": {
"package_url": "pkg:apk/alpine/tini@0.16.1-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/tini@0.16.1-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -541,7 +536,7 @@
"scope": "runtime"
},
"xz": {
"package_url": "pkg:apk/alpine/xz@5.2.3-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/xz@5.2.3-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -550,7 +545,7 @@
"scope": "runtime"
},
"xz-libs": {
"package_url": "pkg:apk/alpine/xz-libs@5.2.3-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/xz-libs@5.2.3-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -558,7 +553,7 @@
"scope": "runtime"
},
"zlib": {
"package_url": "pkg:apk/alpine/zlib@1.2.11-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/zlib@1.2.11-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -567,108 +562,6 @@
}
}
},
"php-app/composer.lock": {
"name": "composer",
"file": {
"source_location": "knqyf263/vuln-image:1.2.3@sha256:1e8b199249d6d0ef3419ddc6eda2348d9fbdb10d350d3bb70aa98e87faa227c9"
},
"resolved": {
"guzzlehttp/guzzle": {
"package_url": "pkg:composer/guzzlehttp/guzzle@6.2.0",
"relationship": "direct",
"dependencies": [
"guzzlehttp/promises@v1.3.1",
"guzzlehttp/psr7@1.5.2"
],
"scope": "runtime"
},
"guzzlehttp/promises": {
"package_url": "pkg:composer/guzzlehttp/promises@v1.3.1",
"relationship": "direct",
"scope": "runtime"
},
"guzzlehttp/psr7": {
"package_url": "pkg:composer/guzzlehttp/psr7@1.5.2",
"relationship": "direct",
"dependencies": [
"psr/http-message@1.0.1",
"ralouphie/getallheaders@2.0.5"
],
"scope": "runtime"
},
"laravel/installer": {
"package_url": "pkg:composer/laravel/installer@v2.0.1",
"relationship": "direct",
"dependencies": [
"guzzlehttp/guzzle@6.2.0",
"symfony/console@v4.2.7",
"symfony/filesystem@v4.2.7",
"symfony/process@v4.2.7"
],
"scope": "runtime"
},
"pear/log": {
"package_url": "pkg:composer/pear/log@1.13.1",
"relationship": "direct",
"dependencies": [
"pear/pear_exception@v1.0.0"
],
"scope": "runtime"
},
"pear/pear_exception": {
"package_url": "pkg:composer/pear/pear_exception@v1.0.0",
"relationship": "direct",
"scope": "runtime"
},
"psr/http-message": {
"package_url": "pkg:composer/psr/http-message@1.0.1",
"relationship": "direct",
"scope": "runtime"
},
"ralouphie/getallheaders": {
"package_url": "pkg:composer/ralouphie/getallheaders@2.0.5",
"relationship": "direct",
"scope": "runtime"
},
"symfony/console": {
"package_url": "pkg:composer/symfony/console@v4.2.7",
"relationship": "direct",
"dependencies": [
"symfony/contracts@v1.0.2",
"symfony/polyfill-mbstring@v1.11.0"
],
"scope": "runtime"
},
"symfony/contracts": {
"package_url": "pkg:composer/symfony/contracts@v1.0.2",
"relationship": "direct",
"scope": "runtime"
},
"symfony/filesystem": {
"package_url": "pkg:composer/symfony/filesystem@v4.2.7",
"relationship": "direct",
"dependencies": [
"symfony/polyfill-ctype@v1.11.0"
],
"scope": "runtime"
},
"symfony/polyfill-ctype": {
"package_url": "pkg:composer/symfony/polyfill-ctype@v1.11.0",
"relationship": "direct",
"scope": "runtime"
},
"symfony/polyfill-mbstring": {
"package_url": "pkg:composer/symfony/polyfill-mbstring@v1.11.0",
"relationship": "direct",
"scope": "runtime"
},
"symfony/process": {
"package_url": "pkg:composer/symfony/process@v4.2.7",
"relationship": "direct",
"scope": "runtime"
}
}
},
"rust-app/Cargo.lock": {
"name": "cargo",
"file": {
@@ -1235,4 +1128,4 @@
}
}
}
}
}
test/data/secret-scan/report.json
-1
View File
@@ -1,6 +1,5 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:04.647712097Z",
"ArtifactName": "https://github.com/krol3/demo-trivy/",
"ArtifactType": "repository",
"Metadata": {
test/data/with-tf-vars/report.json
+1 -7
View File
@@ -1,6 +1,5 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-04-12T14:09:09.5680191+03:00",
"ArtifactName": "test/data/with-tf-vars/main.tf",
"ArtifactType": "filesystem",
"Metadata": {
@@ -29,12 +28,7 @@
{
"Target": "main.tf",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 1,
"Failures": 0,
"Exceptions": 0
}
"Type": "terraform"
}
]
}
test/data/with-trivy-yaml-cfg/report.json
+2 -3
View File
@@ -1,6 +1,5 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:21.039454971Z",
"ArtifactName": "alpine:3.10",
"ArtifactType": "container_image",
"Metadata": {
@@ -64,8 +63,8 @@
"PkgID": "apk-tools@2.10.6-r0",
"PkgName": "apk-tools",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64\u0026distro=3.10.9",
"UID": "a6adb154870b6380"
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9",
"UID": "99f6581ffed6b22"
},
"InstalledVersion": "2.10.6-r0",
"FixedVersion": "2.10.7-r0",
test/test.bats
+43 -14
View File
@@ -4,7 +4,7 @@ setup_file() {
local owner=$GITHUB_REPOSITORY_OWNER
export TRIVY_DB_REPOSITORY=ghcr.io/${owner}/trivy-db-act:latest
export TRIVY_JAVA_DB_REPOSITORY=ghcr.io/${owner}/trivy-java-db-act:latest
export TRIVY_POLICY_BUNDLE_REPOSITORY=ghcr.io/${owner}/trivy-checks-act:latest
export TRIVY_CHECKS_BUNDLE_REPOSITORY=ghcr.io/${owner}/trivy-checks-act:latest
}
setup() {
@@ -34,6 +34,13 @@ function remove_github_fields() {
fi
}
function reset_envs() {
local var
for var in $(env | grep '^TRIVY_\|^INPUT_' | cut -d= -f1); do
unset "$var"
done
}
function compare_files() {
local file1="$1"
local file2="$2"
@@ -56,68 +63,90 @@ function compare_files() {
@test "trivy repo with securityCheck secret only" {
# trivy repo -f json -o repo.test --scanners=secret https://github.com/krol3/demo-trivy/
run ./entrypoint.sh '-b json' '-h repo.json' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
export TRIVY_FORMAT=json TRIVY_OUTPUT=repo.json TRIVY_SCANNERS=secret INPUT_SCAN_TYPE=repo INPUT_SCAN_REF="https://github.com/krol3/demo-trivy/"
./entrypoint.sh
compare_files repo.json ./test/data/secret-scan/report.json
reset_envs
}
@test "trivy image" {
# trivy image --severity CRITICAL -o image.test knqyf263/vuln-image:1.2.3
run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
export TRIVY_OUTPUT=image.test TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3
./entrypoint.sh
compare_files image.test ./test/data/image-scan/report
reset_envs
}
@test "trivy config sarif report" {
# trivy config -f sarif -o config-sarif.test ./test/data/config-sarif-report
run ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.sarif' '-j ./test/data/config-sarif-report/main.tf'
export TRIVY_FORMAT=sarif TRIVY_OUTPUT=config-sarif.sarif INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/config-sarif-report
./entrypoint.sh
compare_files config-sarif.sarif ./test/data/config-sarif-report/report.sarif
reset_envs
}
@test "trivy config" {
# trivy config -f json -o config.json ./test/data/config-scan
run ./entrypoint.sh '-a config' '-b json' '-j ./test/data/config-scan' '-h config.json'
export TRIVY_FORMAT=json TRIVY_OUTPUT=config.json INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/config-scan
./entrypoint.sh
compare_files config.json ./test/data/config-scan/report.json
reset_envs
}
@test "trivy rootfs" {
# trivy rootfs --output rootfs.test ./test/data/rootfs-scan
# TODO: add data
run ./entrypoint.sh '-a rootfs' '-j ./test/data/rootfs-scan' '-h rootfs.test'
export TRIVY_OUTPUT=rootfs.test INPUT_SCAN_TYPE=rootfs INPUT_SCAN_REF=./test/data/rootfs-scan
./entrypoint.sh
compare_files rootfs.test ./test/data/rootfs-scan/report
reset_envs
}
@test "trivy fs" {
# trivy fs --output fs.test ./test/data/fs-scan
# TODO: add data
run ./entrypoint.sh '-a fs' '-j ./test/data/fs-scan' '-h fs.test'
export TRIVY_OUTPUT=fs.test INPUT_SCAN_TYPE=fs INPUT_SCAN_REF=./test/data/fs-scan
./entrypoint.sh
compare_files fs.test ./test/data/fs-scan/report
reset_envs
}
@test "trivy image with trivyIgnores option" {
# cat ./test/data/with-ignore-files/.trivyignore1 ./test/data/with-ignore-files/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/with-ignore-files/.trivyignore1,./test/data/with-ignore-files/.trivyignore2'
export TRIVY_OUTPUT=image-trivyignores.test TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_IMAGE_REF=knqyf263/vuln-image:1.2.3 INPUT_TRIVYIGNORES="./test/data/with-ignore-files/.trivyignore1,./test/data/with-ignore-files/.trivyignore2"
./entrypoint.sh
compare_files image-trivyignores.test ./test/data/with-ignore-files/report
reset_envs
}
@test "trivy image with sbom output" {
# trivy image --format github knqyf263/vuln-image:1.2.3
run ./entrypoint.sh "-a image" "-b github" "-h github-dep-snapshot.gsbom" "-i knqyf263/vuln-image:1.2.3"
# trivy image --format github knqyf263/vuln-image:1.2.3
export TRIVY_FORMAT=github TRIVY_OUTPUT=github-dep-snapshot.gsbom INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3
./entrypoint.sh
compare_files github-dep-snapshot.gsbom ./test/data/github-dep-snapshot/report.gsbom
reset_envs
}
@test "trivy image with trivy.yaml config" {
# trivy --config=./test/data/with-trivy-yaml-cfg/trivy.yaml image alpine:3.10
run ./entrypoint.sh "-v ./test/data/with-trivy-yaml-cfg/trivy.yaml" "-a image" "-i alpine:3.10"
export TRIVY_CONFIG=./test/data/with-trivy-yaml-cfg/trivy.yaml INPUT_SCAN_TYPE=image INPUT_SCAN_REF=alpine:3.10
./entrypoint.sh
compare_files yamlconfig.json ./test/data/with-trivy-yaml-cfg/report.json
reset_envs
}
@test "trivy image with custom docker-host" {
# trivy image --docker-host unix:///var/run/docker.sock --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
run ./entrypoint.sh '-y unix:///var/run/docker.sock' '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
export TRIVY_OUTPUT=image.test TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3 TRIVY_DOCKER_HOST=unix:///var/run/docker.sock
./entrypoint.sh
compare_files image.test ./test/data/image-scan/report
reset_envs
}
@test "trivy config with terraform variables" {
# trivy config -f json -o tfvars.json --severity MEDIUM --tf-vars ./test/data/with-tf-vars/dev.tfvars ./test/data/with-tf-vars/main.tf
run ./entrypoint.sh "-a config" "-j ./test/data/with-tf-vars/main.tf" "-h tfvars.json" "-g MEDIUM" "-x ./test/data/with-tf-vars/dev.tfvars" "-b json"
# trivy config -f json -o tfvars.json --severity MEDIUM --tf-vars ./test/data/with-tf-vars/dev.tfvars ./test/data/with-tf-vars/main.tf
export TRIVY_FORMAT=json TRIVY_SEVERITY=MEDIUM TRIVY_OUTPUT=tfvars.json INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/with-tf-vars/main.tf TRIVY_TF_VARS=./test/data/with-tf-vars/dev.tfvars
./entrypoint.sh
compare_files tfvars.json ./test/data/with-tf-vars/report.json
reset_envs
}
workflow.yml
+2 -2
View File
@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
@@ -29,6 +29,6 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'