docs(trivy): Add instructions to scan tarballs.

Signed-off-by: Simar <simar@linux.com>

.github/workflows/build.yaml

@@ -1,8 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
-  TRIVY_VERSION: 0.30.4
-  BATS_LIB_PATH: '/usr/lib/'
+  TRIVY_VERSION: 0.29.1
 jobs:
   build:
     name: build
@@ -12,7 +11,7 @@ jobs:
       - name: Setup BATS
         uses: mig4/setup-bats@v1
         with:
-          bats-version: 1.7.0
+          bats-version: 1.2.1
 
       - name: Setup Bats libs
         uses: brokenpip3/setup-bats-libs@0.1.0
@@ -25,4 +24,4 @@ jobs:
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
 
       - name: Test
-        run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .
+        run: bats -r .

.gitignore

@@ -2,4 +2,3 @@
 *.test
 !test/data/*.test
 trivyignores
-.vscode/

Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.30.4
+FROM ghcr.io/aquasecurity/trivy:0.29.1
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl
 RUN chmod +x /entrypoint.sh

Makefile

@@ -1,4 +0,0 @@
-.PHONY: test
-
-test:
-	BATS_LIB_PATH=/usr/local/lib/ bats -r .

README.md

@@ -19,7 +19,7 @@
 
 ## Usage
 
-### Scan CI Pipeline
+### Workflow
 
 ```yaml
 name: build
@@ -31,13 +31,15 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
+
       - name: Build an image from Dockerfile
         run: |
           docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
@@ -49,49 +51,6 @@ jobs:
           severity: 'CRITICAL,HIGH'
 ```
 
-### Scan CI Pipeline (w/ Trivy Config)
-
-```yaml
-name: build
-on:
-  push:
-    branches:
-    - master
-  pull_request:
-jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-20.04
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Run Trivy vulnerability scanner in fs mode
-      uses: aquasecurity/trivy-action@master
-      with:
-        scan-type: 'fs'
-        scan-ref: '.'
-        trivy-config: trivy.yaml
-```
-
-In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
-```yaml
-format: json
-exit-code: 1
-severity: CRITICAL
-```
-
-It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
-- `scan-ref`: If using `fs, repo` scans.
-- `image-ref`: If using `image` scan.
-- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.
-
-#### Order of prerference for options
-Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:
-- GitHub Action flag
-- Environment variable
-- Config file
-- Default
 
 ### Scanning a Tarball
 ```yaml
@@ -107,7 +66,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2
 
     - name: Generate tarball from image
       run: |
@@ -133,10 +92,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Build an image from Dockerfile
         run: |
@@ -168,10 +127,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Build an image from Dockerfile
         run: |
@@ -207,10 +166,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@master
@@ -241,10 +200,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner with rootfs command
         uses: aquasecurity/trivy-action@master
@@ -276,10 +235,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner in IaC mode
         uses: aquasecurity/trivy-action@master
@@ -345,10 +304,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
@@ -381,10 +340,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
@@ -417,10 +376,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
@@ -450,10 +409,10 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master

action.yaml

@@ -85,9 +85,6 @@ inputs:
   github-pat:
     description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
     required: false
-  trivy-config:
-    description: 'path to trivy.yaml config'
-    required: false
 
 runs:
   using: 'docker'
@@ -114,4 +111,3 @@ runs:
     - '-s ${{ inputs.security-checks }}'
     - '-t ${{ inputs.trivyignores }}'
     - '-u ${{ inputs.github-pat }}'
-    - '-v ${{ inputs.trivy-config }}'

entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" o; do
    case "${o}" in
        a)
          export scanType=${OPTARG}
@@ -65,13 +65,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
        u)
          export githubPAT=${OPTARG}
        ;;
-       v)
-         export trivyConfig=${OPTARG}
-       ;;
   esac
 done
 
-
 scanType=$(echo $scanType | tr -d '\r')
 export artifactRef="${imageRef}"
 if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] ||  [ "${scanType}" = "config" ] ||  [ "${scanType}" = "rootfs" ];then
@@ -111,7 +107,6 @@ if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];the
 fi
 if [ $securityChecks ];then
   ARGS="$ARGS --security-checks $securityChecks"
-  SARIF_ARGS="$SARIF_ARGS --security-checks $securityChecks"
 fi
 if [ $severity ];then
   ARGS="$ARGS --severity $severity"
@@ -142,7 +137,6 @@ if [ $trivyIgnores ];then
 fi
 if [ $timeout ];then
   ARGS="$ARGS --timeout $timeout"
-  SARIF_ARGS="$SARIF_ARGS --timeout $timeout"
 fi
 if [ $ignorePolicy ];then
   ARGS="$ARGS --ignore-policy $ignorePolicy"
@@ -163,17 +157,10 @@ if [ "$skipFiles" ];then
   done
 fi
 
-trivyConfig=$(echo $trivyConfig | tr -d '\r')
-if [ $trivyConfig ]; then
-   echo "Running Trivy with trivy.yaml config from: " $trivyConfig
-   trivy --config $trivyConfig ${scanType} ${artifactRef}
-   returnCode=$?
-else
-   echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
-   echo "Global options: " "${GLOBAL_ARGS}"
-   trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
-   returnCode=$?
-fi
+echo "Running trivy with options: ${ARGS}" "${artifactRef}"
+echo "Global options: " "${GLOBAL_ARGS}"
+trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
+returnCode=$?
 
 # SARIF is special. We output all vulnerabilities,
 # regardless of severity level specified in this report.
@@ -183,13 +170,9 @@ if [[ "${format}" == "sarif" ]]; then
   trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
 fi
 
-if [[ "${format}" == "github" ]]; then
-  if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
-    printf "\n Uploading GitHub Dependency Snapshot"
-    curl -u "${githubPAT}" -H 'Content-Type: application/json' 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
-  else
-    printf "\n Failing GitHub Dependency Snapshot. Missing github-pat"
-  fi
+if [[ "${format}" == "github" ]] && [[ "$(echo $githubPAT | xargs)" != "" ]]; then
+  echo "Uploading GitHub Dependency Snapshot"
+  curl -u "${githubPAT}" -H 'Content-Type: application/json' 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
 fi
 
 exit $returnCode

test/data/config-sarif.test

@@ -1,77 +0,0 @@
-{
-  "version": "2.1.0",
-  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "fullName": "Trivy Vulnerability Scanner",
-          "informationUri": "https://github.com/aquasecurity/trivy",
-          "name": "Trivy",
-          "rules": [
-            {
-              "id": "DS002",
-              "name": "Misconfiguration",
-              "shortDescription": {
-                "text": "DS002"
-              },
-              "fullDescription": {
-                "text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
-              },
-              "defaultConfiguration": {
-                "level": "error"
-              },
-              "helpUri": "https://avd.aquasec.com/misconfig/ds002",
-              "help": {
-                "text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH\nCheck: Image user should not be 'root'\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
-                "markdown": "**Misconfiguration DS002**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\n\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
-              },
-              "properties": {
-                "precision": "very-high",
-                "security-severity": "8.0",
-                "tags": [
-                  "misconfiguration",
-                  "security",
-                  "HIGH"
-                ]
-              }
-            }
-          ],
-          "version": "0.30.4"
-        }
-      },
-      "results": [
-        {
-          "ruleId": "DS002",
-          "ruleIndex": 0,
-          "level": "error",
-          "message": {
-            "text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS002\nSeverity: HIGH\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)"
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "Dockerfile",
-                  "uriBaseId": "ROOTPATH"
-                },
-                "region": {
-                  "startLine": 1,
-                  "startColumn": 1,
-                  "endLine": 1,
-                  "endColumn": 1
-                }
-              }
-            }
-          ]
-        }
-      ],
-      "columnKind": "utf16CodeUnits",
-      "originalUriBaseIds": {
-        "ROOTPATH": {
-          "uri": "file:///"
-        }
-      }
-    }
-  ]
-}

test/data/fs.test

@@ -0,0 +1,17 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": ".",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  }
+}

test/data/repo.test

@@ -26,49 +26,7 @@
           "Title": "GitHub Personal Access Token",
           "StartLine": 5,
           "EndLine": 5,
-          "Code": {
-            "Lines": [
-              {
-                "Number": 3,
-                "Content": "export AWS_ACCESS_KEY_ID=1234567",
-                "IsCause": false,
-                "Annotation": "",
-                "Truncated": false,
-                "Highlighted": "export AWS_ACCESS_KEY_ID=1234567",
-                "FirstCause": false,
-                "LastCause": false
-              },
-              {
-                "Number": 4,
-                "Content": "",
-                "IsCause": false,
-                "Annotation": "",
-                "Truncated": false,
-                "FirstCause": false,
-                "LastCause": false
-              },
-              {
-                "Number": 5,
-                "Content": "export GITHUB_PAT=****************************************",
-                "IsCause": true,
-                "Annotation": "",
-                "Truncated": false,
-                "Highlighted": "export GITHUB_PAT=****************************************",
-                "FirstCause": true,
-                "LastCause": true
-              },
-              {
-                "Number": 6,
-                "Content": "",
-                "IsCause": false,
-                "Annotation": "",
-                "Truncated": false,
-                "FirstCause": false,
-                "LastCause": false
-              }
-            ]
-          },
-          "Match": "export GITHUB_PAT=****************************************"
+          "Match": "export GITHUB_PAT=*****"
         }
       ]
     }

test/data/rootfs.test

@@ -0,0 +1,17 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": ".",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  }
+}

test/data/trivy.yaml

@@ -1,5 +0,0 @@
-format: json
-severity: CRITICAL
-vulnerability:
-  type: os
-output: yamlconfig.test

test/data/yamlconfig.test

@@ -1,104 +0,0 @@
-{
-  "SchemaVersion": 2,
-  "ArtifactName": "alpine:3.10",
-  "ArtifactType": "container_image",
-  "Metadata": {
-    "OS": {
-      "Family": "alpine",
-      "Name": "3.10.9",
-      "EOSL": true
-    },
-    "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
-    "DiffIDs": [
-      "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
-    ],
-    "RepoTags": [
-      "alpine:3.10"
-    ],
-    "RepoDigests": [
-      "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
-    ],
-    "ImageConfig": {
-      "architecture": "amd64",
-      "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
-      "created": "2021-04-14T19:20:05.338397761Z",
-      "docker_version": "19.03.12",
-      "history": [
-        {
-          "created": "2021-04-14T19:20:04.987219124Z",
-          "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
-        },
-        {
-          "created": "2021-04-14T19:20:05.338397761Z",
-          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
-          "empty_layer": true
-        }
-      ],
-      "os": "linux",
-      "rootfs": {
-        "type": "layers",
-        "diff_ids": [
-          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
-        ]
-      },
-      "config": {
-        "Cmd": [
-          "/bin/sh"
-        ],
-        "Env": [
-          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-        ],
-        "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
-      }
-    }
-  },
-  "Results": [
-    {
-      "Target": "alpine:3.10 (alpine 3.10.9)",
-      "Class": "os-pkgs",
-      "Type": "alpine",
-      "Vulnerabilities": [
-        {
-          "VulnerabilityID": "CVE-2021-36159",
-          "PkgName": "apk-tools",
-          "InstalledVersion": "2.10.6-r0",
-          "FixedVersion": "2.10.7-r0",
-          "Layer": {
-            "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
-            "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
-          "DataSource": {
-            "ID": "alpine",
-            "Name": "Alpine Secdb",
-            "URL": "https://secdb.alpinelinux.org/"
-          },
-          "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
-          "Severity": "CRITICAL",
-          "CweIDs": [
-            "CWE-125"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
-              "V2Score": 6.4,
-              "V3Score": 9.1
-            }
-          },
-          "References": [
-            "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
-            "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
-            "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
-            "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
-            "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
-            "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
-          ],
-          "PublishedDate": "2021-08-03T14:15:00Z",
-          "LastModifiedDate": "2021-10-18T12:19:00Z"
-        }
-      ]
-    }
-  ]
-}

test/test.bats

@@ -1,71 +1,61 @@
 #!/usr/bin/env bats
-bats_load_library bats-support
-bats_load_library bats-assert
-bats_load_library bats-file
-
-@test "trivy repo with securityCheck secret only" {
-  # trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
-  run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
-  run diff repo.test ./test/data/repo.test
-  echo "$output"
-  assert_files_equal repo.test ./test/data/repo.test
-}
+load '/usr/lib/bats-support/load.bash'
+load '/usr/lib/bats-assert/load.bash'
 
 @test "trivy image" {
-  # trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
-  run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
-  run diff image.test ./test/data/image.test
-  echo "$output"
-  assert_files_equal image.test ./test/data/image.test
+  # trivy image --severity CRITICAL --format json --output image.test knqyf263/vuln-image:1.2.3
+  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b json' '-h image.test' '-g CRITICAL'
+  result="$(diff ./test/data/image.test image.test)"
+  [ "$result" == '' ]
 }
 
-@test "trivy config sarif report" {
-  # trivy config --format sarif --output  config-sarif.test .
-  run ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.test' '-j .'
-  run diff config-sarif.test ./test/data/config-sarif.test
-  echo "$output"
-  assert_files_equal config-sarif.test ./test/data/config-sarif.test
+@test "trivy image sarif report" {
+  # trivy image --severity CRITICAL -f sarif --output image-sarif.test knqyf263/vuln-image:1.2.3
+  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b sarif' '-h image-sarif.test' '-g CRITICAL'
+  result="$(diff ./test/data/image-sarif.test image-sarif.test)"
+  [ "$result" == '' ]
 }
 
 @test "trivy config" {
   # trivy config --format json --output config.test .
-  run ./entrypoint.sh '-a config' '-b json' '-j .' '-h config.test'
-  run diff config.test ./test/data/config.test
-  echo "$output"
-  assert_files_equal config.test ./test/data/config.test
+  ./entrypoint.sh '-a config' '-j .' '-b json' '-h config.test'
+  result="$(diff ./test/data/config.test config.test)"
+  [ "$result" == '' ]
 }
 
 @test "trivy rootfs" {
-  # trivy rootfs --output rootfs.test .
-  run ./entrypoint.sh '-a rootfs' '-j .' '-h rootfs.test'
-  run diff rootfs.test ./test/data/rootfs.test
-  echo "$output"
-  assert_files_equal rootfs.test ./test/data/rootfs.test
+  # trivy rootfs --format json --output rootfs.test .
+  ./entrypoint.sh '-a rootfs' '-j .' '-b json' '-h rootfs.test'
+  result="$(diff ./test/data/rootfs.test rootfs.test)"
+  [ "$result" == '' ]
 }
 
 @test "trivy fs" {
-  # trivy fs --output fs.test .
-  run ./entrypoint.sh '-a fs' '-j .' '-h fs.test'
-  run diff fs.test ./test/data/fs.test
-  echo "$output"
-  assert_files_equal fs.test ./test/data/fs.test
+  # trivy fs --format json --output fs.test .
+  ./entrypoint.sh '-a fs' '-j .' '-b json' '-h fs.test'
+  result="$(diff ./test/data/fs.test fs.test)"
+  [ "$result" == '' ]
 }
 
 @test "trivy fs with securityChecks option" {
   # trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
-  run ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
-  run diff fs-scheck.test ./test/data/fs-scheck.test
-  echo "$output"
-  assert_files_equal fs-scheck.test ./test/data/fs-scheck.test
+  ./entrypoint.sh '-a fs' '-j .' '-b json' '-s vuln,config,secret' '-h fs-scheck.test'
+  result="$(diff ./test/data/fs-scheck.test fs-scheck.test)"
+  [ "$result" == '' ]
 }
 
+@test "trivy repo with securityCheck secret only" {
+  # trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
+  ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
+  result="$(diff ./test/data/repo.test repo.test)"
+  [ "$result" == '' ]
+}
 
 @test "trivy image with trivyIgnores option" {
-  # cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL  --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
-  run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
-  run diff image-trivyignores.test ./test/data/image-trivyignores.test
-  echo "$output"
-  assert_files_equal image-trivyignores.test ./test/data/image-trivyignores.test
+  # cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --format json --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
+  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b json' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
+  result="$(diff ./test/data/image-trivyignores.test image-trivyignores.test)"
+  [ "$result" == '' ]
 }
 
 @test "trivy image with sbom output" {
@@ -73,11 +63,3 @@ bats_load_library bats-file
   run ./entrypoint.sh  "-a image" "-b github" "-i knqyf263/vuln-image:1.2.3"
   assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' # TODO: Output contains time, need to mock
 }
-
-@test "trivy image with trivy.yaml config" {
-  # trivy --config=./test/data/trivy.yaml image alpine:3.10
-  run ./entrypoint.sh "-v ./test/data/trivy.yaml" "-a image" "-i alpine:3.10"
-  run diff yamlconfig.test ./test/data/yamlconfig.test
-  echo "$output"
-  assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
-}