chore: Include skip options other than severity filter option when building SARIF report. (#79)

README.md

@@ -88,43 +88,6 @@ jobs:
 
 You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml
 
-If you would like to upload SARIF results to GitHub Code scanning even upon a non zero exit code from Trivy Scan, you can add the following to your upload step:
-```yaml
-name: build
-on:
-  push:
-    branches:
-      - master
-  pull_request:
-jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-18.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Build an image from Dockerfile
-        run: |
-          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
-        if: always() 
-        with:
-          sarif_file: 'trivy-results.sarif'
-```
-
-See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always
-
 ### Using Trivy to scan your Git repo
 It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
 

entrypoint.sh

@@ -70,6 +70,7 @@ if [ $cacheDir ];then
   GLOBAL_ARGS="$GLOBAL_ARGS --cache-dir $cacheDir"
 fi
 
+SARIF_ARGS=""
 ARGS=""
 if [ $format ];then
  ARGS="$ARGS --format $format"
@@ -82,9 +83,11 @@ if [ $exitCode ];then
 fi
 if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
   ARGS="$ARGS --ignore-unfixed"
+  SARIF_ARGS="$SARIF_ARGS --ignore-unfixed"
 fi
 if [ $vulnType ] && [ "$scanType" != "config" ];then
   ARGS="$ARGS --vuln-type $vulnType"
+  SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
 fi
 if [ $severity ];then
   ARGS="$ARGS --severity $severity"
@@ -96,6 +99,7 @@ if [ $skipDirs ];then
   for i in $(echo $skipDirs | tr "," "\n")
   do
     ARGS="$ARGS --skip-dirs $i"
+    SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
   done
 fi
 if [ $timeout ];then
@@ -103,6 +107,7 @@ if [ $timeout ];then
 fi
 if [ $ignorePolicy ];then
   ARGS="$ARGS --ignore-policy $ignorePolicy"
+  SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy"
 fi
 if [ "$hideProgress" == "true" ];then
   ARGS="$ARGS --no-progress"
@@ -117,8 +122,8 @@ returnCode=$?
 # regardless of severity level specified in this report.
 # This is a feature, not a bug :)
 if [[ ${template} == *"sarif"* ]]; then
-  echo "Building SARIF report"
-  trivy --quiet ${scanType} --format template --template ${template} --output ${output} ${artifactRef}
+  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
+  trivy --quiet ${scanType} --format template --template ${template} --output ${output} $SARIF_ARGS ${artifactRef}
 fi
 
 exit $returnCode