feat(yaml): Add support for trivy.yaml (#143)

* feat(yaml): Add support for trivy.yaml

Signed-off-by: Simar <simar@linux.com>

* chore: fixing test using trivy v 0.30.0

* chore(deps): Update to use Trivy v0.30.2

Signed-off-by: Simar <simar@linux.com>

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>

.github/workflows/build.yaml

@@ -1,7 +1,8 @@
 name: "build"
 on: [push, pull_request]
 env:
-  TRIVY_VERSION: 0.29.1
+  TRIVY_VERSION: 0.30.2
+  BATS_LIB_PATH: '/usr/lib/'
 jobs:
   build:
     name: build
@@ -11,7 +12,7 @@ jobs:
       - name: Setup BATS
         uses: mig4/setup-bats@v1
         with:
-          bats-version: 1.2.1
+          bats-version: 1.7.0
 
       - name: Setup Bats libs
         uses: brokenpip3/setup-bats-libs@0.1.0
@@ -24,4 +25,4 @@ jobs:
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
 
       - name: Test
-        run: bats -r .
+        run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .

Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.29.1
+FROM ghcr.io/aquasecurity/trivy:0.30.2
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl
 RUN chmod +x /entrypoint.sh

README.md

@@ -19,7 +19,7 @@
 
 ## Usage
 
-### Workflow
+### Scan CI Pipeline
 
 ```yaml
 name: build
@@ -31,15 +31,13 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
-
       - name: Build an image from Dockerfile
         run: |
           docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
-
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
@@ -51,6 +49,68 @@ jobs:
           severity: 'CRITICAL,HIGH'
 ```
 
+### Scan CI Pipeline (w/ Trivy Config)
+
+```yaml
+name: build
+on:
+  push:
+    branches:
+    - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Run Trivy vulnerability scanner in repo mode
+      uses: aquasecurity/trivy-action@add-support-for-trivy-config
+      with:
+        scan-type: 'fs'
+        ignore-unfixed: true
+        trivy-config: ./trivy.yaml
+```
+
+In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
+```yaml
+format: json
+exit-code: 1
+severity: CRITICAL
+```
+
+It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes.
+
+### Scanning a Tarball
+```yaml
+name: build
+on:
+  push:
+    branches:
+    - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Generate tarball from image
+      run: |
+        docker pull <your-docker-image>
+        docker save -o vuln-image.tar <your-docker-image>
+        
+    - name: Run Trivy vulnerability scanner in tarball mode
+      uses: aquasecurity/trivy-action@master
+      with:
+        input: /github/workspace/vuln-image.tar
+        severity: 'CRITICAL,HIGH'
+```
+
 ### Using Trivy with GitHub Code Scanning
 If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
 ```yaml

action.yaml

@@ -85,6 +85,9 @@ inputs:
   github-pat:
     description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
     required: false
+  trivy-config:
+    description: 'path to trivy.yaml config'
+    required: false
 
 runs:
   using: 'docker'
@@ -111,3 +114,4 @@ runs:
     - '-s ${{ inputs.security-checks }}'
     - '-t ${{ inputs.trivyignores }}'
     - '-u ${{ inputs.github-pat }}'
+    - '-v ${{ inputs.trivy-config }}'

entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
    case "${o}" in
        a)
          export scanType=${OPTARG}
@@ -65,9 +65,13 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" o; do
        u)
          export githubPAT=${OPTARG}
        ;;
+       v)
+         export trivyConfig=${OPTARG}
+       ;;
   esac
 done
 
+
 scanType=$(echo $scanType | tr -d '\r')
 export artifactRef="${imageRef}"
 if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] ||  [ "${scanType}" = "config" ] ||  [ "${scanType}" = "rootfs" ];then
@@ -157,10 +161,17 @@ if [ "$skipFiles" ];then
   done
 fi
 
-echo "Running trivy with options: ${ARGS}" "${artifactRef}"
-echo "Global options: " "${GLOBAL_ARGS}"
-trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
-returnCode=$?
+trivyConfig=$(echo $trivyConfig | tr -d '\r')
+if [ $trivyConfig ]; then
+   echo "Running Trivy with trivy.yaml config from: " $trivyConfig
+   trivy --config $trivyConfig ${scanType} $ARGS ${artifactRef}
+   returnCode=$?
+else
+   echo "Running trivy with options: ${ARGS}" "${artifactRef}"
+   echo "Global options: " "${GLOBAL_ARGS}"
+   trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
+   returnCode=$?
+fi
 
 # SARIF is special. We output all vulnerabilities,
 # regardless of severity level specified in this report.

test/data/config-sarif.test

@@ -0,0 +1,77 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "fullName": "Trivy Vulnerability Scanner",
+          "informationUri": "https://github.com/aquasecurity/trivy",
+          "name": "Trivy",
+          "rules": [
+            {
+              "id": "DS002",
+              "name": "Misconfiguration",
+              "shortDescription": {
+                "text": "DS002"
+              },
+              "fullDescription": {
+                "text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/misconfig/ds002",
+              "help": {
+                "text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH\nCheck: Image user should not be 'root'\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
+                "markdown": "**Misconfiguration DS002**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\n\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "8.0",
+                "tags": [
+                  "misconfiguration",
+                  "security",
+                  "HIGH"
+                ]
+              }
+            }
+          ],
+          "version": "0.30.2"
+        }
+      },
+      "results": [
+        {
+          "ruleId": "DS002",
+          "ruleIndex": 0,
+          "level": "error",
+          "message": {
+            "text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS002\nSeverity: HIGH\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "Dockerfile",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1,
+                  "startColumn": 1,
+                  "endLine": 1,
+                  "endColumn": 1
+                }
+              }
+            }
+          ]
+        }
+      ],
+      "columnKind": "utf16CodeUnits",
+      "originalUriBaseIds": {
+        "ROOTPATH": {
+          "uri": "file:///"
+        }
+      }
+    }
+  ]
+}

test/data/fs.test

@@ -1,17 +0,0 @@
-{
-  "SchemaVersion": 2,
-  "ArtifactName": ".",
-  "ArtifactType": "filesystem",
-  "Metadata": {
-    "ImageConfig": {
-      "architecture": "",
-      "created": "0001-01-01T00:00:00Z",
-      "os": "",
-      "rootfs": {
-        "type": "",
-        "diff_ids": null
-      },
-      "config": {}
-    }
-  }
-}

test/data/image-sarif.test

@@ -1049,8 +1049,8 @@
               },
               "helpUri": "https://avd.aquasec.com/nvd/cve-2016-5385",
               "help": {
-                "text": "Vulnerability CVE-2016-5385\nSeverity: HIGH\nPackage: guzzlehttp/guzzle\nFixed Version: 6.2.1, 4.2.4, 5.3.1\nLink: [CVE-2016-5385](https://avd.aquasec.com/nvd/cve-2016-5385)\nPHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an \"httpoxy\" issue.",
-                "markdown": "**Vulnerability CVE-2016-5385**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|guzzlehttp/guzzle|6.2.1, 4.2.4, 5.3.1|[CVE-2016-5385](https://avd.aquasec.com/nvd/cve-2016-5385)|\n\nPHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an \"httpoxy\" issue."
+                "text": "Vulnerability CVE-2016-5385\nSeverity: HIGH\nPackage: guzzlehttp/guzzle\nFixed Version: 5.3.1, 6.2.1, 4.2.4\nLink: [CVE-2016-5385](https://avd.aquasec.com/nvd/cve-2016-5385)\nPHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an \"httpoxy\" issue.",
+                "markdown": "**Vulnerability CVE-2016-5385**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|guzzlehttp/guzzle|5.3.1, 6.2.1, 4.2.4|[CVE-2016-5385](https://avd.aquasec.com/nvd/cve-2016-5385)|\n\nPHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an \"httpoxy\" issue."
               },
               "properties": {
                 "precision": "very-high",
@@ -1150,23 +1150,23 @@
                 "text": "CVE-2022-31090"
               },
               "fullDescription": {
-                "text": "CURLOPT_HTTPAUTH option not cleared on change of origin"
+                "text": "Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl."
               },
               "defaultConfiguration": {
-                "level": "note"
+                "level": "error"
               },
               "helpUri": "https://avd.aquasec.com/nvd/cve-2022-31090",
               "help": {
-                "text": "Vulnerability CVE-2022-31090\nSeverity: UNKNOWN\nPackage: guzzlehttp/guzzle\nFixed Version: 6.5.8, 7.4.5\nLink: [CVE-2022-31090](https://avd.aquasec.com/nvd/cve-2022-31090)\n",
-                "markdown": "**Vulnerability CVE-2022-31090**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|UNKNOWN|guzzlehttp/guzzle|6.5.8, 7.4.5|[CVE-2022-31090](https://avd.aquasec.com/nvd/cve-2022-31090)|\n\n"
+                "text": "Vulnerability CVE-2022-31090\nSeverity: HIGH\nPackage: guzzlehttp/guzzle\nFixed Version: 7.4.5, 6.5.8\nLink: [CVE-2022-31090](https://avd.aquasec.com/nvd/cve-2022-31090)\nGuzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.",
+                "markdown": "**Vulnerability CVE-2022-31090**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|guzzlehttp/guzzle|7.4.5, 6.5.8|[CVE-2022-31090](https://avd.aquasec.com/nvd/cve-2022-31090)|\n\nGuzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl."
               },
               "properties": {
                 "precision": "very-high",
-                "security-severity": "0.0",
+                "security-severity": "8.0",
                 "tags": [
                   "vulnerability",
                   "security",
-                  "UNKNOWN"
+                  "HIGH"
                 ]
               }
             },
@@ -1177,23 +1177,23 @@
                 "text": "CVE-2022-31091"
               },
               "fullDescription": {
-                "text": "Change in port should be considered a change in origin"
+                "text": "Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together."
               },
               "defaultConfiguration": {
-                "level": "note"
+                "level": "error"
               },
               "helpUri": "https://avd.aquasec.com/nvd/cve-2022-31091",
               "help": {
-                "text": "Vulnerability CVE-2022-31091\nSeverity: UNKNOWN\nPackage: guzzlehttp/guzzle\nFixed Version: 7.4.5, 6.5.8\nLink: [CVE-2022-31091](https://avd.aquasec.com/nvd/cve-2022-31091)\n",
-                "markdown": "**Vulnerability CVE-2022-31091**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|UNKNOWN|guzzlehttp/guzzle|7.4.5, 6.5.8|[CVE-2022-31091](https://avd.aquasec.com/nvd/cve-2022-31091)|\n\n"
+                "text": "Vulnerability CVE-2022-31091\nSeverity: HIGH\nPackage: guzzlehttp/guzzle\nFixed Version: 7.4.5, 6.5.8\nLink: [CVE-2022-31091](https://avd.aquasec.com/nvd/cve-2022-31091)\nGuzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.",
+                "markdown": "**Vulnerability CVE-2022-31091**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|guzzlehttp/guzzle|7.4.5, 6.5.8|[CVE-2022-31091](https://avd.aquasec.com/nvd/cve-2022-31091)|\n\nGuzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together."
               },
               "properties": {
                 "precision": "very-high",
-                "security-severity": "0.0",
+                "security-severity": "8.0",
                 "tags": [
                   "vulnerability",
                   "security",
-                  "UNKNOWN"
+                  "HIGH"
                 ]
               }
             },
@@ -1468,7 +1468,7 @@
               }
             }
           ],
-          "version": "0.29.1"
+          "version": "0.29.2"
         }
       },
       "results": [
@@ -3013,7 +3013,7 @@
           "ruleIndex": 38,
           "level": "error",
           "message": {
-            "text": "Package: guzzlehttp/guzzle\nInstalled Version: 6.2.0\nVulnerability CVE-2016-5385\nSeverity: HIGH\nFixed Version: 6.2.1, 4.2.4, 5.3.1\nLink: [CVE-2016-5385](https://avd.aquasec.com/nvd/cve-2016-5385)"
+            "text": "Package: guzzlehttp/guzzle\nInstalled Version: 6.2.0\nVulnerability CVE-2016-5385\nSeverity: HIGH\nFixed Version: 5.3.1, 6.2.1, 4.2.4\nLink: [CVE-2016-5385](https://avd.aquasec.com/nvd/cve-2016-5385)"
           },
           "locations": [
             {
@@ -3107,9 +3107,9 @@
         {
           "ruleId": "CVE-2022-31090",
           "ruleIndex": 42,
-          "level": "note",
+          "level": "error",
           "message": {
-            "text": "Package: guzzlehttp/guzzle\nInstalled Version: 6.2.0\nVulnerability CVE-2022-31090\nSeverity: UNKNOWN\nFixed Version: 6.5.8, 7.4.5\nLink: [CVE-2022-31090](https://avd.aquasec.com/nvd/cve-2022-31090)"
+            "text": "Package: guzzlehttp/guzzle\nInstalled Version: 6.2.0\nVulnerability CVE-2022-31090\nSeverity: HIGH\nFixed Version: 7.4.5, 6.5.8\nLink: [CVE-2022-31090](https://avd.aquasec.com/nvd/cve-2022-31090)"
           },
           "locations": [
             {
@@ -3131,9 +3131,9 @@
         {
           "ruleId": "CVE-2022-31091",
           "ruleIndex": 43,
-          "level": "note",
+          "level": "error",
           "message": {
-            "text": "Package: guzzlehttp/guzzle\nInstalled Version: 6.2.0\nVulnerability CVE-2022-31091\nSeverity: UNKNOWN\nFixed Version: 7.4.5, 6.5.8\nLink: [CVE-2022-31091](https://avd.aquasec.com/nvd/cve-2022-31091)"
+            "text": "Package: guzzlehttp/guzzle\nInstalled Version: 6.2.0\nVulnerability CVE-2022-31091\nSeverity: HIGH\nFixed Version: 7.4.5, 6.5.8\nLink: [CVE-2022-31091](https://avd.aquasec.com/nvd/cve-2022-31091)"
           },
           "locations": [
             {

test/data/repo.test

@@ -26,7 +26,49 @@
           "Title": "GitHub Personal Access Token",
           "StartLine": 5,
           "EndLine": 5,
-          "Match": "export GITHUB_PAT=*****"
+          "Code": {
+            "Lines": [
+              {
+                "Number": 3,
+                "Content": "export AWS_ACCESS_KEY_ID=1234567",
+                "IsCause": false,
+                "Annotation": "",
+                "Truncated": false,
+                "Highlighted": "export AWS_ACCESS_KEY_ID=1234567",
+                "FirstCause": false,
+                "LastCause": false
+              },
+              {
+                "Number": 4,
+                "Content": "",
+                "IsCause": false,
+                "Annotation": "",
+                "Truncated": false,
+                "FirstCause": false,
+                "LastCause": false
+              },
+              {
+                "Number": 5,
+                "Content": "export GITHUB_PAT=****************************************",
+                "IsCause": true,
+                "Annotation": "",
+                "Truncated": false,
+                "Highlighted": "export GITHUB_PAT=****************************************",
+                "FirstCause": true,
+                "LastCause": true
+              },
+              {
+                "Number": 6,
+                "Content": "",
+                "IsCause": false,
+                "Annotation": "",
+                "Truncated": false,
+                "FirstCause": false,
+                "LastCause": false
+              }
+            ]
+          },
+          "Match": "export GITHUB_PAT=****************************************"
         }
       ]
     }

test/data/rootfs.test

@@ -1,17 +0,0 @@
-{
-  "SchemaVersion": 2,
-  "ArtifactName": ".",
-  "ArtifactType": "filesystem",
-  "Metadata": {
-    "ImageConfig": {
-      "architecture": "",
-      "created": "0001-01-01T00:00:00Z",
-      "os": "",
-      "rootfs": {
-        "type": "",
-        "diff_ids": null
-      },
-      "config": {}
-    }
-  }
-}

test/data/trivy.yaml

@@ -0,0 +1,2 @@
+format: json
+severity: CRITICAL

test/data/yamlconfig.test

@@ -0,0 +1,29 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": ".",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "Dockerfile",
+      "Class": "config",
+      "Type": "dockerfile",
+      "MisconfSummary": {
+        "Successes": 6,
+        "Failures": 0,
+        "Exceptions": 0
+      }
+    }
+  ]
+}

test/test.bats

@@ -1,61 +1,71 @@
 #!/usr/bin/env bats
-load '/usr/lib/bats-support/load.bash'
-load '/usr/lib/bats-assert/load.bash'
+bats_load_library bats-support
+bats_load_library bats-assert
+bats_load_library bats-file
 
-@test "trivy image" {
-  # trivy image --severity CRITICAL --format json --output image.test knqyf263/vuln-image:1.2.3
-  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b json' '-h image.test' '-g CRITICAL'
-  result="$(diff ./test/data/image.test image.test)"
-  [ "$result" == '' ]
+@test "trivy repo with securityCheck secret only" {
+  # trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
+  run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
+  run diff repo.test ./test/data/repo.test
+  echo "$output"
+  assert_files_equal repo.test ./test/data/repo.test
 }
 
-@test "trivy image sarif report" {
-  # trivy image --severity CRITICAL -f sarif --output image-sarif.test knqyf263/vuln-image:1.2.3
-  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b sarif' '-h image-sarif.test' '-g CRITICAL'
-  result="$(diff ./test/data/image-sarif.test image-sarif.test)"
-  [ "$result" == '' ]
+@test "trivy image" {
+  # trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
+  run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
+  run diff image.test ./test/data/image.test
+  echo "$output"
+  assert_files_equal image.test ./test/data/image.test
+}
+
+@test "trivy config sarif report" {
+  # trivy config --format sarif --output  config-sarif.test .
+  run ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.test' '-j .'
+  run diff config-sarif.test ./test/data/config-sarif.test
+  echo "$output"
+  assert_files_equal config-sarif.test ./test/data/config-sarif.test
 }
 
 @test "trivy config" {
   # trivy config --format json --output config.test .
-  ./entrypoint.sh '-a config' '-j .' '-b json' '-h config.test'
-  result="$(diff ./test/data/config.test config.test)"
-  [ "$result" == '' ]
+  run ./entrypoint.sh '-a config' '-b json' '-j .' '-h config.test'
+  run diff config.test ./test/data/config.test
+  echo "$output"
+  assert_files_equal config.test ./test/data/config.test
 }
 
 @test "trivy rootfs" {
-  # trivy rootfs --format json --output rootfs.test .
-  ./entrypoint.sh '-a rootfs' '-j .' '-b json' '-h rootfs.test'
-  result="$(diff ./test/data/rootfs.test rootfs.test)"
-  [ "$result" == '' ]
+  # trivy rootfs --output rootfs.test .
+  run ./entrypoint.sh '-a rootfs' '-j .' '-h rootfs.test'
+  run diff rootfs.test ./test/data/rootfs.test
+  echo "$output"
+  assert_files_equal rootfs.test ./test/data/rootfs.test
 }
 
 @test "trivy fs" {
-  # trivy fs --format json --output fs.test .
-  ./entrypoint.sh '-a fs' '-j .' '-b json' '-h fs.test'
-  result="$(diff ./test/data/fs.test fs.test)"
-  [ "$result" == '' ]
+  # trivy fs --output fs.test .
+  run ./entrypoint.sh '-a fs' '-j .' '-h fs.test'
+  run diff fs.test ./test/data/fs.test
+  echo "$output"
+  assert_files_equal fs.test ./test/data/fs.test
 }
 
 @test "trivy fs with securityChecks option" {
   # trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
-  ./entrypoint.sh '-a fs' '-j .' '-b json' '-s vuln,config,secret' '-h fs-scheck.test'
-  result="$(diff ./test/data/fs-scheck.test fs-scheck.test)"
-  [ "$result" == '' ]
+  run ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
+  run diff fs-scheck.test ./test/data/fs-scheck.test
+  echo "$output"
+  assert_files_equal fs-scheck.test ./test/data/fs-scheck.test
 }
 
-@test "trivy repo with securityCheck secret only" {
-  # trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
-  ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
-  result="$(diff ./test/data/repo.test repo.test)"
-  [ "$result" == '' ]
-}
 
 @test "trivy image with trivyIgnores option" {
-  # cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --format json --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
-  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b json' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
-  result="$(diff ./test/data/image-trivyignores.test image-trivyignores.test)"
-  [ "$result" == '' ]
+  # cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL  --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
+  run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
+  run diff image-trivyignores.test ./test/data/image-trivyignores.test
+  echo "$output"
+  assert_files_equal image-trivyignores.test ./test/data/image-trivyignores.test
 }
 
 @test "trivy image with sbom output" {
@@ -63,3 +73,11 @@ load '/usr/lib/bats-assert/load.bash'
   run ./entrypoint.sh  "-a image" "-b github" "-i knqyf263/vuln-image:1.2.3"
   assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' # TODO: Output contains time, need to mock
 }
+
+@test "trivy repo with trivy.yaml config" {
+  # trivy --config=./data/trivy.yaml fs --security-checks=config,secret --output=yamlconfig.test .
+  run ./entrypoint.sh "-a fs" "-j ." "-s config,secret" "-v ./test/data/trivy.yaml" "-h yamlconfig.test"
+  run diff yamlconfig.test ./test/data/yamlconfig.test
+  echo "$output"
+  assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
+}