actions/trivy-action
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: actions:0.3.0
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1
..
compare: actions:0.26.0
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1

80 Commits
0.3.0 ... 0.26.0

Author SHA1 Message Date
Teppei Fukuda
a20de5420d feat: store artifacts in cache by default (#399) 
* feat: migrate to a composite action

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* Fix tests

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* Delete an unused input

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* test: expect status code 0

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* test: not use run

https://bats-core.readthedocs.io/en/stable/writing-tests.html#when-not-to-use-run

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* feat: add 'cache' input

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* docs: update README

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* feat: pin Trivy version

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* fix: bump trivy version

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* feat: use date for cache key

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* chore: delete a comment

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* docs: update README

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* refactor: resolve conflicts and use envs

Signed-off-by: knqyf263 <knqyf263@gmail.com>

---------

Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2024-10-08 14:20:38 -06:00
DmitriyLewen
1b8b83dcc2 docs: add usage info about action/cache for trivy databases (#397) 
* docs: add info about using `action/cache` for `trivy-db`

* docs: add info about trivy-java-db and trivy-checks
 2024-10-07 22:05:39 -06:00
simar7
f781cce5aa feat(trivy): Bump to support v0.56.1 (#387) 
* feat(trivy): Bump to support v0.55.2

* fix tests

* update github workflow

* upgrade to v0.56.0

* bump to trivy v0.56.1

* update tests
 2024-10-07 14:14:19 -06:00
Nikita Pivkin
54f21d8382 ci: sync trivy-checks version 1 (#398) 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2024-10-07 12:23:44 -06:00
Oussama Bounaim
89b14e517d Upgrade GitHub actions (#374) 
* Upgrade Github checkout action

* Upgrade Github upload-sarif action

* Upgrade Github checkout action - Pipeline
 2024-10-02 14:41:43 -06:00
Nikita Pivkin
97646fedde chore: use checks bundle snapshot from trivy-action (#388) 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2024-09-19 08:58:52 -06:00
chris
d9cd5b1c23 fix(Makefile): recursive option typo (#371) 2024-07-09 10:07:51 -06:00
Vinayak S
6e7b7d1fd3 Upgrade trivy to v0.53.0 (#369) 
* Upgrade trivy to v0.53.0

* update tests

---------

Co-authored-by: Simar <simar@linux.com>
 2024-07-09 00:19:25 -06:00
Vinayak S
7c2007bcb5 Upgrade trivy to v0.52.2 (#367) 
* Upgrade trivy to v0.52.2

* Upgrade trivy to v0.52.2
 2024-06-17 16:53:33 -06:00
Francisco Javier Barón
595be6a0f6 Upgrade trivy to v0.52.0 (#364) 2024-06-06 17:41:36 -06:00
simar7
841fb371db chore(docs): Reference the use of a pinned version (#356) 2024-05-22 18:59:56 -06:00
Vinayak S
fd25fed697 bump trivy version to v0.51.2 (#360) 
* bump trivy version to v0.51.2

* bump trivy version to v0.51.2
 2024-05-21 16:33:02 -06:00
simar7
b2933f565d bump trivy version to v0.51.1 (#353) 
* bump trivy version to v0.51.1

* update tests
 2024-05-07 21:42:16 -06:00
simar7
b2cd5ff52c Update bump-trivy.yaml 2024-05-07 18:03:36 -06:00
Nikita Pivkin
6f8c23760b update tests (#334) 
* update tests

* rename trivy images

* rename workflow steps
 2024-05-06 23:18:53 -06:00
Simar
7088d18dcb Revert "fix: 🐛 allow trivy-config and other options to be used together (#338)" 
This reverts commit ee6a4f5af1.
 2024-04-26 01:13:05 -06:00
arairyus
ee6a4f5af1 fix: 🐛 allow trivy-config and other options to be used together (#338) 2024-04-25 23:57:46 -06:00
Pedro Freitas
b5f4977b78 Bump trivy version to v0.50.2 (#341) 
Co-authored-by: pdefreitas <5927433+pdefreitas@users.noreply.github.com>
 2024-04-22 22:07:09 -06:00
Lukas Gravley
207cd40078 Fix docker host bug (#329) 
* Update entrypoint.sh

should be a value not boolean

* Update action.yaml

add example

* Update README.md
 2024-04-04 22:59:05 -06:00
uridium
840deb4908 Browse scan reports without GitHub Advanced Security license (#328) 2024-04-04 22:58:29 -06:00
Calin Marina
0f287db5d3 feat(image): add --docker-host option for GH Action users (#267) 
* add option to update docker-host via cli parameter

* chore: update test results

---------

Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
 2024-04-03 17:26:17 -06:00
uridium
f72b7e8127 Make 'hide-progress' input working again (#323) 
* Make hide-progress input working again

* Unify 'hide-progress' default value
 2024-03-28 19:06:30 -06:00
simar7
d710430a67 bump trivy version to v0.50.1 (#324) 2024-03-27 16:22:09 -06:00
cococig
062f259268 fix: Refer to scan-ref when scan-type is "sbom" (#314) 2024-02-22 14:28:04 -07:00
Maxime Durand
1f6384b6ce docs(report): improve documentation around Using Trivy to generate SBOM and sending it to Github (#307) 
* Improved documentation with details on how to send output as an artifact on Github and giving an example of a private image scan

* formatting

* better name for job
 2024-02-13 15:20:36 -07:00
Kyle Davies
84384bd6e7 Upgraded Trivy from 0.48.1 to v0.49.0 (#304) 2024-02-05 18:54:03 -07:00
Simão Silva
f3d98514b0 fix: Fix skip-files and hide-progress options not being applied when using Sarif report format (#297) 
* Update entrypoint.sh

* Update entrypoint.sh

* Update entrypoint.sh
 2024-01-14 14:28:49 -07:00
DmitriyLewen
0b9d17b6b5 docs: add configuration info for flags not supported by inputs (#296) 
* docs: add information about configuration flags not supported by inputs

* docs: add env and config file to Customizing
 2024-01-11 15:13:21 -07:00
Lucas Bickel
d43c1f16c0 docs: fix typo in README.md (#293) 
Signed-off-by: Lucas Bickel <hairmare@purplehaze.ch>
 2024-01-02 17:53:48 -07:00
Martin Kemp
5f1841df8d Update Trivy to 0.48.1 (#291) 
* Update Trivy to 0.48.1

Signed-off-by: Martin Kemp <me@martinke.mp>

* update tests

---------

Signed-off-by: Martin Kemp <me@martinke.mp>
Co-authored-by: Simar <simar@linux.com>
 2024-01-02 17:51:04 -07:00
Ivan Santos
91713af97d Update to trivy version 0.48.0 (#289) 
* Update to trivy version 0.48.0

 

---------

Signed-off-by: Simar <simar@linux.com>
Co-authored-by: Simar <simar@linux.com>
 2023-12-08 11:08:35 -07:00
Kyle Davies
22d2755f77 feature(config): add terraform variable files (#285) 
* Action now takes an input for terraform variable filess

* added tf-vars

* updated README.md

* Updated yamlconfig test to latest version of trivy output for that container

* updated for correct cpu type

* test trivy version change to 0.45.0

* run scan with correct parameters

* Added test for terraform tfvars

* Updated output for other tests

* use test data as path and updated tf vars to be relative

* removed quiet
 2023-12-04 16:27:47 -07:00
Kyle Davies
2b6a709cf9 Add filesystem alias (#269) 2023-11-06 18:35:42 -07:00
Victor Sollerhed
47e481a388 Update to trivy version 0.47.0 in Dockerfile (#280) 
See:
- https://github.com/aquasecurity/trivy/releases/tag/v0.47.0
 2023-11-06 18:35:08 -07:00
Liam MacPherson
7b07fa7d6a fix: set return code after each Trivy call (#247) 
This change moves the return code to outside the trivy call. This fixes
#228 as the return code was not being propagated.
 2023-11-06 18:32:48 -07:00
Witold Ślęczkowski
f78e9ecf42 Update Dockerfile to 0.46.1 (#277) 
This update fixes https://github.com/aquasecurity/trivy/issues/5441
 2023-10-30 18:28:16 -06:00
Brandon Helms
b77b85c025 Update Dockerfile to 0.46.0 (#274) 
* Update Dockerfile to 0.46.0

This will address bugs before 0.46.0

* updating tests
 2023-10-25 11:39:02 -06:00
Pavel Kutáč
69cbbc0cbb fix: mark image-ref attribute optional (#261) 2023-09-14 22:32:56 -06:00
simar7
fbd16365eb feat(trivy): Bump to v0.45.0 (#256) 2023-09-01 11:44:50 -06:00
Anais Urlichs
559eb1224e Merge pull request #234 from jdsmithit/patch-1 
Update README.md to change the example to the new default brach name …
 2023-08-07 12:32:05 +01:00
Nikita Pivkin
e602665a11 ci: add workflow to bump trivy (#245) 
* ci: add workflow to bump trivy

* update trivy version in tests

* dispatch event workflow_dispatch

* use ORG_REPO_TOKEN secret
 2023-07-25 15:58:10 -06:00
simar7
3dd517d8c9 chore(deps): Update trivy to v0.43.1 (#243) 
* chore(deps): Update trivy to v0.43.1

* fix tests

Signed-off-by: Simar <simar@linux.com>

---------

Signed-off-by: Simar <simar@linux.com>
 2023-07-17 11:07:42 +03:00
Simar
41f05d9ecf Revert "Include args when using trivy config file (#231)" 
Fixes: https://github.com/aquasecurity/trivy-action/issues/238

This reverts commit 82ec0dd604.
 2023-06-09 16:37:19 -06:00
Daniel Chabr
0cd397afbf bump trivy to v0.42.1 (#240) 
* bump trivy to v0.42.1

* revert formatting
 2023-06-09 12:01:09 -06:00
Roger Coll
b43daad0c3 feat: add exit-code parameter to sarif format (#213) 2023-06-05 11:19:20 -06:00
abriko
dedfa59531 Enhance GitHub Dependency Snapshot upload (#233) 2023-06-05 11:12:39 -06:00
Daniel Chabr
f96f79aa22 bump trivy to v0.42.0 (#237) 
* chore(deps): update trivy to v0.42.0

* revert formatting

* revert formatting again

* update sarif version in tests
 2023-06-05 11:08:24 -06:00
Herman Wika Horn
82ec0dd604 Include args when using trivy config file (#231) 
Previously, arguments provided using regular flags
were ignored if a trivy config file was provided

Note that this pull request makes no effort to
deduce or merge desired argument if the same
configuration with different values are provided
both within the config file and as flags. Behaviour
for this case would develop on the implementation
of trivy
 2023-05-31 14:47:20 -06:00
John Smith
463f27e2d8 Update README.md to change the example to the new default brach name main from master. 
Update README.md to change the example to the new default branch name "main" from "master".

I hope this will make the action slightly easier to work with for newer members of the community.
 2023-05-12 10:45:16 +01:00
Bruce Bujon
e5f43133f6 chore: Update Trivy to 0.40.0 (#223) 
* chore: Update trivy to 0.39.0

* chore: Update trivy to 0.40.0
 2023-04-18 17:44:36 -07:00
Guilherme Marz Vazzolla
1a09192c0e docs: improve SBOM documentation (#208) 
* fix: dependency graph name ocurrences

* feat: improve readability and add useful links

* feat: improve readability and instructions 

Improves readability and adds missing information about github_token, another authentication method.

* feat: add github_token instructions

* feat: add github_token to inputs table

* feat: add "what is an SBOM" link

* fix: GitHub dependency graph name ocurrence

* feat: improve SBOM input description

* fix: remove "on pull request" trigger

Co-authored-by: Duncan Casteleyn <10881109+DuncanCasteleyn@users.noreply.github.com>

* fix: outdated input name

---------

Co-authored-by: Duncan Casteleyn <10881109+DuncanCasteleyn@users.noreply.github.com>
 2023-03-28 17:48:04 -07:00
Viktor Sadovnikov
1f0aa582c8 Rename security-checks to scanners (#211) 
* Renaming securityChecks to runners

* Renaming securityChecks to runners

* Renaming securityChecks to runners

* Correcting README
 2023-03-06 21:00:01 -08:00
DmitriyLewen
43849adf01 bump trivy to v0.38.1 (#215) 2023-03-06 20:58:30 -08:00
Falk Puschner
8bd2f9fbda ⬆️ bump trivy action (#203) 2023-02-10 16:20:50 +09:00
simar7
cff3e9a7f6 feat(trivy): Bump Trivy to v0.37.1 (#199) 
Signed-off-by: Simar <simar@linux.com>
 2023-02-01 16:40:29 -08:00
Michael Cantú
ab15891596 Update README.md (#186) 
Fix typo
 2023-02-01 16:23:59 -08:00
Omar Silva
cacfd7a243 docs: add trivy-config to table (#195) 2023-02-01 16:19:16 -08:00
AndreyLevchenko
1e0bef4613 fix(sarif): Add option to limit severities for sarif (aquasecurity#192) (#198) 2023-02-01 16:18:31 -08:00
Aibek
9ab158e859 Add 0.34.0 release (#177) 
* bump to ghcr.io/aquasecurity/trivy:0.33.0

* fix tests

* bump to 0.34.0
 2022-10-31 17:18:27 -07:00
Lior Vaisman Argon
e55de85bee Add npm to action Dockerfile (#176) 2022-10-25 07:04:22 -07:00
chejn
d63413b0a4 Fix github dependency submission API call (#162) 
* Update entrypoint.sh

* Update entrypoint.sh

* Update entrypoint.sh
 2022-08-17 14:54:57 -07:00
simar7
1db49f5326 feat(trivy): Bump Trivy to v0.31.0 (#165) 
Fixes: https://github.com/aquasecurity/trivy-action/issues/164

Signed-off-by: Simar <simar@linux.com>

Signed-off-by: Simar <simar@linux.com>
 2022-08-16 17:25:38 -07:00
Engin Diri
12814ff8bc docs: correct format and add output on config scan with sarif (#159) 2022-08-15 11:09:42 -07:00
simar7
cb606dfdb0 fix(sarif): Add timeout and security-checks for sarif (#156) 2022-08-03 17:32:25 -07:00
Carol Valencia
0d7cf2ddfb chore: improve message output sbom with gh (#145) 
* fix: merge with master- entrypoint

* chore: gitignore .vscode

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-08-02 15:24:58 -07:00
simar7
5144f05a8d fix(config): Drop mixing of options with yaml config. (#148) 
Also adds some documentation explaining how the config
and flags are used in conjunction with each other.

Fixes: https://github.com/aquasecurity/trivy-action/issues/147

Signed-off-by: Simar <simar@linux.com>
 2022-07-29 14:30:07 -07:00
simar7
81b9a6f5ab Update Dockerfile (#152) 2022-07-26 13:08:58 -07:00
simar7
503d3abc15 feat(yaml): Add support for trivy.yaml (#143) 
* feat(yaml): Add support for trivy.yaml

Signed-off-by: Simar <simar@linux.com>

* chore: fixing test using trivy v 0.30.0

* chore(deps): Update to use Trivy v0.30.2

Signed-off-by: Simar <simar@linux.com>

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-07-21 16:36:46 -07:00
simar7
0105373003 docs(trivy): Add instructions to scan tarballs. (#134) 
Signed-off-by: Simar <simar@linux.com>
 2022-06-29 14:34:09 -07:00
simar7
bc615ae2d7 fix(tests): Update test golden files for Trivy v0.29.2 (#136) 
Fixes: https://github.com/aquasecurity/trivy-action/issues/133
Fixes: https://github.com/aquasecurity/trivy-action/issues/135

Signed-off-by: Simar <simar@linux.com>
 2022-06-29 14:33:23 -07:00
simar7
7b7aa264d8 feat(SBOM): Support SBOM generation (#129) 
* feat(sbom): Support SBOM generation

Signed-off-by: Simar <simar@linux.com>

* Update README.md

Co-authored-by: Itay Shakury <itay@itaysk.com>

* feat(sbom): Send results within the entrypoint.sh

* fix(sbom): Fix leading whitespaces for format var.

Signed-off-by: Simar <simar@linux.com>

* docs(sbom): Update README.md

* docs(sbom): Update README.md

* chore(trivy): Bump Trivy version to 0.29.1

Signed-off-by: Simar <simar@linux.com>

* feat(sbom): Change to fs scan.

Signed-off-by: Simar <simar@linux.com>

* fix(tests): Update SARIF goldenfile

Co-authored-by: Itay Shakury <itay@itaysk.com>
 2022-06-22 11:24:39 -07:00
nleconte-csgroup
63b6e4c61b docs: added missing HTML template and removed deprecated SARIF template (#132) 
* docs: add missing template

* docs: add missing template and remove deprecated

Add missing HTML template
Remove deprecated SARIF template

* docs: remove deprecated SARIF template
 2022-06-21 11:46:57 -07:00
Carol Valencia
49e970d7ac chore: pinning 0.29.0 trivy (#128) 
Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-06-17 13:27:39 -07:00
Achton Smidt Winther
c666240787 Add missing option to README. (#127) 2022-06-16 08:25:13 -07:00
David Calvert
e27605859b feat: update codeql-action/upload-sarif to v2 (#124) 2022-06-15 09:16:34 -07:00
Achton Smidt Winther
2b22459068 Update tests for 0.28.1 and convert to JSON (#126) 
* Fix bug with test for securityChecks option which caused it to be skipped.

* Convert tests to JSON output only, and update them for Trivy 0.28.1.

* Update CI test to use Trivy 0.28.1.
 2022-06-15 08:23:38 -07:00
Achton Smidt Winther
4b3b5f928b Add support for --ignorefile option (.trivyignore) (#122) 
* Add support for supplying one or more .trivyignore files.

* Fix gitignore for test data.

* Add test for trivyignores option.

* Be explicit about the trivy options we use during testing.

* Add documentation of trivyignores option.
 2022-06-14 07:41:49 -07:00
Tanguy Segarra
1a53202fc4 Use AWS public ECR instead of rate-limiting dockerhub (#118) 2022-06-08 11:17:38 -07:00
James Luther
df3fb7d00b Update Trivy Version in Dockerfile (#117) 
Updated the dockerfile to use the latest release of Trivy.
 2022-06-02 14:53:00 -07:00
Tanguy Segarra
987beb8186 Enable security checks option for image type (#112) 
* Enable security checks option for image type

* Readme: update security checks option

* action.yaml: add default value for security checks option

* echo env var

* action.yaml: remove default value for security checks

* remove useless echo
 2022-06-02 14:52:06 -07:00
38 changed files with 2615 additions and 1503 deletions
Expand all files Collapse all files

24
.github/workflows/build.yaml vendored
View File

@@ -1,24 +0,0 @@
name: "build"
on: [push, pull_request]
env:
TRIVY_VERSION: 0.27.1
jobs:
build:
name: build
runs-on: ubuntu-20.04
steps:
- name: Setup BATS
uses: mig4/setup-bats@v1
with:
bats-version: 1.2.1
- name: Check out code
uses: actions/checkout@v1
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
- name: Test
run: bats -r .

40
.github/workflows/bump-trivy.yaml vendored Normal file
View File

@@ -0,0 +1,40 @@
name: Bump trivy
on:
workflow_dispatch:
inputs:
trivy_version:
required: true
type: string
description: the trivy version
run-name: Bump trivy to v${{ inputs.trivy_version }}
jobs:
bump:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Update Trivy versions
run: |
find test/data -type f -name '*.test' | xargs sed -r -i 's/"version": "[0-9]+\.[0-9]+\.[0-9]+"/"version": "${{ inputs.trivy_version }}"/'
sed -r -i '/^\| `version`/ s/[0-9]+\.[0-9]+\.[0-9]+/${{ inputs.trivy_version }}/g' README.md
sed -r -i 's/(default:[ ]*'"'"')v[0-9]+\.[0-9]+\.[0-9]+/\1v${{ inputs.trivy_version }}/' action.yaml
- name: Create PR
id: create-pr
uses: peter-evans/create-pull-request@v5
with:
token: ${{ secrets.ORG_REPO_TOKEN }}
title: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
commit-message: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
committer: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
branch-suffix: timestamp
branch: bump-trivy
delete-branch: true
- name: Check outputs
run: |
echo "Pull Request Number - ${{ steps.create-pr.outputs.pull-request-number }}"
echo "Pull Request URL - ${{ steps.create-pr.outputs.pull-request-url }}"

24
.github/workflows/sync-trivy-checks.yaml vendored Normal file
View File

@@ -0,0 +1,24 @@
name: Sync Trivy Checks
on:
workflow_dispatch:
env:
IMAGE_NAME: ${{ github.repository_owner }}/trivy-checks-act
REGISTRY: ghcr.io
jobs:
sync-trivy-checks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Login to GitHub Packages Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Copy Trivy Checks
run: |
oras cp ghcr.io/aquasecurity/trivy-checks:1 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest

24
.github/workflows/sync-trivy-db.yaml vendored Normal file
View File

@@ -0,0 +1,24 @@
name: Sync Trivy DB
on:
workflow_dispatch:
env:
IMAGE_NAME: ${{ github.repository_owner }}/trivy-db-act
REGISTRY: ghcr.io
jobs:
sync-trivy-db:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Login to GitHub Packages Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Copy Trivy DB
run: |
oras cp ghcr.io/aquasecurity/trivy-db:2 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest

24
.github/workflows/sync-trivy-java-db.yaml vendored Normal file
View File

@@ -0,0 +1,24 @@
name: Sync Trivy Java DB
on:
workflow_dispatch:
env:
IMAGE_NAME: ${{ github.repository_owner }}/trivy-java-db-act
REGISTRY: ghcr.io
jobs:
sync-trivy-db:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Login to GitHub Packages Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Copy Trivy Java DB
run: |
oras cp ghcr.io/aquasecurity/trivy-java-db:1 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest

31
.github/workflows/test.yaml vendored Normal file
View File

@@ -0,0 +1,31 @@
name: Test
on:
push:
pull_request:
workflow_dispatch:
env:
TRIVY_VERSION: 0.56.1
BATS_LIB_PATH: '/usr/lib/'
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Bats and bats libs
uses: bats-core/bats-action@2.0.0
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
trivy --version
- name: Test
run: bats --recursive --timing --verbose-run .
env:
TRIVY_CACHE_DIR: .cache
TRIVY_DISABLE_VEX_NOTICE: true
TRIVY_DEBUG: true

7
.gitignore vendored
View File

@@ -1,2 +1,7 @@
.idea/
*.test
*.test
!test/data/*.test
trivyignores
.vscode/
.cache

5
Dockerfile
View File

@@ -1,5 +0,0 @@
FROM aquasec/trivy:0.27.1
COPY entrypoint.sh /
RUN apk --no-cache add bash
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

15
Makefile Normal file
View File

@@ -0,0 +1,15 @@
OS := $(shell uname)
ifeq ($(OS), Darwin)
BATS_LIB_PATH=/opt/homebrew/lib
endif
ifeq ($(OS), Linux)
BATS_LIB_PATH=/usr/local/lib/
endif
.PHONY: test
test:
mkdir -p .cache
BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\
TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
bats --recursive --timing --verbose-run .

474
README.md
View File

@@ -10,38 +10,45 @@
## Table of Contents
- [Usage](#usage)
- [Workflow](#workflow)
- [Docker Image Scanning](#using-trivy-with-github-code-scanning)
- [Git Repository Scanning](#using-trivy-to-scan-your-git-repo)
- [Customizing](#customizing)
- [Inputs](#inputs)
* [Usage](#usage)
* [Scan CI Pipeline](#scan-ci-pipeline)
* [Scan CI Pipeline (w/ Trivy Config)](#scan-ci-pipeline-w-trivy-config)
* [Cache](#cache)
* [Scanning a Tarball](#scanning-a-tarball)
* [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning)
* [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo)
* [Using Trivy to scan your rootfs directories](#using-trivy-to-scan-your-rootfs-directories)
* [Using Trivy to scan Infrastructure as Code](#using-trivy-to-scan-infrastructure-as-code)
* [Using Trivy to generate SBOM](#using-trivy-to-generate-sbom)
* [Using Trivy to scan your private registry](#using-trivy-to-scan-your-private-registry)
* [Using Trivy if you don't have code scanning enabled](#using-trivy-if-you-dont-have-code-scanning-enabled)
* [Customizing](#customizing)
* [inputs](#inputs)
* [Environment variables](#environment-variables)
* [Trivy config file](#trivy-config-file)
## Usage
### Workflow
### Scan CI Pipeline
```yaml
name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'table'
@@ -51,6 +58,160 @@ jobs:
severity: 'CRITICAL,HIGH'
```
### Scan CI Pipeline (w/ Trivy Config)
```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: trivy.yaml
```
In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
```yaml
format: json
exit-code: 1
severity: CRITICAL
secret:
config: config/trivy/secret.yaml
```
It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
- `scan-ref`: If using `fs, repo` scans.
- `image-ref`: If using `image` scan.
- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.
#### Order of preference for options
Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:
- GitHub Action flag
- Environment variable
- Config file
- Default
### Cache
The action has a built-in functionality for caching and restoring [the vulnerability DB](https://github.com/aquasecurity/trivy-db), [the Java DB](https://github.com/aquasecurity/trivy-java-db) and [the checks bundle](https://github.com/aquasecurity/trivy-checks) if they are downloaded during the scan.
The cache is stored in the `$GITHUB_WORKSPACE/.cache/trivy` directory by default.
The cache is restored before the scan starts and saved after the scan finishes.
It uses [actions/cache](https://github.com/actions/cache) under the hood but requires less configuration settings.
The cache input is optional, and caching is turned on by default.
#### Disabling caching
If you want to disable caching, set the `cache` input to `false`, but we recommend keeping it enabled to avoid rate limiting issues.
```yaml
- name: Run Trivy scanner without cache
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'fs'
scan-ref: '.'
cache: 'false'
```
#### Updating caches in the default branch
Please note that there are [restrictions on cache access](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache) between branches in GitHub Actions.
By default, a workflow can access and restore a cache created in either the current branch or the default branch (usually `main` or `master`).
If you need to share caches across branches, you may need to create a cache in the default branch and restore it in the current branch.
To optimize your workflow, you can set up a cron job to regularly update the cache in the default branch.
This allows subsequent scans to use the cached DB without downloading it again.
```yaml
# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans.
# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true.
name: Update Trivy Cache
on:
schedule:
- cron: '0 0 * * *' # Run daily at midnight UTC
workflow_dispatch: # Allow manual triggering
jobs:
update-trivy-db:
runs-on: ubuntu-latest
steps:
- name: Get current date
id: date
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
- name: Download and extract the vulnerability DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
oras pull ghcr.io/aquasecurity/trivy-db:2
tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
rm db.tar.gz
- name: Download and extract the Java DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
oras pull ghcr.io/aquasecurity/trivy-java-db:1
tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
rm javadb.tar.gz
- name: Cache DBs
uses: actions/cache/save@v4
with:
path: ${{ github.workspace }}/.cache/trivy
key: cache-trivy-${{ steps.date.outputs.date }}
```
When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `TRIVY_SKIP_JAVA_DB_UPDATE` to skip the download process.
```yaml
- name: Run Trivy scanner without downloading DBs
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'image'
scan-ref: 'myimage'
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
```
### Scanning a Tarball
```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Generate tarball from image
run: |
docker pull <your-docker-image>
docker save -o vuln-image.tar <your-docker-image>
- name: Run Trivy vulnerability scanner in tarball mode
uses: aquasecurity/trivy-action@0.20.0
with:
input: /github/workspace/vuln-image.tar
severity: 'CRITICAL,HIGH'
```
### Using Trivy with GitHub Code Scanning
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
@@ -58,29 +219,29 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -93,30 +254,30 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
if: always()
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
```
@@ -132,18 +293,18 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'fs'
ignore-unfixed: true
@@ -152,7 +313,7 @@ jobs:
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -166,18 +327,18 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner with rootfs command
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'rootfs'
scan-ref: 'rootfs-example-binary'
@@ -187,12 +348,12 @@ jobs:
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to scan Infrastucture as Code
### Using Trivy to scan Infrastructure as Code
It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
@@ -201,32 +362,113 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'config'
hide-progress: false
format: 'table'
hide-progress: true
format: 'sarif'
output: 'trivy-results.sarif'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to generate SBOM
It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository).
In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`):
```yaml
---
name: Pull Request
on:
push:
branches:
- main
## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
permissions:
contents: write
jobs:
build:
name: Checks
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'fs'
format: 'github'
output: 'dependency-results.sbom.json'
image-ref: '.'
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
```
When scanning images you may want to parse the actual output JSON as Github Dependency doesn't show all details like the file path of each dependency for instance.
You can upload the report as an artifact and download it, for instance using the [upload-artifact action](https://github.com/actions/upload-artifact):
```yaml
---
name: Pull Request
on:
push:
branches:
- main
## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
permissions:
contents: write
jobs:
build:
name: Checks
runs-on: ubuntu-20.04
steps:
- name: Scan image in a private registry
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: "private_image_registry/image_name:image_tag"
scan-type: image
format: 'github'
output: 'dependency-results.sbom.json'
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
severity: "MEDIUM,HIGH,CRITICAL"
scanners: "vuln"
env:
TRIVY_USERNAME: "image_registry_admin_username"
TRIVY_PASSWORD: "image_registry_admin_password"
- name: Upload trivy report as a Github artifact
uses: actions/upload-artifact@v4
with:
name: trivy-sbom-report
path: '${{ github.workspace }}/dependency-results.sbom.json'
retention-days: 20 # 90 is the default
```
### Using Trivy to scan your private registry
It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.
@@ -238,28 +480,28 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
env:
TRIVY_USERNAME: Username
TRIVY_PASSWORD: Password
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -274,18 +516,18 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
format: 'sarif'
@@ -296,7 +538,7 @@ jobs:
AWS_DEFAULT_REGION: us-west-2
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -310,18 +552,18 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -330,7 +572,7 @@ jobs:
GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -343,58 +585,108 @@ name: build
on:
push:
branches:
- master
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
env:
TRIVY_USERNAME: Username
TRIVY_PASSWORD: Password
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy if you don't have code scanning enabled
It's also possible to browse a scan result in a workflow summary.
This step is especially useful for private repositories without [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) license.
```yaml
- name: Run Trivy scanner
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: config
hide-progress: true
output: trivy.txt
- name: Publish Trivy Output to Summary
run: |
if [[ -s trivy.txt ]]; then
{
echo "### Security Output"
echo "<details><summary>Click to expand</summary>"
echo ""
echo '```terraform'
cat trivy.txt
echo '```'
echo "</details>"
} >> $GITHUB_STEP_SUMMARY
fi
```
## Customizing
Configuration priority:
- [Inputs](#inputs)
- [Environment variables](#environment-variables)
- [Trivy config file](#trivy-config-file)
- Default values
### inputs
Following inputs can be used as `step.with` keys:
| Name | Type | Default | Description |
|------------------|---------|------------------------------------|-----------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs`|
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.`|
| `format` | String | `table` | Output format (`table`, `json`, `sarif`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)|
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | | Cache directory |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `security-checks`| String | `vuln` | comma-separated list of what security issues to detect (`vuln`,`config`)|
| Name | Type | Default | Description |
|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `tf-vars` | String | | path to Terraform variables file |
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `false` | Suppress progress bar and log output |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `trivy-config` | String | | Path to trivy.yaml config |
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
| `version` | String | `v0.56.1` | Trivy version to use, e.g. `latest` or `v0.56.1` |
### Environment variables
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
### Trivy config file
When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
@@ -402,3 +694,5 @@ Following inputs can be used as `step.with` keys:
[marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github
[license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE
[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/

125
action.yaml
View File

@@ -1,6 +1,7 @@
name: 'Aqua Security Trivy'
description: 'Scans container images for vulnerabilities with Trivy'
author: 'Aqua Security'
inputs:
scan-type:
description: 'Scan type to use for scanning vulnerability'
@@ -8,7 +9,7 @@ inputs:
default: 'image'
image-ref:
description: 'image reference(for backward compatibility)'
required: true
required: false
input:
description: 'reference of tar file to scan'
required: false
@@ -20,12 +21,11 @@ inputs:
exit-code:
description: 'exit code when vulnerabilities were found'
required: false
default: '0'
ignore-unfixed:
description: 'ignore unfixed vulnerabilities'
required: false
default: 'false'
vuln-type:
vuln-type: # TODO: rename to pkg-types
description: 'comma-separated list of vulnerability types (os,library)'
required: false
default: 'os,library'
@@ -38,7 +38,7 @@ inputs:
required: false
default: 'table'
template:
description: 'use an existing template for rendering output (@/contrib/sarif.tpl, @/contrib/gitlab.tpl, @/contrib/junit.tpl'
description: 'use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl)'
required: false
default: ''
output:
@@ -56,7 +56,7 @@ inputs:
cache-dir:
description: 'specify where the cache is stored'
required: false
default: ''
default: '${{ github.workspace }}/.cache/trivy'
timeout:
description: 'timeout (default 5m0s)'
required: false
@@ -66,37 +66,102 @@ inputs:
required: false
default: ''
hide-progress:
description: 'hide progress output'
description: 'suppress progress bar and log output'
required: false
default: 'true'
list-all-pkgs:
description: 'output all packages regardless of vulnerability'
required: false
default: 'false'
security-checks:
scanners:
description: 'comma-separated list of what security issues to detect'
required: false
default: ''
trivyignores:
description: 'comma-separated list of relative paths in repository to one or more .trivyignore files'
required: false
default: ''
github-pat:
description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
required: false
trivy-config:
description: 'path to trivy.yaml config'
required: false
tf-vars:
description: "path to terraform tfvars file"
required: false
limit-severities-for-sarif:
description: 'limit severities for SARIF format'
required: false
docker-host:
description: 'unix domain socket path to use for docker scanning, ex. unix:///var/run/docker.sock'
required: false
version:
description: 'Trivy version to use'
required: false
default: 'v0.56.1'
cache:
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
required: false
default: 'true'
runs:
using: 'docker'
image: "Dockerfile"
args:
- '-a ${{ inputs.scan-type }}'
- '-b ${{ inputs.format }}'
- '-c ${{ inputs.template }}'
- '-d ${{ inputs.exit-code }}'
- '-e ${{ inputs.ignore-unfixed }}'
- '-f ${{ inputs.vuln-type }}'
- '-g ${{ inputs.severity }}'
- '-h ${{ inputs.output }}'
- '-i ${{ inputs.image-ref }}'
- '-j ${{ inputs.scan-ref }}'
- '-k ${{ inputs.skip-dirs }}'
- '-l ${{ inputs.input }}'
- '-m ${{ inputs.cache-dir }}'
- '-n ${{ inputs.timeout }}'
- '-o ${{ inputs.ignore-policy }}'
- '-p ${{ inputs.hide-progress }}'
- '-q ${{ inputs.skip-files }}'
- '-r ${{ inputs.list-all-pkgs }}'
- '-s ${{ inputs.security-checks }}'
using: 'composite'
steps:
- name: Install Trivy
shell: bash
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin ${{ inputs.version }}
- name: Get current date
id: date
shell: bash
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
- name: Restore DB from cache
if: ${{ inputs.cache == 'true' }}
uses: actions/cache@v4
with:
path: ${{ inputs.cache-dir }}
key: cache-trivy-${{ steps.date.outputs.date }}
restore-keys: cache-trivy-
- name: Set GitHub Path
run: echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
shell: bash
env:
GITHUB_ACTION_PATH: ${{ github.action_path }}
- name: Run Trivy
shell: bash
run: entrypoint.sh
env:
# For shell script
# > If the action is written using a composite, then it will not automatically get INPUT_<VARIABLE_NAME>
# cf. https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
INPUT_SCAN_TYPE: ${{ inputs.scan-type }}
INPUT_IMAGE_REF: ${{ inputs.image-ref }}
INPUT_SCAN_REF: ${{ inputs.scan-ref }}
INPUT_TRIVYIGNORES: ${{ inputs.trivyignores }}
INPUT_GITHUB_PAT: ${{ inputs.github-pat }}
INPUT_LIMIT_SEVERITIES_FOR_SARIF: ${{ inputs.limit-severities-for-sarif }}
# For Trivy
# cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
TRIVY_INPUT: ${{ inputs.input }}
TRIVY_EXIT_CODE: ${{ inputs.exit-code }}
TRIVY_IGNORE_UNFIXED: ${{ inputs.ignore-unfixed }}
TRIVY_PKG_TYPES: ${{ inputs.vuln-type }}
TRIVY_SEVERITY: ${{ inputs.severity }}
TRIVY_FORMAT: ${{ inputs.format }}
TRIVY_TEMPLATE: ${{ inputs.template }}
TRIVY_OUTPUT: ${{ inputs.output }}
TRIVY_SKIP_DIRS: ${{ inputs.skip-dirs }}
TRIVY_SKIP_FILES: ${{ inputs.skip-files }}
TRIVY_CACHE_DIR: ${{ inputs.cache-dir }}
TRIVY_TIMEOUT: ${{ inputs.timeout }}
TRIVY_IGNORE_POLICY: ${{ inputs.ignore-policy }}
TRIVY_QUIET: ${{ inputs.hide-progress }}
TRIVY_LIST_ALL_PKGS: ${{ inputs.list-all-pkgs }}
TRIVY_SCANNERS: ${{ inputs.scanners }}
TRIVY_CONFIG: ${{ inputs.trivy-config }}
TRIVY_TF_VARS: ${{ inputs.tf-vars }}
TRIVY_DOCKER_HOST: ${{ inputs.docker-host }}

186
entrypoint.sh
View File

@@ -1,155 +1,57 @@
#!/bin/bash
set -e
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:" o; do
case "${o}" in
a)
export scanType=${OPTARG}
;;
b)
export format=${OPTARG}
;;
c)
export template=${OPTARG}
;;
d)
export exitCode=${OPTARG}
;;
e)
export ignoreUnfixed=${OPTARG}
;;
f)
export vulnType=${OPTARG}
;;
g)
export severity=${OPTARG}
;;
h)
export output=${OPTARG}
;;
i)
export imageRef=${OPTARG}
;;
j)
export scanRef=${OPTARG}
;;
k)
export skipDirs=${OPTARG}
;;
l)
export input=${OPTARG}
;;
m)
export cacheDir=${OPTARG}
;;
n)
export timeout=${OPTARG}
;;
o)
export ignorePolicy=${OPTARG}
;;
p)
export hideProgress=${OPTARG}
;;
q)
export skipFiles=${OPTARG}
;;
r)
export listAllPkgs=${OPTARG}
;;
s)
export securityChecks=${OPTARG}
;;
esac
done
set -euo pipefail
scanType=$(echo $scanType | tr -d '\r')
export artifactRef="${imageRef}"
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
artifactRef=$(echo $scanRef | tr -d '\r')
fi
input=$(echo $input | tr -d '\r')
if [ $input ]; then
artifactRef="--input $input"
fi
ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
hideProgress=$(echo $hideProgress | tr -d '\r')
GLOBAL_ARGS=""
if [ $cacheDir ];then
GLOBAL_ARGS="$GLOBAL_ARGS --cache-dir $cacheDir"
# Set artifact reference
scanType="${INPUT_SCAN_TYPE:-image}"
scanRef="${INPUT_SCAN_REF:-.}"
if [ -n "${INPUT_IMAGE_REF:-}" ]; then
scanRef="${INPUT_IMAGE_REF}" # backwards compatibility
fi
SARIF_ARGS=""
ARGS=""
if [ $format ];then
ARGS="$ARGS --format $format"
fi
if [ $template ] ;then
ARGS="$ARGS --template $template"
fi
if [ $exitCode ];then
ARGS="$ARGS --exit-code $exitCode"
fi
if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
ARGS="$ARGS --ignore-unfixed"
SARIF_ARGS="$SARIF_ARGS --ignore-unfixed"
fi
if [ $vulnType ] && [ "$scanType" != "config" ];then
ARGS="$ARGS --vuln-type $vulnType"
SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
fi
if [ $securityChecks ] && [ "$scanType" == "fs" ];then
ARGS="$ARGS --security-checks $securityChecks"
fi
if [ $securityChecks ] && [ "$scanType" == "repo" ];then
ARGS="$ARGS --security-checks $securityChecks"
fi
if [ $severity ];then
ARGS="$ARGS --severity $severity"
fi
if [ $output ];then
ARGS="$ARGS --output $output"
fi
if [ $skipDirs ];then
for i in $(echo $skipDirs | tr "," "\n")
do
ARGS="$ARGS --skip-dirs $i"
SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
# Handle trivy ignores
if [ -n "${INPUT_TRIVYIGNORES:-}" ]; then
ignorefile="./trivyignores"
# Clear the ignore file if it exists, or create a new empty file
: > "$ignorefile"
for f in ${INPUT_TRIVYIGNORES//,/ }; do
if [ -f "$f" ]; then
echo "Found ignorefile '${f}':"
cat "${f}"
cat "${f}" >> "$ignorefile"
else
echo "ERROR: cannot find ignorefile '${f}'." >&2
exit 1
fi
done
fi
if [ $timeout ];then
ARGS="$ARGS --timeout $timeout"
fi
if [ $ignorePolicy ];then
ARGS="$ARGS --ignore-policy $ignorePolicy"
SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy"
fi
if [ "$hideProgress" == "true" ];then
ARGS="$ARGS --no-progress"
export TRIVY_IGNOREFILE="$ignorefile"
fi
listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
if [ "$listAllPkgs" == "true" ];then
ARGS="$ARGS --list-all-pkgs"
fi
if [ "$skipFiles" ];then
for i in $(echo $skipFiles | tr "," "\n")
do
ARGS="$ARGS --skip-files $i"
done
# Handle SARIF
if [ "${TRIVY_FORMAT:-}" = "sarif" ]; then
if [ "${INPUT_LIMIT_SEVERITIES_FOR_SARIF:-false,,}" != "true" ]; then
echo "Building SARIF report with all severities"
unset TRIVY_SEVERITY
else
echo "Building SARIF report"
fi
fi
echo "Running trivy with options: ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
# Run Trivy
cmd=(trivy "$scanType" "$scanRef")
echo "Running Trivy with options: ${cmd[*]}"
"${cmd[@]}"
returnCode=$?
# SARIF is special. We output all vulnerabilities,
# regardless of severity level specified in this report.
# This is a feature, not a bug :)
if [[ "${format}" == "sarif" ]]; then
echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
if [ "${TRIVY_FORMAT:-}" = "github" ]; then
if [ -n "${INPUT_GITHUB_PAT:-}" ]; then
printf "\n Uploading GitHub Dependency Snapshot"
curl -H 'Accept: application/vnd.github+json' -H "Authorization: token ${INPUT_GITHUB_PAT}" \
"https://api.github.com/repos/$GITHUB_REPOSITORY/dependency-graph/snapshots" -d @"${TRIVY_OUTPUT:-}"
else
printf "\n Failing GitHub Dependency Snapshot. Missing github-pat" >&2
fi
fi
exit $returnCode
exit $returnCode

18
test/data/config-sarif-report/main.tf Normal file
View File

@@ -0,0 +1,18 @@
# test data for trivy config with terraform variables
variable "bucket_versioning_enabled" {
type = string
default = "Disabled"
}
resource "aws_s3_bucket" "bucket" {
bucket = "trivy-action-bucket"
}
resource "aws_s3_bucket_versioning" "bucket_versioning" {
bucket = aws_s3_bucket.bucket.id
versioning_configuration {
status = var.bucket_versioning_enabled
}
}

74
test/data/config-sarif-report/report.sarif Normal file
View File

@@ -0,0 +1,74 @@
{
"version": "2.1.0",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"fullName": "Trivy Vulnerability Scanner",
"informationUri": "https://github.com/aquasecurity/trivy",
"name": "Trivy",
"rules": [
{
"id": "AVD-AWS-0089",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Bucket Logging"
},
"fullDescription": {
"text": "Ensures S3 bucket logging is enabled for S3 buckets"
},
"defaultConfiguration": {
"level": "note"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0089",
"help": {
"text": "Misconfiguration AVD-AWS-0089\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 Bucket Logging\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)\nEnsures S3 bucket logging is enabled for S3 buckets",
"markdown": "**Misconfiguration AVD-AWS-0089**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)|\n\nEnsures S3 bucket logging is enabled for S3 buckets"
},
"properties": {
"precision": "very-high",
"security-severity": "2.0",
"tags": [
"misconfiguration",
"security",
"LOW"
]
}
}
]
}
},
"results": [
{
"ruleId": "AVD-AWS-0089",
"ruleIndex": 0,
"level": "note",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0089\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
}
],
"columnKind": "utf16CodeUnits"
}
]
}

18
test/data/config-scan/main.tf Normal file
View File

@@ -0,0 +1,18 @@
# test data for trivy config with terraform variables
variable "bucket_versioning_enabled" {
type = string
default = "Disabled"
}
resource "aws_s3_bucket" "bucket" {
bucket = "trivy-action-bucket"
}
resource "aws_s3_bucket_versioning" "bucket_versioning" {
bucket = aws_s3_bucket.bucket.id
versioning_configuration {
status = var.bucket_versioning_enabled
}
}

101
test/data/config-scan/report.json Normal file
View File

@@ -0,0 +1,101 @@
{
"SchemaVersion": 2,
"ArtifactName": "test/data/config-scan",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": ".",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 2,
"Failures": 0,
"Exceptions": 0
}
},
{
"Target": "main.tf",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 0,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0089",
"AVDID": "AVD-AWS-0089",
"Title": "S3 Bucket Logging",
"Description": "Ensures S3 bucket logging is enabled for S3 buckets",
"Message": "Bucket has logging disabled",
"Namespace": "builtin.aws.s3.aws0089",
"Query": "data.builtin.aws.s3.aws0089.deny",
"Resolution": "Add a logging block to the resource to enable access logging",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html",
"https://avd.aquasec.com/misconfig/avd-aws-0089"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
}
]
}
]
}

8
test/data/config.test
View File

@@ -1,8 +0,0 @@
+---------------------------+------------+-----------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+-----------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | root user | HIGH | Specify at least 1 USER |
| | | | | command in Dockerfile with |
| | | | | non-root user as argument |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+-----------+----------+------------------------------------------+

0
test/data/fs-scan/report Normal file
View File

50
test/data/fs-scheck.test
View File

@@ -1,50 +0,0 @@
{
"SchemaVersion": 2,
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 22,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"Title": "root user",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "appshield.dockerfile.DS002",
"Query": "data.appshield.dockerfile.DS002.deny",
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/appshield/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/appshield/ds002"
],
"Status": "FAIL",
"Layer": {},
"IacMetadata": {}
}
]
}
]
}

17
test/data/fs.test
View File

@@ -1,17 +0,0 @@
{
"SchemaVersion": 2,
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
}
}

1131
test/data/github-dep-snapshot/report.gsbom Normal file
View File

File diff suppressed because it is too large Load Diff

941
test/data/image-sarif.test
View File

@@ -1,941 +0,0 @@
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
"runs": [
{
"tool": {
"driver": {
"fullName": "Trivy Vulnerability Scanner",
"informationUri": "https://github.com/aquasecurity/trivy",
"name": "Trivy",
"rules": [
{
"id": "CVE-2018-14618",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2018-14618"
},
"fullDescription": {
"text": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2018-14618",
"help": {
"text": "Vulnerability CVE-2018-14618\nSeverity: CRITICAL\nPackage: curl\nFixed Version: 7.61.1-r0\nLink: [CVE-2018-14618](https://avd.aquasec.com/nvd/cve-2018-14618)\ncurl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
"markdown": "**Vulnerability CVE-2018-14618**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|curl|7.61.1-r0|[CVE-2018-14618](https://avd.aquasec.com/nvd/cve-2018-14618)|\n\ncurl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)"
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2018-16839",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2018-16839"
},
"fullDescription": {
"text": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2018-16839",
"help": {
"text": "Vulnerability CVE-2018-16839\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16839](https://avd.aquasec.com/nvd/cve-2018-16839)\nCurl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
"markdown": "**Vulnerability CVE-2018-16839**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r1|[CVE-2018-16839](https://avd.aquasec.com/nvd/cve-2018-16839)|\n\nCurl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2018-16840",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2018-16840"
},
"fullDescription": {
"text": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an \u0026#39;easy\u0026#39; handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2018-16840",
"help": {
"text": "Vulnerability CVE-2018-16840\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16840](https://avd.aquasec.com/nvd/cve-2018-16840)\nA heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.",
"markdown": "**Vulnerability CVE-2018-16840**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r1|[CVE-2018-16840](https://avd.aquasec.com/nvd/cve-2018-16840)|\n\nA heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2018-16842",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2018-16842"
},
"fullDescription": {
"text": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2018-16842",
"help": {
"text": "Vulnerability CVE-2018-16842\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16842](https://avd.aquasec.com/nvd/cve-2018-16842)\nCurl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
"markdown": "**Vulnerability CVE-2018-16842**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r1|[CVE-2018-16842](https://avd.aquasec.com/nvd/cve-2018-16842)|\n\nCurl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service."
},
"properties": {
"precision": "very-high",
"security-severity": "9.1",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-3822",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-3822"
},
"fullDescription": {
"text": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large \u0026#39;nt response\u0026#39; data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a \u0026#39;large value\u0026#39; needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-3822",
"help": {
"text": "Vulnerability CVE-2019-3822\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r2\nLink: [CVE-2019-3822](https://avd.aquasec.com/nvd/cve-2019-3822)\nlibcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.",
"markdown": "**Vulnerability CVE-2019-3822**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r2|[CVE-2019-3822](https://avd.aquasec.com/nvd/cve-2019-3822)|\n\nlibcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-5481",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-5481"
},
"fullDescription": {
"text": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-5481",
"help": {
"text": "Vulnerability CVE-2019-5481\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5481](https://avd.aquasec.com/nvd/cve-2019-5481)\nDouble-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
"markdown": "**Vulnerability CVE-2019-5481**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r3|[CVE-2019-5481](https://avd.aquasec.com/nvd/cve-2019-5481)|\n\nDouble-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-5482",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-5482"
},
"fullDescription": {
"text": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-5482",
"help": {
"text": "Vulnerability CVE-2019-5482\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5482](https://avd.aquasec.com/nvd/cve-2019-5482)\nHeap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
"markdown": "**Vulnerability CVE-2019-5482**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r3|[CVE-2019-5482](https://avd.aquasec.com/nvd/cve-2019-5482)|\n\nHeap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2018-17456",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2018-17456"
},
"fullDescription": {
"text": "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \u0026#34;git clone\u0026#34; of a superproject if a .gitmodules file has a URL field beginning with a \u0026#39;-\u0026#39; character."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2018-17456",
"help": {
"text": "Vulnerability CVE-2018-17456\nSeverity: CRITICAL\nPackage: git\nFixed Version: 2.15.3-r0\nLink: [CVE-2018-17456](https://avd.aquasec.com/nvd/cve-2018-17456)\nGit before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.",
"markdown": "**Vulnerability CVE-2018-17456**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|git|2.15.3-r0|[CVE-2018-17456](https://avd.aquasec.com/nvd/cve-2018-17456)|\n\nGit before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-1353",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-1353"
},
"fullDescription": {
"text": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \u0026#34;WSL\u0026#34;) while accessing a working directory on a regular Windows drive, none of the NTFS protections were active."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-1353",
"help": {
"text": "Vulnerability CVE-2019-1353\nSeverity: CRITICAL\nPackage: git\nFixed Version: 2.15.4-r0\nLink: [CVE-2019-1353](https://avd.aquasec.com/nvd/cve-2019-1353)\nAn issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \"WSL\") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.",
"markdown": "**Vulnerability CVE-2019-1353**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|git|2.15.4-r0|[CVE-2019-1353](https://avd.aquasec.com/nvd/cve-2019-1353)|\n\nAn issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \"WSL\") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-12900",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-12900"
},
"fullDescription": {
"text": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-12900",
"help": {
"text": "Vulnerability CVE-2019-12900\nSeverity: CRITICAL\nPackage: libbz2\nFixed Version: 1.0.6-r7\nLink: [CVE-2019-12900](https://avd.aquasec.com/nvd/cve-2019-12900)\nBZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.",
"markdown": "**Vulnerability CVE-2019-12900**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libbz2|1.0.6-r7|[CVE-2019-12900](https://avd.aquasec.com/nvd/cve-2019-12900)|\n\nBZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-14697",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-14697"
},
"fullDescription": {
"text": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application\u0026#39;s source code."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-14697",
"help": {
"text": "Vulnerability CVE-2019-14697\nSeverity: CRITICAL\nPackage: musl-utils\nFixed Version: 1.1.18-r4\nLink: [CVE-2019-14697](https://avd.aquasec.com/nvd/cve-2019-14697)\nmusl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
"markdown": "**Vulnerability CVE-2019-14697**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|musl-utils|1.1.18-r4|[CVE-2019-14697](https://avd.aquasec.com/nvd/cve-2019-14697)|\n\nmusl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-8457",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-8457"
},
"fullDescription": {
"text": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-8457",
"help": {
"text": "Vulnerability CVE-2019-8457\nSeverity: CRITICAL\nPackage: sqlite-libs\nFixed Version: 3.25.3-r1\nLink: [CVE-2019-8457](https://avd.aquasec.com/nvd/cve-2019-8457)\nSQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.",
"markdown": "**Vulnerability CVE-2019-8457**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|sqlite-libs|3.25.3-r1|[CVE-2019-8457](https://avd.aquasec.com/nvd/cve-2019-8457)|\n\nSQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2020-25576",
"name": "LanguageSpecificPackageVulnerability",
"shortDescription": {
"text": "CVE-2020-25576"
},
"fullDescription": {
"text": "An issue was discovered in the rand_core crate before 0.4.2 for Rust. Casting of byte slices to integer slices mishandles alignment constraints."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2020-25576",
"help": {
"text": "Vulnerability CVE-2020-25576\nSeverity: CRITICAL\nPackage: rand_core\nFixed Version: 0.3.1, 0.4.2\nLink: [CVE-2020-25576](https://avd.aquasec.com/nvd/cve-2020-25576)\nAn issue was discovered in the rand_core crate before 0.4.2 for Rust. Casting of byte slices to integer slices mishandles alignment constraints.",
"markdown": "**Vulnerability CVE-2020-25576**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|rand_core|0.3.1, 0.4.2|[CVE-2020-25576](https://avd.aquasec.com/nvd/cve-2020-25576)|\n\nAn issue was discovered in the rand_core crate before 0.4.2 for Rust. Casting of byte slices to integer slices mishandles alignment constraints."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-15551",
"name": "LanguageSpecificPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-15551"
},
"fullDescription": {
"text": "An issue was discovered in the smallvec crate before 0.6.10 for Rust. There is a double free for certain grow attempts with the current capacity."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-15551",
"help": {
"text": "Vulnerability CVE-2019-15551\nSeverity: CRITICAL\nPackage: smallvec\nFixed Version: 0.6.10\nLink: [CVE-2019-15551](https://avd.aquasec.com/nvd/cve-2019-15551)\nAn issue was discovered in the smallvec crate before 0.6.10 for Rust. There is a double free for certain grow attempts with the current capacity.",
"markdown": "**Vulnerability CVE-2019-15551**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|smallvec|0.6.10|[CVE-2019-15551](https://avd.aquasec.com/nvd/cve-2019-15551)|\n\nAn issue was discovered in the smallvec crate before 0.6.10 for Rust. There is a double free for certain grow attempts with the current capacity."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-15554",
"name": "LanguageSpecificPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-15554"
},
"fullDescription": {
"text": "An issue was discovered in the smallvec crate before 0.6.10 for Rust. There is memory corruption for certain grow attempts with less than the current capacity."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-15554",
"help": {
"text": "Vulnerability CVE-2019-15554\nSeverity: CRITICAL\nPackage: smallvec\nFixed Version: 0.6.10\nLink: [CVE-2019-15554](https://avd.aquasec.com/nvd/cve-2019-15554)\nAn issue was discovered in the smallvec crate before 0.6.10 for Rust. There is memory corruption for certain grow attempts with less than the current capacity.",
"markdown": "**Vulnerability CVE-2019-15554**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|smallvec|0.6.10|[CVE-2019-15554](https://avd.aquasec.com/nvd/cve-2019-15554)|\n\nAn issue was discovered in the smallvec crate before 0.6.10 for Rust. There is memory corruption for certain grow attempts with less than the current capacity."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2021-25900",
"name": "LanguageSpecificPackageVulnerability",
"shortDescription": {
"text": "CVE-2021-25900"
},
"fullDescription": {
"text": "An issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2021-25900",
"help": {
"text": "Vulnerability CVE-2021-25900\nSeverity: CRITICAL\nPackage: smallvec\nFixed Version: 0.6.14, 1.6.1\nLink: [CVE-2021-25900](https://avd.aquasec.com/nvd/cve-2021-25900)\nAn issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many.",
"markdown": "**Vulnerability CVE-2021-25900**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|smallvec|0.6.14, 1.6.1|[CVE-2021-25900](https://avd.aquasec.com/nvd/cve-2021-25900)|\n\nAn issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
}
],
"version": "0.27.1"
}
},
"results": [
{
"ruleId": "CVE-2018-14618",
"ruleIndex": 0,
"level": "error",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2018-14618\nSeverity: CRITICAL\nFixed Version: 7.61.1-r0\nLink: [CVE-2018-14618](https://avd.aquasec.com/nvd/cve-2018-14618)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2018-16839",
"ruleIndex": 1,
"level": "error",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2018-16839\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16839](https://avd.aquasec.com/nvd/cve-2018-16839)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2018-16840",
"ruleIndex": 2,
"level": "error",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2018-16840\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16840](https://avd.aquasec.com/nvd/cve-2018-16840)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2018-16842",
"ruleIndex": 3,
"level": "error",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2018-16842\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16842](https://avd.aquasec.com/nvd/cve-2018-16842)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-3822",
"ruleIndex": 4,
"level": "error",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2019-3822\nSeverity: CRITICAL\nFixed Version: 7.61.1-r2\nLink: [CVE-2019-3822](https://avd.aquasec.com/nvd/cve-2019-3822)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-5481",
"ruleIndex": 5,
"level": "error",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2019-5481\nSeverity: CRITICAL\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5481](https://avd.aquasec.com/nvd/cve-2019-5481)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-5482",
"ruleIndex": 6,
"level": "error",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2019-5482\nSeverity: CRITICAL\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5482](https://avd.aquasec.com/nvd/cve-2019-5482)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2018-17456",
"ruleIndex": 7,
"level": "error",
"message": {
"text": "Package: git\nInstalled Version: 2.15.2-r0\nVulnerability CVE-2018-17456\nSeverity: CRITICAL\nFixed Version: 2.15.3-r0\nLink: [CVE-2018-17456](https://avd.aquasec.com/nvd/cve-2018-17456)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-1353",
"ruleIndex": 8,
"level": "error",
"message": {
"text": "Package: git\nInstalled Version: 2.15.2-r0\nVulnerability CVE-2019-1353\nSeverity: CRITICAL\nFixed Version: 2.15.4-r0\nLink: [CVE-2019-1353](https://avd.aquasec.com/nvd/cve-2019-1353)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-12900",
"ruleIndex": 9,
"level": "error",
"message": {
"text": "Package: libbz2\nInstalled Version: 1.0.6-r6\nVulnerability CVE-2019-12900\nSeverity: CRITICAL\nFixed Version: 1.0.6-r7\nLink: [CVE-2019-12900](https://avd.aquasec.com/nvd/cve-2019-12900)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2018-16839",
"ruleIndex": 1,
"level": "error",
"message": {
"text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2018-16839\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16839](https://avd.aquasec.com/nvd/cve-2018-16839)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2018-16840",
"ruleIndex": 2,
"level": "error",
"message": {
"text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2018-16840\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16840](https://avd.aquasec.com/nvd/cve-2018-16840)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2018-16842",
"ruleIndex": 3,
"level": "error",
"message": {
"text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2018-16842\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16842](https://avd.aquasec.com/nvd/cve-2018-16842)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-3822",
"ruleIndex": 4,
"level": "error",
"message": {
"text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2019-3822\nSeverity: CRITICAL\nFixed Version: 7.61.1-r2\nLink: [CVE-2019-3822](https://avd.aquasec.com/nvd/cve-2019-3822)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-5481",
"ruleIndex": 5,
"level": "error",
"message": {
"text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2019-5481\nSeverity: CRITICAL\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5481](https://avd.aquasec.com/nvd/cve-2019-5481)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-5482",
"ruleIndex": 6,
"level": "error",
"message": {
"text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2019-5482\nSeverity: CRITICAL\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5482](https://avd.aquasec.com/nvd/cve-2019-5482)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-14697",
"ruleIndex": 10,
"level": "error",
"message": {
"text": "Package: musl\nInstalled Version: 1.1.18-r3\nVulnerability CVE-2019-14697\nSeverity: CRITICAL\nFixed Version: 1.1.18-r4\nLink: [CVE-2019-14697](https://avd.aquasec.com/nvd/cve-2019-14697)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-14697",
"ruleIndex": 10,
"level": "error",
"message": {
"text": "Package: musl-utils\nInstalled Version: 1.1.18-r3\nVulnerability CVE-2019-14697\nSeverity: CRITICAL\nFixed Version: 1.1.18-r4\nLink: [CVE-2019-14697](https://avd.aquasec.com/nvd/cve-2019-14697)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-8457",
"ruleIndex": 11,
"level": "error",
"message": {
"text": "Package: sqlite-libs\nInstalled Version: 3.21.0-r1\nVulnerability CVE-2019-8457\nSeverity: CRITICAL\nFixed Version: 3.25.3-r1\nLink: [CVE-2019-8457](https://avd.aquasec.com/nvd/cve-2019-8457)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2020-25576",
"ruleIndex": 12,
"level": "error",
"message": {
"text": "Package: rand_core\nInstalled Version: 0.4.0\nVulnerability CVE-2020-25576\nSeverity: CRITICAL\nFixed Version: 0.3.1, 0.4.2\nLink: [CVE-2020-25576](https://avd.aquasec.com/nvd/cve-2020-25576)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "rust-app/Cargo.lock",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-15551",
"ruleIndex": 13,
"level": "error",
"message": {
"text": "Package: smallvec\nInstalled Version: 0.6.9\nVulnerability CVE-2019-15551\nSeverity: CRITICAL\nFixed Version: 0.6.10\nLink: [CVE-2019-15551](https://avd.aquasec.com/nvd/cve-2019-15551)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "rust-app/Cargo.lock",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-15554",
"ruleIndex": 14,
"level": "error",
"message": {
"text": "Package: smallvec\nInstalled Version: 0.6.9\nVulnerability CVE-2019-15554\nSeverity: CRITICAL\nFixed Version: 0.6.10\nLink: [CVE-2019-15554](https://avd.aquasec.com/nvd/cve-2019-15554)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "rust-app/Cargo.lock",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2021-25900",
"ruleIndex": 15,
"level": "error",
"message": {
"text": "Package: smallvec\nInstalled Version: 0.6.9\nVulnerability CVE-2021-25900\nSeverity: CRITICAL\nFixed Version: 0.6.14, 1.6.1\nLink: [CVE-2021-25900](https://avd.aquasec.com/nvd/cve-2021-25900)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "rust-app/Cargo.lock",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
}
],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {
"uri": "file:///"
}
}
}
]
}

98
test/data/image-scan/report Normal file
View File

@@ -0,0 +1,98 @@
knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)
┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-14618 │ CRITICAL │ fixed │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16839 │ │ │ │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ │ │ │ curl: Use-after-free when closing "easy" handle in │
│ │ │ │ │ │ │ Curl_close() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16840 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16842 │ │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ │ formatting │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-3822 │ │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-1353 │ │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
│ │ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ │ │ │ curl: Use-after-free when closing "easy" handle in │
│ │ │ │ │ │ │ Curl_close() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16840 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16842 │ │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ │ formatting │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-3822 │ │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
│ │ │ │ │ │ │ adjustment im ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
├─────────────┤ │ │ │ │ │ │
│ musl-utils │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
rust-app/Cargo.lock (cargo)
===========================
Total: 4 (CRITICAL: 4)
┌───────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ rand_core │ CVE-2020-25576 │ CRITICAL │ fixed │ 0.4.0 │ 0.4.2, 0.3.1 │ An issue was discovered in the rand_core crate before 0.4.2 │
│ │ │ │ │ │ │ for Rust.... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-25576 │
├───────────┼────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ smallvec │ CVE-2019-15551 │ │ │ 0.6.9 │ 0.6.10 │ An issue was discovered in the smallvec crate before 0.6.10 │
│ │ │ │ │ │ │ for Rust.... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15551 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-15554 │ │ │ │ │ An issue was discovered in the smallvec crate before 0.6.10 │
│ │ │ │ │ │ │ for Rust.... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15554 │
│ ├────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2021-25900 │ │ │ │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
│ │ │ │ │ │ │ and 1.x... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
└───────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

107
test/data/image.test
View File

@@ -1,107 +0,0 @@
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| curl | CVE-2018-14618 | CRITICAL | 7.61.0-r0 | 7.61.1-r0 | curl: NTLM password overflow |
| | | | | | via integer overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-14618 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2018-16839 | | | 7.61.1-r1 | curl: Integer overflow leading |
| | | | | | to heap-based buffer overflow in |
| | | | | | Curl_sasl_create_plain_message() |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16839 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2018-16840 | | | | curl: Use-after-free when closing |
| | | | | | "easy" handle in Curl_close() |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16840 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2018-16842 | | | | curl: Heap-based buffer over-read |
| | | | | | in the curl tool warning formatting |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16842 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2019-3822 | | | 7.61.1-r2 | curl: NTLMv2 type-3 header |
| | | | | | stack buffer overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-3822 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2019-5481 | | | 7.61.1-r3 | curl: double free due to |
| | | | | | subsequent call of realloc() |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-5481 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2019-5482 | | | | curl: heap buffer overflow in |
| | | | | | function tftp_receive_packet() |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-5482 |
+-------------+------------------+ +-------------------+---------------+---------------------------------------+
| git | CVE-2018-17456 | | 2.15.2-r0 | 2.15.3-r0 | git: arbitrary code |
| | | | | | execution via .gitmodules |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-17456 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2019-1353 | | | 2.15.4-r0 | git: NTFS protections inactive |
| | | | | | when running Git in the |
| | | | | | Windows Subsystem for... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1353 |
+-------------+------------------+ +-------------------+---------------+---------------------------------------+
| libbz2 | CVE-2019-12900 | | 1.0.6-r6 | 1.0.6-r7 | bzip2: out-of-bounds write |
| | | | | | in function BZ2_decompress |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-12900 |
+-------------+------------------+ +-------------------+---------------+---------------------------------------+
| libcurl | CVE-2018-16839 | | 7.61.1-r0 | 7.61.1-r1 | curl: Integer overflow leading |
| | | | | | to heap-based buffer overflow in |
| | | | | | Curl_sasl_create_plain_message() |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16839 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2018-16840 | | | | curl: Use-after-free when closing |
| | | | | | "easy" handle in Curl_close() |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16840 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2018-16842 | | | | curl: Heap-based buffer over-read |
| | | | | | in the curl tool warning formatting |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16842 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2019-3822 | | | 7.61.1-r2 | curl: NTLMv2 type-3 header |
| | | | | | stack buffer overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-3822 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2019-5481 | | | 7.61.1-r3 | curl: double free due to |
| | | | | | subsequent call of realloc() |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-5481 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2019-5482 | | | | curl: heap buffer overflow in |
| | | | | | function tftp_receive_packet() |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-5482 |
+-------------+------------------+ +-------------------+---------------+---------------------------------------+
| musl | CVE-2019-14697 | | 1.1.18-r3 | 1.1.18-r4 | musl libc through 1.1.23 |
| | | | | | has an x87 floating-point |
| | | | | | stack adjustment im ...... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14697 |
+-------------+ + + + + +
| musl-utils | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+-------------+------------------+ +-------------------+---------------+---------------------------------------+
| sqlite-libs | CVE-2019-8457 | | 3.21.0-r1 | 3.25.3-r1 | sqlite: heap out-of-bound |
| | | | | | read in function rtreenode() |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-8457 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
| rand_core | CVE-2020-25576 | CRITICAL | 0.4.0 | 0.3.1, 0.4.2 | An issue was discovered |
| | | | | | in the rand_core crate |
| | | | | | before 0.4.2 for Rust.... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-25576 |
+-----------+------------------+ +-------------------+---------------+---------------------------------------+
| smallvec | CVE-2019-15551 | | 0.6.9 | 0.6.10 | An issue was discovered |
| | | | | | in the smallvec crate |
| | | | | | before 0.6.10 for Rust.... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-15551 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2019-15554 | | | | An issue was discovered |
| | | | | | in the smallvec crate |
| | | | | | before 0.6.10 for Rust.... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-15554 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2021-25900 | | | 0.6.14, 1.6.1 | An issue was discovered |
| | | | | | in the smallvec crate |
| | | | | | before 0.6.14 and 1.x... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-25900 |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+

34
test/data/repo.test
View File

@@ -1,34 +0,0 @@
{
"SchemaVersion": 2,
"ArtifactName": "https://github.com/krol3/demo-trivy/",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "env",
"Class": "secret",
"Secrets": [
{
"RuleID": "github-pat",
"Category": "GitHub",
"Severity": "CRITICAL",
"Title": "GitHub Personal Access Token",
"StartLine": 5,
"EndLine": 5,
"Match": "export GITHUB_PAT=*****"
}
]
}
]
}

0
test/data/rootfs-scan/report Normal file
View File

17
test/data/rootfs.test
View File

@@ -1,17 +0,0 @@
{
"SchemaVersion": 2,
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
}
}

77
test/data/secret-scan/report.json Normal file
View File

@@ -0,0 +1,77 @@
{
"SchemaVersion": 2,
"ArtifactName": "https://github.com/krol3/demo-trivy/",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "env",
"Class": "secret",
"Secrets": [
{
"RuleID": "github-pat",
"Category": "GitHub",
"Severity": "CRITICAL",
"Title": "GitHub Personal Access Token",
"StartLine": 5,
"EndLine": 5,
"Code": {
"Lines": [
{
"Number": 3,
"Content": "export AWS_ACCESS_KEY_ID=1234567",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "export AWS_ACCESS_KEY_ID=1234567",
"FirstCause": false,
"LastCause": false
},
{
"Number": 4,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 5,
"Content": "export GITHUB_PAT=****************************************",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "export GITHUB_PAT=****************************************",
"FirstCause": true,
"LastCause": true
},
{
"Number": 6,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
}
]
},
"Match": "export GITHUB_PAT=****************************************",
"Layer": {}
}
]
}
]
}

3
test/data/with-ignore-files/.trivyignore1 Normal file
View File

@@ -0,0 +1,3 @@
# test data #1 for trivy-ignores option
CVE-2020-25576
CVE-2019-15551

2
test/data/with-ignore-files/.trivyignore2 Normal file
View File

@@ -0,0 +1,2 @@
# test data #2 for trivy-ignores option
CVE-2019-15554

86
test/data/with-ignore-files/report Normal file
View File

@@ -0,0 +1,86 @@
knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)
┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-14618 │ CRITICAL │ fixed │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16839 │ │ │ │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ │ │ │ curl: Use-after-free when closing "easy" handle in │
│ │ │ │ │ │ │ Curl_close() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16840 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16842 │ │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ │ formatting │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-3822 │ │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-1353 │ │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
│ │ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16840 │ │ │ │ │ curl: Use-after-free when closing "easy" handle in │
│ │ │ │ │ │ │ Curl_close() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16840 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2018-16842 │ │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ │ formatting │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-3822 │ │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
│ │ │ │ │ │ │ adjustment im ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
├─────────────┤ │ │ │ │ │ │
│ musl-utils │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
rust-app/Cargo.lock (cargo)
===========================
Total: 1 (CRITICAL: 1)
┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ smallvec │ CVE-2021-25900 │ CRITICAL │ fixed │ 0.6.9 │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
│ │ │ │ │ │ │ and 1.x... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

2
test/data/with-tf-vars/dev.tfvars Normal file
View File

@@ -0,0 +1,2 @@
# test data for trivy config with terraform variables
bucket_versioning_enabled="Enabled"

18
test/data/with-tf-vars/main.tf Normal file
View File

@@ -0,0 +1,18 @@
# test data for trivy config with terraform variables
variable "bucket_versioning_enabled" {
type = string
default = "Disabled"
}
resource "aws_s3_bucket" "bucket" {
bucket = "trivy-action-bucket"
}
resource "aws_s3_bucket_versioning" "bucket_versioning" {
bucket = aws_s3_bucket.bucket.id
versioning_configuration {
status = var.bucket_versioning_enabled
}
}

34
test/data/with-tf-vars/report.json Normal file
View File

@@ -0,0 +1,34 @@
{
"SchemaVersion": 2,
"ArtifactName": "test/data/with-tf-vars/main.tf",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": ".",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 2,
"Failures": 0,
"Exceptions": 0
}
},
{
"Target": "main.tf",
"Class": "config",
"Type": "terraform"
}
]
}

122
test/data/with-trivy-yaml-cfg/report.json Normal file
View File

@@ -0,0 +1,122 @@
{
"SchemaVersion": 2,
"ArtifactName": "alpine:3.10",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "alpine",
"Name": "3.10.9",
"EOSL": true
},
"ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
"DiffIDs": [
"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
],
"RepoTags": [
"alpine:3.10"
],
"RepoDigests": [
"alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
],
"ImageConfig": {
"architecture": "amd64",
"container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
"created": "2021-04-14T19:20:05.338397761Z",
"docker_version": "19.03.12",
"history": [
{
"created": "2021-04-14T19:20:04.987219124Z",
"created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
},
{
"created": "2021-04-14T19:20:05.338397761Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
]
},
"config": {
"Cmd": [
"/bin/sh"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
}
}
},
"Results": [
{
"Target": "alpine:3.10 (alpine 3.10.9)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2021-36159",
"PkgID": "apk-tools@2.10.6-r0",
"PkgName": "apk-tools",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9",
"UID": "99f6581ffed6b22"
},
"InstalledVersion": "2.10.6-r0",
"FixedVersion": "2.10.7-r0",
"Status": "fixed",
"Layer": {
"Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
"DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash",
"Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-125"
],
"VendorSeverity": {
"nvd": 4,
"redhat": 3
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"V2Score": 6.4,
"V3Score": 9.1
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"V3Score": 9.1
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2021-36159",
"https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
"https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E",
"https://nvd.nist.gov/vuln/detail/CVE-2021-36159",
"https://www.cve.org/CVERecord?id=CVE-2021-36159"
],
"PublishedDate": "2021-08-03T14:15:08.233Z",
"LastModifiedDate": "2023-11-07T03:36:43.337Z"
}
]
}
]
}

5
test/data/with-trivy-yaml-cfg/trivy.yaml Normal file
View File

@@ -0,0 +1,5 @@
format: json
severity: CRITICAL
vulnerability:
type: os
output: yamlconfig.json

170
test/test.bats
View File

@@ -1,50 +1,152 @@
#!/usr/bin/env bats
@test "trivy image" {
# trivy image --severity CRITICAL -o image.test knqyf263/vuln-image:1.2.3
./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b table' '-h image.test' '-g CRITICAL'
result="$(diff ./test/data/image.test image.test)"
[ "$result" == '' ]
setup_file() {
local owner=$GITHUB_REPOSITORY_OWNER
export TRIVY_DB_REPOSITORY=ghcr.io/${owner}/trivy-db-act:latest
export TRIVY_JAVA_DB_REPOSITORY=ghcr.io/${owner}/trivy-java-db-act:latest
export TRIVY_CHECKS_BUNDLE_REPOSITORY=ghcr.io/${owner}/trivy-checks-act:latest
}
@test "trivy image sarif report" {
# trivy image --severity CRITICAL -f sarif -o image-sarif.test knqyf263/vuln-image:1.2.3
./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b sarif' '-h image-sarif.test' '-g CRITICAL'
result="$(diff ./test/data/image-sarif.test image-sarif.test)"
[ "$result" == '' ]
setup() {
bats_load_library bats-support
bats_load_library bats-assert
bats_load_library bats-file
}
@test "trivy config" {
# trivy conf -o config.test .
./entrypoint.sh '-a config' '-j .' '-b table' '-h config.test'
result="$(diff ./test/data/config.test config.test)"
[ "$result" == '' ]
function remove_json_fields() {
local file="$1"
if [[ "$file" == *.json ]]; then
jq 'del(.CreatedAt)' "$file" > tmp && mv tmp "$file"
fi
}
@test "trivy rootfs" {
# trivy rootfs -o rootfs.test -f json .
./entrypoint.sh '-a rootfs' '-j .' '-b json' '-h rootfs.test'
result="$(diff ./test/data/rootfs.test rootfs.test)"
[ "$result" == '' ]
function remove_sarif_fields() {
local file="$1"
if [[ "$file" == *.sarif ]]; then
jq 'del(.runs[].tool.driver.version) | del(.runs[].originalUriBaseIds)' "$file" > tmp && mv tmp "$file"
fi
}
@test "trivy fs" {
# trivy fs -f json -o fs.test .
./entrypoint.sh '-a fs' '-j .' '-b json' '-h fs.test'
result="$(diff ./test/data/fs.test fs.test)"
[ "$result" == '' ]
function remove_github_fields() {
local file="$1"
if [[ "$file" == *.gsbom ]]; then
jq 'del(.detector.version) | del(.scanned) | del(.job) | del(.ref) | del(.sha)' "$file" > tmp && mv tmp "$file"
fi
}
@test "trivy fs with securityChecks option" {
# trivy fs -f json --security-checks=vuln,config -o fs.test .
./entrypoint.sh '-a fs' '-j .' '-b json' '-s vuln,config,secret' '-h fs-scheck.test'
result="$(diff ./test/data/fs.test fs.test)"
[ "$result" == '' ]
function reset_envs() {
local var
for var in $(env | grep '^TRIVY_\|^INPUT_' | cut -d= -f1); do
unset "$var"
done
}
function compare_files() {
local file1="$1"
local file2="$2"
# Some fields should be removed as they are environment dependent
# and may cause undesirable results when comparing files.
remove_json_fields "$file1"
remove_json_fields "$file2"
remove_sarif_fields "$file1"
remove_sarif_fields "$file2"
remove_github_fields "$file1"
remove_github_fields "$file2"
run diff "$file1" "$file2"
echo "$output"
assert_files_equal "$file1" "$file2"
}
@test "trivy repo with securityCheck secret only" {
# trivy repo -f json -o repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
result="$(diff ./test/data/repo.test repo.test)"
[ "$result" == '' ]
# trivy repo -f json -o repo.test --scanners=secret https://github.com/krol3/demo-trivy/
export TRIVY_FORMAT=json TRIVY_OUTPUT=repo.json TRIVY_SCANNERS=secret INPUT_SCAN_TYPE=repo INPUT_SCAN_REF="https://github.com/krol3/demo-trivy/"
./entrypoint.sh
compare_files repo.json ./test/data/secret-scan/report.json
reset_envs
}
@test "trivy image" {
# trivy image --severity CRITICAL -o image.test knqyf263/vuln-image:1.2.3
export TRIVY_OUTPUT=image.test TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3
./entrypoint.sh
compare_files image.test ./test/data/image-scan/report
reset_envs
}
@test "trivy config sarif report" {
# trivy config -f sarif -o config-sarif.test ./test/data/config-sarif-report
export TRIVY_FORMAT=sarif TRIVY_OUTPUT=config-sarif.sarif INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/config-sarif-report
./entrypoint.sh
compare_files config-sarif.sarif ./test/data/config-sarif-report/report.sarif
reset_envs
}
@test "trivy config" {
# trivy config -f json -o config.json ./test/data/config-scan
export TRIVY_FORMAT=json TRIVY_OUTPUT=config.json INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/config-scan
./entrypoint.sh
compare_files config.json ./test/data/config-scan/report.json
reset_envs
}
@test "trivy rootfs" {
# trivy rootfs --output rootfs.test ./test/data/rootfs-scan
# TODO: add data
export TRIVY_OUTPUT=rootfs.test INPUT_SCAN_TYPE=rootfs INPUT_SCAN_REF=./test/data/rootfs-scan
./entrypoint.sh
compare_files rootfs.test ./test/data/rootfs-scan/report
reset_envs
}
@test "trivy fs" {
# trivy fs --output fs.test ./test/data/fs-scan
# TODO: add data
export TRIVY_OUTPUT=fs.test INPUT_SCAN_TYPE=fs INPUT_SCAN_REF=./test/data/fs-scan
./entrypoint.sh
compare_files fs.test ./test/data/fs-scan/report
reset_envs
}
@test "trivy image with trivyIgnores option" {
# cat ./test/data/with-ignore-files/.trivyignore1 ./test/data/with-ignore-files/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
export TRIVY_OUTPUT=image-trivyignores.test TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_IMAGE_REF=knqyf263/vuln-image:1.2.3 INPUT_TRIVYIGNORES="./test/data/with-ignore-files/.trivyignore1,./test/data/with-ignore-files/.trivyignore2"
./entrypoint.sh
compare_files image-trivyignores.test ./test/data/with-ignore-files/report
reset_envs
}
@test "trivy image with sbom output" {
# trivy image --format github knqyf263/vuln-image:1.2.3
export TRIVY_FORMAT=github TRIVY_OUTPUT=github-dep-snapshot.gsbom INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3
./entrypoint.sh
compare_files github-dep-snapshot.gsbom ./test/data/github-dep-snapshot/report.gsbom
reset_envs
}
@test "trivy image with trivy.yaml config" {
# trivy --config=./test/data/with-trivy-yaml-cfg/trivy.yaml image alpine:3.10
export TRIVY_CONFIG=./test/data/with-trivy-yaml-cfg/trivy.yaml INPUT_SCAN_TYPE=image INPUT_SCAN_REF=alpine:3.10
./entrypoint.sh
compare_files yamlconfig.json ./test/data/with-trivy-yaml-cfg/report.json
reset_envs
}
@test "trivy image with custom docker-host" {
# trivy image --docker-host unix:///var/run/docker.sock --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
export TRIVY_OUTPUT=image.test TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3 TRIVY_DOCKER_HOST=unix:///var/run/docker.sock
./entrypoint.sh
compare_files image.test ./test/data/image-scan/report
reset_envs
}
@test "trivy config with terraform variables" {
# trivy config -f json -o tfvars.json --severity MEDIUM --tf-vars ./test/data/with-tf-vars/dev.tfvars ./test/data/with-tf-vars/main.tf
export TRIVY_FORMAT=json TRIVY_SEVERITY=MEDIUM TRIVY_OUTPUT=tfvars.json INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/with-tf-vars/main.tf TRIVY_TF_VARS=./test/data/with-tf-vars/dev.tfvars
./entrypoint.sh
compare_files tfvars.json ./test/data/with-tf-vars/report.json
reset_envs
}

6
workflow.yml
View File

@@ -7,10 +7,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
@@ -29,6 +29,6 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'