feat: add exit-code parameter to sarif format (#213)

* chore(deps): update trivy to v0.42.0

* revert formatting

* revert formatting again

* update sarif version in tests

.github/workflows/build.yaml

@@ -1,7 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
-  TRIVY_VERSION: 0.37.2
+  TRIVY_VERSION: 0.42.0
   BATS_LIB_PATH: '/usr/lib/'
 jobs:
   build:

Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.37.2
+FROM ghcr.io/aquasecurity/trivy:0.42.0
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl npm
 RUN chmod +x /entrypoint.sh

README.md

@@ -299,11 +299,12 @@ jobs:
 ```
 
 ### Using Trivy to generate SBOM
-It's possible for Trivy to generate an SBOM of your dependencies and submit them to a consumer like GitHub Dependency Snapshot.
+It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
 
-The sending of SBOM to GitHub feature is only available if you currently have [GitHub Dependency Snapshot](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) available to you in your repo. 
+The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository). 
+
+In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`):
 
-In order to send results to the GitHub Dependency Snapshot, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
 ```yaml
 ---
 name: Pull Request
@@ -311,7 +312,11 @@ on:
   push:
     branches:
     - master
-  pull_request:
+
+## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
+permissions:
+  contents: write
+
 jobs:
   build:
     name: Checks
@@ -320,14 +325,14 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v3
 
-      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
+      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
         uses: aquasecurity/trivy-action@master
         with:
           scan-type: 'fs'
           format: 'github'
           output: 'dependency-results.sbom.json'
           image-ref: '.'
-          github-pat: '<github_pat_token>'
+          github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
 ```
 
 ### Using Trivy to scan your private registry
@@ -498,10 +503,10 @@ Following inputs can be used as `step.with` keys:
 | `ignore-policy`   | String  |                                    | Filter vulnerabilities with OPA rego language                                                   |
 | `hide-progress`   | String  | `true`                             | Suppress progress bar                                                                           |
 | `list-all-pkgs`   | String  |                                    | Output all packages regardless of vulnerability                                                 |
-| `security-checks` | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)               |
+| `scanners` | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)               |
 | `trivyignores`    | String  |                                    | comma-separated list of relative paths in repository to one or more `.trivyignore` files        |
 | `trivy-config`    | String  |                                    | Path to trivy.yaml config                                                                       |
-| `github-pat`      | String  |                                    | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
+| `github-pat`      | String  |                                    | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
 | `limit-severities-for-sarif`      | Boolean  | false                                   | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 
 [release]: https://github.com/aquasecurity/trivy-action/releases/latest

action.yaml

@@ -71,7 +71,7 @@ inputs:
     description: 'output all packages regardless of vulnerability'
     required: false
     default: 'false'
-  security-checks:
+  scanners:
     description: 'comma-separated list of what security issues to detect'
     required: false
     default: ''
@@ -114,7 +114,7 @@ runs:
     - '-p ${{ inputs.hide-progress }}'
     - '-q ${{ inputs.skip-files }}'
     - '-r ${{ inputs.list-all-pkgs }}'
-    - '-s ${{ inputs.security-checks }}'
+    - '-s ${{ inputs.scanners }}'
     - '-t ${{ inputs.trivyignores }}'
     - '-u ${{ inputs.github-pat }}'
     - '-v ${{ inputs.trivy-config }}'

entrypoint.sh

@@ -57,7 +57,7 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
          export listAllPkgs=${OPTARG}
        ;;
        s)
-         export securityChecks=${OPTARG}
+         export scanners=${OPTARG}
        ;;
        t)
          export trivyIgnores=${OPTARG}
@@ -105,6 +105,7 @@ if [ $template ] ;then
 fi
 if [ $exitCode ];then
  ARGS="$ARGS --exit-code $exitCode"
+ SARIF_ARGS="$SARIF_ARGS --exit-code $exitCode"
 fi
 if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
   ARGS="$ARGS --ignore-unfixed"
@@ -114,9 +115,9 @@ if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];the
   ARGS="$ARGS --vuln-type $vulnType"
   SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
 fi
-if [ $securityChecks ];then
-  ARGS="$ARGS --security-checks $securityChecks"
-  SARIF_ARGS="$SARIF_ARGS --security-checks $securityChecks"
+if [ $scanners ];then
+  ARGS="$ARGS --scanners $scanners"
+  SARIF_ARGS="$SARIF_ARGS --scanners $scanners"
 fi
 if [ $severity ];then
   ARGS="$ARGS --severity $severity"
@@ -169,6 +170,8 @@ if [ "$skipFiles" ];then
 fi
 
 trivyConfig=$(echo $trivyConfig | tr -d '\r')
+# To make sure that uploda GitHub Dependency Snapshot succeeds, disable the script that fails first.
+set +e
 if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
   # SARIF is special. We output all vulnerabilities,
   # regardless of severity level specified in this report.
@@ -177,7 +180,7 @@ if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; the
   trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
 elif [ $trivyConfig ]; then
    echo "Running Trivy with trivy.yaml config from: " $trivyConfig
-   trivy --config $trivyConfig ${scanType} ${artifactRef}
+   trivy --config $trivyConfig ${ARGS} ${scanType} ${artifactRef}
    returnCode=$?
 else
    echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
@@ -186,6 +189,7 @@ else
    returnCode=$?
 fi
 
+set -e
 if [[ "${format}" == "github" ]]; then
   if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
     printf "\n Uploading GitHub Dependency Snapshot"

test/data/config-sarif.test

@@ -1,6 +1,6 @@
 {
   "version": "2.1.0",
-  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
   "runs": [
     {
       "tool": {
@@ -43,15 +43,15 @@
                 "text": "No HEALTHCHECK defined"
               },
               "fullDescription": {
-                "text": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
+                "text": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
               },
               "defaultConfiguration": {
                 "level": "note"
               },
               "helpUri": "https://avd.aquasec.com/misconfig/ds026",
               "help": {
-                "text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
-                "markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
+                "text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
+                "markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
               },
               "properties": {
                 "precision": "very-high",
@@ -64,7 +64,7 @@
               }
             }
           ],
-          "version": "0.37.2"
+          "version": "0.42.0"
         }
       },
       "results": [

test/data/config.test

@@ -20,7 +20,7 @@
       "Class": "config",
       "Type": "dockerfile",
       "MisconfSummary": {
-        "Successes": 22,
+        "Successes": 24,
         "Failures": 2,
         "Exceptions": 0
       },
@@ -56,7 +56,7 @@
           "ID": "DS026",
           "AVDID": "AVD-DS-0026",
           "Title": "No HEALTHCHECK defined",
-          "Description": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
+          "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
           "Message": "Add HEALTHCHECK instruction in your Dockerfile",
           "Namespace": "builtin.dockerfile.DS026",
           "Query": "data.builtin.dockerfile.DS026.deny",

test/data/fs-scheck.test

@@ -20,7 +20,7 @@
       "Class": "config",
       "Type": "dockerfile",
       "MisconfSummary": {
-        "Successes": 22,
+        "Successes": 24,
         "Failures": 2,
         "Exceptions": 0
       },
@@ -56,7 +56,7 @@
           "ID": "DS026",
           "AVDID": "AVD-DS-0026",
           "Title": "No HEALTHCHECK defined",
-          "Description": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
+          "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
           "Message": "Add HEALTHCHECK instruction in your Dockerfile",
           "Namespace": "builtin.dockerfile.DS026",
           "Query": "data.builtin.dockerfile.DS026.deny",

test/data/image-sarif.test

@@ -1,6 +1,6 @@
 {
   "version": "2.1.0",
-  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
   "runs": [
     {
       "tool": {
@@ -37,7 +37,7 @@
               }
             }
           ],
-          "version": "0.37.2"
+          "version": "0.42.0"
         }
       },
       "results": [

test/data/trivy-reduced.yaml

@@ -0,0 +1,3 @@
+vulnerability:
+  type: os
+output: yamlconfig.test

test/test.bats

@@ -4,7 +4,7 @@ bats_load_library bats-assert
 bats_load_library bats-file
 
 @test "trivy repo with securityCheck secret only" {
-  # trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
+  # trivy repo --format json --output repo.test --scanners=secret https://github.com/krol3/demo-trivy/
   run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
   run diff repo.test ./test/data/repo.test
   echo "$output"
@@ -52,7 +52,7 @@ bats_load_library bats-file
 }
 
 @test "trivy fs with securityChecks option" {
-  # trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
+  # trivy fs --format json --scanners=vuln,config --output fs-scheck.test .
   run ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
   run diff fs-scheck.test ./test/data/fs-scheck.test
   echo "$output"
@@ -81,3 +81,11 @@ bats_load_library bats-file
   echo "$output"
   assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
 }
+
+@test "trivy image with trivy.yaml config and args" {
+  # trivy --config=./test/data/trivy-reduced.yaml image alpine:3.10
+  run ./entrypoint.sh "-v ./test/data/trivy-reduced.yaml" "-a image" "-i alpine:3.10" "-b json" "-g CRITICAL"
+  run diff yamlconfig.test ./test/data/yamlconfig.test
+  echo "$output"
+  assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
+}