


Nikita Pivkin
6c175e9c40 chore: bump trivy to v0.60.0 (#453)
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
2025-03-13 20:58:00 -06:00
Alex B
53e8848d3e Improve README/SBOM (#439)
* Improve README/SBOM

* Use logical workflow name
* Use modern ubuntu version

* Update README.md
2025-03-12 16:11:45 -06:00
Yuta Tokoi
ef1b561207 fix: typo in description of an input for action.yaml (#452) 2025-03-12 16:11:20 -06:00
Mario Apra
a11da62073 fix: Update default trivy version in README (#444)
As part of PR #434 the default Trivy version was bumped,
but the README did not reflect it.
2025-01-07 16:37:47 -07:00
9 changed files with 85 additions and 23 deletions
+1 -1
@@ -6,7 +6,7 @@ on:
workflow_dispatch:
env:
TRIVY_VERSION: 0.57.1
TRIVY_VERSION: 0.60.0
BATS_LIB_PATH: '/usr/lib/'
jobs:
+8 -10
@@ -215,7 +215,7 @@ jobs:
uses: aquasecurity/setup-trivy@v0.2.0
with:
cache: true
version: v0.57.1
version: v0.60.1
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
@@ -567,7 +567,7 @@ In order to send results to GitHub Dependency Graph, you will need to create a [
```yaml
---
name: Pull Request
name: Generate SBOM
on:
push:
branches:
@@ -578,9 +578,8 @@ permissions:
contents: write
jobs:
build:
name: Checks
runs-on: ubuntu-20.04
generate-sbom:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
@@ -601,7 +600,7 @@ You can upload the report as an artifact and download it, for instance using the
```yaml
---
name: Pull Request
name: Generate SBOM
on:
push:
branches:
@@ -612,9 +611,8 @@ permissions:
contents: write
jobs:
build:
name: Checks
runs-on: ubuntu-20.04
generate-sbom:
runs-on: ubuntu-latest
steps:
- name: Scan image in a private registry
uses: aquasecurity/trivy-action@0.28.0
@@ -849,7 +847,7 @@ Following inputs can be used as `step.with` keys:
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
| `version` | String | `v0.56.2` | Trivy version to use, e.g. `latest` or `v0.56.2` |
| `version` | String | `v0.60.0` | Trivy version to use, e.g. `latest` or `v0.60.0` |
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
+2 -2
@@ -8,7 +8,7 @@ inputs:
required: false
default: 'image'
image-ref:
description: 'image reference(for backward compatibility)'
description: 'image reference (for backward compatibility)'
required: false
input:
description: 'reference of tar file to scan'
@@ -98,7 +98,7 @@ inputs:
version:
description: 'Trivy version to use'
required: false
default: 'v0.57.1'
default: 'v0.60.0'
cache:
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
required: false
+1 -1
@@ -205,7 +205,7 @@
"text": "S3 buckets should each define an aws_s3_bucket_public_access_block"
},
"fullDescription": {
"text": "The &#34;block public access&#34; settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.\n"
"text": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.\n"
},
"defaultConfiguration": {
"level": "note"
+21 -9
@@ -90,7 +90,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -150,7 +151,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -210,7 +212,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -271,7 +274,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -388,7 +392,11 @@
"EndLine": 18
}
}
]
],
"RenderedCause": {
"Raw": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {\n versioning_configuration {\n status = \"Disabled\"\n }\n}",
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {\n versioning_configuration {\n \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;37m\"Disabled\"\n\u001b[0m }\n}"
}
}
},
{
@@ -448,7 +456,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -508,7 +517,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -568,7 +578,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -628,7 +639,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
}
]
+12
@@ -0,0 +1,12 @@
Report Summary
┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼──────┼─────────────────┼─────────┤
│ - │ - │ - │ - │
└────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
+14
@@ -1,4 +1,18 @@
Report Summary
┌──────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ knqyf263/vuln-image:1.2.3 (alpine 3.7.1) │ alpine │ 19 │ - │
├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ rust-app/Cargo.lock │ cargo │ 4 │ - │
└──────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)
+12
@@ -0,0 +1,12 @@
Report Summary
┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼──────┼─────────────────┼─────────┤
│ - │ - │ - │ - │
└────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
+14
@@ -1,4 +1,18 @@
Report Summary
┌──────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ knqyf263/vuln-image:1.2.3 (alpine 3.7.1) │ alpine │ 19 │ - │
├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ rust-app/Cargo.lock │ cargo │ 1 │ - │
└──────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)