Compare commits
20 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
f9424c10c3 | ||
|
|
85abccb4a4 | ||
|
|
a1698702b6 | ||
|
|
71f6a8fb8b | ||
|
|
bf330b1153 | ||
|
|
644762e8d4 | ||
|
|
f2e28516ef | ||
|
|
636fd3c4eb | ||
|
|
7c0244b8c6 | ||
|
|
c26e17b164 | ||
|
|
77137e9dc3 | ||
|
|
e7fbf034e4 | ||
|
|
dc5a429b52 | ||
|
|
76071ef0d7 | ||
|
|
4844d823d3 | ||
|
|
26d71e622b | ||
|
|
b3dafe507f | ||
|
|
99baf0d8b4 | ||
|
|
7aca5acc95 | ||
|
|
ea27ac12e1 |
14
.github/workflows/bump-trivy.yaml
vendored
14
.github/workflows/bump-trivy.yaml
vendored
@@ -6,7 +6,7 @@ on:
|
||||
trivy_version:
|
||||
required: true
|
||||
type: string
|
||||
description: the trivy version
|
||||
description: 'The Trivy version in x.x.x format'
|
||||
|
||||
run-name: Bump trivy to v${{ inputs.trivy_version }}
|
||||
|
||||
@@ -15,11 +15,15 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set new version from input
|
||||
run: echo "NEW_VERSION=${{ inputs.trivy_version }}" >> $GITHUB_ENV
|
||||
|
||||
- name: Update Trivy versions
|
||||
run: |
|
||||
find test/data -type f -name '*.test' | xargs sed -r -i 's/"version": "[0-9]+\.[0-9]+\.[0-9]+"/"version": "${{ inputs.trivy_version }}"/'
|
||||
sed -r -i '/^\| `version`/ s/[0-9]+\.[0-9]+\.[0-9]+/${{ inputs.trivy_version }}/g' README.md
|
||||
sed -r -i 's/(default:[ ]*'"'"')v[0-9]+\.[0-9]+\.[0-9]+/\1v${{ inputs.trivy_version }}/' action.yaml
|
||||
run: make bump-trivy
|
||||
|
||||
- name: Update golden files
|
||||
run: make update-golden
|
||||
|
||||
- name: Create PR
|
||||
id: create-pr
|
||||
|
||||
5
.github/workflows/sync-trivy-checks.yaml
vendored
5
.github/workflows/sync-trivy-checks.yaml
vendored
@@ -11,7 +11,10 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
|
||||
- name: setup-oras
|
||||
uses: oras-project/setup-oras@v1.2.3
|
||||
|
||||
- name: Login to GitHub Packages Container registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
|
||||
3
.github/workflows/sync-trivy-db.yaml
vendored
3
.github/workflows/sync-trivy-db.yaml
vendored
@@ -12,6 +12,9 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: setup-oras
|
||||
uses: oras-project/setup-oras@v1.2.3
|
||||
|
||||
- name: Login to GitHub Packages Container registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
|
||||
3
.github/workflows/sync-trivy-java-db.yaml
vendored
3
.github/workflows/sync-trivy-java-db.yaml
vendored
@@ -12,6 +12,9 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: setup-oras
|
||||
uses: oras-project/setup-oras@v1.2.3
|
||||
|
||||
- name: Login to GitHub Packages Container registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
|
||||
2
.github/workflows/test.yaml
vendored
2
.github/workflows/test.yaml
vendored
@@ -6,7 +6,7 @@ on:
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
TRIVY_VERSION: 0.60.0
|
||||
TRIVY_VERSION: 0.65.0
|
||||
BATS_LIB_PATH: '/usr/lib/'
|
||||
|
||||
jobs:
|
||||
|
||||
37
Makefile
37
Makefile
@@ -1,15 +1,36 @@
|
||||
OS := $(shell uname)
|
||||
SED = sed
|
||||
BATS_LIB_PATH = /usr/local/lib/
|
||||
|
||||
ifeq ($(OS), Darwin)
|
||||
BATS_LIB_PATH=/opt/homebrew/lib
|
||||
endif
|
||||
ifeq ($(OS), Linux)
|
||||
BATS_LIB_PATH=/usr/local/lib/
|
||||
SED = gsed
|
||||
BATS_LIB_PATH = /opt/homebrew/lib
|
||||
endif
|
||||
|
||||
BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
|
||||
GITHUB_REPOSITORY_OWNER=aquasecurity \
|
||||
TRIVY_CACHE_DIR=.cache \
|
||||
TRIVY_DISABLE_VEX_NOTICE=true \
|
||||
TRIVY_DEBUG=true
|
||||
|
||||
BATS_FLAGS := --recursive --timing --verbose-run .
|
||||
|
||||
.PHONY: test
|
||||
test:
|
||||
test: init-cache
|
||||
$(BATS_ENV) bats $(BATS_FLAGS)
|
||||
|
||||
.PHONY: update-golden
|
||||
update-golden: init-cache
|
||||
UPDATE_GOLDEN=1 $(BATS_ENV) bats $(BATS_FLAGS)
|
||||
|
||||
.PHONY: init-cache
|
||||
init-cache:
|
||||
mkdir -p .cache
|
||||
BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\
|
||||
TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
|
||||
bats --recursive --timing --verbose-run .
|
||||
rm -f .cache/fanal/fanal.db
|
||||
|
||||
bump-trivy:
|
||||
@[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )
|
||||
@CURRENT_VERSION=$$(grep "TRIVY_VERSION:" .github/workflows/test.yaml | awk '{print $$2}');\
|
||||
echo Current version: $$CURRENT_VERSION ;\
|
||||
echo New version: $$NEW_VERSION ;\
|
||||
$(SED) -i -e "s/$$CURRENT_VERSION/$$NEW_VERSION/g" README.md action.yaml .github/workflows/test.yaml ;\
|
||||
|
||||
103
README.md
103
README.md
@@ -43,10 +43,10 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
- name: Build an image from Dockerfile
|
||||
run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
- name: Run Trivy vulnerability scanner
|
||||
@@ -72,7 +72,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -206,7 +206,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -215,7 +215,7 @@ jobs:
|
||||
uses: aquasecurity/setup-trivy@v0.2.0
|
||||
with:
|
||||
cache: true
|
||||
version: v0.60.1
|
||||
version: v0.65.0
|
||||
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@master
|
||||
@@ -307,7 +307,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -342,7 +342,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
@@ -371,7 +371,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
@@ -394,7 +394,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -429,7 +429,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -468,7 +468,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -502,7 +502,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -537,7 +537,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -590,7 +590,7 @@ jobs:
|
||||
scan-type: 'fs'
|
||||
format: 'github'
|
||||
output: 'dependency-results.sbom.json'
|
||||
image-ref: '.'
|
||||
scan-ref: '.'
|
||||
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
|
||||
```
|
||||
|
||||
@@ -652,7 +652,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -688,7 +688,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -724,7 +724,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -757,7 +757,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -820,40 +820,47 @@ Configuration priority:
|
||||
|
||||
Following inputs can be used as `step.with` keys:
|
||||
|
||||
| Name | Type | Default | Description |
|
||||
|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
|
||||
| `template` | String | | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`) |
|
||||
| `tf-vars` | String | | path to Terraform variables file |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory. NOTE: This value cannot be configured by `trivy.yaml`. |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `false` | Suppress progress bar and log output |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
|
||||
| `version` | String | `v0.60.0` | Trivy version to use, e.g. `latest` or `v0.60.0` |
|
||||
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
|
||||
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
|
||||
| Name | Type | Default | Description |
|
||||
|------------------------------|---------|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
|
||||
| `template` | String | | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`) |
|
||||
| `tf-vars` | String | | path to Terraform variables file |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory. NOTE: This value cannot be configured by `trivy.yaml`. |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `false` | Suppress progress bar and log output |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |
|
||||
| `version` | String | `v0.65.0` | Trivy version to use, e.g. `latest` or `v0.65.0` |
|
||||
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
|
||||
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
|
||||
|
||||
### Environment variables
|
||||
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
|
||||
|
||||
**NB** In some older versions of the Action there was a bug that caused inputs from one call to the Action to leak
|
||||
over to subsequent calls to the Action. This could cause workflows that call the Action multiple times e.g. to run
|
||||
multiple scans, or the same scans with different output formats, to not produce the desired output. You can see if this
|
||||
is the case by looking at the GitHub Actions step information, if the `env` section shown in your Actions output
|
||||
contains `TRIVY_*` environment variables you did not explicitly set then you may be affected by this bug and should
|
||||
upgrade to the latest Action version.
|
||||
|
||||
### Trivy config file
|
||||
When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
|
||||
|
||||
|
||||
42
action.yaml
42
action.yaml
@@ -98,7 +98,7 @@ inputs:
|
||||
version:
|
||||
description: 'Trivy version to use'
|
||||
required: false
|
||||
default: 'v0.60.0'
|
||||
default: 'v0.65.0'
|
||||
cache:
|
||||
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
|
||||
required: false
|
||||
@@ -122,7 +122,11 @@ runs:
|
||||
steps:
|
||||
- name: Install Trivy
|
||||
if: ${{ inputs.skip-setup-trivy == 'false' }}
|
||||
uses: aquasecurity/setup-trivy@v0.2.2
|
||||
# Pin to hash instead of tag for aquasecurity/setup-trivy action so that GitHub Actions
|
||||
# "allowing select actions" feature can be used to whitelist the dependent action by a hash.
|
||||
# This is needed since some organizations have a policy to only allow pinned 3rd party actions to
|
||||
# be used.
|
||||
uses: aquasecurity/setup-trivy@ff1b8b060f23b650436d419b5e13f67f5d4c3087 # equivalent to `v0.2.2`
|
||||
with:
|
||||
version: ${{ inputs.version }}
|
||||
cache: ${{ inputs.cache }}
|
||||
@@ -135,7 +139,7 @@ runs:
|
||||
|
||||
- name: Restore DB from cache
|
||||
if: ${{ inputs.cache == 'true' }}
|
||||
uses: actions/cache@v4
|
||||
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
|
||||
with:
|
||||
path: ${{ inputs.cache-dir }}
|
||||
key: cache-trivy-${{ steps.date.outputs.date }}
|
||||
@@ -147,6 +151,14 @@ runs:
|
||||
env:
|
||||
GITHUB_ACTION_PATH: ${{ github.action_path }}
|
||||
|
||||
# Create and Clear Trivy Envs file
|
||||
#Â See #422 for context
|
||||
- name: Clear Trivy Envs file
|
||||
shell: bash
|
||||
run: |
|
||||
rm -f trivy_envs.txt
|
||||
touch trivy_envs.txt
|
||||
|
||||
- name: Set Trivy environment variables
|
||||
shell: bash
|
||||
run: |
|
||||
@@ -154,14 +166,26 @@ runs:
|
||||
# This limitation affects how we handle default values and empty inputs.
|
||||
# For more information, see: https://github.com/actions/runner/issues/924
|
||||
|
||||
# Function to set environment variable only if the input is provided and different from default
|
||||
# The following logic implements the configuration priority described in the README:
|
||||
#
|
||||
# Inputs
|
||||
# Environment Variables
|
||||
# Config File
|
||||
# Defaults
|
||||
#
|
||||
# As noted above defaults are awkward to handle as GitHub Actions will inject those values as the input
|
||||
# if the caller doesn't provide them, thus if the input matches the default we don't set it as we
|
||||
# can't tell the difference. Plus if we did set it when it was the default value then it could potentially
|
||||
# override an external environment variable, or something in the callers configuration file, which then wouldn't
|
||||
# match the configuration priority that is documented.
|
||||
set_env_var_if_provided() {
|
||||
local var_name="$1"
|
||||
local input_value="$2"
|
||||
local default_value="$3"
|
||||
|
||||
if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then
|
||||
echo "$var_name=$input_value" >> $GITHUB_ENV
|
||||
# If action was provided with explicit input by the caller set that
|
||||
echo "export $var_name=$input_value" >> trivy_envs.txt
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -202,3 +226,11 @@ runs:
|
||||
|
||||
# For Trivy
|
||||
TRIVY_CACHE_DIR: ${{ inputs.cache-dir }} # Always set
|
||||
|
||||
# Remove Trivy envs to keep envs within this action and avoid env leaks
|
||||
#Â See #422 for context
|
||||
- name: Remove Trivy Envs file
|
||||
if: ${{ always() }}
|
||||
shell: bash
|
||||
run: |
|
||||
rm -f trivy_envs.txt
|
||||
|
||||
@@ -1,6 +1,14 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
# Read TRIVY_* envs from file, previously they were written to the GITHUB_ENV file but GitHub Actions automatically
|
||||
# injects those into subsequent job steps which means inputs from one trivy-action invocation were leaking over to
|
||||
# any subsequent invocation which led to unexpected/undesireable behaviour from a user perspective
|
||||
# See #422 for more context around this
|
||||
if [ -f ./trivy_envs.txt ]; then
|
||||
source ./trivy_envs.txt
|
||||
fi
|
||||
|
||||
# Set artifact reference
|
||||
scanType="${INPUT_SCAN_TYPE:-image}"
|
||||
scanRef="${INPUT_SCAN_REF:-.}"
|
||||
@@ -54,4 +62,4 @@ if [ "${TRIVY_FORMAT:-}" = "github" ]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
exit $returnCode
|
||||
exit $returnCode
|
||||
|
||||
@@ -2,18 +2,6 @@
|
||||
"SchemaVersion": 2,
|
||||
"ArtifactName": "test/data/config-scan",
|
||||
"ArtifactType": "filesystem",
|
||||
"Metadata": {
|
||||
"ImageConfig": {
|
||||
"architecture": "",
|
||||
"created": "0001-01-01T00:00:00Z",
|
||||
"os": "",
|
||||
"rootfs": {
|
||||
"type": "",
|
||||
"diff_ids": null
|
||||
},
|
||||
"config": {}
|
||||
}
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
"Target": ".",
|
||||
@@ -50,7 +38,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0086"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -90,8 +77,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -111,7 +97,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0087"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -151,8 +136,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -172,7 +156,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0088"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -212,8 +195,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -234,7 +216,6 @@
|
||||
"https://avd.aquasec.com/misconfig/s3-bucket-logging"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -274,8 +255,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -295,7 +275,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0090"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
|
||||
"Provider": "AWS",
|
||||
@@ -416,7 +395,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0091"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -456,8 +434,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -477,7 +454,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0093"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -517,8 +493,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -538,7 +513,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0094"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -578,8 +552,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -599,7 +572,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0132"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -639,8 +611,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
|
||||
@@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19)
|
||||
│ │ │ │ │ │ │ Windows Subsystem for... │
|
||||
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
|
||||
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
|
||||
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with │
|
||||
│ │ │ │ │ │ │ data integrity tests fail).... │
|
||||
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
|
||||
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
|
||||
@@ -3,16 +3,12 @@
|
||||
"ArtifactName": "https://github.com/krol3/demo-trivy/",
|
||||
"ArtifactType": "repository",
|
||||
"Metadata": {
|
||||
"ImageConfig": {
|
||||
"architecture": "",
|
||||
"created": "0001-01-01T00:00:00Z",
|
||||
"os": "",
|
||||
"rootfs": {
|
||||
"type": "",
|
||||
"diff_ids": null
|
||||
},
|
||||
"config": {}
|
||||
}
|
||||
"RepoURL": "https://github.com/krol3/demo-trivy/",
|
||||
"Branch": "main",
|
||||
"Commit": "547db823c73fdb3385871f6235e946c72291f734",
|
||||
"CommitMsg": "chore: add gitignore",
|
||||
"Author": "carolina valencia <krol3@users.noreply.github.com>",
|
||||
"Committer": "carolina valencia <krol3@users.noreply.github.com>"
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
@@ -68,8 +64,7 @@
|
||||
}
|
||||
]
|
||||
},
|
||||
"Match": "export GITHUB_PAT=****************************************",
|
||||
"Layer": {}
|
||||
"Match": "export GITHUB_PAT=****************************************"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19)
|
||||
│ │ │ │ │ │ │ Windows Subsystem for... │
|
||||
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
|
||||
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
|
||||
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with │
|
||||
│ │ │ │ │ │ │ data integrity tests fail).... │
|
||||
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
|
||||
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
|
||||
@@ -2,18 +2,6 @@
|
||||
"SchemaVersion": 2,
|
||||
"ArtifactName": "test/data/with-tf-vars/main.tf",
|
||||
"ArtifactType": "filesystem",
|
||||
"Metadata": {
|
||||
"ImageConfig": {
|
||||
"architecture": "",
|
||||
"created": "0001-01-01T00:00:00Z",
|
||||
"os": "",
|
||||
"rootfs": {
|
||||
"type": "",
|
||||
"diff_ids": null
|
||||
},
|
||||
"config": {}
|
||||
}
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
"Target": ".",
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
"ArtifactName": "alpine:3.10",
|
||||
"ArtifactType": "container_image",
|
||||
"Metadata": {
|
||||
"Size": 5842432,
|
||||
"OS": {
|
||||
"Family": "alpine",
|
||||
"Name": "3.10.9",
|
||||
@@ -50,7 +51,14 @@
|
||||
],
|
||||
"Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Layers": [
|
||||
{
|
||||
"Size": 5842432,
|
||||
"Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
|
||||
"DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
|
||||
}
|
||||
]
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
@@ -64,7 +72,7 @@
|
||||
"PkgName": "apk-tools",
|
||||
"PkgIdentifier": {
|
||||
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9",
|
||||
"UID": "99f6581ffed6b22"
|
||||
"UID": "b7a64ae671a99195"
|
||||
},
|
||||
"InstalledVersion": "2.10.6-r0",
|
||||
"FixedVersion": "2.10.7-r0",
|
||||
@@ -114,7 +122,7 @@
|
||||
"https://www.cve.org/CVERecord?id=CVE-2021-36159"
|
||||
],
|
||||
"PublishedDate": "2021-08-03T14:15:08.233Z",
|
||||
"LastModifiedDate": "2023-11-07T03:36:43.337Z"
|
||||
"LastModifiedDate": "2024-11-21T06:13:13.57Z"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -39,6 +39,7 @@ function reset_envs() {
|
||||
for var in $(env | grep '^TRIVY_\|^INPUT_' | cut -d= -f1); do
|
||||
unset "$var"
|
||||
done
|
||||
rm -f trivy_envs.txt
|
||||
}
|
||||
|
||||
function compare_files() {
|
||||
@@ -56,9 +57,16 @@ function compare_files() {
|
||||
remove_github_fields "$file1"
|
||||
remove_github_fields "$file2"
|
||||
|
||||
run diff "$file1" "$file2"
|
||||
echo "$output"
|
||||
assert_files_equal "$file1" "$file2"
|
||||
if [ "${UPDATE_GOLDEN}" = "1" ]; then
|
||||
cp "$file1" "$file2"
|
||||
echo "Updated golden file: $file2"
|
||||
else
|
||||
run diff "$file1" "$file2"
|
||||
echo "$output"
|
||||
assert_files_equal "$file1" "$file2"
|
||||
fi
|
||||
|
||||
rm -f "$file1"
|
||||
}
|
||||
|
||||
@test "trivy repo with securityCheck secret only" {
|
||||
@@ -149,4 +157,31 @@ function compare_files() {
|
||||
./entrypoint.sh
|
||||
compare_files tfvars.json ./test/data/with-tf-vars/report.json
|
||||
reset_envs
|
||||
}
|
||||
|
||||
@test "trivy image via environment file" {
|
||||
# trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
|
||||
# Action injects inputs into the script via environment variables
|
||||
echo "export TRIVY_OUTPUT=image.test" >> trivy_envs.txt
|
||||
echo "export TRIVY_SEVERITY=CRITICAL" >> trivy_envs.txt
|
||||
echo "export INPUT_SCAN_TYPE=image" >> trivy_envs.txt
|
||||
echo "export INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3" >> trivy_envs.txt
|
||||
./entrypoint.sh
|
||||
compare_files image.test ./test/data/image-scan/report
|
||||
reset_envs
|
||||
}
|
||||
|
||||
@test "trivy image via environment file overrides env leakages" {
|
||||
# trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
|
||||
# Action injects inputs into the script via environment variables
|
||||
# If caller mixes old and new trivy-action version they could still have env leakage so verify that env vars already
|
||||
# in the env are overridden by those from the envs file
|
||||
export INPUT_SCAN_REF=no/such-image:1.2.3
|
||||
echo "export TRIVY_OUTPUT=image.test" >> trivy_envs.txt
|
||||
echo "export TRIVY_SEVERITY=CRITICAL" >> trivy_envs.txt
|
||||
echo "export INPUT_SCAN_TYPE=image" >> trivy_envs.txt
|
||||
echo "export INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3" >> trivy_envs.txt
|
||||
./entrypoint.sh
|
||||
compare_files image.test ./test/data/image-scan/report
|
||||
reset_envs
|
||||
}
|
||||
Reference in New Issue
Block a user