Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
cff3e9a7f6 | ||
|
|
ab15891596 | ||
|
|
cacfd7a243 | ||
|
|
1e0bef4613 |
Vendored
+1
-1
@@ -1,7 +1,7 @@
|
||||
name: "build"
|
||||
on: [push, pull_request]
|
||||
env:
|
||||
TRIVY_VERSION: 0.34.0
|
||||
TRIVY_VERSION: 0.37.1
|
||||
BATS_LIB_PATH: '/usr/lib/'
|
||||
jobs:
|
||||
build:
|
||||
|
||||
+1
-1
@@ -1,4 +1,4 @@
|
||||
FROM ghcr.io/aquasecurity/trivy:0.34.0
|
||||
FROM ghcr.io/aquasecurity/trivy:0.37.1
|
||||
COPY entrypoint.sh /
|
||||
RUN apk --no-cache add bash curl npm
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
@@ -262,7 +262,7 @@ jobs:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
### Using Trivy to scan Infrastucture as Code
|
||||
### Using Trivy to scan Infrastructure as Code
|
||||
It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
|
||||
|
||||
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
|
||||
@@ -500,7 +500,9 @@ Following inputs can be used as `step.with` keys:
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `security-checks` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
|
||||
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
|
||||
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
|
||||
|
||||
@@ -88,6 +88,9 @@ inputs:
|
||||
trivy-config:
|
||||
description: 'path to trivy.yaml config'
|
||||
required: false
|
||||
limit-severities-for-sarif:
|
||||
description: 'limit severities for SARIF format'
|
||||
required: false
|
||||
|
||||
runs:
|
||||
using: 'docker'
|
||||
@@ -115,3 +118,4 @@ runs:
|
||||
- '-t ${{ inputs.trivyignores }}'
|
||||
- '-u ${{ inputs.github-pat }}'
|
||||
- '-v ${{ inputs.trivy-config }}'
|
||||
- '-z ${{ inputs.limit-severities-for-sarif }}'
|
||||
|
||||
+13
-10
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
|
||||
case "${o}" in
|
||||
a)
|
||||
export scanType=${OPTARG}
|
||||
@@ -68,6 +68,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
|
||||
v)
|
||||
export trivyConfig=${OPTARG}
|
||||
;;
|
||||
z)
|
||||
export limitSeveritiesForSARIF=${OPTARG}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
@@ -81,8 +84,10 @@ input=$(echo $input | tr -d '\r')
|
||||
if [ $input ]; then
|
||||
artifactRef="--input $input"
|
||||
fi
|
||||
#trim leading spaces for boolean params
|
||||
ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
|
||||
hideProgress=$(echo $hideProgress | tr -d '\r')
|
||||
limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')
|
||||
|
||||
GLOBAL_ARGS=""
|
||||
if [ $cacheDir ];then
|
||||
@@ -164,7 +169,13 @@ if [ "$skipFiles" ];then
|
||||
fi
|
||||
|
||||
trivyConfig=$(echo $trivyConfig | tr -d '\r')
|
||||
if [ $trivyConfig ]; then
|
||||
if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
|
||||
# SARIF is special. We output all vulnerabilities,
|
||||
# regardless of severity level specified in this report.
|
||||
# This is a feature, not a bug :)
|
||||
echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
|
||||
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
|
||||
elif [ $trivyConfig ]; then
|
||||
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
|
||||
trivy --config $trivyConfig ${scanType} ${artifactRef}
|
||||
returnCode=$?
|
||||
@@ -175,14 +186,6 @@ else
|
||||
returnCode=$?
|
||||
fi
|
||||
|
||||
# SARIF is special. We output all vulnerabilities,
|
||||
# regardless of severity level specified in this report.
|
||||
# This is a feature, not a bug :)
|
||||
if [[ "${format}" == "sarif" ]]; then
|
||||
echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
|
||||
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
|
||||
fi
|
||||
|
||||
if [[ "${format}" == "github" ]]; then
|
||||
if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
|
||||
printf "\n Uploading GitHub Dependency Snapshot"
|
||||
|
||||
@@ -35,9 +35,36 @@
|
||||
"HIGH"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "DS026",
|
||||
"name": "Misconfiguration",
|
||||
"shortDescription": {
|
||||
"text": "No HEALTHCHECK defined"
|
||||
},
|
||||
"fullDescription": {
|
||||
"text": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
|
||||
},
|
||||
"defaultConfiguration": {
|
||||
"level": "note"
|
||||
},
|
||||
"helpUri": "https://avd.aquasec.com/misconfig/ds026",
|
||||
"help": {
|
||||
"text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
|
||||
"markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
|
||||
},
|
||||
"properties": {
|
||||
"precision": "very-high",
|
||||
"security-severity": "2.0",
|
||||
"tags": [
|
||||
"misconfiguration",
|
||||
"security",
|
||||
"LOW"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"version": "0.34.0"
|
||||
"version": "0.37.1"
|
||||
}
|
||||
},
|
||||
"results": [
|
||||
@@ -67,6 +94,33 @@
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"ruleId": "DS026",
|
||||
"ruleIndex": 1,
|
||||
"level": "note",
|
||||
"message": {
|
||||
"text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
|
||||
},
|
||||
"locations": [
|
||||
{
|
||||
"physicalLocation": {
|
||||
"artifactLocation": {
|
||||
"uri": "Dockerfile",
|
||||
"uriBaseId": "ROOTPATH"
|
||||
},
|
||||
"region": {
|
||||
"startLine": 1,
|
||||
"startColumn": 1,
|
||||
"endLine": 1,
|
||||
"endColumn": 1
|
||||
}
|
||||
},
|
||||
"message": {
|
||||
"text": "Dockerfile"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"columnKind": "utf16CodeUnits",
|
||||
|
||||
+28
-2
@@ -20,8 +20,8 @@
|
||||
"Class": "config",
|
||||
"Type": "dockerfile",
|
||||
"MisconfSummary": {
|
||||
"Successes": 21,
|
||||
"Failures": 1,
|
||||
"Successes": 22,
|
||||
"Failures": 2,
|
||||
"Exceptions": 0
|
||||
},
|
||||
"Misconfigurations": [
|
||||
@@ -50,6 +50,32 @@
|
||||
"Lines": null
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Dockerfile Security Check",
|
||||
"ID": "DS026",
|
||||
"AVDID": "AVD-DS-0026",
|
||||
"Title": "No HEALTHCHECK defined",
|
||||
"Description": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
|
||||
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
|
||||
"Namespace": "builtin.dockerfile.DS026",
|
||||
"Query": "data.builtin.dockerfile.DS026.deny",
|
||||
"Resolution": "Add HEALTHCHECK instruction in Dockerfile",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
|
||||
"References": [
|
||||
"https://blog.aquasec.com/docker-security-best-practices",
|
||||
"https://avd.aquasec.com/misconfig/ds026"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Dockerfile",
|
||||
"Service": "general",
|
||||
"Code": {
|
||||
"Lines": null
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -20,8 +20,8 @@
|
||||
"Class": "config",
|
||||
"Type": "dockerfile",
|
||||
"MisconfSummary": {
|
||||
"Successes": 21,
|
||||
"Failures": 1,
|
||||
"Successes": 22,
|
||||
"Failures": 2,
|
||||
"Exceptions": 0
|
||||
},
|
||||
"Misconfigurations": [
|
||||
@@ -50,6 +50,32 @@
|
||||
"Lines": null
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Dockerfile Security Check",
|
||||
"ID": "DS026",
|
||||
"AVDID": "AVD-DS-0026",
|
||||
"Title": "No HEALTHCHECK defined",
|
||||
"Description": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
|
||||
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
|
||||
"Namespace": "builtin.dockerfile.DS026",
|
||||
"Query": "data.builtin.dockerfile.DS026.deny",
|
||||
"Resolution": "Add HEALTHCHECK instruction in Dockerfile",
|
||||
"Severity": "LOW",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
|
||||
"References": [
|
||||
"https://blog.aquasec.com/docker-security-best-practices",
|
||||
"https://avd.aquasec.com/misconfig/ds026"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Dockerfile",
|
||||
"Service": "general",
|
||||
"Code": {
|
||||
"Lines": null
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -37,7 +37,7 @@
|
||||
}
|
||||
}
|
||||
],
|
||||
"version": "0.34.0"
|
||||
"version": "0.37.1"
|
||||
}
|
||||
},
|
||||
"results": [
|
||||
|
||||
Reference in New Issue
Block a user