Compare commits
7 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
76071ef0d7 | ||
|
|
4844d823d3 | ||
|
|
26d71e622b | ||
|
|
b3dafe507f | ||
|
|
99baf0d8b4 | ||
|
|
7aca5acc95 | ||
|
|
ea27ac12e1 |
Vendored
+6
-5
@@ -6,7 +6,7 @@ on:
|
||||
trivy_version:
|
||||
required: true
|
||||
type: string
|
||||
description: the trivy version
|
||||
description: 'The Trivy version in x.x.x format'
|
||||
|
||||
run-name: Bump trivy to v${{ inputs.trivy_version }}
|
||||
|
||||
@@ -15,11 +15,12 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set new version from input
|
||||
run: echo "NEW_VERSION=${{ inputs.trivy_version }}" >> $GITHUB_ENV
|
||||
|
||||
- name: Update Trivy versions
|
||||
run: |
|
||||
find test/data -type f -name '*.test' | xargs sed -r -i 's/"version": "[0-9]+\.[0-9]+\.[0-9]+"/"version": "${{ inputs.trivy_version }}"/'
|
||||
sed -r -i '/^\| `version`/ s/[0-9]+\.[0-9]+\.[0-9]+/${{ inputs.trivy_version }}/g' README.md
|
||||
sed -r -i 's/(default:[ ]*'"'"')v[0-9]+\.[0-9]+\.[0-9]+/\1v${{ inputs.trivy_version }}/' action.yaml
|
||||
run: make bump-trivy
|
||||
|
||||
- name: Create PR
|
||||
id: create-pr
|
||||
|
||||
Vendored
+1
-1
@@ -6,7 +6,7 @@ on:
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
TRIVY_VERSION: 0.60.0
|
||||
TRIVY_VERSION: 0.63.0
|
||||
BATS_LIB_PATH: '/usr/lib/'
|
||||
|
||||
jobs:
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
OS := $(shell uname)
|
||||
ifeq ($(OS), Darwin)
|
||||
BATS_LIB_PATH=/opt/homebrew/lib
|
||||
endif
|
||||
ifeq ($(OS), Linux)
|
||||
BATS_LIB_PATH=/usr/local/lib/
|
||||
endif
|
||||
SED = sed
|
||||
BATS_LIB_PATH = /usr/local/lib/
|
||||
|
||||
ifeq ($(OS), Darwin)
|
||||
SED = gsed
|
||||
BATS_LIB_PATH = /opt/homebrew/lib
|
||||
endif
|
||||
|
||||
.PHONY: test
|
||||
test:
|
||||
@@ -13,3 +13,10 @@ test:
|
||||
BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\
|
||||
TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
|
||||
bats --recursive --timing --verbose-run .
|
||||
|
||||
bump-trivy:
|
||||
@[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )
|
||||
@CURRENT_VERSION=$$(grep "TRIVY_VERSION:" .github/workflows/test.yaml | awk '{print $$2}');\
|
||||
echo Current version: $$CURRENT_VERSION ;\
|
||||
echo New version: $$NEW_VERSION ;\
|
||||
$(SED) -i -e "s/$$CURRENT_VERSION/$$NEW_VERSION/g" README.md action.yaml .github/workflows/test.yaml ;\
|
||||
|
||||
@@ -43,7 +43,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
@@ -72,7 +72,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -206,7 +206,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -215,7 +215,7 @@ jobs:
|
||||
uses: aquasecurity/setup-trivy@v0.2.0
|
||||
with:
|
||||
cache: true
|
||||
version: v0.60.1
|
||||
version: v0.63.0
|
||||
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@master
|
||||
@@ -307,7 +307,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -394,7 +394,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -429,7 +429,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -468,7 +468,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -502,7 +502,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -537,7 +537,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -652,7 +652,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -688,7 +688,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -724,7 +724,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -757,7 +757,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -820,40 +820,47 @@ Configuration priority:
|
||||
|
||||
Following inputs can be used as `step.with` keys:
|
||||
|
||||
| Name | Type | Default | Description |
|
||||
|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
|
||||
| `template` | String | | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`) |
|
||||
| `tf-vars` | String | | path to Terraform variables file |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory. NOTE: This value cannot be configured by `trivy.yaml`. |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `false` | Suppress progress bar and log output |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
|
||||
| `version` | String | `v0.60.0` | Trivy version to use, e.g. `latest` or `v0.60.0` |
|
||||
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
|
||||
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
|
||||
| Name | Type | Default | Description |
|
||||
|------------------------------|---------|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
|
||||
| `template` | String | | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`) |
|
||||
| `tf-vars` | String | | path to Terraform variables file |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory. NOTE: This value cannot be configured by `trivy.yaml`. |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `false` | Suppress progress bar and log output |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |
|
||||
| `version` | String | `v0.63.0` | Trivy version to use, e.g. `latest` or `v0.63.0` |
|
||||
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
|
||||
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
|
||||
|
||||
### Environment variables
|
||||
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
|
||||
|
||||
**NB** In some older versions of the Action there was a bug that caused inputs from one call to the Action to leak
|
||||
over to subsequent calls to the Action. This could cause workflows that call the Action multiple times e.g. to run
|
||||
multiple scans, or the same scans with different output formats, to not produce the desired output. You can see if this
|
||||
is the case by looking at the GitHub Actions step information, if the `env` section shown in your Actions output
|
||||
contains `TRIVY_*` environment variables you did not explicitly set then you may be affected by this bug and should
|
||||
upgrade to the latest Action version.
|
||||
|
||||
### Trivy config file
|
||||
When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
|
||||
|
||||
|
||||
+36
-4
@@ -98,7 +98,7 @@ inputs:
|
||||
version:
|
||||
description: 'Trivy version to use'
|
||||
required: false
|
||||
default: 'v0.60.0'
|
||||
default: 'v0.63.0'
|
||||
cache:
|
||||
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
|
||||
required: false
|
||||
@@ -122,7 +122,11 @@ runs:
|
||||
steps:
|
||||
- name: Install Trivy
|
||||
if: ${{ inputs.skip-setup-trivy == 'false' }}
|
||||
uses: aquasecurity/setup-trivy@v0.2.2
|
||||
# Pin to hash instead of tag for aquasecurity/setup-trivy action so that GitHub Actions
|
||||
# "allowing select actions" feature can be used to whitelist the dependent action by a hash.
|
||||
# This is needed since some organizations have a policy to only allow pinned 3rd party actions to
|
||||
# be used.
|
||||
uses: aquasecurity/setup-trivy@ff1b8b060f23b650436d419b5e13f67f5d4c3087 # equivalent to `v0.2.2`
|
||||
with:
|
||||
version: ${{ inputs.version }}
|
||||
cache: ${{ inputs.cache }}
|
||||
@@ -147,6 +151,14 @@ runs:
|
||||
env:
|
||||
GITHUB_ACTION_PATH: ${{ github.action_path }}
|
||||
|
||||
# Create and Clear Trivy Envs file
|
||||
#Â See #422 for context
|
||||
- name: Clear Trivy Envs file
|
||||
shell: bash
|
||||
run: |
|
||||
rm -f trivy_envs.txt
|
||||
touch trivy_envs.txt
|
||||
|
||||
- name: Set Trivy environment variables
|
||||
shell: bash
|
||||
run: |
|
||||
@@ -154,14 +166,26 @@ runs:
|
||||
# This limitation affects how we handle default values and empty inputs.
|
||||
# For more information, see: https://github.com/actions/runner/issues/924
|
||||
|
||||
# Function to set environment variable only if the input is provided and different from default
|
||||
# The following logic implements the configuration priority described in the README:
|
||||
#
|
||||
# Inputs
|
||||
# Environment Variables
|
||||
# Config File
|
||||
# Defaults
|
||||
#
|
||||
# As noted above defaults are awkward to handle as GitHub Actions will inject those values as the input
|
||||
# if the caller doesn't provide them, thus if the input matches the default we don't set it as we
|
||||
# can't tell the difference. Plus if we did set it when it was the default value then it could potentially
|
||||
# override an external environment variable, or something in the callers configuration file, which then wouldn't
|
||||
# match the configuration priority that is documented.
|
||||
set_env_var_if_provided() {
|
||||
local var_name="$1"
|
||||
local input_value="$2"
|
||||
local default_value="$3"
|
||||
|
||||
if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then
|
||||
echo "$var_name=$input_value" >> $GITHUB_ENV
|
||||
# If action was provided with explicit input by the caller set that
|
||||
echo "export $var_name=$input_value" >> trivy_envs.txt
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -202,3 +226,11 @@ runs:
|
||||
|
||||
# For Trivy
|
||||
TRIVY_CACHE_DIR: ${{ inputs.cache-dir }} # Always set
|
||||
|
||||
# Remove Trivy envs to keep envs within this action and avoid env leaks
|
||||
#Â See #422 for context
|
||||
- name: Remove Trivy Envs file
|
||||
if: ${{ always() }}
|
||||
shell: bash
|
||||
run: |
|
||||
rm -f trivy_envs.txt
|
||||
|
||||
+9
-1
@@ -1,6 +1,14 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
# Read TRIVY_* envs from file, previously they were written to the GITHUB_ENV file but GitHub Actions automatically
|
||||
# injects those into subsequent job steps which means inputs from one trivy-action invocation were leaking over to
|
||||
# any subsequent invocation which led to unexpected/undesireable behaviour from a user perspective
|
||||
# See #422 for more context around this
|
||||
if [ -f ./trivy_envs.txt ]; then
|
||||
source ./trivy_envs.txt
|
||||
fi
|
||||
|
||||
# Set artifact reference
|
||||
scanType="${INPUT_SCAN_TYPE:-image}"
|
||||
scanRef="${INPUT_SCAN_REF:-.}"
|
||||
@@ -54,4 +62,4 @@ if [ "${TRIVY_FORMAT:-}" = "github" ]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
exit $returnCode
|
||||
exit $returnCode
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
{
|
||||
"SchemaVersion": 2,
|
||||
"CreatedAt": "2025-06-03T01:26:45.367171-06:00",
|
||||
"ArtifactName": "alpine:3.10",
|
||||
"ArtifactType": "container_image",
|
||||
"Metadata": {
|
||||
"Size": 5842432,
|
||||
"OS": {
|
||||
"Family": "alpine",
|
||||
"Name": "3.10.9",
|
||||
@@ -50,7 +52,14 @@
|
||||
],
|
||||
"Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Layers": [
|
||||
{
|
||||
"Size": 5842432,
|
||||
"Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
|
||||
"DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
|
||||
}
|
||||
]
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
@@ -63,8 +72,8 @@
|
||||
"PkgID": "apk-tools@2.10.6-r0",
|
||||
"PkgName": "apk-tools",
|
||||
"PkgIdentifier": {
|
||||
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9",
|
||||
"UID": "99f6581ffed6b22"
|
||||
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64\u0026distro=3.10.9",
|
||||
"UID": "b7a64ae671a99195"
|
||||
},
|
||||
"InstalledVersion": "2.10.6-r0",
|
||||
"FixedVersion": "2.10.7-r0",
|
||||
|
||||
@@ -39,6 +39,7 @@ function reset_envs() {
|
||||
for var in $(env | grep '^TRIVY_\|^INPUT_' | cut -d= -f1); do
|
||||
unset "$var"
|
||||
done
|
||||
rm -f trivy_envs.txt
|
||||
}
|
||||
|
||||
function compare_files() {
|
||||
@@ -149,4 +150,31 @@ function compare_files() {
|
||||
./entrypoint.sh
|
||||
compare_files tfvars.json ./test/data/with-tf-vars/report.json
|
||||
reset_envs
|
||||
}
|
||||
|
||||
@test "trivy image via environment file" {
|
||||
# trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
|
||||
# Action injects inputs into the script via environment variables
|
||||
echo "export TRIVY_OUTPUT=image.test" >> trivy_envs.txt
|
||||
echo "export TRIVY_SEVERITY=CRITICAL" >> trivy_envs.txt
|
||||
echo "export INPUT_SCAN_TYPE=image" >> trivy_envs.txt
|
||||
echo "export INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3" >> trivy_envs.txt
|
||||
./entrypoint.sh
|
||||
compare_files image.test ./test/data/image-scan/report
|
||||
reset_envs
|
||||
}
|
||||
|
||||
@test "trivy image via environment file overrides env leakages" {
|
||||
# trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
|
||||
# Action injects inputs into the script via environment variables
|
||||
# If caller mixes old and new trivy-action version they could still have env leakage so verify that env vars already
|
||||
# in the env are overridden by those from the envs file
|
||||
export INPUT_SCAN_REF=no/such-image:1.2.3
|
||||
echo "export TRIVY_OUTPUT=image.test" >> trivy_envs.txt
|
||||
echo "export TRIVY_SEVERITY=CRITICAL" >> trivy_envs.txt
|
||||
echo "export INPUT_SCAN_TYPE=image" >> trivy_envs.txt
|
||||
echo "export INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3" >> trivy_envs.txt
|
||||
./entrypoint.sh
|
||||
compare_files image.test ./test/data/image-scan/report
|
||||
reset_envs
|
||||
}
|
||||
Reference in New Issue
Block a user