Compare commits
28 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| c13c370e94 | |||
|
0231551320 | ||
|
|
22438a4357 | ||
|
|
0024b3f39e | ||
|
|
83690f7d38 | ||
|
|
df65449f48 | ||
|
|
0317097f59 | ||
|
|
b6643a29fe | ||
|
|
f9424c10c3 | ||
|
|
85abccb4a4 | ||
|
|
a1698702b6 | ||
|
|
71f6a8fb8b | ||
|
|
bf330b1153 | ||
|
|
644762e8d4 | ||
|
|
f2e28516ef | ||
|
|
636fd3c4eb | ||
|
|
7c0244b8c6 | ||
|
|
c26e17b164 | ||
|
|
77137e9dc3 | ||
|
|
e7fbf034e4 | ||
|
|
dc5a429b52 | ||
|
|
76071ef0d7 | ||
|
|
4844d823d3 | ||
|
|
26d71e622b | ||
|
|
b3dafe507f | ||
|
|
99baf0d8b4 | ||
|
|
7aca5acc95 | ||
|
|
ea27ac12e1 |
27
.github/workflows/bump-trivy.yaml
vendored
27
.github/workflows/bump-trivy.yaml
vendored
@@ -6,7 +6,7 @@ on:
|
||||
trivy_version:
|
||||
required: true
|
||||
type: string
|
||||
description: the trivy version
|
||||
description: 'The Trivy version in x.x.x format'
|
||||
|
||||
run-name: Bump trivy to v${{ inputs.trivy_version }}
|
||||
|
||||
@@ -15,11 +15,30 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Update Trivy versions
|
||||
env:
|
||||
NEW_VERSION: ${{ inputs.trivy_version }}
|
||||
run: make bump-trivy
|
||||
|
||||
- name: Setup Bats and bats libs
|
||||
id: setup-bats
|
||||
uses: bats-core/bats-action@3.0.1
|
||||
|
||||
- name: Install Trivy
|
||||
run: |
|
||||
find test/data -type f -name '*.test' | xargs sed -r -i 's/"version": "[0-9]+\.[0-9]+\.[0-9]+"/"version": "${{ inputs.trivy_version }}"/'
|
||||
sed -r -i '/^\| `version`/ s/[0-9]+\.[0-9]+\.[0-9]+/${{ inputs.trivy_version }}/g' README.md
|
||||
sed -r -i 's/(default:[ ]*'"'"')v[0-9]+\.[0-9]+\.[0-9]+/\1v${{ inputs.trivy_version }}/' action.yaml
|
||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ inputs.trivy_version }}
|
||||
trivy --version
|
||||
|
||||
- name: Update golden files
|
||||
env:
|
||||
BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
|
||||
run: make update-golden
|
||||
|
||||
- name: Run tests
|
||||
env:
|
||||
BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
|
||||
run: make test
|
||||
|
||||
- name: Create PR
|
||||
id: create-pr
|
||||
|
||||
5
.github/workflows/sync-trivy-checks.yaml
vendored
5
.github/workflows/sync-trivy-checks.yaml
vendored
@@ -11,7 +11,10 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
|
||||
- name: setup-oras
|
||||
uses: oras-project/setup-oras@v1.2.3
|
||||
|
||||
- name: Login to GitHub Packages Container registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
|
||||
3
.github/workflows/sync-trivy-db.yaml
vendored
3
.github/workflows/sync-trivy-db.yaml
vendored
@@ -12,6 +12,9 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: setup-oras
|
||||
uses: oras-project/setup-oras@v1.2.3
|
||||
|
||||
- name: Login to GitHub Packages Container registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
|
||||
3
.github/workflows/sync-trivy-java-db.yaml
vendored
3
.github/workflows/sync-trivy-java-db.yaml
vendored
@@ -12,6 +12,9 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: setup-oras
|
||||
uses: oras-project/setup-oras@v1.2.3
|
||||
|
||||
- name: Login to GitHub Packages Container registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
|
||||
11
.github/workflows/test.yaml
vendored
11
.github/workflows/test.yaml
vendored
@@ -6,7 +6,7 @@ on:
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
TRIVY_VERSION: 0.60.0
|
||||
TRIVY_VERSION: 0.68.1
|
||||
BATS_LIB_PATH: '/usr/lib/'
|
||||
|
||||
jobs:
|
||||
@@ -16,7 +16,8 @@ jobs:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Setup Bats and bats libs
|
||||
uses: bats-core/bats-action@2.0.0
|
||||
id: setup-bats
|
||||
uses: bats-core/bats-action@3.0.1
|
||||
|
||||
- name: Install Trivy
|
||||
run: |
|
||||
@@ -24,8 +25,6 @@ jobs:
|
||||
trivy --version
|
||||
|
||||
- name: Test
|
||||
run: bats --recursive --timing --verbose-run .
|
||||
env:
|
||||
TRIVY_CACHE_DIR: .cache
|
||||
TRIVY_DISABLE_VEX_NOTICE: true
|
||||
TRIVY_DEBUG: true
|
||||
BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
|
||||
run: make test
|
||||
|
||||
38
Makefile
38
Makefile
@@ -1,15 +1,37 @@
|
||||
OS := $(shell uname)
|
||||
|
||||
ifeq ($(OS), Darwin)
|
||||
BATS_LIB_PATH=/opt/homebrew/lib
|
||||
endif
|
||||
ifeq ($(OS), Linux)
|
||||
BATS_LIB_PATH=/usr/local/lib/
|
||||
SED = gsed
|
||||
BATS_LIB_PATH ?= /opt/homebrew/lib
|
||||
else
|
||||
SED = sed
|
||||
BATS_LIB_PATH ?= /usr/local/lib/
|
||||
endif
|
||||
|
||||
BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
|
||||
GITHUB_REPOSITORY_OWNER=aquasecurity \
|
||||
TRIVY_CACHE_DIR=.cache \
|
||||
TRIVY_DISABLE_VEX_NOTICE=true \
|
||||
TRIVY_DEBUG=true
|
||||
|
||||
BATS_FLAGS := --recursive --timing --verbose-run .
|
||||
|
||||
.PHONY: test
|
||||
test:
|
||||
test: init-cache
|
||||
$(BATS_ENV) bats $(BATS_FLAGS)
|
||||
|
||||
.PHONY: update-golden
|
||||
update-golden: init-cache
|
||||
UPDATE_GOLDEN=1 $(BATS_ENV) bats $(BATS_FLAGS)
|
||||
|
||||
.PHONY: init-cache
|
||||
init-cache:
|
||||
mkdir -p .cache
|
||||
BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\
|
||||
TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
|
||||
bats --recursive --timing --verbose-run .
|
||||
rm -f .cache/fanal/fanal.db
|
||||
|
||||
bump-trivy:
|
||||
@[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )
|
||||
@CURRENT_VERSION=$$(grep "TRIVY_VERSION:" .github/workflows/test.yaml | awk '{print $$2}');\
|
||||
echo Current version: $$CURRENT_VERSION ;\
|
||||
echo New version: $$NEW_VERSION ;\
|
||||
$(SED) -i -e "s/$$CURRENT_VERSION/$$NEW_VERSION/g" README.md action.yaml .github/workflows/test.yaml ;\
|
||||
|
||||
211
README.md
211
README.md
@@ -43,14 +43,14 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
- name: Build an image from Dockerfile
|
||||
run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'table'
|
||||
@@ -72,13 +72,13 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner in fs mode
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
scan-ref: '.'
|
||||
@@ -119,7 +119,7 @@ If you want to disable caching, set the `cache` input to `false`, but we recomme
|
||||
|
||||
```yaml
|
||||
- name: Run Trivy scanner without cache
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
scan-ref: '.'
|
||||
@@ -180,7 +180,7 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T
|
||||
|
||||
```yaml
|
||||
- name: Run Trivy scanner without downloading DBs
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
scan-type: 'image'
|
||||
scan-ref: 'myimage'
|
||||
@@ -206,7 +206,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -215,7 +215,7 @@ jobs:
|
||||
uses: aquasecurity/setup-trivy@v0.2.0
|
||||
with:
|
||||
cache: true
|
||||
version: v0.60.1
|
||||
version: v0.68.1
|
||||
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@master
|
||||
@@ -287,7 +287,7 @@ Therefore, you can't install `Trivy` using the `setup-trivy` action.
|
||||
To fix this problem, you need to overwrite the token for `setup-trivy` using `token-setup-trivy` input:
|
||||
```yaml
|
||||
- name: Run Trivy scanner without cache
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
scan-ref: '.'
|
||||
@@ -307,7 +307,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -318,7 +318,7 @@ jobs:
|
||||
docker save -o vuln-image.tar <your-docker-image>
|
||||
|
||||
- name: Run Trivy vulnerability scanner in tarball mode
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
input: /github/workspace/vuln-image.tar
|
||||
severity: 'CRITICAL,HIGH'
|
||||
@@ -342,10 +342,10 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
scan-type: "fs"
|
||||
scan-ref: .
|
||||
@@ -371,10 +371,10 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
scan-type: "fs"
|
||||
scan-ref: .
|
||||
@@ -394,7 +394,10 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
contents: read # Required to checkout and read repo files
|
||||
security-events: write # Required to upload SARIF files to Security tab
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -404,14 +407,14 @@ jobs:
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'sarif'
|
||||
output: 'trivy-results.sarif'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
uses: github/codeql-action/upload-sarif@v4
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
@@ -429,7 +432,10 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
contents: read # Required to checkout and read repo files
|
||||
security-events: write # Required to upload SARIF files to Security tab
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -439,14 +445,14 @@ jobs:
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'sarif'
|
||||
output: 'trivy-results.sarif'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
uses: github/codeql-action/upload-sarif@v4
|
||||
if: always()
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
@@ -455,7 +461,7 @@ jobs:
|
||||
See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always
|
||||
|
||||
### Using Trivy to scan your Git repo
|
||||
It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
|
||||
It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR.
|
||||
|
||||
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
|
||||
```yaml
|
||||
@@ -468,13 +474,16 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
contents: read # Required to checkout and read repo files
|
||||
security-events: write # Required to upload SARIF files to Security tab
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
ignore-unfixed: true
|
||||
@@ -483,13 +492,13 @@ jobs:
|
||||
severity: 'CRITICAL'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
uses: github/codeql-action/upload-sarif@v4
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
### Using Trivy to scan your rootfs directories
|
||||
It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
|
||||
It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR.
|
||||
|
||||
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
|
||||
```yaml
|
||||
@@ -502,13 +511,16 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
contents: read # Required to checkout and read repo files
|
||||
security-events: write # Required to upload SARIF files to Security tab
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner with rootfs command
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
scan-type: 'rootfs'
|
||||
scan-ref: 'rootfs-example-binary'
|
||||
@@ -518,13 +530,15 @@ jobs:
|
||||
severity: 'CRITICAL'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
uses: github/codeql-action/upload-sarif@v4
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
### Using Trivy to scan Infrastructure as Code
|
||||
It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
|
||||
It's also possible to scan your IaC repos with Trivy's built-in repo scan.
|
||||
This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo.
|
||||
This helps you identify potential vulnerabilities that might get introduced with each PR.
|
||||
|
||||
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
|
||||
```yaml
|
||||
@@ -537,13 +551,16 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
contents: read # Required to checkout and read repo files
|
||||
security-events: write # Required to upload SARIF files to Security tab
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner in IaC mode
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
scan-type: 'config'
|
||||
hide-progress: true
|
||||
@@ -553,11 +570,26 @@ jobs:
|
||||
severity: 'CRITICAL,HIGH'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
if: always()
|
||||
uses: github/codeql-action/upload-sarif@v4
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
**Note**: If your Terraform configuration contains private modules, configure Git to authenticate with the repository hosting them.
|
||||
This can be done by adding a step in your CI workflow that sets up access, for example using a Personal Access Token (PAT) or SSH keys:
|
||||
|
||||
```yaml
|
||||
- name: Configure Git for private modules
|
||||
run: |
|
||||
git config --global url."https://$GITHUB_USER:$PRIVATE_REPO_TOKEN@github.com/".insteadOf "https://github.com/"
|
||||
env:
|
||||
GITHUB_USER: ${{ github.actor }}
|
||||
PRIVATE_REPO_TOKEN: ${{ secrets.PRIVATE_REPO_TOKEN }}
|
||||
```
|
||||
This ensures Trivy can download private modules.
|
||||
|
||||
|
||||
### Using Trivy to generate SBOM
|
||||
It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
|
||||
|
||||
@@ -585,12 +617,12 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
format: 'github'
|
||||
output: 'dependency-results.sbom.json'
|
||||
image-ref: '.'
|
||||
scan-ref: '.'
|
||||
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
|
||||
```
|
||||
|
||||
@@ -615,7 +647,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Scan image in a private registry
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
image-ref: "private_image_registry/image_name:image_tag"
|
||||
scan-type: image
|
||||
@@ -652,13 +684,16 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
contents: read # Required to checkout and read repo files
|
||||
security-events: write # Required to upload SARIF results to the GitHub Security tab
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'sarif'
|
||||
@@ -668,7 +703,7 @@ jobs:
|
||||
TRIVY_PASSWORD: Password
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
uses: github/codeql-action/upload-sarif@v4
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
@@ -688,13 +723,16 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
contents: read # Required to checkout and read repo files
|
||||
security-events: write # Required to upload SARIF files to Security tab
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
|
||||
format: 'sarif'
|
||||
@@ -705,7 +743,7 @@ jobs:
|
||||
AWS_DEFAULT_REGION: us-west-2
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
uses: github/codeql-action/upload-sarif@v4
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
@@ -724,13 +762,16 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
contents: read # Required to checkout and read repo files
|
||||
security-events: write # Required to upload SARIF files to Security tab
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'sarif'
|
||||
@@ -739,7 +780,7 @@ jobs:
|
||||
GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
uses: github/codeql-action/upload-sarif@v4
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
@@ -757,13 +798,16 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
contents: read # Required to checkout and read repo files
|
||||
security-events: write # Required to upload SARIF files to Security tab
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'sarif'
|
||||
@@ -773,7 +817,7 @@ jobs:
|
||||
TRIVY_PASSWORD: Password
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
uses: github/codeql-action/upload-sarif@v4
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
@@ -786,7 +830,7 @@ This step is especially useful for private repositories without [GitHub Advanced
|
||||
|
||||
```yaml
|
||||
- name: Run Trivy scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
uses: aquasecurity/trivy-action@0.33.1
|
||||
with:
|
||||
scan-type: config
|
||||
hide-progress: true
|
||||
@@ -820,40 +864,47 @@ Configuration priority:
|
||||
|
||||
Following inputs can be used as `step.with` keys:
|
||||
|
||||
| Name | Type | Default | Description |
|
||||
|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
|
||||
| `template` | String | | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`) |
|
||||
| `tf-vars` | String | | path to Terraform variables file |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory. NOTE: This value cannot be configured by `trivy.yaml`. |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `false` | Suppress progress bar and log output |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
|
||||
| `version` | String | `v0.60.0` | Trivy version to use, e.g. `latest` or `v0.60.0` |
|
||||
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
|
||||
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
|
||||
| Name | Type | Default | Description |
|
||||
|------------------------------|---------|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
|
||||
| `template` | String | | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`) |
|
||||
| `tf-vars` | String | | path to Terraform variables file |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory. NOTE: This value cannot be configured by `trivy.yaml`. |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `false` | Suppress progress bar and log output |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |
|
||||
| `version` | String | `v0.68.1` | Trivy version to use, e.g. `latest` or `v0.68.1` |
|
||||
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
|
||||
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
|
||||
|
||||
### Environment variables
|
||||
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
|
||||
|
||||
**NB** In some older versions of the Action there was a bug that caused inputs from one call to the Action to leak
|
||||
over to subsequent calls to the Action. This could cause workflows that call the Action multiple times e.g. to run
|
||||
multiple scans, or the same scans with different output formats, to not produce the desired output. You can see if this
|
||||
is the case by looking at the GitHub Actions step information, if the `env` section shown in your Actions output
|
||||
contains `TRIVY_*` environment variables you did not explicitly set then you may be affected by this bug and should
|
||||
upgrade to the latest Action version.
|
||||
|
||||
### Trivy config file
|
||||
When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
|
||||
|
||||
|
||||
42
action.yaml
42
action.yaml
@@ -98,7 +98,7 @@ inputs:
|
||||
version:
|
||||
description: 'Trivy version to use'
|
||||
required: false
|
||||
default: 'v0.60.0'
|
||||
default: 'v0.68.1'
|
||||
cache:
|
||||
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
|
||||
required: false
|
||||
@@ -122,7 +122,11 @@ runs:
|
||||
steps:
|
||||
- name: Install Trivy
|
||||
if: ${{ inputs.skip-setup-trivy == 'false' }}
|
||||
uses: aquasecurity/setup-trivy@v0.2.2
|
||||
# Pin to hash instead of tag for aquasecurity/setup-trivy action so that GitHub Actions
|
||||
# "allowing select actions" feature can be used to whitelist the dependent action by a hash.
|
||||
# This is needed since some organizations have a policy to only allow pinned 3rd party actions to
|
||||
# be used.
|
||||
uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1 # equivalent to `v0.2.4`
|
||||
with:
|
||||
version: ${{ inputs.version }}
|
||||
cache: ${{ inputs.cache }}
|
||||
@@ -135,7 +139,7 @@ runs:
|
||||
|
||||
- name: Restore DB from cache
|
||||
if: ${{ inputs.cache == 'true' }}
|
||||
uses: actions/cache@v4
|
||||
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
|
||||
with:
|
||||
path: ${{ inputs.cache-dir }}
|
||||
key: cache-trivy-${{ steps.date.outputs.date }}
|
||||
@@ -147,6 +151,14 @@ runs:
|
||||
env:
|
||||
GITHUB_ACTION_PATH: ${{ github.action_path }}
|
||||
|
||||
# Create and Clear Trivy Envs file
|
||||
#Â See #422 for context
|
||||
- name: Clear Trivy Envs file
|
||||
shell: bash
|
||||
run: |
|
||||
rm -f trivy_envs.txt
|
||||
touch trivy_envs.txt
|
||||
|
||||
- name: Set Trivy environment variables
|
||||
shell: bash
|
||||
run: |
|
||||
@@ -154,14 +166,26 @@ runs:
|
||||
# This limitation affects how we handle default values and empty inputs.
|
||||
# For more information, see: https://github.com/actions/runner/issues/924
|
||||
|
||||
# Function to set environment variable only if the input is provided and different from default
|
||||
# The following logic implements the configuration priority described in the README:
|
||||
#
|
||||
# Inputs
|
||||
# Environment Variables
|
||||
# Config File
|
||||
# Defaults
|
||||
#
|
||||
# As noted above defaults are awkward to handle as GitHub Actions will inject those values as the input
|
||||
# if the caller doesn't provide them, thus if the input matches the default we don't set it as we
|
||||
# can't tell the difference. Plus if we did set it when it was the default value then it could potentially
|
||||
# override an external environment variable, or something in the callers configuration file, which then wouldn't
|
||||
# match the configuration priority that is documented.
|
||||
set_env_var_if_provided() {
|
||||
local var_name="$1"
|
||||
local input_value="$2"
|
||||
local default_value="$3"
|
||||
|
||||
if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then
|
||||
echo "$var_name=$input_value" >> $GITHUB_ENV
|
||||
# If action was provided with explicit input by the caller set that
|
||||
echo "export $var_name=$input_value" >> trivy_envs.txt
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -202,3 +226,11 @@ runs:
|
||||
|
||||
# For Trivy
|
||||
TRIVY_CACHE_DIR: ${{ inputs.cache-dir }} # Always set
|
||||
|
||||
# Remove Trivy envs to keep envs within this action and avoid env leaks
|
||||
#Â See #422 for context
|
||||
- name: Remove Trivy Envs file
|
||||
if: ${{ always() }}
|
||||
shell: bash
|
||||
run: |
|
||||
rm -f trivy_envs.txt
|
||||
|
||||
@@ -1,6 +1,14 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
# Read TRIVY_* envs from file, previously they were written to the GITHUB_ENV file but GitHub Actions automatically
|
||||
# injects those into subsequent job steps which means inputs from one trivy-action invocation were leaking over to
|
||||
# any subsequent invocation which led to unexpected/undesireable behaviour from a user perspective
|
||||
# See #422 for more context around this
|
||||
if [ -f ./trivy_envs.txt ]; then
|
||||
source ./trivy_envs.txt
|
||||
fi
|
||||
|
||||
# Set artifact reference
|
||||
scanType="${INPUT_SCAN_TYPE:-image}"
|
||||
scanRef="${INPUT_SCAN_REF:-.}"
|
||||
@@ -54,4 +62,4 @@ if [ "${TRIVY_FORMAT:-}" = "github" ]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
exit $returnCode
|
||||
exit $returnCode
|
||||
|
||||
3
renovate.json
Normal file
3
renovate.json
Normal file
@@ -0,0 +1,3 @@
|
||||
{
|
||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json"
|
||||
}
|
||||
@@ -2,18 +2,6 @@
|
||||
"SchemaVersion": 2,
|
||||
"ArtifactName": "test/data/config-scan",
|
||||
"ArtifactType": "filesystem",
|
||||
"Metadata": {
|
||||
"ImageConfig": {
|
||||
"architecture": "",
|
||||
"created": "0001-01-01T00:00:00Z",
|
||||
"os": "",
|
||||
"rootfs": {
|
||||
"type": "",
|
||||
"diff_ids": null
|
||||
},
|
||||
"config": {}
|
||||
}
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
"Target": ".",
|
||||
@@ -50,7 +38,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0086"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -90,8 +77,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -111,7 +97,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0087"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -151,8 +136,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -172,7 +156,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0088"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -212,8 +195,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -234,7 +216,6 @@
|
||||
"https://avd.aquasec.com/misconfig/s3-bucket-logging"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -274,8 +255,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -295,7 +275,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0090"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
|
||||
"Provider": "AWS",
|
||||
@@ -416,7 +395,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0091"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -456,8 +434,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -477,7 +454,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0093"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -517,8 +493,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -538,7 +513,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0094"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -578,8 +552,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -599,7 +572,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0132"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -639,8 +611,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
|
||||
@@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19)
|
||||
│ │ │ │ │ │ │ Windows Subsystem for... │
|
||||
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
|
||||
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
|
||||
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with │
|
||||
│ │ │ │ │ │ │ data integrity tests fail).... │
|
||||
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
|
||||
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
|
||||
@@ -1,18 +1,15 @@
|
||||
{
|
||||
"SchemaVersion": 2,
|
||||
"ArtifactID": "sha256:79ce4c2f8371bef1ce2a321518d3136bc1bd8f3c307ed679944a38e7cbd76c14",
|
||||
"ArtifactName": "https://github.com/krol3/demo-trivy/",
|
||||
"ArtifactType": "repository",
|
||||
"Metadata": {
|
||||
"ImageConfig": {
|
||||
"architecture": "",
|
||||
"created": "0001-01-01T00:00:00Z",
|
||||
"os": "",
|
||||
"rootfs": {
|
||||
"type": "",
|
||||
"diff_ids": null
|
||||
},
|
||||
"config": {}
|
||||
}
|
||||
"RepoURL": "https://github.com/krol3/demo-trivy/",
|
||||
"Branch": "main",
|
||||
"Commit": "547db823c73fdb3385871f6235e946c72291f734",
|
||||
"CommitMsg": "chore: add gitignore",
|
||||
"Author": "carolina valencia <krol3@users.noreply.github.com>",
|
||||
"Committer": "carolina valencia <krol3@users.noreply.github.com>"
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
@@ -69,7 +66,7 @@
|
||||
]
|
||||
},
|
||||
"Match": "export GITHUB_PAT=****************************************",
|
||||
"Layer": {}
|
||||
"Offset": 63
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19)
|
||||
│ │ │ │ │ │ │ Windows Subsystem for... │
|
||||
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
|
||||
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
|
||||
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with │
|
||||
│ │ │ │ │ │ │ data integrity tests fail).... │
|
||||
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
|
||||
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
|
||||
@@ -2,18 +2,6 @@
|
||||
"SchemaVersion": 2,
|
||||
"ArtifactName": "test/data/with-tf-vars/main.tf",
|
||||
"ArtifactType": "filesystem",
|
||||
"Metadata": {
|
||||
"ImageConfig": {
|
||||
"architecture": "",
|
||||
"created": "0001-01-01T00:00:00Z",
|
||||
"os": "",
|
||||
"rootfs": {
|
||||
"type": "",
|
||||
"diff_ids": null
|
||||
},
|
||||
"config": {}
|
||||
}
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
"Target": ".",
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
{
|
||||
"SchemaVersion": 2,
|
||||
"ArtifactID": "sha256:aab05ff324c90bb728aa5177b75d7e39d363be13323873de70959d2251edcebc",
|
||||
"ArtifactName": "alpine:3.10",
|
||||
"ArtifactType": "container_image",
|
||||
"Metadata": {
|
||||
"Size": 5842432,
|
||||
"OS": {
|
||||
"Family": "alpine",
|
||||
"Name": "3.10.9",
|
||||
@@ -18,6 +20,7 @@
|
||||
"RepoDigests": [
|
||||
"alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
|
||||
],
|
||||
"Reference": "alpine:3.10",
|
||||
"ImageConfig": {
|
||||
"architecture": "amd64",
|
||||
"container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
|
||||
@@ -50,7 +53,14 @@
|
||||
],
|
||||
"Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Layers": [
|
||||
{
|
||||
"Size": 5842432,
|
||||
"Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
|
||||
"DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
|
||||
}
|
||||
]
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
@@ -64,7 +74,7 @@
|
||||
"PkgName": "apk-tools",
|
||||
"PkgIdentifier": {
|
||||
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9",
|
||||
"UID": "99f6581ffed6b22"
|
||||
"UID": "b7a64ae671a99195"
|
||||
},
|
||||
"InstalledVersion": "2.10.6-r0",
|
||||
"FixedVersion": "2.10.7-r0",
|
||||
@@ -80,6 +90,7 @@
|
||||
"Name": "Alpine Secdb",
|
||||
"URL": "https://secdb.alpinelinux.org/"
|
||||
},
|
||||
"Fingerprint": "sha256:f86484d912018e22a8212a9c21359a64583d86342016ed1c57e3b3d6e9afa63c",
|
||||
"Title": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash",
|
||||
"Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
|
||||
"Severity": "CRITICAL",
|
||||
@@ -114,7 +125,7 @@
|
||||
"https://www.cve.org/CVERecord?id=CVE-2021-36159"
|
||||
],
|
||||
"PublishedDate": "2021-08-03T14:15:08.233Z",
|
||||
"LastModifiedDate": "2023-11-07T03:36:43.337Z"
|
||||
"LastModifiedDate": "2024-11-21T06:13:13.57Z"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -5,6 +5,7 @@ setup_file() {
|
||||
export TRIVY_DB_REPOSITORY=ghcr.io/${owner}/trivy-db-act:latest
|
||||
export TRIVY_JAVA_DB_REPOSITORY=ghcr.io/${owner}/trivy-java-db-act:latest
|
||||
export TRIVY_CHECKS_BUNDLE_REPOSITORY=ghcr.io/${owner}/trivy-checks-act:latest
|
||||
export TRIVY_LIST_ALL_PKGS=false
|
||||
}
|
||||
|
||||
setup() {
|
||||
@@ -16,7 +17,7 @@ setup() {
|
||||
function remove_json_fields() {
|
||||
local file="$1"
|
||||
if [[ "$file" == *.json ]]; then
|
||||
jq 'del(.CreatedAt)' "$file" > tmp && mv tmp "$file"
|
||||
jq 'del(.CreatedAt, .ReportID)' "$file" > tmp && mv tmp "$file"
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -39,6 +40,7 @@ function reset_envs() {
|
||||
for var in $(env | grep '^TRIVY_\|^INPUT_' | cut -d= -f1); do
|
||||
unset "$var"
|
||||
done
|
||||
rm -f trivy_envs.txt
|
||||
}
|
||||
|
||||
function compare_files() {
|
||||
@@ -56,9 +58,16 @@ function compare_files() {
|
||||
remove_github_fields "$file1"
|
||||
remove_github_fields "$file2"
|
||||
|
||||
run diff "$file1" "$file2"
|
||||
echo "$output"
|
||||
assert_files_equal "$file1" "$file2"
|
||||
if [ "${UPDATE_GOLDEN}" = "1" ]; then
|
||||
cp "$file1" "$file2"
|
||||
echo "Updated golden file: $file2"
|
||||
else
|
||||
run diff "$file1" "$file2"
|
||||
echo "$output"
|
||||
assert_files_equal "$file1" "$file2"
|
||||
fi
|
||||
|
||||
rm -f "$file1"
|
||||
}
|
||||
|
||||
@test "trivy repo with securityCheck secret only" {
|
||||
@@ -149,4 +158,31 @@ function compare_files() {
|
||||
./entrypoint.sh
|
||||
compare_files tfvars.json ./test/data/with-tf-vars/report.json
|
||||
reset_envs
|
||||
}
|
||||
|
||||
@test "trivy image via environment file" {
|
||||
# trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
|
||||
# Action injects inputs into the script via environment variables
|
||||
echo "export TRIVY_OUTPUT=image.test" >> trivy_envs.txt
|
||||
echo "export TRIVY_SEVERITY=CRITICAL" >> trivy_envs.txt
|
||||
echo "export INPUT_SCAN_TYPE=image" >> trivy_envs.txt
|
||||
echo "export INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3" >> trivy_envs.txt
|
||||
./entrypoint.sh
|
||||
compare_files image.test ./test/data/image-scan/report
|
||||
reset_envs
|
||||
}
|
||||
|
||||
@test "trivy image via environment file overrides env leakages" {
|
||||
# trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
|
||||
# Action injects inputs into the script via environment variables
|
||||
# If caller mixes old and new trivy-action version they could still have env leakage so verify that env vars already
|
||||
# in the env are overridden by those from the envs file
|
||||
export INPUT_SCAN_REF=no/such-image:1.2.3
|
||||
echo "export TRIVY_OUTPUT=image.test" >> trivy_envs.txt
|
||||
echo "export TRIVY_SEVERITY=CRITICAL" >> trivy_envs.txt
|
||||
echo "export INPUT_SCAN_TYPE=image" >> trivy_envs.txt
|
||||
echo "export INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3" >> trivy_envs.txt
|
||||
./entrypoint.sh
|
||||
compare_files image.test ./test/data/image-scan/report
|
||||
reset_envs
|
||||
}
|
||||
Reference in New Issue
Block a user