Compare commits
7 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
0cd397afbf | ||
|
|
b43daad0c3 | ||
|
|
dedfa59531 | ||
|
|
f96f79aa22 | ||
|
|
82ec0dd604 | ||
|
|
e5f43133f6 | ||
|
|
1a09192c0e |
2
.github/workflows/build.yaml
vendored
2
.github/workflows/build.yaml
vendored
@@ -1,7 +1,7 @@
|
||||
name: "build"
|
||||
on: [push, pull_request]
|
||||
env:
|
||||
TRIVY_VERSION: 0.38.1
|
||||
TRIVY_VERSION: 0.42.1
|
||||
BATS_LIB_PATH: '/usr/lib/'
|
||||
jobs:
|
||||
build:
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
FROM ghcr.io/aquasecurity/trivy:0.38.1
|
||||
FROM ghcr.io/aquasecurity/trivy:0.42.1
|
||||
COPY entrypoint.sh /
|
||||
RUN apk --no-cache add bash curl npm
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
67
README.md
67
README.md
@@ -299,11 +299,12 @@ jobs:
|
||||
```
|
||||
|
||||
### Using Trivy to generate SBOM
|
||||
It's possible for Trivy to generate an SBOM of your dependencies and submit them to a consumer like GitHub Dependency Snapshot.
|
||||
It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
|
||||
|
||||
The sending of SBOM to GitHub feature is only available if you currently have [GitHub Dependency Snapshot](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) available to you in your repo.
|
||||
The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository).
|
||||
|
||||
In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`):
|
||||
|
||||
In order to send results to the GitHub Dependency Snapshot, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
|
||||
```yaml
|
||||
---
|
||||
name: Pull Request
|
||||
@@ -311,7 +312,11 @@ on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
|
||||
## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Checks
|
||||
@@ -320,14 +325,14 @@ jobs:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
|
||||
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
format: 'github'
|
||||
output: 'dependency-results.sbom.json'
|
||||
image-ref: '.'
|
||||
github-pat: '<github_pat_token>'
|
||||
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
|
||||
```
|
||||
|
||||
### Using Trivy to scan your private registry
|
||||
@@ -478,31 +483,31 @@ jobs:
|
||||
|
||||
Following inputs can be used as `step.with` keys:
|
||||
|
||||
| Name | Type | Default | Description |
|
||||
|------------------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
|
||||
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | | Cache directory |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `true` | Suppress progress bar |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
| Name | Type | Default | Description |
|
||||
|-------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------|
|
||||
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
|
||||
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | | Cache directory |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `true` | Suppress progress bar |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
|
||||
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
|
||||
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
|
||||
|
||||
@@ -105,6 +105,7 @@ if [ $template ] ;then
|
||||
fi
|
||||
if [ $exitCode ];then
|
||||
ARGS="$ARGS --exit-code $exitCode"
|
||||
SARIF_ARGS="$SARIF_ARGS --exit-code $exitCode"
|
||||
fi
|
||||
if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
|
||||
ARGS="$ARGS --ignore-unfixed"
|
||||
@@ -169,6 +170,8 @@ if [ "$skipFiles" ];then
|
||||
fi
|
||||
|
||||
trivyConfig=$(echo $trivyConfig | tr -d '\r')
|
||||
# To make sure that uploda GitHub Dependency Snapshot succeeds, disable the script that fails first.
|
||||
set +e
|
||||
if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
|
||||
# SARIF is special. We output all vulnerabilities,
|
||||
# regardless of severity level specified in this report.
|
||||
@@ -177,7 +180,7 @@ if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; the
|
||||
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
|
||||
elif [ $trivyConfig ]; then
|
||||
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
|
||||
trivy --config $trivyConfig ${scanType} ${artifactRef}
|
||||
trivy --config $trivyConfig ${ARGS} ${scanType} ${artifactRef}
|
||||
returnCode=$?
|
||||
else
|
||||
echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
|
||||
@@ -186,6 +189,7 @@ else
|
||||
returnCode=$?
|
||||
fi
|
||||
|
||||
set -e
|
||||
if [[ "${format}" == "github" ]]; then
|
||||
if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
|
||||
printf "\n Uploading GitHub Dependency Snapshot"
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"version": "2.1.0",
|
||||
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
|
||||
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
|
||||
"runs": [
|
||||
{
|
||||
"tool": {
|
||||
@@ -43,15 +43,15 @@
|
||||
"text": "No HEALTHCHECK defined"
|
||||
},
|
||||
"fullDescription": {
|
||||
"text": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
|
||||
"text": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
|
||||
},
|
||||
"defaultConfiguration": {
|
||||
"level": "note"
|
||||
},
|
||||
"helpUri": "https://avd.aquasec.com/misconfig/ds026",
|
||||
"help": {
|
||||
"text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
|
||||
"markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
|
||||
"text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
|
||||
"markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
|
||||
},
|
||||
"properties": {
|
||||
"precision": "very-high",
|
||||
@@ -64,7 +64,7 @@
|
||||
}
|
||||
}
|
||||
],
|
||||
"version": "0.38.1"
|
||||
"version": "0.42.1"
|
||||
}
|
||||
},
|
||||
"results": [
|
||||
|
||||
@@ -20,7 +20,7 @@
|
||||
"Class": "config",
|
||||
"Type": "dockerfile",
|
||||
"MisconfSummary": {
|
||||
"Successes": 22,
|
||||
"Successes": 24,
|
||||
"Failures": 2,
|
||||
"Exceptions": 0
|
||||
},
|
||||
@@ -56,7 +56,7 @@
|
||||
"ID": "DS026",
|
||||
"AVDID": "AVD-DS-0026",
|
||||
"Title": "No HEALTHCHECK defined",
|
||||
"Description": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
|
||||
"Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
|
||||
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
|
||||
"Namespace": "builtin.dockerfile.DS026",
|
||||
"Query": "data.builtin.dockerfile.DS026.deny",
|
||||
|
||||
@@ -20,7 +20,7 @@
|
||||
"Class": "config",
|
||||
"Type": "dockerfile",
|
||||
"MisconfSummary": {
|
||||
"Successes": 22,
|
||||
"Successes": 24,
|
||||
"Failures": 2,
|
||||
"Exceptions": 0
|
||||
},
|
||||
@@ -56,7 +56,7 @@
|
||||
"ID": "DS026",
|
||||
"AVDID": "AVD-DS-0026",
|
||||
"Title": "No HEALTHCHECK defined",
|
||||
"Description": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
|
||||
"Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
|
||||
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
|
||||
"Namespace": "builtin.dockerfile.DS026",
|
||||
"Query": "data.builtin.dockerfile.DS026.deny",
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"version": "2.1.0",
|
||||
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
|
||||
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
|
||||
"runs": [
|
||||
{
|
||||
"tool": {
|
||||
@@ -37,7 +37,7 @@
|
||||
}
|
||||
}
|
||||
],
|
||||
"version": "0.38.1"
|
||||
"version": "0.42.1"
|
||||
}
|
||||
},
|
||||
"results": [
|
||||
|
||||
3
test/data/trivy-reduced.yaml
Normal file
3
test/data/trivy-reduced.yaml
Normal file
@@ -0,0 +1,3 @@
|
||||
vulnerability:
|
||||
type: os
|
||||
output: yamlconfig.test
|
||||
@@ -81,3 +81,11 @@ bats_load_library bats-file
|
||||
echo "$output"
|
||||
assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
|
||||
}
|
||||
|
||||
@test "trivy image with trivy.yaml config and args" {
|
||||
# trivy --config=./test/data/trivy-reduced.yaml image alpine:3.10
|
||||
run ./entrypoint.sh "-v ./test/data/trivy-reduced.yaml" "-a image" "-i alpine:3.10" "-b json" "-g CRITICAL"
|
||||
run diff yamlconfig.test ./test/data/yamlconfig.test
|
||||
echo "$output"
|
||||
assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user