actions/trivy-action
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: actions:bump-trivy
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1
...
compare: actions:0.11.0
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1

22 Commits
bump-trivy ... 0.11.0

Author SHA1 Message Date
Roger Coll
b43daad0c3 feat: add exit-code parameter to sarif format (#213) 2023-06-05 11:19:20 -06:00
abriko
dedfa59531 Enhance GitHub Dependency Snapshot upload (#233) 2023-06-05 11:12:39 -06:00
Daniel Chabr
f96f79aa22 bump trivy to v0.42.0 (#237) 
* chore(deps): update trivy to v0.42.0

* revert formatting

* revert formatting again

* update sarif version in tests
 2023-06-05 11:08:24 -06:00
Herman Wika Horn
82ec0dd604 Include args when using trivy config file (#231) 
Previously, arguments provided using regular flags
were ignored if a trivy config file was provided

Note that this pull request makes no effort to
deduce or merge desired argument if the same
configuration with different values are provided
both within the config file and as flags. Behaviour
for this case would develop on the implementation
of trivy
 2023-05-31 14:47:20 -06:00
Bruce Bujon
e5f43133f6 chore: Update Trivy to 0.40.0 (#223) 
* chore: Update trivy to 0.39.0

* chore: Update trivy to 0.40.0
 2023-04-18 17:44:36 -07:00
Guilherme Marz Vazzolla
1a09192c0e docs: improve SBOM documentation (#208) 
* fix: dependency graph name ocurrences

* feat: improve readability and add useful links

* feat: improve readability and instructions 

Improves readability and adds missing information about github_token, another authentication method.

* feat: add github_token instructions

* feat: add github_token to inputs table

* feat: add "what is an SBOM" link

* fix: GitHub dependency graph name ocurrence

* feat: improve SBOM input description

* fix: remove "on pull request" trigger

Co-authored-by: Duncan Casteleyn <10881109+DuncanCasteleyn@users.noreply.github.com>

* fix: outdated input name

---------

Co-authored-by: Duncan Casteleyn <10881109+DuncanCasteleyn@users.noreply.github.com>
 2023-03-28 17:48:04 -07:00
Viktor Sadovnikov
1f0aa582c8 Rename security-checks to scanners (#211) 
* Renaming securityChecks to runners

* Renaming securityChecks to runners

* Renaming securityChecks to runners

* Correcting README
 2023-03-06 21:00:01 -08:00
DmitriyLewen
43849adf01 bump trivy to v0.38.1 (#215) 2023-03-06 20:58:30 -08:00
Falk Puschner
8bd2f9fbda ⬆️ bump trivy action (#203) 2023-02-10 16:20:50 +09:00
simar7
cff3e9a7f6 feat(trivy): Bump Trivy to v0.37.1 (#199) 
Signed-off-by: Simar <simar@linux.com>
 2023-02-01 16:40:29 -08:00
Michael Cantú
ab15891596 Update README.md (#186) 
Fix typo
 2023-02-01 16:23:59 -08:00
Omar Silva
cacfd7a243 docs: add trivy-config to table (#195) 2023-02-01 16:19:16 -08:00
AndreyLevchenko
1e0bef4613 fix(sarif): Add option to limit severities for sarif (aquasecurity#192) (#198) 2023-02-01 16:18:31 -08:00
Aibek
9ab158e859 Add 0.34.0 release (#177) 
* bump to ghcr.io/aquasecurity/trivy:0.33.0

* fix tests

* bump to 0.34.0
 2022-10-31 17:18:27 -07:00
Lior Vaisman Argon
e55de85bee Add npm to action Dockerfile (#176) 2022-10-25 07:04:22 -07:00
chejn
d63413b0a4 Fix github dependency submission API call (#162) 
* Update entrypoint.sh

* Update entrypoint.sh

* Update entrypoint.sh
 2022-08-17 14:54:57 -07:00
simar7
1db49f5326 feat(trivy): Bump Trivy to v0.31.0 (#165) 
Fixes: https://github.com/aquasecurity/trivy-action/issues/164

Signed-off-by: Simar <simar@linux.com>

Signed-off-by: Simar <simar@linux.com>
 2022-08-16 17:25:38 -07:00
Engin Diri
12814ff8bc docs: correct format and add output on config scan with sarif (#159) 2022-08-15 11:09:42 -07:00
simar7
cb606dfdb0 fix(sarif): Add timeout and security-checks for sarif (#156) 2022-08-03 17:32:25 -07:00
Carol Valencia
0d7cf2ddfb chore: improve message output sbom with gh (#145) 
* fix: merge with master- entrypoint

* chore: gitignore .vscode

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-08-02 15:24:58 -07:00
simar7
5144f05a8d fix(config): Drop mixing of options with yaml config. (#148) 
Also adds some documentation explaining how the config
and flags are used in conjunction with each other.

Fixes: https://github.com/aquasecurity/trivy-action/issues/147

Signed-off-by: Simar <simar@linux.com>
 2022-07-29 14:30:07 -07:00
simar7
81b9a6f5ab Update Dockerfile (#152) 2022-07-26 13:08:58 -07:00
19 changed files with 390 additions and 3469 deletions
Expand all files Collapse all files
.github/workflows/build.yaml
Vendored
+1 -1
View File
@@ -1,7 +1,7 @@
name: "build"
on: [push, pull_request]
env:
TRIVY_VERSION: 0.30.2
TRIVY_VERSION: 0.42.0
BATS_LIB_PATH: '/usr/lib/'
jobs:
build:
.gitignore
Vendored
+1
View File
@@ -2,3 +2,4 @@
*.test
!test/data/*.test
trivyignores
.vscode/
Dockerfile
+2 -2
View File
@@ -1,5 +1,5 @@
FROM ghcr.io/aquasecurity/trivy:0.30.2
FROM ghcr.io/aquasecurity/trivy:0.42.0
COPY entrypoint.sh /
RUN apk --no-cache add bash curl
RUN apk --no-cache add bash curl npm
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
Makefile
+4
View File
@@ -0,0 +1,4 @@
.PHONY: test
test:
BATS_LIB_PATH=/usr/local/lib/ bats -r .
README.md
+53 -35
View File
@@ -64,14 +64,14 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@add-support-for-trivy-config
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
trivy-config: ./trivy.yaml
scan-ref: '.'
trivy-config: trivy.yaml
```
In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
@@ -81,7 +81,17 @@ exit-code: 1
severity: CRITICAL
```
It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes.
It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
- `scan-ref`: If using `fs, repo` scans.
- `image-ref`: If using `image` scan.
- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.
#### Order of prerference for options
Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:
- GitHub Action flag
- Environment variable
- Config file
- Default
### Scanning a Tarball
```yaml
@@ -97,7 +107,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Generate tarball from image
run: |
@@ -123,10 +133,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
@@ -158,10 +168,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
@@ -197,10 +207,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
@@ -231,10 +241,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner with rootfs command
uses: aquasecurity/trivy-action@master
@@ -252,7 +262,7 @@ jobs:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to scan Infrastucture as Code
### Using Trivy to scan Infrastructure as Code
It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
@@ -266,17 +276,18 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'config'
hide-progress: false
format: 'table'
format: 'sarif'
output: 'trivy-results.sarif'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
@@ -288,11 +299,12 @@ jobs:
```
### Using Trivy to generate SBOM
It's possible for Trivy to generate an SBOM of your dependencies and submit them to a consumer like GitHub Dependency Snapshot.
It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
The sending of SBOM to GitHub feature is only available if you currently have [GitHub Dependency Snapshot](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) available to you in your repo.
The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository).
In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`):
In order to send results to the GitHub Dependency Snapshot, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
```yaml
---
name: Pull Request
@@ -300,7 +312,11 @@ on:
push:
branches:
- master
pull_request:
## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
permissions:
contents: write
jobs:
build:
name: Checks
@@ -309,14 +325,14 @@ jobs:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'github'
output: 'dependency-results.sbom.json'
image-ref: '.'
github-pat: '<github_pat_token>'
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
```
### Using Trivy to scan your private registry
@@ -335,10 +351,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
@@ -371,10 +387,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
@@ -407,10 +423,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
@@ -440,10 +456,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
@@ -487,9 +503,11 @@ Following inputs can be used as `step.with` keys:
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `true` | Suppress progress bar |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `security-checks` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `github-pat` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
| `trivy-config` | String | | Path to trivy.yaml config |
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
action.yaml
+6 -2
View File
@@ -71,7 +71,7 @@ inputs:
description: 'output all packages regardless of vulnerability'
required: false
default: 'false'
security-checks:
scanners:
description: 'comma-separated list of what security issues to detect'
required: false
default: ''
@@ -88,6 +88,9 @@ inputs:
trivy-config:
description: 'path to trivy.yaml config'
required: false
limit-severities-for-sarif:
description: 'limit severities for SARIF format'
required: false
runs:
using: 'docker'
@@ -111,7 +114,8 @@ runs:
- '-p ${{ inputs.hide-progress }}'
- '-q ${{ inputs.skip-files }}'
- '-r ${{ inputs.list-all-pkgs }}'
- '-s ${{ inputs.security-checks }}'
- '-s ${{ inputs.scanners }}'
- '-t ${{ inputs.trivyignores }}'
- '-u ${{ inputs.github-pat }}'
- '-v ${{ inputs.trivy-config }}'
- '-z ${{ inputs.limit-severities-for-sarif }}'
entrypoint.sh
+35 -22
View File
@@ -1,6 +1,6 @@
#!/bin/bash
set -e
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
case "${o}" in
a)
export scanType=${OPTARG}
@@ -57,7 +57,7 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
export listAllPkgs=${OPTARG}
;;
s)
export securityChecks=${OPTARG}
export scanners=${OPTARG}
;;
t)
export trivyIgnores=${OPTARG}
@@ -68,6 +68,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
v)
export trivyConfig=${OPTARG}
;;
z)
export limitSeveritiesForSARIF=${OPTARG}
;;
esac
done
@@ -81,8 +84,10 @@ input=$(echo $input | tr -d '\r')
if [ $input ]; then
artifactRef="--input $input"
fi
#trim leading spaces for boolean params
ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
hideProgress=$(echo $hideProgress | tr -d '\r')
limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')
GLOBAL_ARGS=""
if [ $cacheDir ];then
@@ -100,6 +105,7 @@ if [ $template ] ;then
fi
if [ $exitCode ];then
ARGS="$ARGS --exit-code $exitCode"
SARIF_ARGS="$SARIF_ARGS --exit-code $exitCode"
fi
if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
ARGS="$ARGS --ignore-unfixed"
@@ -109,8 +115,9 @@ if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];the
ARGS="$ARGS --vuln-type $vulnType"
SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
fi
if [ $securityChecks ];then
ARGS="$ARGS --security-checks $securityChecks"
if [ $scanners ];then
ARGS="$ARGS --scanners $scanners"
SARIF_ARGS="$SARIF_ARGS --scanners $scanners"
fi
if [ $severity ];then
ARGS="$ARGS --severity $severity"
@@ -141,6 +148,7 @@ if [ $trivyIgnores ];then
fi
if [ $timeout ];then
ARGS="$ARGS --timeout $timeout"
SARIF_ARGS="$SARIF_ARGS --timeout $timeout"
fi
if [ $ignorePolicy ];then
ARGS="$ARGS --ignore-policy $ignorePolicy"
@@ -162,28 +170,33 @@ if [ "$skipFiles" ];then
fi
trivyConfig=$(echo $trivyConfig | tr -d '\r')
if [ $trivyConfig ]; then
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
trivy --config $trivyConfig ${scanType} $ARGS ${artifactRef}
returnCode=$?
else
echo "Running trivy with options: ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
returnCode=$?
fi
# SARIF is special. We output all vulnerabilities,
# regardless of severity level specified in this report.
# This is a feature, not a bug :)
if [[ "${format}" == "sarif" ]]; then
# To make sure that uploda GitHub Dependency Snapshot succeeds, disable the script that fails first.
set +e
if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
# SARIF is special. We output all vulnerabilities,
# regardless of severity level specified in this report.
# This is a feature, not a bug :)
echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
elif [ $trivyConfig ]; then
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
trivy --config $trivyConfig ${ARGS} ${scanType} ${artifactRef}
returnCode=$?
else
echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
returnCode=$?
fi
if [[ "${format}" == "github" ]] && [[ "$(echo $githubPAT | xargs)" != "" ]]; then
echo "Uploading GitHub Dependency Snapshot"
curl -u "${githubPAT}" -H 'Content-Type: application/json' 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
set -e
if [[ "${format}" == "github" ]]; then
if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
printf "\n Uploading GitHub Dependency Snapshot"
curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubPAT" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
else
printf "\n Failing GitHub Dependency Snapshot. Missing github-pat"
fi
fi
exit $returnCode
test/data/config-sarif.test
+60 -3
View File
@@ -1,6 +1,6 @@
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"tool": {
@@ -13,7 +13,7 @@
"id": "DS002",
"name": "Misconfiguration",
"shortDescription": {
"text": "DS002"
"text": "Image user should not be \u0026#39;root\u0026#39;"
},
"fullDescription": {
"text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
@@ -35,9 +35,36 @@
"HIGH"
]
}
},
{
"id": "DS026",
"name": "Misconfiguration",
"shortDescription": {
"text": "No HEALTHCHECK defined"
},
"fullDescription": {
"text": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
},
"defaultConfiguration": {
"level": "note"
},
"helpUri": "https://avd.aquasec.com/misconfig/ds026",
"help": {
"text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
"markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
},
"properties": {
"precision": "very-high",
"security-severity": "2.0",
"tags": [
"misconfiguration",
"security",
"LOW"
]
}
}
],
"version": "0.30.2"
"version": "0.42.0"
}
},
"results": [
@@ -61,6 +88,36 @@
"endLine": 1,
"endColumn": 1
}
},
"message": {
"text": "Dockerfile"
}
}
]
},
{
"ruleId": "DS026",
"ruleIndex": 1,
"level": "note",
"message": {
"text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "Dockerfile",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
},
"message": {
"text": "Dockerfile"
}
}
]
test/data/config.test
+29 -2
View File
@@ -20,14 +20,15 @@
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 21,
"Failures": 1,
"Successes": 24,
"Failures": 2,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
@@ -49,6 +50,32 @@
"Lines": null
}
}
},
{
"Type": "Dockerfile Security Check",
"ID": "DS026",
"AVDID": "AVD-DS-0026",
"Title": "No HEALTHCHECK defined",
"Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
"Namespace": "builtin.dockerfile.DS026",
"Query": "data.builtin.dockerfile.DS026.deny",
"Resolution": "Add HEALTHCHECK instruction in Dockerfile",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
"References": [
"https://blog.aquasec.com/docker-security-best-practices",
"https://avd.aquasec.com/misconfig/ds026"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
}
test/data/fs-scheck.test
+29 -2
View File
@@ -20,14 +20,15 @@
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 21,
"Failures": 1,
"Successes": 24,
"Failures": 2,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
@@ -49,6 +50,32 @@
"Lines": null
}
}
},
{
"Type": "Dockerfile Security Check",
"ID": "DS026",
"AVDID": "AVD-DS-0026",
"Title": "No HEALTHCHECK defined",
"Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
"Namespace": "builtin.dockerfile.DS026",
"Query": "data.builtin.dockerfile.DS026.deny",
"Resolution": "Add HEALTHCHECK instruction in Dockerfile",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
"References": [
"https://blog.aquasec.com/docker-security-best-practices",
"https://avd.aquasec.com/misconfig/ds026"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
}
test/data/image-sarif.test
+11 -3338
View File
File diff suppressed because it is too large Load Diff
test/data/image-trivyignores.test
+21 -18
View File
@@ -8,8 +8,8 @@ Total: 19 (CRITICAL: 19)
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
curl │ CVE-2018-16839 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ CVE-2018-16839 │ │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
@@ -20,8 +20,8 @@ Total: 19 (CRITICAL: 19)
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ formatting │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
curl │ CVE-2019-3822 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ CVE-2019-3822 │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
@@ -32,15 +32,15 @@ Total: 19 (CRITICAL: 19)
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ git │ CVE-2018-17456 │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
git │ CVE-2019-1353 │ CRITICAL │ 2.15.2-r0 │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ CVE-2019-1353 │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
│ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
@@ -51,8 +51,8 @@ Total: 19 (CRITICAL: 19)
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ formatting │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
libcurl │ CVE-2019-3822 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ CVE-2019-3822 │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
@@ -60,27 +60,30 @@ Total: 19 (CRITICAL: 19)
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
│ │ │ │ │ │ adjustment im ...... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
├─────────────┤ │ │ │ │ │
│ musl-utils │ │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
rust-app/Cargo.lock (cargo)
===========================
Total: 1 (CRITICAL: 1)
Total: 2 (CRITICAL: 2)
┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
smallvec │ CVE-2021-25900 │ CRITICAL │ 0.6.9 │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14
openssl │ CVE-2018-20997 │ CRITICAL │ 0.8.3 │ 0.10.9 │ Use after free in openssl
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20997 │
├──────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ smallvec │ CVE-2021-25900 │ │ 0.6.9 │ 1.6.1, 0.6.14 │ An issue was discovered in the smallvec crate before 0.6.14 │
│ │ │ │ │ │ and 1.x... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
└──────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
test/data/image.test
+22 -19
View File
@@ -8,8 +8,8 @@ Total: 19 (CRITICAL: 19)
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
curl │ CVE-2018-16839 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ CVE-2018-16839 │ │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
@@ -20,8 +20,8 @@ Total: 19 (CRITICAL: 19)
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ formatting │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
curl │ CVE-2019-3822 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ CVE-2019-3822 │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
@@ -32,15 +32,15 @@ Total: 19 (CRITICAL: 19)
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ git │ CVE-2018-17456 │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
git │ CVE-2019-1353 │ CRITICAL │ 2.15.2-r0 │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ CVE-2019-1353 │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
│ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
@@ -51,8 +51,8 @@ Total: 19 (CRITICAL: 19)
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
│ │ │ │ │ │ formatting │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
libcurl │ CVE-2019-3822 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ CVE-2019-3822 │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
@@ -60,27 +60,30 @@ Total: 19 (CRITICAL: 19)
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-5482 │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
│ │ │ │ │ │ adjustment im ...... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
├─────────────┤ │ │ │ │ │
│ musl-utils │ │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
rust-app/Cargo.lock (cargo)
===========================
Total: 4 (CRITICAL: 4)
Total: 5 (CRITICAL: 5)
┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
rand_core │ CVE-2020-25576 │ CRITICAL │ 0.4.0 │ 0.3.1, 0.4.2 │ An issue was discovered in the rand_core crate before 0.4.2
openssl │ CVE-2018-20997 │ CRITICAL │ 0.8.3 │ 0.10.9 │ Use after free in openssl
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20997 │
├───────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ rand_core │ CVE-2020-25576 │ │ 0.4.0 │ 0.3.1, 0.4.2 │ An issue was discovered in the rand_core crate before 0.4.2 │
│ │ │ │ │ │ for Rust.... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-25576 │
├───────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
@@ -92,7 +95,7 @@ Total: 4 (CRITICAL: 4)
│ │ │ │ │ │ for Rust.... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15554 │
│ ├────────────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2021-25900 │ │ │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
│ │ CVE-2021-25900 │ │ │ 1.6.1, 0.6.14 │ An issue was discovered in the smallvec crate before 0.6.14 │
│ │ │ │ │ │ and 1.x... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
test/data/repo.test
+2 -1
View File
@@ -68,7 +68,8 @@
}
]
},
"Match": "export GITHUB_PAT=****************************************"
"Match": "export GITHUB_PAT=****************************************",
"Layer": {}
}
]
}
test/data/trivy-reduced.yaml
+3
View File
@@ -0,0 +1,3 @@
vulnerability:
type: os
output: yamlconfig.test
test/data/trivy.yaml
+4 -1
View File
@@ -1,2 +1,5 @@
format: json
severity: CRITICAL
severity: CRITICAL
vulnerability:
type: os
output: yamlconfig.test
test/data/yamlconfig.test
+92 -16
View File
@@ -1,29 +1,105 @@
{
"SchemaVersion": 2,
"ArtifactName": ".",
"ArtifactType": "filesystem",
"ArtifactName": "alpine:3.10",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "alpine",
"Name": "3.10.9",
"EOSL": true
},
"ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
"DiffIDs": [
"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
],
"RepoTags": [
"alpine:3.10"
],
"RepoDigests": [
"alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
],
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"architecture": "amd64",
"container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
"created": "2021-04-14T19:20:05.338397761Z",
"docker_version": "19.03.12",
"history": [
{
"created": "2021-04-14T19:20:04.987219124Z",
"created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
},
{
"created": "2021-04-14T19:20:05.338397761Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "",
"diff_ids": null
"type": "layers",
"diff_ids": [
"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
]
},
"config": {}
"config": {
"Cmd": [
"/bin/sh"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
}
}
},
"Results": [
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 6,
"Failures": 0,
"Exceptions": 0
}
"Target": "alpine:3.10 (alpine 3.10.9)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2021-36159",
"PkgID": "apk-tools@2.10.6-r0",
"PkgName": "apk-tools",
"InstalledVersion": "2.10.6-r0",
"FixedVersion": "2.10.7-r0",
"Layer": {
"Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
"DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"V2Score": 6.4,
"V3Score": 9.1
}
},
"References": [
"https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
"https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
],
"PublishedDate": "2021-08-03T14:15:00Z",
"LastModifiedDate": "2021-10-18T12:19:00Z"
}
]
}
]
}
test/test.bats
+14 -6
View File
@@ -4,7 +4,7 @@ bats_load_library bats-assert
bats_load_library bats-file
@test "trivy repo with securityCheck secret only" {
# trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
# trivy repo --format json --output repo.test --scanners=secret https://github.com/krol3/demo-trivy/
run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
run diff repo.test ./test/data/repo.test
echo "$output"
@@ -52,7 +52,7 @@ bats_load_library bats-file
}
@test "trivy fs with securityChecks option" {
# trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
# trivy fs --format json --scanners=vuln,config --output fs-scheck.test .
run ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
run diff fs-scheck.test ./test/data/fs-scheck.test
echo "$output"
@@ -74,10 +74,18 @@ bats_load_library bats-file
assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' # TODO: Output contains time, need to mock
}
@test "trivy repo with trivy.yaml config" {
# trivy --config=./data/trivy.yaml fs --security-checks=config,secret --output=yamlconfig.test .
run ./entrypoint.sh "-a fs" "-j ." "-s config,secret" "-v ./test/data/trivy.yaml" "-h yamlconfig.test"
@test "trivy image with trivy.yaml config" {
# trivy --config=./test/data/trivy.yaml image alpine:3.10
run ./entrypoint.sh "-v ./test/data/trivy.yaml" "-a image" "-i alpine:3.10"
run diff yamlconfig.test ./test/data/yamlconfig.test
echo "$output"
assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
}
}
@test "trivy image with trivy.yaml config and args" {
# trivy --config=./test/data/trivy-reduced.yaml image alpine:3.10
run ./entrypoint.sh "-v ./test/data/trivy-reduced.yaml" "-a image" "-i alpine:3.10" "-b json" "-g CRITICAL"
run diff yamlconfig.test ./test/data/yamlconfig.test
echo "$output"
assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
}
workflow.yml
+1 -1
View File
@@ -7,7 +7,7 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2