Compare commits
19 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
0cd397afbf | ||
|
|
b43daad0c3 | ||
|
|
dedfa59531 | ||
|
|
f96f79aa22 | ||
|
|
82ec0dd604 | ||
|
|
e5f43133f6 | ||
|
|
1a09192c0e | ||
|
|
1f0aa582c8 | ||
|
|
43849adf01 | ||
|
|
8bd2f9fbda | ||
|
|
cff3e9a7f6 | ||
|
|
ab15891596 | ||
|
|
cacfd7a243 | ||
|
|
1e0bef4613 | ||
|
|
9ab158e859 | ||
|
|
e55de85bee | ||
|
|
d63413b0a4 | ||
|
|
1db49f5326 | ||
|
|
12814ff8bc |
2
.github/workflows/build.yaml
vendored
2
.github/workflows/build.yaml
vendored
@@ -1,7 +1,7 @@
|
||||
name: "build"
|
||||
on: [push, pull_request]
|
||||
env:
|
||||
TRIVY_VERSION: 0.30.4
|
||||
TRIVY_VERSION: 0.42.1
|
||||
BATS_LIB_PATH: '/usr/lib/'
|
||||
jobs:
|
||||
build:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
FROM ghcr.io/aquasecurity/trivy:0.30.4
|
||||
FROM ghcr.io/aquasecurity/trivy:0.42.1
|
||||
COPY entrypoint.sh /
|
||||
RUN apk --no-cache add bash curl
|
||||
RUN apk --no-cache add bash curl npm
|
||||
RUN chmod +x /entrypoint.sh
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
||||
|
||||
28
README.md
28
README.md
@@ -262,7 +262,7 @@ jobs:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
### Using Trivy to scan Infrastucture as Code
|
||||
### Using Trivy to scan Infrastructure as Code
|
||||
It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
|
||||
|
||||
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
|
||||
@@ -286,7 +286,8 @@ jobs:
|
||||
with:
|
||||
scan-type: 'config'
|
||||
hide-progress: false
|
||||
format: 'table'
|
||||
format: 'sarif'
|
||||
output: 'trivy-results.sarif'
|
||||
exit-code: '1'
|
||||
ignore-unfixed: true
|
||||
severity: 'CRITICAL,HIGH'
|
||||
@@ -298,11 +299,12 @@ jobs:
|
||||
```
|
||||
|
||||
### Using Trivy to generate SBOM
|
||||
It's possible for Trivy to generate an SBOM of your dependencies and submit them to a consumer like GitHub Dependency Snapshot.
|
||||
It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
|
||||
|
||||
The sending of SBOM to GitHub feature is only available if you currently have [GitHub Dependency Snapshot](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) available to you in your repo.
|
||||
The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository).
|
||||
|
||||
In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`):
|
||||
|
||||
In order to send results to the GitHub Dependency Snapshot, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
|
||||
```yaml
|
||||
---
|
||||
name: Pull Request
|
||||
@@ -310,7 +312,11 @@ on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
|
||||
## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Checks
|
||||
@@ -319,14 +325,14 @@ jobs:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
|
||||
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
format: 'github'
|
||||
output: 'dependency-results.sbom.json'
|
||||
image-ref: '.'
|
||||
github-pat: '<github_pat_token>'
|
||||
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
|
||||
```
|
||||
|
||||
### Using Trivy to scan your private registry
|
||||
@@ -497,9 +503,11 @@ Following inputs can be used as `step.with` keys:
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `true` | Suppress progress bar |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `security-checks` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `github-pat` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
|
||||
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
|
||||
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
|
||||
|
||||
@@ -71,7 +71,7 @@ inputs:
|
||||
description: 'output all packages regardless of vulnerability'
|
||||
required: false
|
||||
default: 'false'
|
||||
security-checks:
|
||||
scanners:
|
||||
description: 'comma-separated list of what security issues to detect'
|
||||
required: false
|
||||
default: ''
|
||||
@@ -88,6 +88,9 @@ inputs:
|
||||
trivy-config:
|
||||
description: 'path to trivy.yaml config'
|
||||
required: false
|
||||
limit-severities-for-sarif:
|
||||
description: 'limit severities for SARIF format'
|
||||
required: false
|
||||
|
||||
runs:
|
||||
using: 'docker'
|
||||
@@ -111,7 +114,8 @@ runs:
|
||||
- '-p ${{ inputs.hide-progress }}'
|
||||
- '-q ${{ inputs.skip-files }}'
|
||||
- '-r ${{ inputs.list-all-pkgs }}'
|
||||
- '-s ${{ inputs.security-checks }}'
|
||||
- '-s ${{ inputs.scanners }}'
|
||||
- '-t ${{ inputs.trivyignores }}'
|
||||
- '-u ${{ inputs.github-pat }}'
|
||||
- '-v ${{ inputs.trivy-config }}'
|
||||
- '-z ${{ inputs.limit-severities-for-sarif }}'
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
|
||||
case "${o}" in
|
||||
a)
|
||||
export scanType=${OPTARG}
|
||||
@@ -57,7 +57,7 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
|
||||
export listAllPkgs=${OPTARG}
|
||||
;;
|
||||
s)
|
||||
export securityChecks=${OPTARG}
|
||||
export scanners=${OPTARG}
|
||||
;;
|
||||
t)
|
||||
export trivyIgnores=${OPTARG}
|
||||
@@ -68,6 +68,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
|
||||
v)
|
||||
export trivyConfig=${OPTARG}
|
||||
;;
|
||||
z)
|
||||
export limitSeveritiesForSARIF=${OPTARG}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
@@ -81,8 +84,10 @@ input=$(echo $input | tr -d '\r')
|
||||
if [ $input ]; then
|
||||
artifactRef="--input $input"
|
||||
fi
|
||||
#trim leading spaces for boolean params
|
||||
ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
|
||||
hideProgress=$(echo $hideProgress | tr -d '\r')
|
||||
limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')
|
||||
|
||||
GLOBAL_ARGS=""
|
||||
if [ $cacheDir ];then
|
||||
@@ -100,6 +105,7 @@ if [ $template ] ;then
|
||||
fi
|
||||
if [ $exitCode ];then
|
||||
ARGS="$ARGS --exit-code $exitCode"
|
||||
SARIF_ARGS="$SARIF_ARGS --exit-code $exitCode"
|
||||
fi
|
||||
if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
|
||||
ARGS="$ARGS --ignore-unfixed"
|
||||
@@ -109,9 +115,9 @@ if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];the
|
||||
ARGS="$ARGS --vuln-type $vulnType"
|
||||
SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
|
||||
fi
|
||||
if [ $securityChecks ];then
|
||||
ARGS="$ARGS --security-checks $securityChecks"
|
||||
SARIF_ARGS="$SARIF_ARGS --security-checks $securityChecks"
|
||||
if [ $scanners ];then
|
||||
ARGS="$ARGS --scanners $scanners"
|
||||
SARIF_ARGS="$SARIF_ARGS --scanners $scanners"
|
||||
fi
|
||||
if [ $severity ];then
|
||||
ARGS="$ARGS --severity $severity"
|
||||
@@ -164,9 +170,17 @@ if [ "$skipFiles" ];then
|
||||
fi
|
||||
|
||||
trivyConfig=$(echo $trivyConfig | tr -d '\r')
|
||||
if [ $trivyConfig ]; then
|
||||
# To make sure that uploda GitHub Dependency Snapshot succeeds, disable the script that fails first.
|
||||
set +e
|
||||
if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
|
||||
# SARIF is special. We output all vulnerabilities,
|
||||
# regardless of severity level specified in this report.
|
||||
# This is a feature, not a bug :)
|
||||
echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
|
||||
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
|
||||
elif [ $trivyConfig ]; then
|
||||
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
|
||||
trivy --config $trivyConfig ${scanType} ${artifactRef}
|
||||
trivy --config $trivyConfig ${ARGS} ${scanType} ${artifactRef}
|
||||
returnCode=$?
|
||||
else
|
||||
echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
|
||||
@@ -175,18 +189,11 @@ else
|
||||
returnCode=$?
|
||||
fi
|
||||
|
||||
# SARIF is special. We output all vulnerabilities,
|
||||
# regardless of severity level specified in this report.
|
||||
# This is a feature, not a bug :)
|
||||
if [[ "${format}" == "sarif" ]]; then
|
||||
echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
|
||||
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
|
||||
fi
|
||||
|
||||
set -e
|
||||
if [[ "${format}" == "github" ]]; then
|
||||
if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
|
||||
printf "\n Uploading GitHub Dependency Snapshot"
|
||||
curl -u "${githubPAT}" -H 'Content-Type: application/json' 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
|
||||
curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubPAT" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
|
||||
else
|
||||
printf "\n Failing GitHub Dependency Snapshot. Missing github-pat"
|
||||
fi
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"version": "2.1.0",
|
||||
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
|
||||
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
|
||||
"runs": [
|
||||
{
|
||||
"tool": {
|
||||
@@ -13,7 +13,7 @@
|
||||
"id": "DS002",
|
||||
"name": "Misconfiguration",
|
||||
"shortDescription": {
|
||||
"text": "DS002"
|
||||
"text": "Image user should not be \u0026#39;root\u0026#39;"
|
||||
},
|
||||
"fullDescription": {
|
||||
"text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
|
||||
@@ -35,9 +35,36 @@
|
||||
"HIGH"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "DS026",
|
||||
"name": "Misconfiguration",
|
||||
"shortDescription": {
|
||||
"text": "No HEALTHCHECK defined"
|
||||
},
|
||||
"fullDescription": {
|
||||
"text": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
|
||||
},
|
||||
"defaultConfiguration": {
|
||||
"level": "note"
|
||||
},
|
||||
"helpUri": "https://avd.aquasec.com/misconfig/ds026",
|
||||
"help": {
|
||||
"text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
|
||||
"markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
|
||||
},
|
||||
"properties": {
|
||||
"precision": "very-high",
|
||||
"security-severity": "2.0",
|
||||
"tags": [
|
||||
"misconfiguration",
|
||||
"security",
|
||||
"LOW"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"version": "0.30.4"
|
||||
"version": "0.42.1"
|
||||
}
|
||||
},
|
||||
"results": [
|
||||
@@ -61,6 +88,36 @@
|
||||
"endLine": 1,
|
||||
"endColumn": 1
|
||||
}
|
||||
},
|
||||
"message": {
|
||||
"text": "Dockerfile"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"ruleId": "DS026",
|
||||
"ruleIndex": 1,
|
||||
"level": "note",
|
||||
"message": {
|
||||
"text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
|
||||
},
|
||||
"locations": [
|
||||
{
|
||||
"physicalLocation": {
|
||||
"artifactLocation": {
|
||||
"uri": "Dockerfile",
|
||||
"uriBaseId": "ROOTPATH"
|
||||
},
|
||||
"region": {
|
||||
"startLine": 1,
|
||||
"startColumn": 1,
|
||||
"endLine": 1,
|
||||
"endColumn": 1
|
||||
}
|
||||
},
|
||||
"message": {
|
||||
"text": "Dockerfile"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
||||
@@ -20,14 +20,15 @@
|
||||
"Class": "config",
|
||||
"Type": "dockerfile",
|
||||
"MisconfSummary": {
|
||||
"Successes": 21,
|
||||
"Failures": 1,
|
||||
"Successes": 24,
|
||||
"Failures": 2,
|
||||
"Exceptions": 0
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
"Type": "Dockerfile Security Check",
|
||||
"ID": "DS002",
|
||||
"AVDID": "AVD-DS-0002",
|
||||
"Title": "Image user should not be 'root'",
|
||||
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
|
||||
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
|
||||
@@ -49,6 +50,32 @@
|
||||
"Lines": null
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Dockerfile Security Check",
|
||||
"ID": "DS026",
|
||||
"AVDID": "AVD-DS-0026",
|
||||
"Title": "No HEALTHCHECK defined",
|
||||
"Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
|
||||
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
|
||||
"Namespace": "builtin.dockerfile.DS026",
|
||||
"Query": "data.builtin.dockerfile.DS026.deny",
|
||||
"Resolution": "Add HEALTHCHECK instruction in Dockerfile",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
|
||||
"References": [
|
||||
"https://blog.aquasec.com/docker-security-best-practices",
|
||||
"https://avd.aquasec.com/misconfig/ds026"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Dockerfile",
|
||||
"Service": "general",
|
||||
"Code": {
|
||||
"Lines": null
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -20,14 +20,15 @@
|
||||
"Class": "config",
|
||||
"Type": "dockerfile",
|
||||
"MisconfSummary": {
|
||||
"Successes": 21,
|
||||
"Failures": 1,
|
||||
"Successes": 24,
|
||||
"Failures": 2,
|
||||
"Exceptions": 0
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
"Type": "Dockerfile Security Check",
|
||||
"ID": "DS002",
|
||||
"AVDID": "AVD-DS-0002",
|
||||
"Title": "Image user should not be 'root'",
|
||||
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
|
||||
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
|
||||
@@ -49,6 +50,32 @@
|
||||
"Lines": null
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Dockerfile Security Check",
|
||||
"ID": "DS026",
|
||||
"AVDID": "AVD-DS-0026",
|
||||
"Title": "No HEALTHCHECK defined",
|
||||
"Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
|
||||
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
|
||||
"Namespace": "builtin.dockerfile.DS026",
|
||||
"Query": "data.builtin.dockerfile.DS026.deny",
|
||||
"Resolution": "Add HEALTHCHECK instruction in Dockerfile",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
|
||||
"References": [
|
||||
"https://blog.aquasec.com/docker-security-best-practices",
|
||||
"https://avd.aquasec.com/misconfig/ds026"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Dockerfile",
|
||||
"Service": "general",
|
||||
"Code": {
|
||||
"Lines": null
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"version": "2.1.0",
|
||||
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
|
||||
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
|
||||
"runs": [
|
||||
{
|
||||
"tool": {
|
||||
@@ -37,7 +37,7 @@
|
||||
}
|
||||
}
|
||||
],
|
||||
"version": "0.30.4"
|
||||
"version": "0.42.1"
|
||||
}
|
||||
},
|
||||
"results": [
|
||||
|
||||
@@ -8,8 +8,8 @@ Total: 19 (CRITICAL: 19)
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ curl │ CVE-2018-16839 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2018-16839 │ │ │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
|
||||
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
|
||||
@@ -20,8 +20,8 @@ Total: 19 (CRITICAL: 19)
|
||||
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
|
||||
│ │ │ │ │ │ formatting │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ curl │ CVE-2019-3822 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-3822 │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
|
||||
@@ -32,15 +32,15 @@ Total: 19 (CRITICAL: 19)
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ git │ CVE-2018-17456 │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ git │ CVE-2019-1353 │ CRITICAL │ 2.15.2-r0 │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-1353 │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
|
||||
│ │ │ │ │ │ Windows Subsystem for... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libbz2 │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libbz2 │ CVE-2019-12900 │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2018-16839 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2018-16839 │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
|
||||
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
|
||||
@@ -51,8 +51,8 @@ Total: 19 (CRITICAL: 19)
|
||||
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
|
||||
│ │ │ │ │ │ formatting │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2019-3822 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-3822 │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
|
||||
@@ -60,27 +60,30 @@ Total: 19 (CRITICAL: 19)
|
||||
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-5482 │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ musl │ CVE-2019-14697 │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
|
||||
│ │ │ │ │ │ adjustment im ...... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
|
||||
├─────────────┤ │ │ │ │ │
|
||||
│ musl-utils │ │ │ │ │ │
|
||||
│ │ │ │ │ │ │
|
||||
│ │ │ │ │ │ │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ sqlite-libs │ CVE-2019-8457 │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
|
||||
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
|
||||
|
||||
rust-app/Cargo.lock (cargo)
|
||||
===========================
|
||||
Total: 1 (CRITICAL: 1)
|
||||
Total: 2 (CRITICAL: 2)
|
||||
|
||||
┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
|
||||
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
|
||||
├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
|
||||
│ smallvec │ CVE-2021-25900 │ CRITICAL │ 0.6.9 │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
|
||||
│ openssl │ CVE-2018-20997 │ CRITICAL │ 0.8.3 │ 0.10.9 │ Use after free in openssl │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20997 │
|
||||
├──────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
|
||||
│ smallvec │ CVE-2021-25900 │ │ 0.6.9 │ 1.6.1, 0.6.14 │ An issue was discovered in the smallvec crate before 0.6.14 │
|
||||
│ │ │ │ │ │ and 1.x... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
|
||||
└──────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
|
||||
|
||||
@@ -8,8 +8,8 @@ Total: 19 (CRITICAL: 19)
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ curl │ CVE-2018-16839 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2018-16839 │ │ │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
|
||||
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
|
||||
@@ -20,8 +20,8 @@ Total: 19 (CRITICAL: 19)
|
||||
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
|
||||
│ │ │ │ │ │ formatting │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ curl │ CVE-2019-3822 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-3822 │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
|
||||
@@ -32,15 +32,15 @@ Total: 19 (CRITICAL: 19)
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ git │ CVE-2018-17456 │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ git │ CVE-2019-1353 │ CRITICAL │ 2.15.2-r0 │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-1353 │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
|
||||
│ │ │ │ │ │ Windows Subsystem for... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libbz2 │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libbz2 │ CVE-2019-12900 │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2018-16839 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2018-16839 │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
|
||||
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
|
||||
@@ -51,8 +51,8 @@ Total: 19 (CRITICAL: 19)
|
||||
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
|
||||
│ │ │ │ │ │ formatting │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2019-3822 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-3822 │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
|
||||
@@ -60,27 +60,30 @@ Total: 19 (CRITICAL: 19)
|
||||
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-5482 │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ musl │ CVE-2019-14697 │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
|
||||
│ │ │ │ │ │ adjustment im ...... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
|
||||
├─────────────┤ │ │ │ │ │
|
||||
│ musl-utils │ │ │ │ │ │
|
||||
│ │ │ │ │ │ │
|
||||
│ │ │ │ │ │ │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ sqlite-libs │ CVE-2019-8457 │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
|
||||
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
|
||||
|
||||
rust-app/Cargo.lock (cargo)
|
||||
===========================
|
||||
Total: 4 (CRITICAL: 4)
|
||||
Total: 5 (CRITICAL: 5)
|
||||
|
||||
┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
|
||||
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
|
||||
├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
|
||||
│ rand_core │ CVE-2020-25576 │ CRITICAL │ 0.4.0 │ 0.3.1, 0.4.2 │ An issue was discovered in the rand_core crate before 0.4.2 │
|
||||
│ openssl │ CVE-2018-20997 │ CRITICAL │ 0.8.3 │ 0.10.9 │ Use after free in openssl │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20997 │
|
||||
├───────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
|
||||
│ rand_core │ CVE-2020-25576 │ │ 0.4.0 │ 0.3.1, 0.4.2 │ An issue was discovered in the rand_core crate before 0.4.2 │
|
||||
│ │ │ │ │ │ for Rust.... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-25576 │
|
||||
├───────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
|
||||
@@ -92,7 +95,7 @@ Total: 4 (CRITICAL: 4)
|
||||
│ │ │ │ │ │ for Rust.... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15554 │
|
||||
│ ├────────────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2021-25900 │ │ │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
|
||||
│ │ CVE-2021-25900 │ │ │ 1.6.1, 0.6.14 │ An issue was discovered in the smallvec crate before 0.6.14 │
|
||||
│ │ │ │ │ │ and 1.x... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
|
||||
└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
|
||||
|
||||
@@ -68,7 +68,8 @@
|
||||
}
|
||||
]
|
||||
},
|
||||
"Match": "export GITHUB_PAT=****************************************"
|
||||
"Match": "export GITHUB_PAT=****************************************",
|
||||
"Layer": {}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
3
test/data/trivy-reduced.yaml
Normal file
3
test/data/trivy-reduced.yaml
Normal file
@@ -0,0 +1,3 @@
|
||||
vulnerability:
|
||||
type: os
|
||||
output: yamlconfig.test
|
||||
@@ -60,6 +60,7 @@
|
||||
"Vulnerabilities": [
|
||||
{
|
||||
"VulnerabilityID": "CVE-2021-36159",
|
||||
"PkgID": "apk-tools@2.10.6-r0",
|
||||
"PkgName": "apk-tools",
|
||||
"InstalledVersion": "2.10.6-r0",
|
||||
"FixedVersion": "2.10.7-r0",
|
||||
|
||||
@@ -4,7 +4,7 @@ bats_load_library bats-assert
|
||||
bats_load_library bats-file
|
||||
|
||||
@test "trivy repo with securityCheck secret only" {
|
||||
# trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
|
||||
# trivy repo --format json --output repo.test --scanners=secret https://github.com/krol3/demo-trivy/
|
||||
run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
|
||||
run diff repo.test ./test/data/repo.test
|
||||
echo "$output"
|
||||
@@ -52,7 +52,7 @@ bats_load_library bats-file
|
||||
}
|
||||
|
||||
@test "trivy fs with securityChecks option" {
|
||||
# trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
|
||||
# trivy fs --format json --scanners=vuln,config --output fs-scheck.test .
|
||||
run ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
|
||||
run diff fs-scheck.test ./test/data/fs-scheck.test
|
||||
echo "$output"
|
||||
@@ -81,3 +81,11 @@ bats_load_library bats-file
|
||||
echo "$output"
|
||||
assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
|
||||
}
|
||||
|
||||
@test "trivy image with trivy.yaml config and args" {
|
||||
# trivy --config=./test/data/trivy-reduced.yaml image alpine:3.10
|
||||
run ./entrypoint.sh "-v ./test/data/trivy-reduced.yaml" "-a image" "-i alpine:3.10" "-b json" "-g CRITICAL"
|
||||
run diff yamlconfig.test ./test/data/yamlconfig.test
|
||||
echo "$output"
|
||||
assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
|
||||
}
|
||||
|
||||
@@ -7,7 +7,7 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
Reference in New Issue
Block a user