Merge pull request 'chore: Configure Renovate' (#2 ) from renovate/configure into master

Reviewed-on: #2
Add renovate.json
2025-12-29 20:05:22 +00:00 · 2025-12-29 20:04:59 +00:00 · 2025-12-11 14:34:44 +06:00 · 2025-12-11 05:31:14 +00:00 · 2025-12-10 22:30:00 -07:00 · 2025-12-08 17:02:57 -07:00
16 changed files with 184 additions and 128 deletions
--- a/.github/workflows/bump-trivy.yaml
+++ b/.github/workflows/bump-trivy.yaml
@@ -15,13 +15,31 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-      
-      - name: Set new version from input
-        run: echo "NEW_VERSION=${{ inputs.trivy_version }}" >> $GITHUB_ENV

      - name: Update Trivy versions
+        env:
+          NEW_VERSION: ${{ inputs.trivy_version }}
        run: make bump-trivy

+      - name: Setup Bats and bats libs
+        id: setup-bats
+        uses: bats-core/bats-action@3.0.1
+
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ inputs.trivy_version }}
+          trivy --version
+
+      - name: Update golden files
+        env:
+          BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
+        run: make update-golden
+
+      - name: Run tests
+        env:
+          BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
+        run: make test
+
      - name: Create PR
        id: create-pr
        uses: peter-evans/create-pull-request@v5
--- a/.github/workflows/sync-trivy-checks.yaml
+++ b/.github/workflows/sync-trivy-checks.yaml
@@ -11,7 +11,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-      
+
+      - name: setup-oras
+        uses: oras-project/setup-oras@v1.2.3
+
      - name: Login to GitHub Packages Container registry
        uses: docker/login-action@v3
        with:
--- a/.github/workflows/sync-trivy-db.yaml
+++ b/.github/workflows/sync-trivy-db.yaml
@@ -12,6 +12,9 @@ jobs:
    steps:
      - uses: actions/checkout@v4

+      - name: setup-oras
+        uses: oras-project/setup-oras@v1.2.3
+
      - name: Login to GitHub Packages Container registry
        uses: docker/login-action@v3
        with:
--- a/.github/workflows/sync-trivy-java-db.yaml
+++ b/.github/workflows/sync-trivy-java-db.yaml
@@ -12,6 +12,9 @@ jobs:
    steps:
      - uses: actions/checkout@v4

+      - name: setup-oras
+        uses: oras-project/setup-oras@v1.2.3
+
      - name: Login to GitHub Packages Container registry
        uses: docker/login-action@v3
        with:
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -6,7 +6,7 @@ on:
  workflow_dispatch:

 env:
-  TRIVY_VERSION: 0.64.1
+  TRIVY_VERSION: 0.68.1
  BATS_LIB_PATH: '/usr/lib/'

 jobs:
@@ -16,7 +16,8 @@ jobs:
      - uses: actions/checkout@v4

      - name: Setup Bats and bats libs
-        uses: bats-core/bats-action@2.0.0
+        id: setup-bats
+        uses: bats-core/bats-action@3.0.1

      - name: Install Trivy
        run: |
@@ -24,8 +25,6 @@ jobs:
          trivy --version

      - name: Test
-        run: bats --recursive --timing --verbose-run .
        env:
-          TRIVY_CACHE_DIR: .cache
-          TRIVY_DISABLE_VEX_NOTICE: true
-          TRIVY_DEBUG: true
+          BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
+        run: make test
--- a/31
+++ b/31
@@ -1,18 +1,33 @@
 OS := $(shell uname)
-SED = sed
-BATS_LIB_PATH = /usr/local/lib/ 

 ifeq ($(OS), Darwin)
-SED = gsed
-BATS_LIB_PATH = /opt/homebrew/lib
+  SED = gsed
+  BATS_LIB_PATH ?= /opt/homebrew/lib
+else
+  SED = sed
+  BATS_LIB_PATH ?= /usr/local/lib/
 endif

+BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
+	GITHUB_REPOSITORY_OWNER=aquasecurity \
+	TRIVY_CACHE_DIR=.cache \
+	TRIVY_DISABLE_VEX_NOTICE=true \
+	TRIVY_DEBUG=true
+
+BATS_FLAGS := --recursive --timing --verbose-run .
+
 .PHONY: test
-test:
+test: init-cache
+	$(BATS_ENV) bats $(BATS_FLAGS)
+
+.PHONY: update-golden
+update-golden: init-cache
+	UPDATE_GOLDEN=1 $(BATS_ENV) bats $(BATS_FLAGS)
+
+.PHONY: init-cache
+init-cache:
 	mkdir -p .cache
-	BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\
-	  TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
-	  bats --recursive --timing --verbose-run .
+	rm -f .cache/fanal/fanal.db

 bump-trivy:
 	@[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )
--- a/README.md
+++ b/README.md
@@ -46,11 +46,11 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      - name: Build an image from Dockerfile
        run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'table'
@@ -78,7 +78,7 @@ jobs:
      uses: actions/checkout@v4

    - name: Run Trivy vulnerability scanner in fs mode
-      uses: aquasecurity/trivy-action@0.28.0
+      uses: aquasecurity/trivy-action@0.33.1
      with:
        scan-type: 'fs'
        scan-ref: '.'
@@ -119,7 +119,7 @@ If you want to disable caching, set the `cache` input to `false`, but we recomme

 ```yaml
    - name: Run Trivy scanner without cache
-      uses: aquasecurity/trivy-action@0.28.0
+      uses: aquasecurity/trivy-action@0.33.1
      with:
        scan-type: 'fs'
        scan-ref: '.'
@@ -180,7 +180,7 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T

 ```yaml
    - name: Run Trivy scanner without downloading DBs
-      uses: aquasecurity/trivy-action@0.28.0
+      uses: aquasecurity/trivy-action@0.33.1
      with:
        scan-type: 'image'
        scan-ref: 'myimage'
@@ -215,7 +215,7 @@ jobs:
      uses: aquasecurity/setup-trivy@v0.2.0
      with:
        cache: true
-        version: v0.64.1
+        version: v0.68.1

    - name: Run Trivy vulnerability scanner in repo mode
      uses: aquasecurity/trivy-action@master
@@ -287,7 +287,7 @@ Therefore, you can't install `Trivy` using the `setup-trivy` action.
 To fix this problem, you need to overwrite the token for `setup-trivy` using `token-setup-trivy` input:
 ```yaml
    - name: Run Trivy scanner without cache
-      uses: aquasecurity/trivy-action@0.28.0
+      uses: aquasecurity/trivy-action@0.33.1
      with:
        scan-type: 'fs'
        scan-ref: '.'
@@ -318,7 +318,7 @@ jobs:
        docker save -o vuln-image.tar <your-docker-image>

    - name: Run Trivy vulnerability scanner in tarball mode
-      uses: aquasecurity/trivy-action@0.28.0
+      uses: aquasecurity/trivy-action@0.33.1
      with:
        input: /github/workspace/vuln-image.tar
        severity: 'CRITICAL,HIGH'
@@ -342,10 +342,10 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: "fs"
          scan-ref: .
@@ -371,10 +371,10 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: "fs"
          scan-ref: .
@@ -395,6 +395,9 @@ jobs:
  build:
    name: Build
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read          # Required to checkout and read repo files
+      security-events: write  # Required to upload SARIF files to Security tab
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
@@ -404,14 +407,14 @@ jobs:
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
 ```
@@ -430,6 +433,9 @@ jobs:
  build:
    name: Build
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read          # Required to checkout and read repo files
+      security-events: write  # Required to upload SARIF files to Security tab
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
@@ -439,14 +445,14 @@ jobs:
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
@@ -455,7 +461,7 @@ jobs:
 See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always

 ### Using Trivy to scan your Git repo
-It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
+It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR.

 If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
 ```yaml
@@ -469,12 +475,15 @@ jobs:
  build:
    name: Build
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read          # Required to checkout and read repo files
+      security-events: write  # Required to upload SARIF files to Security tab
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: 'fs'
          ignore-unfixed: true
@@ -483,13 +492,13 @@ jobs:
          severity: 'CRITICAL'

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
 ```

 ### Using Trivy to scan your rootfs directories
-It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
+It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR.

 If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
 ```yaml
@@ -503,12 +512,15 @@ jobs:
  build:
    name: Build
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read          # Required to checkout and read repo files
+      security-events: write  # Required to upload SARIF files to Security tab
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner with rootfs command
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: 'rootfs'
          scan-ref: 'rootfs-example-binary'
@@ -518,13 +530,15 @@ jobs:
          severity: 'CRITICAL'

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
 ```

 ### Using Trivy to scan Infrastructure as Code
-It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
+It's also possible to scan your IaC repos with Trivy's built-in repo scan. 
+This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. 
+This helps you identify potential vulnerabilities that might get introduced with each PR.

 If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
 ```yaml
@@ -538,12 +552,15 @@ jobs:
  build:
    name: Build
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read          # Required to checkout and read repo files
+      security-events: write  # Required to upload SARIF files to Security tab
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in IaC mode
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: 'config'
          hide-progress: true
@@ -553,11 +570,26 @@ jobs:
          severity: 'CRITICAL,HIGH'

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
 ```

+**Note**: If your Terraform configuration contains private modules, configure Git to authenticate with the repository hosting them. 
+This can be done by adding a step in your CI workflow that sets up access, for example using a Personal Access Token (PAT) or SSH keys:
+
+```yaml
+- name: Configure Git for private modules
+  run: |
+    git config --global url."https://$GITHUB_USER:$PRIVATE_REPO_TOKEN@github.com/".insteadOf "https://github.com/"
+  env:
+    GITHUB_USER: ${{ github.actor }}
+    PRIVATE_REPO_TOKEN: ${{ secrets.PRIVATE_REPO_TOKEN }}
+```
+This ensures Trivy can download private modules.
+
+
 ### Using Trivy to generate SBOM
 It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).

@@ -585,12 +617,12 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: 'fs'
          format: 'github'
          output: 'dependency-results.sbom.json'
-          image-ref: '.'
+          scan-ref: '.'
          github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
 ```

@@ -615,7 +647,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Scan image in a private registry
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: "private_image_registry/image_name:image_tag"
          scan-type: image
@@ -653,12 +685,15 @@ jobs:
  build:
    name: Build
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read          # Required to checkout and read repo files
+      security-events: write  # Required to upload SARIF results to the GitHub Security tab
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -668,7 +703,7 @@ jobs:
          TRIVY_PASSWORD: Password

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
 ```
@@ -689,12 +724,15 @@ jobs:
  build:
    name: Build
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read          # Required to checkout and read repo files
+      security-events: write  # Required to upload SARIF files to Security tab
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
          format: 'sarif'
@@ -705,7 +743,7 @@ jobs:
          AWS_DEFAULT_REGION: us-west-2

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
 ```
@@ -725,12 +763,15 @@ jobs:
  build:
    name: Build
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read          # Required to checkout and read repo files
+      security-events: write  # Required to upload SARIF files to Security tab
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -739,7 +780,7 @@ jobs:
          GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
 ```
@@ -758,12 +799,15 @@ jobs:
  build:
    name: Build
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read          # Required to checkout and read repo files
+      security-events: write  # Required to upload SARIF files to Security tab
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -773,7 +817,7 @@ jobs:
          TRIVY_PASSWORD: Password

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
 ```
@@ -786,7 +830,7 @@ This step is especially useful for private repositories without [GitHub Advanced

 ```yaml
 - name: Run Trivy scanner
-  uses: aquasecurity/trivy-action@0.28.0
+  uses: aquasecurity/trivy-action@0.33.1
  with:
    scan-type: config
    hide-progress: true
@@ -847,7 +891,7 @@ Following inputs can be used as `step.with` keys:
 | `github-pat`                 | String  |                                    | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN          |
 | `limit-severities-for-sarif` | Boolean | false                              | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true**   |
 | `docker-host`                | String  |                                    | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |
-| `version`                    | String  | `v0.64.1`                          | Trivy version to use, e.g. `latest` or `v0.64.1`                                                                                                                 |
+| `version`                    | String  | `v0.68.1`                          | Trivy version to use, e.g. `latest` or `v0.68.1`                                                                                                                 |
 | `skip-setup-trivy`           | Boolean | false                              | Skip calling the `setup-trivy` action to install `trivy`                                                                                                         |
 | `token-setup-trivy`          | Boolean |                                    | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository                                                                                |

--- a/action.yaml
+++ b/action.yaml
@@ -98,7 +98,7 @@ inputs:
  version:
    description: 'Trivy version to use'
    required: false
-    default: 'v0.64.1'
+    default: 'v0.68.1'
  cache:
    description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
    required: false
@@ -126,7 +126,7 @@ runs:
      # "allowing select actions" feature can be used to whitelist the dependent action by a hash.
      # This is needed since some organizations have a policy to only allow pinned 3rd party actions to 
      # be used.
-      uses: aquasecurity/setup-trivy@ff1b8b060f23b650436d419b5e13f67f5d4c3087 # equivalent to `v0.2.2`
+      uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1 # equivalent to `v0.2.4`
      with:
        version: ${{ inputs.version }}
        cache: ${{ inputs.cache }}
@@ -139,7 +139,7 @@ runs:

    - name: Restore DB from cache
      if: ${{ inputs.cache == 'true' }}
-      uses: actions/cache@v4
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
      with:
        path: ${{ inputs.cache-dir }}
        key: cache-trivy-${{ steps.date.outputs.date }}
--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,3 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}
--- a/test/data/config-scan/report.json
+++ b/test/data/config-scan/report.json
@@ -2,18 +2,6 @@
  "SchemaVersion": 2,
  "ArtifactName": "test/data/config-scan",
  "ArtifactType": "filesystem",
-  "Metadata": {
-    "ImageConfig": {
-      "architecture": "",
-      "created": "0001-01-01T00:00:00Z",
-      "os": "",
-      "rootfs": {
-        "type": "",
-        "diff_ids": null
-      },
-      "config": {}
-    }
-  },
  "Results": [
    {
      "Target": ".",
@@ -50,7 +38,6 @@
            "https://avd.aquasec.com/misconfig/avd-aws-0086"
          ],
          "Status": "FAIL",
-          "Layer": {},
          "CauseMetadata": {
            "Resource": "aws_s3_bucket.bucket",
            "Provider": "AWS",
@@ -90,8 +77,7 @@
                  "LastCause": true
                }
              ]
-            },
-            "RenderedCause": {}
+            }
          }
        },
        {
@@ -111,7 +97,6 @@
            "https://avd.aquasec.com/misconfig/avd-aws-0087"
          ],
          "Status": "FAIL",
-          "Layer": {},
          "CauseMetadata": {
            "Resource": "aws_s3_bucket.bucket",
            "Provider": "AWS",
@@ -151,8 +136,7 @@
                  "LastCause": true
                }
              ]
-            },
-            "RenderedCause": {}
+            }
          }
        },
        {
@@ -172,7 +156,6 @@
            "https://avd.aquasec.com/misconfig/avd-aws-0088"
          ],
          "Status": "FAIL",
-          "Layer": {},
          "CauseMetadata": {
            "Resource": "aws_s3_bucket.bucket",
            "Provider": "AWS",
@@ -212,8 +195,7 @@
                  "LastCause": true
                }
              ]
-            },
-            "RenderedCause": {}
+            }
          }
        },
        {
@@ -234,7 +216,6 @@
            "https://avd.aquasec.com/misconfig/s3-bucket-logging"
          ],
          "Status": "FAIL",
-          "Layer": {},
          "CauseMetadata": {
            "Resource": "aws_s3_bucket.bucket",
            "Provider": "AWS",
@@ -274,8 +255,7 @@
                  "LastCause": true
                }
              ]
-            },
-            "RenderedCause": {}
+            }
          }
        },
        {
@@ -295,7 +275,6 @@
            "https://avd.aquasec.com/misconfig/avd-aws-0090"
          ],
          "Status": "FAIL",
-          "Layer": {},
          "CauseMetadata": {
            "Resource": "aws_s3_bucket_versioning.bucket_versioning",
            "Provider": "AWS",
@@ -416,7 +395,6 @@
            "https://avd.aquasec.com/misconfig/avd-aws-0091"
          ],
          "Status": "FAIL",
-          "Layer": {},
          "CauseMetadata": {
            "Resource": "aws_s3_bucket.bucket",
            "Provider": "AWS",
@@ -456,8 +434,7 @@
                  "LastCause": true
                }
              ]
-            },
-            "RenderedCause": {}
+            }
          }
        },
        {
@@ -477,7 +454,6 @@
            "https://avd.aquasec.com/misconfig/avd-aws-0093"
          ],
          "Status": "FAIL",
-          "Layer": {},
          "CauseMetadata": {
            "Resource": "aws_s3_bucket.bucket",
            "Provider": "AWS",
@@ -517,8 +493,7 @@
                  "LastCause": true
                }
              ]
-            },
-            "RenderedCause": {}
+            }
          }
        },
        {
@@ -538,7 +513,6 @@
            "https://avd.aquasec.com/misconfig/avd-aws-0094"
          ],
          "Status": "FAIL",
-          "Layer": {},
          "CauseMetadata": {
            "Resource": "aws_s3_bucket.bucket",
            "Provider": "AWS",
@@ -578,8 +552,7 @@
                  "LastCause": true
                }
              ]
-            },
-            "RenderedCause": {}
+            }
          }
        },
        {
@@ -599,7 +572,6 @@
            "https://avd.aquasec.com/misconfig/avd-aws-0132"
          ],
          "Status": "FAIL",
-          "Layer": {},
          "CauseMetadata": {
            "Resource": "aws_s3_bucket.bucket",
            "Provider": "AWS",
@@ -639,8 +611,7 @@
                  "LastCause": true
                }
              ]
-            },
-            "RenderedCause": {}
+            }
          }
        }
      ]
--- a/test/data/image-scan/report
+++ b/test/data/image-scan/report
@@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19)
 │             │                │          │        │                   │               │ Windows Subsystem for...                                     │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1353                    │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ libbz2      │ CVE-2019-12900 │          │        │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
+│ libbz2      │ CVE-2019-12900 │          │        │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: bzip2: Data integrity error when decompressing (with  │
+│             │                │          │        │                   │               │ data integrity tests fail)....                               │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ libcurl     │ CVE-2018-16839 │          │        │ 7.61.1-r0         │ 7.61.1-r1     │ curl: Integer overflow leading to heap-based buffer overflow │
--- a/test/data/secret-scan/report.json
+++ b/test/data/secret-scan/report.json
@@ -1,18 +1,15 @@
 {
  "SchemaVersion": 2,
+  "ArtifactID": "sha256:79ce4c2f8371bef1ce2a321518d3136bc1bd8f3c307ed679944a38e7cbd76c14",
  "ArtifactName": "https://github.com/krol3/demo-trivy/",
  "ArtifactType": "repository",
  "Metadata": {
-    "ImageConfig": {
-      "architecture": "",
-      "created": "0001-01-01T00:00:00Z",
-      "os": "",
-      "rootfs": {
-        "type": "",
-        "diff_ids": null
-      },
-      "config": {}
-    }
+    "RepoURL": "https://github.com/krol3/demo-trivy/",
+    "Branch": "main",
+    "Commit": "547db823c73fdb3385871f6235e946c72291f734",
+    "CommitMsg": "chore: add gitignore",
+    "Author": "carolina valencia <krol3@users.noreply.github.com>",
+    "Committer": "carolina valencia <krol3@users.noreply.github.com>"
  },
  "Results": [
    {
@@ -69,7 +66,7 @@
            ]
          },
          "Match": "export GITHUB_PAT=****************************************",
-          "Layer": {}
+          "Offset": 63
        }
      ]
    }
--- a/test/data/with-ignore-files/report
+++ b/test/data/with-ignore-files/report
@@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19)
 │             │                │          │        │                   │               │ Windows Subsystem for...                                     │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1353                    │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ libbz2      │ CVE-2019-12900 │          │        │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
+│ libbz2      │ CVE-2019-12900 │          │        │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: bzip2: Data integrity error when decompressing (with  │
+│             │                │          │        │                   │               │ data integrity tests fail)....                               │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ libcurl     │ CVE-2018-16839 │          │        │ 7.61.1-r0         │ 7.61.1-r1     │ curl: Integer overflow leading to heap-based buffer overflow │
--- a/test/data/with-tf-vars/report.json
+++ b/test/data/with-tf-vars/report.json
@@ -2,18 +2,6 @@
  "SchemaVersion": 2,
  "ArtifactName": "test/data/with-tf-vars/main.tf",
  "ArtifactType": "filesystem",
-  "Metadata": {
-    "ImageConfig": {
-      "architecture": "",
-      "created": "0001-01-01T00:00:00Z",
-      "os": "",
-      "rootfs": {
-        "type": "",
-        "diff_ids": null
-      },
-      "config": {}
-    }
-  },
  "Results": [
    {
      "Target": ".",
--- a/test/data/with-trivy-yaml-cfg/report.json
+++ b/test/data/with-trivy-yaml-cfg/report.json
@@ -1,6 +1,6 @@
 {
  "SchemaVersion": 2,
-  "CreatedAt": "2025-06-03T01:26:45.367171-06:00",
+  "ArtifactID": "sha256:aab05ff324c90bb728aa5177b75d7e39d363be13323873de70959d2251edcebc",
  "ArtifactName": "alpine:3.10",
  "ArtifactType": "container_image",
  "Metadata": {
@@ -20,6 +20,7 @@
    "RepoDigests": [
      "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
    ],
+    "Reference": "alpine:3.10",
    "ImageConfig": {
      "architecture": "amd64",
      "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
@@ -72,7 +73,7 @@
          "PkgID": "apk-tools@2.10.6-r0",
          "PkgName": "apk-tools",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64\u0026distro=3.10.9",
+            "PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9",
            "UID": "b7a64ae671a99195"
          },
          "InstalledVersion": "2.10.6-r0",
@@ -89,6 +90,7 @@
            "Name": "Alpine Secdb",
            "URL": "https://secdb.alpinelinux.org/"
          },
+          "Fingerprint": "sha256:f86484d912018e22a8212a9c21359a64583d86342016ed1c57e3b3d6e9afa63c",
          "Title": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash",
          "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
          "Severity": "CRITICAL",
@@ -123,7 +125,7 @@
            "https://www.cve.org/CVERecord?id=CVE-2021-36159"
          ],
          "PublishedDate": "2021-08-03T14:15:08.233Z",
-          "LastModifiedDate": "2023-11-07T03:36:43.337Z"
+          "LastModifiedDate": "2024-11-21T06:13:13.57Z"
        }
      ]
    }
--- a/test/test.bats
+++ b/test/test.bats
@@ -5,6 +5,7 @@ setup_file() {
  export TRIVY_DB_REPOSITORY=ghcr.io/${owner}/trivy-db-act:latest
  export TRIVY_JAVA_DB_REPOSITORY=ghcr.io/${owner}/trivy-java-db-act:latest
  export TRIVY_CHECKS_BUNDLE_REPOSITORY=ghcr.io/${owner}/trivy-checks-act:latest
+  export TRIVY_LIST_ALL_PKGS=false
 }

 setup() {
@@ -16,7 +17,7 @@ setup() {
 function remove_json_fields() {
  local file="$1"
  if [[ "$file" == *.json ]]; then
-      jq 'del(.CreatedAt)' "$file" > tmp && mv tmp "$file"
+      jq 'del(.CreatedAt, .ReportID)' "$file" > tmp && mv tmp "$file"
  fi
 }

@@ -57,9 +58,16 @@ function compare_files() {
  remove_github_fields "$file1"
  remove_github_fields "$file2"
  
-  run diff "$file1" "$file2"
-  echo "$output"
-  assert_files_equal "$file1" "$file2"
+  if [ "${UPDATE_GOLDEN}" = "1" ]; then
+    cp "$file1" "$file2"
+    echo "Updated golden file: $file2"
+  else
+    run diff "$file1" "$file2"
+    echo "$output"
+    assert_files_equal "$file1" "$file2"
+  fi
+
+  rm -f "$file1"
 }

@test "trivy repo with securityCheck secret only" {
Author	SHA1	Message	Date
ivan	c13c370e94	Merge pull request 'chore: Configure Renovate' (#2 ) from renovate/configure into master Reviewed-on: #2	2025-12-29 20:05:22 +00:00
Renovate Bot	0231551320	Add renovate.json	2025-12-29 20:04:59 +00:00
Nikita Pivkin	22438a4357	Merge pull request #496 from aquasecurity/bump-trivy-1765431074	2025-12-11 14:34:44 +06:00
simar7	0024b3f39e	chore(deps): Update trivy to v0.68.1	2025-12-11 05:31:14 +00:00
Nikita Pivkin	83690f7d38	ci: install trivy in bump-trivy workflow and update tests (#495 ) * ci: install trivy in bump-trivy workflow Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io> * test: diasble list-all-pkgs and remove ReportID Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io> * ci: run tests after updating golden files Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io> * fix BATS_LIB_PATH setting Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io> --------- Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>	2025-12-10 22:30:00 -07:00
Nikita Pivkin	df65449f48	chore: update README (#493 ) Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>	2025-12-08 17:02:57 -07:00
Nikita Pivkin	0317097f59	ci: use setup-bats in bump-trivy workflow (#494 ) Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>	2025-12-08 17:02:32 -07:00
Martin Costello	b6643a29fe	Update setup-trivy action to version v0.2.4 (#486 )	2025-08-29 14:43:29 +06:00
Nikita Pivkin	f9424c10c3	Merge pull request #481 from aquasecurity/bump-trivy-1755898251	2025-08-27 13:19:48 +06:00
Nikita Pivkin	85abccb4a4	dev: delete fanal.db before tests Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>	2025-08-27 13:05:59 +06:00
Nikita Pivkin	a1698702b6	ci: update golden files on Trivy bump Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>	2025-08-27 12:33:47 +06:00
Nikita Pivkin	71f6a8fb8b	dev: add update-golden goal Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>	2025-08-27 12:20:05 +06:00
Nikita Pivkin	bf330b1153	test: update golden files Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>	2025-08-27 12:19:06 +06:00
Nikita Pivkin	644762e8d4	Merge pull request #482 from aquasecurity/fix-gh-actions	2025-08-27 11:56:15 +06:00
Simar	f2e28516ef	chore(ci): Add oras to correctly setup sync jobs	2025-08-26 19:17:21 -06:00
Simar	636fd3c4eb	fix: update tests	2025-08-26 19:12:07 -06:00
simar7	7c0244b8c6	chore(deps): Update trivy to v0.65.0	2025-08-22 21:30:51 +00:00
Martin Costello	c26e17b164	Pin actions/cache by SHA (#480 ) Resolves #479.	2025-08-22 15:29:59 -06:00
YuXuan Tay	77137e9dc3	doc/correct-sbom-fs-scan (#458 )	2025-07-07 12:48:46 -06:00
Akshay Iyyadurai Balasundaram	e7fbf034e4	Update dependencies in README (#378 ) * chore: update dependencies in README * chore: update the actions/checkout version in documentation * chore: bump upload-sarif dependency from readme * docs: bump actions/checkout to v4 Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io> --------- Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io> Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>	2025-07-07 12:46:41 -06:00