Revert "Include args when using trivy config file (#231)"

Fixes: https://github.com/aquasecurity/trivy-action/issues/238

This reverts commit 82ec0dd604.

.github/workflows/build.yaml

@@ -1,7 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
-  TRIVY_VERSION: 0.34.0
+  TRIVY_VERSION: 0.42.1
   BATS_LIB_PATH: '/usr/lib/'
 jobs:
   build:

Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.34.0
+FROM ghcr.io/aquasecurity/trivy:0.42.1
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl npm
 RUN chmod +x /entrypoint.sh

README.md

@@ -299,11 +299,12 @@ jobs:
 ```
 
 ### Using Trivy to generate SBOM
-It's possible for Trivy to generate an SBOM of your dependencies and submit them to a consumer like GitHub Dependency Snapshot.
+It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
 
-The sending of SBOM to GitHub feature is only available if you currently have [GitHub Dependency Snapshot](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) available to you in your repo. 
+The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository). 
+
+In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`):
 
-In order to send results to the GitHub Dependency Snapshot, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
 ```yaml
 ---
 name: Pull Request
@@ -311,7 +312,11 @@ on:
   push:
     branches:
     - master
-  pull_request:
+
+## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
+permissions:
+  contents: write
+
 jobs:
   build:
     name: Checks
@@ -320,14 +325,14 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v3
 
-      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
+      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
         uses: aquasecurity/trivy-action@master
         with:
           scan-type: 'fs'
           format: 'github'
           output: 'dependency-results.sbom.json'
           image-ref: '.'
-          github-pat: '<github_pat_token>'
+          github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
 ```
 
 ### Using Trivy to scan your private registry
@@ -498,10 +503,10 @@ Following inputs can be used as `step.with` keys:
 | `ignore-policy`   | String  |                                    | Filter vulnerabilities with OPA rego language                                                   |
 | `hide-progress`   | String  | `true`                             | Suppress progress bar                                                                           |
 | `list-all-pkgs`   | String  |                                    | Output all packages regardless of vulnerability                                                 |
-| `security-checks` | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)               |
+| `scanners` | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)               |
 | `trivyignores`    | String  |                                    | comma-separated list of relative paths in repository to one or more `.trivyignore` files        |
 | `trivy-config`    | String  |                                    | Path to trivy.yaml config                                                                       |
-| `github-pat`      | String  |                                    | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
+| `github-pat`      | String  |                                    | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
 | `limit-severities-for-sarif`      | Boolean  | false                                   | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 
 [release]: https://github.com/aquasecurity/trivy-action/releases/latest

action.yaml

@@ -71,7 +71,7 @@ inputs:
     description: 'output all packages regardless of vulnerability'
     required: false
     default: 'false'
-  security-checks:
+  scanners:
     description: 'comma-separated list of what security issues to detect'
     required: false
     default: ''
@@ -114,7 +114,7 @@ runs:
     - '-p ${{ inputs.hide-progress }}'
     - '-q ${{ inputs.skip-files }}'
     - '-r ${{ inputs.list-all-pkgs }}'
-    - '-s ${{ inputs.security-checks }}'
+    - '-s ${{ inputs.scanners }}'
     - '-t ${{ inputs.trivyignores }}'
     - '-u ${{ inputs.github-pat }}'
     - '-v ${{ inputs.trivy-config }}'

entrypoint.sh

@@ -57,7 +57,7 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
          export listAllPkgs=${OPTARG}
        ;;
        s)
-         export securityChecks=${OPTARG}
+         export scanners=${OPTARG}
        ;;
        t)
          export trivyIgnores=${OPTARG}
@@ -105,6 +105,7 @@ if [ $template ] ;then
 fi
 if [ $exitCode ];then
  ARGS="$ARGS --exit-code $exitCode"
+ SARIF_ARGS="$SARIF_ARGS --exit-code $exitCode"
 fi
 if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
   ARGS="$ARGS --ignore-unfixed"
@@ -114,9 +115,9 @@ if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];the
   ARGS="$ARGS --vuln-type $vulnType"
   SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
 fi
-if [ $securityChecks ];then
-  ARGS="$ARGS --security-checks $securityChecks"
-  SARIF_ARGS="$SARIF_ARGS --security-checks $securityChecks"
+if [ $scanners ];then
+  ARGS="$ARGS --scanners $scanners"
+  SARIF_ARGS="$SARIF_ARGS --scanners $scanners"
 fi
 if [ $severity ];then
   ARGS="$ARGS --severity $severity"
@@ -169,6 +170,8 @@ if [ "$skipFiles" ];then
 fi
 
 trivyConfig=$(echo $trivyConfig | tr -d '\r')
+# To make sure that uploda GitHub Dependency Snapshot succeeds, disable the script that fails first.
+set +e
 if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
   # SARIF is special. We output all vulnerabilities,
   # regardless of severity level specified in this report.
@@ -186,6 +189,7 @@ else
    returnCode=$?
 fi
 
+set -e
 if [[ "${format}" == "github" ]]; then
   if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
     printf "\n Uploading GitHub Dependency Snapshot"

test/data/config-sarif.test

@@ -1,6 +1,6 @@
 {
   "version": "2.1.0",
-  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
   "runs": [
     {
       "tool": {
@@ -35,9 +35,36 @@
                   "HIGH"
                 ]
               }
+            },
+            {
+              "id": "DS026",
+              "name": "Misconfiguration",
+              "shortDescription": {
+                "text": "No HEALTHCHECK defined"
+              },
+              "fullDescription": {
+                "text": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
+              },
+              "defaultConfiguration": {
+                "level": "note"
+              },
+              "helpUri": "https://avd.aquasec.com/misconfig/ds026",
+              "help": {
+                "text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
+                "markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "2.0",
+                "tags": [
+                  "misconfiguration",
+                  "security",
+                  "LOW"
+                ]
+              }
             }
           ],
-          "version": "0.34.0"
+          "version": "0.42.1"
         }
       },
       "results": [
@@ -67,6 +94,33 @@
               }
             }
           ]
+        },
+        {
+          "ruleId": "DS026",
+          "ruleIndex": 1,
+          "level": "note",
+          "message": {
+            "text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "Dockerfile",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1,
+                  "startColumn": 1,
+                  "endLine": 1,
+                  "endColumn": 1
+                }
+              },
+              "message": {
+                "text": "Dockerfile"
+              }
+            }
+          ]
         }
       ],
       "columnKind": "utf16CodeUnits",

test/data/config.test

@@ -20,8 +20,8 @@
       "Class": "config",
       "Type": "dockerfile",
       "MisconfSummary": {
-        "Successes": 21,
-        "Failures": 1,
+        "Successes": 24,
+        "Failures": 2,
         "Exceptions": 0
       },
       "Misconfigurations": [
@@ -50,6 +50,32 @@
               "Lines": null
             }
           }
+        },
+        {
+          "Type": "Dockerfile Security Check",
+          "ID": "DS026",
+          "AVDID": "AVD-DS-0026",
+          "Title": "No HEALTHCHECK defined",
+          "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
+          "Message": "Add HEALTHCHECK instruction in your Dockerfile",
+          "Namespace": "builtin.dockerfile.DS026",
+          "Query": "data.builtin.dockerfile.DS026.deny",
+          "Resolution": "Add HEALTHCHECK instruction in Dockerfile",
+          "Severity": "LOW",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
+          "References": [
+            "https://blog.aquasec.com/docker-security-best-practices",
+            "https://avd.aquasec.com/misconfig/ds026"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Dockerfile",
+            "Service": "general",
+            "Code": {
+              "Lines": null
+            }
+          }
         }
       ]
     }

test/data/fs-scheck.test

@@ -20,8 +20,8 @@
       "Class": "config",
       "Type": "dockerfile",
       "MisconfSummary": {
-        "Successes": 21,
-        "Failures": 1,
+        "Successes": 24,
+        "Failures": 2,
         "Exceptions": 0
       },
       "Misconfigurations": [
@@ -50,6 +50,32 @@
               "Lines": null
             }
           }
+        },
+        {
+          "Type": "Dockerfile Security Check",
+          "ID": "DS026",
+          "AVDID": "AVD-DS-0026",
+          "Title": "No HEALTHCHECK defined",
+          "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
+          "Message": "Add HEALTHCHECK instruction in your Dockerfile",
+          "Namespace": "builtin.dockerfile.DS026",
+          "Query": "data.builtin.dockerfile.DS026.deny",
+          "Resolution": "Add HEALTHCHECK instruction in Dockerfile",
+          "Severity": "LOW",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
+          "References": [
+            "https://blog.aquasec.com/docker-security-best-practices",
+            "https://avd.aquasec.com/misconfig/ds026"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Dockerfile",
+            "Service": "general",
+            "Code": {
+              "Lines": null
+            }
+          }
         }
       ]
     }

test/data/image-sarif.test

@@ -1,6 +1,6 @@
 {
   "version": "2.1.0",
-  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
   "runs": [
     {
       "tool": {
@@ -37,7 +37,7 @@
               }
             }
           ],
-          "version": "0.34.0"
+          "version": "0.42.1"
         }
       },
       "results": [

test/test.bats

@@ -4,7 +4,7 @@ bats_load_library bats-assert
 bats_load_library bats-file
 
 @test "trivy repo with securityCheck secret only" {
-  # trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
+  # trivy repo --format json --output repo.test --scanners=secret https://github.com/krol3/demo-trivy/
   run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
   run diff repo.test ./test/data/repo.test
   echo "$output"
@@ -52,7 +52,7 @@ bats_load_library bats-file
 }
 
 @test "trivy fs with securityChecks option" {
-  # trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
+  # trivy fs --format json --scanners=vuln,config --output fs-scheck.test .
   run ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
   run diff fs-scheck.test ./test/data/fs-scheck.test
   echo "$output"

workflow.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v2