Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
c7c2c6533b |
Vendored
-3
@@ -22,9 +22,6 @@ jobs:
|
||||
- name: Update Trivy versions
|
||||
run: make bump-trivy
|
||||
|
||||
- name: Update golden files
|
||||
run: make update-golden
|
||||
|
||||
- name: Create PR
|
||||
id: create-pr
|
||||
uses: peter-evans/create-pull-request@v5
|
||||
|
||||
Vendored
+1
-1
@@ -6,7 +6,7 @@ on:
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
TRIVY_VERSION: 0.65.0
|
||||
TRIVY_VERSION: 0.61.1
|
||||
BATS_LIB_PATH: '/usr/lib/'
|
||||
|
||||
jobs:
|
||||
|
||||
@@ -7,26 +7,12 @@ SED = gsed
|
||||
BATS_LIB_PATH = /opt/homebrew/lib
|
||||
endif
|
||||
|
||||
BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
|
||||
GITHUB_REPOSITORY_OWNER=aquasecurity \
|
||||
TRIVY_CACHE_DIR=.cache \
|
||||
TRIVY_DISABLE_VEX_NOTICE=true \
|
||||
TRIVY_DEBUG=true
|
||||
|
||||
BATS_FLAGS := --recursive --timing --verbose-run .
|
||||
|
||||
.PHONY: test
|
||||
test: init-cache
|
||||
$(BATS_ENV) bats $(BATS_FLAGS)
|
||||
|
||||
.PHONY: update-golden
|
||||
update-golden: init-cache
|
||||
UPDATE_GOLDEN=1 $(BATS_ENV) bats $(BATS_FLAGS)
|
||||
|
||||
.PHONY: init-cache
|
||||
init-cache:
|
||||
test:
|
||||
mkdir -p .cache
|
||||
rm -f .cache/fanal/fanal.db
|
||||
BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\
|
||||
TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
|
||||
bats --recursive --timing --verbose-run .
|
||||
|
||||
bump-trivy:
|
||||
@[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )
|
||||
|
||||
@@ -46,7 +46,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v3
|
||||
- name: Build an image from Dockerfile
|
||||
run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
- name: Run Trivy vulnerability scanner
|
||||
@@ -215,7 +215,7 @@ jobs:
|
||||
uses: aquasecurity/setup-trivy@v0.2.0
|
||||
with:
|
||||
cache: true
|
||||
version: v0.65.0
|
||||
version: v0.61.1
|
||||
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@master
|
||||
@@ -342,7 +342,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
@@ -371,7 +371,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
@@ -590,7 +590,7 @@ jobs:
|
||||
scan-type: 'fs'
|
||||
format: 'github'
|
||||
output: 'dependency-results.sbom.json'
|
||||
scan-ref: '.'
|
||||
image-ref: '.'
|
||||
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
|
||||
```
|
||||
|
||||
@@ -847,7 +847,7 @@ Following inputs can be used as `step.with` keys:
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |
|
||||
| `version` | String | `v0.65.0` | Trivy version to use, e.g. `latest` or `v0.65.0` |
|
||||
| `version` | String | `v0.61.1` | Trivy version to use, e.g. `latest` or `v0.61.1` |
|
||||
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
|
||||
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
|
||||
|
||||
|
||||
+2
-2
@@ -98,7 +98,7 @@ inputs:
|
||||
version:
|
||||
description: 'Trivy version to use'
|
||||
required: false
|
||||
default: 'v0.65.0'
|
||||
default: 'v0.61.1'
|
||||
cache:
|
||||
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
|
||||
required: false
|
||||
@@ -139,7 +139,7 @@ runs:
|
||||
|
||||
- name: Restore DB from cache
|
||||
if: ${{ inputs.cache == 'true' }}
|
||||
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: ${{ inputs.cache-dir }}
|
||||
key: cache-trivy-${{ steps.date.outputs.date }}
|
||||
|
||||
@@ -2,6 +2,18 @@
|
||||
"SchemaVersion": 2,
|
||||
"ArtifactName": "test/data/config-scan",
|
||||
"ArtifactType": "filesystem",
|
||||
"Metadata": {
|
||||
"ImageConfig": {
|
||||
"architecture": "",
|
||||
"created": "0001-01-01T00:00:00Z",
|
||||
"os": "",
|
||||
"rootfs": {
|
||||
"type": "",
|
||||
"diff_ids": null
|
||||
},
|
||||
"config": {}
|
||||
}
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
"Target": ".",
|
||||
@@ -38,6 +50,7 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0086"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -77,7 +90,8 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -97,6 +111,7 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0087"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -136,7 +151,8 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -156,6 +172,7 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0088"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -195,7 +212,8 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -216,6 +234,7 @@
|
||||
"https://avd.aquasec.com/misconfig/s3-bucket-logging"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -255,7 +274,8 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -275,6 +295,7 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0090"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
|
||||
"Provider": "AWS",
|
||||
@@ -395,6 +416,7 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0091"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -434,7 +456,8 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -454,6 +477,7 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0093"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -493,7 +517,8 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -513,6 +538,7 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0094"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -552,7 +578,8 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -572,6 +599,7 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0132"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -611,7 +639,8 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
]
|
||||
|
||||
@@ -3,12 +3,16 @@
|
||||
"ArtifactName": "https://github.com/krol3/demo-trivy/",
|
||||
"ArtifactType": "repository",
|
||||
"Metadata": {
|
||||
"RepoURL": "https://github.com/krol3/demo-trivy/",
|
||||
"Branch": "main",
|
||||
"Commit": "547db823c73fdb3385871f6235e946c72291f734",
|
||||
"CommitMsg": "chore: add gitignore",
|
||||
"Author": "carolina valencia <krol3@users.noreply.github.com>",
|
||||
"Committer": "carolina valencia <krol3@users.noreply.github.com>"
|
||||
"ImageConfig": {
|
||||
"architecture": "",
|
||||
"created": "0001-01-01T00:00:00Z",
|
||||
"os": "",
|
||||
"rootfs": {
|
||||
"type": "",
|
||||
"diff_ids": null
|
||||
},
|
||||
"config": {}
|
||||
}
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
@@ -64,7 +68,8 @@
|
||||
}
|
||||
]
|
||||
},
|
||||
"Match": "export GITHUB_PAT=****************************************"
|
||||
"Match": "export GITHUB_PAT=****************************************",
|
||||
"Layer": {}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -2,6 +2,18 @@
|
||||
"SchemaVersion": 2,
|
||||
"ArtifactName": "test/data/with-tf-vars/main.tf",
|
||||
"ArtifactType": "filesystem",
|
||||
"Metadata": {
|
||||
"ImageConfig": {
|
||||
"architecture": "",
|
||||
"created": "0001-01-01T00:00:00Z",
|
||||
"os": "",
|
||||
"rootfs": {
|
||||
"type": "",
|
||||
"diff_ids": null
|
||||
},
|
||||
"config": {}
|
||||
}
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
"Target": ".",
|
||||
|
||||
+3
-10
@@ -57,16 +57,9 @@ function compare_files() {
|
||||
remove_github_fields "$file1"
|
||||
remove_github_fields "$file2"
|
||||
|
||||
if [ "${UPDATE_GOLDEN}" = "1" ]; then
|
||||
cp "$file1" "$file2"
|
||||
echo "Updated golden file: $file2"
|
||||
else
|
||||
run diff "$file1" "$file2"
|
||||
echo "$output"
|
||||
assert_files_equal "$file1" "$file2"
|
||||
fi
|
||||
|
||||
rm -f "$file1"
|
||||
run diff "$file1" "$file2"
|
||||
echo "$output"
|
||||
assert_files_equal "$file1" "$file2"
|
||||
}
|
||||
|
||||
@test "trivy repo with securityCheck secret only" {
|
||||
|
||||
Reference in New Issue
Block a user