Compare commits
13 Commits
fix-gh-act
...
0.33.0
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
f9424c10c3 | ||
|
|
85abccb4a4 | ||
|
|
a1698702b6 | ||
|
|
71f6a8fb8b | ||
|
|
bf330b1153 | ||
|
|
644762e8d4 | ||
|
|
636fd3c4eb | ||
|
|
7c0244b8c6 | ||
|
|
c26e17b164 | ||
|
|
77137e9dc3 | ||
|
|
e7fbf034e4 | ||
|
|
dc5a429b52 | ||
|
|
76071ef0d7 |
3
.github/workflows/bump-trivy.yaml
vendored
3
.github/workflows/bump-trivy.yaml
vendored
@@ -22,6 +22,9 @@ jobs:
|
||||
- name: Update Trivy versions
|
||||
run: make bump-trivy
|
||||
|
||||
- name: Update golden files
|
||||
run: make update-golden
|
||||
|
||||
- name: Create PR
|
||||
id: create-pr
|
||||
uses: peter-evans/create-pull-request@v5
|
||||
|
||||
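Review bot: The new "Update golden files" step hands whatever `make update-golden` regenerated straight to the "Create PR" step, so a Trivy release that truncates or reshapes its output would be proposed as the new expected result with nothing in the job flagging it. A cheap guard would be a step between them that fails when `git status --porcelain` lists paths outside the golden directories, or at least a comment on the step saying the PR diff of the golden files must be reviewed line by line before merge. Separately, this workflow keeps `uses: peter-evans/create-pull-request@v5` on a mutable tag while `action.yaml` in the same change pins `actions/cache` to a commit SHA; pinning here too, `uses: peter-evans/create-pull-request@<PINNED_COMMIT_SHA> # v5`, would make the supply-chain posture consistent, and it matters more on a workflow that opens PRs. The job's `permissions:` block is not visible in this hunk, so whether it is scoped to `contents`/`pull-requests` write only cannot be confirmed from here.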
2
.github/workflows/test.yaml
vendored
2
.github/workflows/test.yaml
vendored
@@ -6,7 +6,7 @@ on:
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
TRIVY_VERSION: 0.61.1
|
||||
TRIVY_VERSION: 0.65.0
|
||||
BATS_LIB_PATH: '/usr/lib/'
|
||||
|
||||
jobs:
|
||||
|
||||
22
Makefile
22
Makefile
@@ -7,12 +7,26 @@ SED = gsed
|
||||
BATS_LIB_PATH = /opt/homebrew/lib
|
||||
endif
|
||||
|
||||
BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
|
||||
GITHUB_REPOSITORY_OWNER=aquasecurity \
|
||||
TRIVY_CACHE_DIR=.cache \
|
||||
TRIVY_DISABLE_VEX_NOTICE=true \
|
||||
TRIVY_DEBUG=true
|
||||
|
||||
BATS_FLAGS := --recursive --timing --verbose-run .
|
||||
|
||||
.PHONY: test
|
||||
test:
|
||||
test: init-cache
|
||||
$(BATS_ENV) bats $(BATS_FLAGS)
|
||||
|
||||
.PHONY: update-golden
|
||||
update-golden: init-cache
|
||||
UPDATE_GOLDEN=1 $(BATS_ENV) bats $(BATS_FLAGS)
|
||||
|
||||
.PHONY: init-cache
|
||||
init-cache:
|
||||
mkdir -p .cache
|
||||
BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\
|
||||
TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
|
||||
bats --recursive --timing --verbose-run .
|
||||
rm -f .cache/fanal/fanal.db
|
||||
|
||||
bump-trivy:
|
||||
@[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )
|
||||
|
||||
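Review bot: The new `test`, `update-golden` and `init-cache` targets are each declared `.PHONY`, but `bump-trivy` directly below them (a context line, so presumably pre-existing) is not, so a stray file named `bump-trivy` in the checkout would silently turn that target into a no-op; adding `.PHONY: bump-trivy` above it keeps the section consistent. The rendered page drops the +/- markers, so it is not certain whether `rm -f .cache/fanal/fanal.db` now belongs to `init-cache`; if it does, it has moved from running after `bats` to before it, turning a post-test cleanup into a pre-test reset, which deserves a one-line comment such as `# drop the analysis cache so each run re-scans from scratch`. `BATS_ENV` is a prefix of shell assignments and only works when placed directly in front of the `bats` command as the two recipes do; a comment stating that would stop someone using it on a line of its own.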
12
README.md
12
README.md
@@ -46,7 +46,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
- name: Build an image from Dockerfile
|
||||
run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
- name: Run Trivy vulnerability scanner
|
||||
@@ -215,7 +215,7 @@ jobs:
|
||||
uses: aquasecurity/setup-trivy@v0.2.0
|
||||
with:
|
||||
cache: true
|
||||
version: v0.61.1
|
||||
version: v0.65.0
|
||||
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@master
|
||||
@@ -342,7 +342,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
@@ -371,7 +371,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
@@ -590,7 +590,7 @@ jobs:
|
||||
scan-type: 'fs'
|
||||
format: 'github'
|
||||
output: 'dependency-results.sbom.json'
|
||||
image-ref: '.'
|
||||
scan-ref: '.'
|
||||
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
|
||||
```
|
||||
|
||||
@@ -847,7 +847,7 @@ Following inputs can be used as `step.with` keys:
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |
|
||||
| `version` | String | `v0.61.1` | Trivy version to use, e.g. `latest` or `v0.61.1` |
|
||||
| `version` | String | `v0.65.0` | Trivy version to use, e.g. `latest` or `v0.65.0` |
|
||||
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
|
||||
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
|
||||
|
||||
|
||||
@@ -98,7 +98,7 @@ inputs:
|
||||
version:
|
||||
description: 'Trivy version to use'
|
||||
required: false
|
||||
default: 'v0.61.1'
|
||||
default: 'v0.65.0'
|
||||
cache:
|
||||
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
|
||||
required: false
|
||||
@@ -139,7 +139,7 @@ runs:
|
||||
|
||||
- name: Restore DB from cache
|
||||
if: ${{ inputs.cache == 'true' }}
|
||||
uses: actions/cache@v4
|
||||
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
|
||||
with:
|
||||
path: ${{ inputs.cache-dir }}
|
||||
key: cache-trivy-${{ steps.date.outputs.date }}
|
||||
|
||||
@@ -2,18 +2,6 @@
|
||||
"SchemaVersion": 2,
|
||||
"ArtifactName": "test/data/config-scan",
|
||||
"ArtifactType": "filesystem",
|
||||
"Metadata": {
|
||||
"ImageConfig": {
|
||||
"architecture": "",
|
||||
"created": "0001-01-01T00:00:00Z",
|
||||
"os": "",
|
||||
"rootfs": {
|
||||
"type": "",
|
||||
"diff_ids": null
|
||||
},
|
||||
"config": {}
|
||||
}
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
"Target": ".",
|
||||
@@ -50,7 +38,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0086"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -90,8 +77,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -111,7 +97,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0087"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -151,8 +136,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -172,7 +156,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0088"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -212,8 +195,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -234,7 +216,6 @@
|
||||
"https://avd.aquasec.com/misconfig/s3-bucket-logging"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -274,8 +255,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -295,7 +275,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0090"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
|
||||
"Provider": "AWS",
|
||||
@@ -416,7 +395,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0091"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -456,8 +434,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -477,7 +454,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0093"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -517,8 +493,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -538,7 +513,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0094"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -578,8 +552,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
@@ -599,7 +572,6 @@
|
||||
"https://avd.aquasec.com/misconfig/avd-aws-0132"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Resource": "aws_s3_bucket.bucket",
|
||||
"Provider": "AWS",
|
||||
@@ -639,8 +611,7 @@
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
|
||||
@@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19)
|
||||
│ │ │ │ │ │ │ Windows Subsystem for... │
|
||||
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
|
||||
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
|
||||
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with │
|
||||
│ │ │ │ │ │ │ data integrity tests fail).... │
|
||||
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
|
||||
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
|
||||
@@ -3,16 +3,12 @@
|
||||
"ArtifactName": "https://github.com/krol3/demo-trivy/",
|
||||
"ArtifactType": "repository",
|
||||
"Metadata": {
|
||||
"ImageConfig": {
|
||||
"architecture": "",
|
||||
"created": "0001-01-01T00:00:00Z",
|
||||
"os": "",
|
||||
"rootfs": {
|
||||
"type": "",
|
||||
"diff_ids": null
|
||||
},
|
||||
"config": {}
|
||||
}
|
||||
"RepoURL": "https://github.com/krol3/demo-trivy/",
|
||||
"Branch": "main",
|
||||
"Commit": "547db823c73fdb3385871f6235e946c72291f734",
|
||||
"CommitMsg": "chore: add gitignore",
|
||||
"Author": "carolina valencia <krol3@users.noreply.github.com>",
|
||||
"Committer": "carolina valencia <krol3@users.noreply.github.com>"
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
@@ -68,8 +64,7 @@
|
||||
}
|
||||
]
|
||||
},
|
||||
"Match": "export GITHUB_PAT=****************************************",
|
||||
"Layer": {}
|
||||
"Match": "export GITHUB_PAT=****************************************"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19)
|
||||
│ │ │ │ │ │ │ Windows Subsystem for... │
|
||||
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
|
||||
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
|
||||
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with │
|
||||
│ │ │ │ │ │ │ data integrity tests fail).... │
|
||||
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
|
||||
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
|
||||
@@ -2,18 +2,6 @@
|
||||
"SchemaVersion": 2,
|
||||
"ArtifactName": "test/data/with-tf-vars/main.tf",
|
||||
"ArtifactType": "filesystem",
|
||||
"Metadata": {
|
||||
"ImageConfig": {
|
||||
"architecture": "",
|
||||
"created": "0001-01-01T00:00:00Z",
|
||||
"os": "",
|
||||
"rootfs": {
|
||||
"type": "",
|
||||
"diff_ids": null
|
||||
},
|
||||
"config": {}
|
||||
}
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
"Target": ".",
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
"ArtifactName": "alpine:3.10",
|
||||
"ArtifactType": "container_image",
|
||||
"Metadata": {
|
||||
"Size": 5842432,
|
||||
"OS": {
|
||||
"Family": "alpine",
|
||||
"Name": "3.10.9",
|
||||
@@ -50,7 +51,14 @@
|
||||
],
|
||||
"Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Layers": [
|
||||
{
|
||||
"Size": 5842432,
|
||||
"Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
|
||||
"DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
|
||||
}
|
||||
]
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
@@ -64,7 +72,7 @@
|
||||
"PkgName": "apk-tools",
|
||||
"PkgIdentifier": {
|
||||
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9",
|
||||
"UID": "99f6581ffed6b22"
|
||||
"UID": "b7a64ae671a99195"
|
||||
},
|
||||
"InstalledVersion": "2.10.6-r0",
|
||||
"FixedVersion": "2.10.7-r0",
|
||||
@@ -114,7 +122,7 @@
|
||||
"https://www.cve.org/CVERecord?id=CVE-2021-36159"
|
||||
],
|
||||
"PublishedDate": "2021-08-03T14:15:08.233Z",
|
||||
"LastModifiedDate": "2023-11-07T03:36:43.337Z"
|
||||
"LastModifiedDate": "2024-11-21T06:13:13.57Z"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -57,9 +57,16 @@ function compare_files() {
|
||||
remove_github_fields "$file1"
|
||||
remove_github_fields "$file2"
|
||||
|
||||
run diff "$file1" "$file2"
|
||||
echo "$output"
|
||||
assert_files_equal "$file1" "$file2"
|
||||
if [ "${UPDATE_GOLDEN}" = "1" ]; then
|
||||
cp "$file1" "$file2"
|
||||
echo "Updated golden file: $file2"
|
||||
else
|
||||
run diff "$file1" "$file2"
|
||||
echo "$output"
|
||||
assert_files_equal "$file1" "$file2"
|
||||
fi
|
||||
|
||||
rm -f "$file1"
|
||||
}
|
||||
|
||||
@test "trivy repo with securityCheck secret only" {
|
||||
|
||||
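Review bot: In the new `UPDATE_GOLDEN=1` branch, `cp "$file1" "$file2"` overwrites the golden file with whatever the scan produced, including an empty or partial file if the trivy run failed upstream, and the test then passes; since `bump-trivy.yaml` now runs `make update-golden` unattended, a bad run would be proposed as the new expected output. A guard before the copy, `[ -s "$file1" ] || { echo "refusing to update $file2 from empty output"; return 1; }`, keeps that failure visible. The enclosing `compare_files` function starts before this hunk, so where `$file1` comes from is not visible here; this assumes it is the freshly generated output.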