Update Dockerfile

.gitignore

@@ -2,4 +2,3 @@
 *.test
 !test/data/*.test
 trivyignores
-.vscode/

Makefile

@@ -1,4 +0,0 @@
-.PHONY: test
-
-test:
-	BATS_LIB_PATH=/usr/local/lib/ bats -r .

README.md

@@ -64,14 +64,14 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2
 
-    - name: Run Trivy vulnerability scanner in fs mode
-      uses: aquasecurity/trivy-action@master
+    - name: Run Trivy vulnerability scanner in repo mode
+      uses: aquasecurity/trivy-action@add-support-for-trivy-config
       with:
         scan-type: 'fs'
-        scan-ref: '.'
-        trivy-config: trivy.yaml
+        ignore-unfixed: true
+        trivy-config: ./trivy.yaml
 ```
 
 In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
@@ -81,17 +81,7 @@ exit-code: 1
 severity: CRITICAL
 ```
 
-It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
-- `scan-ref`: If using `fs, repo` scans.
-- `image-ref`: If using `image` scan.
-- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.
-
-#### Order of prerference for options
-Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:
-- GitHub Action flag
-- Environment variable
-- Config file
-- Default
+It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes.
 
 ### Scanning a Tarball
 ```yaml
@@ -107,7 +97,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2
 
     - name: Generate tarball from image
       run: |
@@ -133,10 +123,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Build an image from Dockerfile
         run: |
@@ -168,10 +158,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Build an image from Dockerfile
         run: |
@@ -207,10 +197,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@master
@@ -241,10 +231,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner with rootfs command
         uses: aquasecurity/trivy-action@master
@@ -276,10 +266,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner in IaC mode
         uses: aquasecurity/trivy-action@master
@@ -345,10 +335,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
@@ -381,10 +371,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
@@ -417,10 +407,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
@@ -450,10 +440,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master

entrypoint.sh

@@ -111,7 +111,6 @@ if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];the
 fi
 if [ $securityChecks ];then
   ARGS="$ARGS --security-checks $securityChecks"
-  SARIF_ARGS="$SARIF_ARGS --security-checks $securityChecks"
 fi
 if [ $severity ];then
   ARGS="$ARGS --severity $severity"
@@ -142,7 +141,6 @@ if [ $trivyIgnores ];then
 fi
 if [ $timeout ];then
   ARGS="$ARGS --timeout $timeout"
-  SARIF_ARGS="$SARIF_ARGS --timeout $timeout"
 fi
 if [ $ignorePolicy ];then
   ARGS="$ARGS --ignore-policy $ignorePolicy"
@@ -166,12 +164,12 @@ fi
 trivyConfig=$(echo $trivyConfig | tr -d '\r')
 if [ $trivyConfig ]; then
    echo "Running Trivy with trivy.yaml config from: " $trivyConfig
-   trivy --config $trivyConfig ${scanType} ${artifactRef}
+   trivy --config $trivyConfig ${scanType} $ARGS ${artifactRef}
    returnCode=$?
 else
-   echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
+   echo "Running trivy with options: ${ARGS}" "${artifactRef}"
    echo "Global options: " "${GLOBAL_ARGS}"
-   trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
+   trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
    returnCode=$?
 fi
 
@@ -183,13 +181,9 @@ if [[ "${format}" == "sarif" ]]; then
   trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
 fi
 
-if [[ "${format}" == "github" ]]; then
-  if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
-    printf "\n Uploading GitHub Dependency Snapshot"
-    curl -u "${githubPAT}" -H 'Content-Type: application/json' 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
-  else
-    printf "\n Failing GitHub Dependency Snapshot. Missing github-pat"
-  fi
+if [[ "${format}" == "github" ]] && [[ "$(echo $githubPAT | xargs)" != "" ]]; then
+  echo "Uploading GitHub Dependency Snapshot"
+  curl -u "${githubPAT}" -H 'Content-Type: application/json' 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
 fi
 
 exit $returnCode

test/data/trivy.yaml

@@ -1,5 +1,2 @@
 format: json
-severity: CRITICAL
-vulnerability:
-  type: os
-output: yamlconfig.test
+severity: CRITICAL

test/data/yamlconfig.test

@@ -1,104 +1,29 @@
 {
   "SchemaVersion": 2,
-  "ArtifactName": "alpine:3.10",
-  "ArtifactType": "container_image",
+  "ArtifactName": ".",
+  "ArtifactType": "filesystem",
   "Metadata": {
-    "OS": {
-      "Family": "alpine",
-      "Name": "3.10.9",
-      "EOSL": true
-    },
-    "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
-    "DiffIDs": [
-      "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
-    ],
-    "RepoTags": [
-      "alpine:3.10"
-    ],
-    "RepoDigests": [
-      "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
-    ],
     "ImageConfig": {
-      "architecture": "amd64",
-      "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
-      "created": "2021-04-14T19:20:05.338397761Z",
-      "docker_version": "19.03.12",
-      "history": [
-        {
-          "created": "2021-04-14T19:20:04.987219124Z",
-          "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
-        },
-        {
-          "created": "2021-04-14T19:20:05.338397761Z",
-          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
-          "empty_layer": true
-        }
-      ],
-      "os": "linux",
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
       "rootfs": {
-        "type": "layers",
-        "diff_ids": [
-          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
-        ]
+        "type": "",
+        "diff_ids": null
       },
-      "config": {
-        "Cmd": [
-          "/bin/sh"
-        ],
-        "Env": [
-          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-        ],
-        "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
-      }
+      "config": {}
     }
   },
   "Results": [
     {
-      "Target": "alpine:3.10 (alpine 3.10.9)",
-      "Class": "os-pkgs",
-      "Type": "alpine",
-      "Vulnerabilities": [
-        {
-          "VulnerabilityID": "CVE-2021-36159",
-          "PkgName": "apk-tools",
-          "InstalledVersion": "2.10.6-r0",
-          "FixedVersion": "2.10.7-r0",
-          "Layer": {
-            "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
-            "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
-          "DataSource": {
-            "ID": "alpine",
-            "Name": "Alpine Secdb",
-            "URL": "https://secdb.alpinelinux.org/"
-          },
-          "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
-          "Severity": "CRITICAL",
-          "CweIDs": [
-            "CWE-125"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
-              "V2Score": 6.4,
-              "V3Score": 9.1
-            }
-          },
-          "References": [
-            "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
-            "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
-            "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
-            "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
-            "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
-            "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
-          ],
-          "PublishedDate": "2021-08-03T14:15:00Z",
-          "LastModifiedDate": "2021-10-18T12:19:00Z"
-        }
-      ]
+      "Target": "Dockerfile",
+      "Class": "config",
+      "Type": "dockerfile",
+      "MisconfSummary": {
+        "Successes": 6,
+        "Failures": 0,
+        "Exceptions": 0
+      }
     }
   ]
 }

test/test.bats

@@ -74,10 +74,10 @@ bats_load_library bats-file
   assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' # TODO: Output contains time, need to mock
 }
 
-@test "trivy image with trivy.yaml config" {
-  # trivy --config=./test/data/trivy.yaml image alpine:3.10
-  run ./entrypoint.sh "-v ./test/data/trivy.yaml" "-a image" "-i alpine:3.10"
+@test "trivy repo with trivy.yaml config" {
+  # trivy --config=./data/trivy.yaml fs --security-checks=config,secret --output=yamlconfig.test .
+  run ./entrypoint.sh "-a fs" "-j ." "-s config,secret" "-v ./test/data/trivy.yaml" "-h yamlconfig.test"
   run diff yamlconfig.test ./test/data/yamlconfig.test
   echo "$output"
   assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
-}
+}