Compare commits
11 Commits
0.3.0
...
volume-mounts
| Author | SHA1 | Date | |
|---|---|---|---|
|
74194a9efa | ||
|
|
7b7aa264d8 | ||
|
|
63b6e4c61b | ||
|
|
49e970d7ac | ||
|
|
c666240787 | ||
|
|
e27605859b | ||
|
|
2b22459068 | ||
|
|
4b3b5f928b | ||
|
|
1a53202fc4 | ||
|
|
df3fb7d00b | ||
|
|
987beb8186 |
Vendored
+4
-1
@@ -1,7 +1,7 @@
|
||||
name: "build"
|
||||
on: [push, pull_request]
|
||||
env:
|
||||
TRIVY_VERSION: 0.27.1
|
||||
TRIVY_VERSION: 0.29.1
|
||||
jobs:
|
||||
build:
|
||||
name: build
|
||||
@@ -13,6 +13,9 @@ jobs:
|
||||
with:
|
||||
bats-version: 1.2.1
|
||||
|
||||
- name: Setup Bats libs
|
||||
uses: brokenpip3/setup-bats-libs@0.1.0
|
||||
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v1
|
||||
|
||||
|
||||
Vendored
+3
-1
@@ -1,2 +1,4 @@
|
||||
.idea/
|
||||
*.test
|
||||
*.test
|
||||
!test/data/*.test
|
||||
trivyignores
|
||||
|
||||
+3
-2
@@ -1,5 +1,6 @@
|
||||
FROM aquasec/trivy:0.27.1
|
||||
FROM ghcr.io/aquasecurity/trivy:0.29.1
|
||||
COPY entrypoint.sh /
|
||||
RUN apk --no-cache add bash
|
||||
RUN apk --no-cache add bash curl
|
||||
RUN chmod +x /entrypoint.sh
|
||||
ADD $GITHUB_WORKSPACE /github_workspace
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
||||
|
||||
@@ -35,11 +35,11 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
|
||||
- name: Build an image from Dockerfile
|
||||
run: |
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
@@ -80,7 +80,7 @@ jobs:
|
||||
output: 'trivy-results.sarif'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
@@ -115,8 +115,8 @@ jobs:
|
||||
output: 'trivy-results.sarif'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
if: always()
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
if: always()
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
@@ -152,7 +152,7 @@ jobs:
|
||||
severity: 'CRITICAL'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
@@ -187,7 +187,7 @@ jobs:
|
||||
severity: 'CRITICAL'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
@@ -222,11 +222,43 @@ jobs:
|
||||
severity: 'CRITICAL,HIGH'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
### Using Trivy to generate SBOM
|
||||
It's possible for Trivy to generate an SBOM of your dependencies and submit them to a consumer like GitHub Dependency Snapshot.
|
||||
|
||||
The sending of SBOM to GitHub feature is only available if you currently have [GitHub Dependency Snapshot](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) available to you in your repo.
|
||||
|
||||
In order to send results to the GitHub Dependency Snapshot, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
|
||||
```yaml
|
||||
---
|
||||
name: Pull Request
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Checks
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
format: 'github'
|
||||
output: 'dependency-results.sbom.json'
|
||||
image-ref: '.'
|
||||
github-pat: '<github_pat_token>'
|
||||
```
|
||||
|
||||
### Using Trivy to scan your private registry
|
||||
It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.
|
||||
|
||||
@@ -247,7 +279,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
@@ -256,10 +288,10 @@ jobs:
|
||||
output: 'trivy-results.sarif'
|
||||
env:
|
||||
TRIVY_USERNAME: Username
|
||||
TRIVY_PASSWORD: Password
|
||||
TRIVY_PASSWORD: Password
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
@@ -283,7 +315,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
@@ -296,7 +328,7 @@ jobs:
|
||||
AWS_DEFAULT_REGION: us-west-2
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
@@ -319,7 +351,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
@@ -330,7 +362,7 @@ jobs:
|
||||
GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
@@ -352,7 +384,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
@@ -361,10 +393,10 @@ jobs:
|
||||
output: 'trivy-results.sarif'
|
||||
env:
|
||||
TRIVY_USERNAME: Username
|
||||
TRIVY_PASSWORD: Password
|
||||
TRIVY_PASSWORD: Password
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
@@ -375,26 +407,29 @@ jobs:
|
||||
|
||||
Following inputs can be used as `step.with` keys:
|
||||
|
||||
| Name | Type | Default | Description |
|
||||
|------------------|---------|------------------------------------|-----------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs`|
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.`|
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `sarif`) |
|
||||
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)|
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | | Cache directory |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `security-checks`| String | `vuln` | comma-separated list of what security issues to detect (`vuln`,`config`)|
|
||||
| Name | Type | Default | Description |
|
||||
|-------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
|
||||
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | | Cache directory |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `true` | Suppress progress bar |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `security-checks` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `github-pat` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
|
||||
|
||||
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
|
||||
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
|
||||
|
||||
+14
-3
@@ -20,7 +20,6 @@ inputs:
|
||||
exit-code:
|
||||
description: 'exit code when vulnerabilities were found'
|
||||
required: false
|
||||
default: '0'
|
||||
ignore-unfixed:
|
||||
description: 'ignore unfixed vulnerabilities'
|
||||
required: false
|
||||
@@ -38,7 +37,7 @@ inputs:
|
||||
required: false
|
||||
default: 'table'
|
||||
template:
|
||||
description: 'use an existing template for rendering output (@/contrib/sarif.tpl, @/contrib/gitlab.tpl, @/contrib/junit.tpl'
|
||||
description: 'use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl)'
|
||||
required: false
|
||||
default: ''
|
||||
output:
|
||||
@@ -68,7 +67,6 @@ inputs:
|
||||
hide-progress:
|
||||
description: 'hide progress output'
|
||||
required: false
|
||||
default: 'true'
|
||||
list-all-pkgs:
|
||||
description: 'output all packages regardless of vulnerability'
|
||||
required: false
|
||||
@@ -77,6 +75,17 @@ inputs:
|
||||
description: 'comma-separated list of what security issues to detect'
|
||||
required: false
|
||||
default: ''
|
||||
trivyignores:
|
||||
description: 'comma-separated list of relative paths in repository to one or more .trivyignore files'
|
||||
required: false
|
||||
default: ''
|
||||
artifact-type:
|
||||
description: 'input artifact type (image, fs, repo, archive) for SBOM generation'
|
||||
required: false
|
||||
github-pat:
|
||||
description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
|
||||
required: false
|
||||
|
||||
runs:
|
||||
using: 'docker'
|
||||
image: "Dockerfile"
|
||||
@@ -100,3 +109,5 @@ runs:
|
||||
- '-q ${{ inputs.skip-files }}'
|
||||
- '-r ${{ inputs.list-all-pkgs }}'
|
||||
- '-s ${{ inputs.security-checks }}'
|
||||
- '-t ${{ inputs.trivyignores }}'
|
||||
- '-u ${{ inputs.github-pat }}'
|
||||
|
||||
+29
-6
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:" o; do
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" o; do
|
||||
case "${o}" in
|
||||
a)
|
||||
export scanType=${OPTARG}
|
||||
@@ -59,6 +59,12 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:" o; do
|
||||
s)
|
||||
export securityChecks=${OPTARG}
|
||||
;;
|
||||
t)
|
||||
export trivyIgnores=${OPTARG}
|
||||
;;
|
||||
u)
|
||||
export githubPAT=${OPTARG}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
@@ -81,6 +87,7 @@ fi
|
||||
|
||||
SARIF_ARGS=""
|
||||
ARGS=""
|
||||
format=$(echo $format | xargs)
|
||||
if [ $format ];then
|
||||
ARGS="$ARGS --format $format"
|
||||
fi
|
||||
@@ -94,14 +101,11 @@ if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
|
||||
ARGS="$ARGS --ignore-unfixed"
|
||||
SARIF_ARGS="$SARIF_ARGS --ignore-unfixed"
|
||||
fi
|
||||
if [ $vulnType ] && [ "$scanType" != "config" ];then
|
||||
if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];then
|
||||
ARGS="$ARGS --vuln-type $vulnType"
|
||||
SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
|
||||
fi
|
||||
if [ $securityChecks ] && [ "$scanType" == "fs" ];then
|
||||
ARGS="$ARGS --security-checks $securityChecks"
|
||||
fi
|
||||
if [ $securityChecks ] && [ "$scanType" == "repo" ];then
|
||||
if [ $securityChecks ];then
|
||||
ARGS="$ARGS --security-checks $securityChecks"
|
||||
fi
|
||||
if [ $severity ];then
|
||||
@@ -117,6 +121,20 @@ if [ $skipDirs ];then
|
||||
SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
|
||||
done
|
||||
fi
|
||||
if [ $trivyIgnores ];then
|
||||
for f in $(echo $trivyIgnores | tr "," "\n")
|
||||
do
|
||||
if [ -f "$f" ]; then
|
||||
echo "Found ignorefile '${f}':"
|
||||
cat "${f}"
|
||||
cat "${f}" >> ./trivyignores
|
||||
else
|
||||
echo "ERROR: cannot find ignorefile '${f}'."
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
ARGS="$ARGS --ignorefile ./trivyignores"
|
||||
fi
|
||||
if [ $timeout ];then
|
||||
ARGS="$ARGS --timeout $timeout"
|
||||
fi
|
||||
@@ -152,4 +170,9 @@ if [[ "${format}" == "sarif" ]]; then
|
||||
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
|
||||
fi
|
||||
|
||||
if [[ "${format}" == "github" ]] && [[ "$(echo $githubPAT | xargs)" != "" ]]; then
|
||||
echo "Uploading GitHub Dependency Snapshot"
|
||||
curl -u "${githubPAT}" -H 'Content-Type: application/json' 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
|
||||
fi
|
||||
|
||||
exit $returnCode
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
# test data #1 for trivy-ignores option
|
||||
CVE-2020-25576
|
||||
CVE-2019-15551
|
||||
@@ -0,0 +1,2 @@
|
||||
# test data #2 for trivy-ignores option
|
||||
CVE-2019-15554
|
||||
+56
-8
@@ -1,8 +1,56 @@
|
||||
+---------------------------+------------+-----------+----------+------------------------------------------+
|
||||
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
|
||||
+---------------------------+------------+-----------+----------+------------------------------------------+
|
||||
| Dockerfile Security Check | DS002 | root user | HIGH | Specify at least 1 USER |
|
||||
| | | | | command in Dockerfile with |
|
||||
| | | | | non-root user as argument |
|
||||
| | | | | -->avd.aquasec.com/appshield/ds002 |
|
||||
+---------------------------+------------+-----------+----------+------------------------------------------+
|
||||
{
|
||||
"SchemaVersion": 2,
|
||||
"ArtifactName": ".",
|
||||
"ArtifactType": "filesystem",
|
||||
"Metadata": {
|
||||
"ImageConfig": {
|
||||
"architecture": "",
|
||||
"created": "0001-01-01T00:00:00Z",
|
||||
"os": "",
|
||||
"rootfs": {
|
||||
"type": "",
|
||||
"diff_ids": null
|
||||
},
|
||||
"config": {}
|
||||
}
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
"Target": "Dockerfile",
|
||||
"Class": "config",
|
||||
"Type": "dockerfile",
|
||||
"MisconfSummary": {
|
||||
"Successes": 21,
|
||||
"Failures": 1,
|
||||
"Exceptions": 0
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
"Type": "Dockerfile Security Check",
|
||||
"ID": "DS002",
|
||||
"Title": "Image user should not be 'root'",
|
||||
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
|
||||
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
|
||||
"Namespace": "builtin.dockerfile.DS002",
|
||||
"Query": "data.builtin.dockerfile.DS002.deny",
|
||||
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
|
||||
"Severity": "HIGH",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
|
||||
"References": [
|
||||
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
|
||||
"https://avd.aquasec.com/misconfig/ds002"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Dockerfile",
|
||||
"Service": "general",
|
||||
"Code": {
|
||||
"Lines": null
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -20,7 +20,7 @@
|
||||
"Class": "config",
|
||||
"Type": "dockerfile",
|
||||
"MisconfSummary": {
|
||||
"Successes": 22,
|
||||
"Successes": 21,
|
||||
"Failures": 1,
|
||||
"Exceptions": 0
|
||||
},
|
||||
@@ -28,21 +28,27 @@
|
||||
{
|
||||
"Type": "Dockerfile Security Check",
|
||||
"ID": "DS002",
|
||||
"Title": "root user",
|
||||
"Title": "Image user should not be 'root'",
|
||||
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
|
||||
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
|
||||
"Namespace": "appshield.dockerfile.DS002",
|
||||
"Query": "data.appshield.dockerfile.DS002.deny",
|
||||
"Namespace": "builtin.dockerfile.DS002",
|
||||
"Query": "data.builtin.dockerfile.DS002.deny",
|
||||
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
|
||||
"Severity": "HIGH",
|
||||
"PrimaryURL": "https://avd.aquasec.com/appshield/ds002",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
|
||||
"References": [
|
||||
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
|
||||
"https://avd.aquasec.com/appshield/ds002"
|
||||
"https://avd.aquasec.com/misconfig/ds002"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"IacMetadata": {}
|
||||
"CauseMetadata": {
|
||||
"Provider": "Dockerfile",
|
||||
"Service": "general",
|
||||
"Code": {
|
||||
"Lines": null
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
+2516
-53
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
+1478
-107
File diff suppressed because it is too large
Load Diff
+26
-11
@@ -1,50 +1,65 @@
|
||||
#!/usr/bin/env bats
|
||||
load '/usr/lib/bats-support/load.bash'
|
||||
load '/usr/lib/bats-assert/load.bash'
|
||||
|
||||
@test "trivy image" {
|
||||
# trivy image --severity CRITICAL -o image.test knqyf263/vuln-image:1.2.3
|
||||
./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b table' '-h image.test' '-g CRITICAL'
|
||||
# trivy image --severity CRITICAL --format json --output image.test knqyf263/vuln-image:1.2.3
|
||||
./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b json' '-h image.test' '-g CRITICAL'
|
||||
result="$(diff ./test/data/image.test image.test)"
|
||||
[ "$result" == '' ]
|
||||
}
|
||||
|
||||
@test "trivy image sarif report" {
|
||||
# trivy image --severity CRITICAL -f sarif -o image-sarif.test knqyf263/vuln-image:1.2.3
|
||||
# trivy image --severity CRITICAL -f sarif --output image-sarif.test knqyf263/vuln-image:1.2.3
|
||||
./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b sarif' '-h image-sarif.test' '-g CRITICAL'
|
||||
result="$(diff ./test/data/image-sarif.test image-sarif.test)"
|
||||
[ "$result" == '' ]
|
||||
}
|
||||
|
||||
@test "trivy config" {
|
||||
# trivy conf -o config.test .
|
||||
./entrypoint.sh '-a config' '-j .' '-b table' '-h config.test'
|
||||
# trivy config --format json --output config.test .
|
||||
./entrypoint.sh '-a config' '-j .' '-b json' '-h config.test'
|
||||
result="$(diff ./test/data/config.test config.test)"
|
||||
[ "$result" == '' ]
|
||||
}
|
||||
|
||||
@test "trivy rootfs" {
|
||||
# trivy rootfs -o rootfs.test -f json .
|
||||
# trivy rootfs --format json --output rootfs.test .
|
||||
./entrypoint.sh '-a rootfs' '-j .' '-b json' '-h rootfs.test'
|
||||
result="$(diff ./test/data/rootfs.test rootfs.test)"
|
||||
[ "$result" == '' ]
|
||||
}
|
||||
|
||||
@test "trivy fs" {
|
||||
# trivy fs -f json -o fs.test .
|
||||
# trivy fs --format json --output fs.test .
|
||||
./entrypoint.sh '-a fs' '-j .' '-b json' '-h fs.test'
|
||||
result="$(diff ./test/data/fs.test fs.test)"
|
||||
[ "$result" == '' ]
|
||||
}
|
||||
|
||||
@test "trivy fs with securityChecks option" {
|
||||
# trivy fs -f json --security-checks=vuln,config -o fs.test .
|
||||
# trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
|
||||
./entrypoint.sh '-a fs' '-j .' '-b json' '-s vuln,config,secret' '-h fs-scheck.test'
|
||||
result="$(diff ./test/data/fs.test fs.test)"
|
||||
result="$(diff ./test/data/fs-scheck.test fs-scheck.test)"
|
||||
[ "$result" == '' ]
|
||||
}
|
||||
|
||||
@test "trivy repo with securityCheck secret only" {
|
||||
# trivy repo -f json -o repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
|
||||
# trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
|
||||
./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
|
||||
result="$(diff ./test/data/repo.test repo.test)"
|
||||
[ "$result" == '' ]
|
||||
}
|
||||
}
|
||||
|
||||
@test "trivy image with trivyIgnores option" {
|
||||
# cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --format json --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
|
||||
./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b json' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
|
||||
result="$(diff ./test/data/image-trivyignores.test image-trivyignores.test)"
|
||||
[ "$result" == '' ]
|
||||
}
|
||||
|
||||
@test "trivy image with sbom output" {
|
||||
# trivy image --format github knqyf263/vuln-image:1.2.3
|
||||
run ./entrypoint.sh "-a image" "-b github" "-i knqyf263/vuln-image:1.2.3"
|
||||
assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' # TODO: Output contains time, need to mock
|
||||
}
|
||||
|
||||
+1
-1
@@ -29,6 +29,6 @@ jobs:
|
||||
severity: 'CRITICAL,HIGH'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
|
||||
Reference in New Issue
Block a user