actions/trivy-action
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: actions:use-pinned-version
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1
..
compare: actions:master
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1

55 Commits
use-pinned ... master

Author SHA1 Message Date
ivan
c13c370e94 Merge pull request 'chore: Configure Renovate' (#2) from renovate/configure into master 
Reviewed-on: #2
 2025-12-29 20:05:22 +00:00
Renovate Bot
0231551320 Add renovate.json 2025-12-29 20:04:59 +00:00
Nikita Pivkin
22438a4357 Merge pull request #496 from aquasecurity/bump-trivy-1765431074 2025-12-11 14:34:44 +06:00
simar7
0024b3f39e chore(deps): Update trivy to v0.68.1 2025-12-11 05:31:14 +00:00
Nikita Pivkin
83690f7d38 ci: install trivy in bump-trivy workflow and update tests (#495) 
* ci: install trivy in bump-trivy workflow

Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>

* test: diasble list-all-pkgs and remove ReportID

Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>

* ci: run tests after updating golden files

Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>

* fix BATS_LIB_PATH setting

Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>

---------

Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2025-12-10 22:30:00 -07:00
Nikita Pivkin
df65449f48 chore: update README (#493) 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2025-12-08 17:02:57 -07:00
Nikita Pivkin
0317097f59 ci: use setup-bats in bump-trivy workflow (#494) 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2025-12-08 17:02:32 -07:00
Martin Costello
b6643a29fe Update setup-trivy action to version v0.2.4 (#486) 2025-08-29 14:43:29 +06:00
Nikita Pivkin
f9424c10c3 Merge pull request #481 from aquasecurity/bump-trivy-1755898251 2025-08-27 13:19:48 +06:00
Nikita Pivkin
85abccb4a4 dev: delete fanal.db before tests 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2025-08-27 13:05:59 +06:00
Nikita Pivkin
a1698702b6 ci: update golden files on Trivy bump 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2025-08-27 12:33:47 +06:00
Nikita Pivkin
71f6a8fb8b dev: add update-golden goal 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2025-08-27 12:20:05 +06:00
Nikita Pivkin
bf330b1153 test: update golden files 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2025-08-27 12:19:06 +06:00
Nikita Pivkin
644762e8d4 Merge pull request #482 from aquasecurity/fix-gh-actions 2025-08-27 11:56:15 +06:00
Simar
f2e28516ef chore(ci): Add oras to correctly setup sync jobs 2025-08-26 19:17:21 -06:00
Simar
636fd3c4eb fix: update tests 2025-08-26 19:12:07 -06:00
simar7
7c0244b8c6 chore(deps): Update trivy to v0.65.0 2025-08-22 21:30:51 +00:00
Martin Costello
c26e17b164 Pin actions/cache by SHA (#480) 
Resolves #479.
 2025-08-22 15:29:59 -06:00
YuXuan Tay
77137e9dc3 doc/correct-sbom-fs-scan (#458) 2025-07-07 12:48:46 -06:00
Akshay Iyyadurai Balasundaram
e7fbf034e4 Update dependencies in README (#378) 
* chore: update dependencies in README

* chore: update the actions/checkout version in documentation

* chore: bump upload-sarif dependency from readme

* docs: bump actions/checkout to v4

Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>

---------

Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2025-07-07 12:46:41 -06:00
Aqua Security automated builds
dc5a429b52 chore(deps): Update trivy to v0.64.1 (#474) 
Co-authored-by: nikpivkin <nikpivkin@users.noreply.github.com>
 2025-07-04 00:18:35 -06:00
Aqua Security automated builds
76071ef0d7 chore(deps): Update trivy to v0.63.0 (#467) 
* chore(deps): Update trivy to v0.63.0

* update test data

---------

Co-authored-by: simar7 <simar7@users.noreply.github.com>
Co-authored-by: Simar <simar@linux.com>
 2025-06-03 13:38:46 +06:00
Nikita Pivkin
4844d823d3 ci: fix workflow to bump Trivy (#466) 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2025-06-02 21:30:59 -06:00
simar7
26d71e622b refactor: use ubuntu 24.04 (#465) 2025-05-16 11:37:50 +06:00
Maxim Masiutin
b3dafe507f Bump Trivy version to fix GitHub actions (#460) 2025-05-12 14:16:37 -06:00
Lari Hotari
99baf0d8b4 Pin aquasecuriy/setup-trivy to hash instead of tag (#456) 
* Pin aquasecuriy/setup-trivy to hash instead of tag

Fixes #423

* Address review comment

* Revisit previous change based on feedback
 2025-04-08 20:50:36 -06:00
Rob Vesse
7aca5acc95 fix: Trivy action inputs leaking between invocations (#422) (#454) 
* fix: use trivy_envs.txt for envs

* test: add test step

* refactor

* refactor

* test

* refactor: use `export` in trivy_envs.txt

* test

* test metadata.json

* test metadata.json

* Clean up envs file better (#422)

- Explicitly rm -f it at start and end of action
- Also remove temporary test steps from action

* Add BATS test for usage of trivy_envs.txt file (#422)

* Add optional step triggered only when Actions Debug logging

Dump the generated environment variables file only when tests are run
with actions debug logging

* Fix to always set env vars into file (#422)

This is done as long as they have a non-empty input value, or a
non-empty default value.

* Clean up env overwriting

- Remove unnecessary debug statements in the action used during testing
- Additional explanatory comments
- Fix to address case where caller explicitly injects environment
  variables, either via env: block on the action call or via GITHUB_ENV

* Further refine env var setting logic (#422)

Noted in documenting this fix that what had been implemented deviated
from the existing configuration priority documentation.  Amended the
implementation of the Action to try and restore that consistency.

* Fix shell syntax error (#422)

---------

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
 2025-04-04 23:59:10 -06:00
DmitriyLewen
ea27ac12e1 docs: add info that unix:/ prefix is required (#455) 2025-04-01 21:44:53 -06:00
Nikita Pivkin
6c175e9c40 chore: bump trivy to v0.60.0 (#453) 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2025-03-13 20:58:00 -06:00
Alex B
53e8848d3e Improve README/SBOM (#439) 
* Improve README/SBOM

* Use logical workflow name
* Use modern ubuntu version

* Update README.md
 2025-03-12 16:11:45 -06:00
Yuta Tokoi
ef1b561207 fix: typo in description of an input for action.yaml (#452) 2025-03-12 16:11:20 -06:00
Mario Apra
a11da62073 fix: Update default trivy version in README (#444) 
As part of PR #434 the default trivy version got bumped
but the readme didn't reflect it.
 2025-01-07 16:37:47 -07:00
simar7
18f2510ee3 chore(deps): Bump trivy to v0.57.1 (#434) 
* chore(deps): Bump trivy to v0.57.1

* update tests

* use mirrors from mirror.gcr.io

* update workflow for tests

* Revert "use mirrors from mirror.gcr.io"

This reverts commit 529a941eed.
 2024-11-19 17:11:53 -07:00
Nikita Pivkin
93941cebba docs: remove ignore-unfixed from IaC scan example (#429) 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2024-11-18 16:54:58 -07:00
DmitriyLewen
d2a392a137 fix: bump setup-trivy and add new contrib directory path info (#424) 
* chore(deps): use fork for setup-trivy

* docs: add info about templates

* refactor: use `setup-trivy` v0.2.2

* docs: remove `./` prefix

* Merge branch 'main' into 'fix/contrib-dir'

* docs: fix link

* docs: fix typo

Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>

---------

Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
 2024-10-25 00:45:28 -06:00
DmitriyLewen
ee8934673c feat: add token for setup-trivy (#421) 
* feat: add `token-setup-trivy` input.

* docs: add info about `token-setup-trivy`

* fix: use correct commit

* refactor: use `default: ${{ github.token }}` for `token-setup-trivy`

* refactor: use `setup-trivy` v0.2.2
 2024-10-24 23:32:23 -06:00
simar7
cf990b19d8 Update README.md (#420) 2024-10-21 22:43:57 -06:00
Daisuke Sato
bff40be51b docs: Fix oras command not found (#413) 2024-10-21 22:43:42 -06:00
Rob Vesse
fc1500abdc feat: Allow skipping setup (#414) 
If a user is invoking the action multiple times then the trivy binary
gets installed multiple times.  Users can avoid this by managing the
installation themselves and setting the skip-setup input to true, or by
letting the action install in on their first invocation and then setting
skip-setup to true on subsequent invocations

Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
 2024-10-15 19:57:47 -06:00
DmitriyLewen
915b19bbe7 chore(deps): bump setup-trivy to v0.2.1 (#411) 
* chore(deps): bump setup-trivy

* chore(deps): bump setup-trivy

* chore(deps): bump setup-trivy to `v0.2.1`
 2024-10-15 10:04:03 -06:00
Teppei Fukuda
5681af892c fix: set envs only when passed (#405) 
* fix: set envs when passed

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* use inputs.<input_id>.default

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* Revert "use inputs.<input_id>.default"

This reverts commit 1a12292eac.

---------

Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2024-10-10 22:48:38 -06:00
Nikita Pivkin
807896715e chore: update description for scanners and format inputs (#407) 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2024-10-09 15:37:31 -06:00
DmitriyLewen
0fa0cdb177 ci: use setup-trivy to install Trivy (#406) 2024-10-09 15:36:41 -06:00
Teppei Fukuda
a20de5420d feat: store artifacts in cache by default (#399) 
* feat: migrate to a composite action

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* Fix tests

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* Delete an unused input

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* test: expect status code 0

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* test: not use run

https://bats-core.readthedocs.io/en/stable/writing-tests.html#when-not-to-use-run

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* feat: add 'cache' input

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* docs: update README

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* feat: pin Trivy version

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* fix: bump trivy version

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* feat: use date for cache key

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* chore: delete a comment

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* docs: update README

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* refactor: resolve conflicts and use envs

Signed-off-by: knqyf263 <knqyf263@gmail.com>

---------

Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2024-10-08 14:20:38 -06:00
DmitriyLewen
1b8b83dcc2 docs: add usage info about action/cache for trivy databases (#397) 
* docs: add info about using `action/cache` for `trivy-db`

* docs: add info about trivy-java-db and trivy-checks
 2024-10-07 22:05:39 -06:00
simar7
f781cce5aa feat(trivy): Bump to support v0.56.1 (#387) 
* feat(trivy): Bump to support v0.55.2

* fix tests

* update github workflow

* upgrade to v0.56.0

* bump to trivy v0.56.1

* update tests
 2024-10-07 14:14:19 -06:00
Nikita Pivkin
54f21d8382 ci: sync trivy-checks version 1 (#398) 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2024-10-07 12:23:44 -06:00
Oussama Bounaim
89b14e517d Upgrade GitHub actions (#374) 
* Upgrade Github checkout action

* Upgrade Github upload-sarif action

* Upgrade Github checkout action - Pipeline
 2024-10-02 14:41:43 -06:00
Nikita Pivkin
97646fedde chore: use checks bundle snapshot from trivy-action (#388) 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2024-09-19 08:58:52 -06:00
chris
d9cd5b1c23 fix(Makefile): recursive option typo (#371) 2024-07-09 10:07:51 -06:00
Vinayak S
6e7b7d1fd3 Upgrade trivy to v0.53.0 (#369) 
* Upgrade trivy to v0.53.0

* update tests

---------

Co-authored-by: Simar <simar@linux.com>
 2024-07-09 00:19:25 -06:00
Vinayak S
7c2007bcb5 Upgrade trivy to v0.52.2 (#367) 
* Upgrade trivy to v0.52.2

* Upgrade trivy to v0.52.2
 2024-06-17 16:53:33 -06:00
Francisco Javier Barón
595be6a0f6 Upgrade trivy to v0.52.0 (#364) 2024-06-06 17:41:36 -06:00
simar7
841fb371db chore(docs): Reference the use of a pinned version (#356) 2024-05-22 18:59:56 -06:00
Vinayak S
fd25fed697 bump trivy version to v0.51.2 (#360) 
* bump trivy version to v0.51.2

* bump trivy version to v0.51.2
 2024-05-21 16:33:02 -06:00
24 changed files with 972 additions and 659 deletions
Expand all files Collapse all files

28
.github/workflows/bump-trivy.yaml vendored
View File

@@ -6,7 +6,7 @@ on:
trivy_version:
required: true
type: string
description: the trivy version
description: 'The Trivy version in x.x.x format'
run-name: Bump trivy to v${{ inputs.trivy_version }}
@@ -14,11 +14,31 @@ jobs:
bump:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Update Trivy versions
env:
NEW_VERSION: ${{ inputs.trivy_version }}
run: make bump-trivy
- name: Setup Bats and bats libs
id: setup-bats
uses: bats-core/bats-action@3.0.1
- name: Install Trivy
run: |
sed -r -i "s/ghcr.io\/aquasecurity\/trivy:[0-9]+\.[0-9]+\.[0-9]+/ghcr.io\/aquasecurity\/trivy:${{ inputs.trivy_version }}/" Dockerfile
find test/data -type f -name '*.test' | xargs sed -r -i 's/"version": "[0-9]+\.[0-9]+\.[0-9]+"/"version": "${{ inputs.trivy_version }}"/'
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ inputs.trivy_version }}
trivy --version
- name: Update golden files
env:
BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
run: make update-golden
- name: Run tests
env:
BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
run: make test
- name: Create PR
id: create-pr

7
.github/workflows/sync-trivy-checks.yaml vendored
View File

@@ -11,7 +11,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: setup-oras
uses: oras-project/setup-oras@v1.2.3
- name: Login to GitHub Packages Container registry
uses: docker/login-action@v3
with:
@@ -21,4 +24,4 @@ jobs:
- name: Copy Trivy Checks
run: |
oras cp ghcr.io/aquasecurity/trivy-checks:0 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
oras cp ghcr.io/aquasecurity/trivy-checks:1 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest

3
.github/workflows/sync-trivy-db.yaml vendored
View File

@@ -12,6 +12,9 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: setup-oras
uses: oras-project/setup-oras@v1.2.3
- name: Login to GitHub Packages Container registry
uses: docker/login-action@v3
with:

3
.github/workflows/sync-trivy-java-db.yaml vendored
View File

@@ -12,6 +12,9 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: setup-oras
uses: oras-project/setup-oras@v1.2.3
- name: Login to GitHub Packages Container registry
uses: docker/login-action@v3
with:

11
.github/workflows/test.yaml vendored
View File

@@ -6,7 +6,7 @@ on:
workflow_dispatch:
env:
TRIVY_VERSION: 0.51.1
TRIVY_VERSION: 0.68.1
BATS_LIB_PATH: '/usr/lib/'
jobs:
@@ -16,7 +16,8 @@ jobs:
- uses: actions/checkout@v4
- name: Setup Bats and bats libs
uses: bats-core/bats-action@2.0.0
id: setup-bats
uses: bats-core/bats-action@3.0.1
- name: Install Trivy
run: |
@@ -24,6 +25,6 @@ jobs:
trivy --version
- name: Test
run: |
chmod +x entrypoint.sh
bats -r -T .
env:
BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
run: make test

4
.gitignore vendored
View File

@@ -2,4 +2,6 @@
*.test
!test/data/*.test
trivyignores
.vscode/
.vscode/
.cache

5
Dockerfile
View File

@@ -1,5 +0,0 @@
FROM ghcr.io/aquasecurity/trivy:0.51.1
COPY entrypoint.sh /
RUN apk --no-cache add bash curl npm
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

39
Makefile
View File

@@ -1,4 +1,37 @@
.PHONY: test
OS := $(shell uname)
test:
BATS_LIB_PATH=/usr/local/lib/ bats -r .
ifeq ($(OS), Darwin)
SED = gsed
BATS_LIB_PATH ?= /opt/homebrew/lib
else
SED = sed
BATS_LIB_PATH ?= /usr/local/lib/
endif
BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
GITHUB_REPOSITORY_OWNER=aquasecurity \
TRIVY_CACHE_DIR=.cache \
TRIVY_DISABLE_VEX_NOTICE=true \
TRIVY_DEBUG=true
BATS_FLAGS := --recursive --timing --verbose-run .
.PHONY: test
test: init-cache
$(BATS_ENV) bats $(BATS_FLAGS)
.PHONY: update-golden
update-golden: init-cache
UPDATE_GOLDEN=1 $(BATS_ENV) bats $(BATS_FLAGS)
.PHONY: init-cache
init-cache:
mkdir -p .cache
rm -f .cache/fanal/fanal.db
bump-trivy:
@[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )
@CURRENT_VERSION=$$(grep "TRIVY_VERSION:" .github/workflows/test.yaml | awk '{print $$2}');\
echo Current version: $$CURRENT_VERSION ;\
echo New version: $$NEW_VERSION ;\
$(SED) -i -e "s/$$CURRENT_VERSION/$$NEW_VERSION/g" README.md action.yaml .github/workflows/test.yaml ;\

506
README.md
View File

@@ -10,12 +10,24 @@
## Table of Contents
- [Usage](#usage)
- [Workflow](#workflow)
- [Docker Image Scanning](#using-trivy-with-github-code-scanning)
- [Git Repository Scanning](#using-trivy-to-scan-your-git-repo)
- [Customizing](#customizing)
- [Inputs](#inputs)
* [Usage](#usage)
* [Scan CI Pipeline](#scan-ci-pipeline)
* [Scan CI Pipeline (w/ Trivy Config)](#scan-ci-pipeline-w-trivy-config)
* [Cache](#cache)
* [Trivy Setup](#trivy-setup)
* [Scanning a Tarball](#scanning-a-tarball)
* [Using Trivy with templates](#using-trivy-with-templates)
* [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning)
* [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo)
* [Using Trivy to scan your rootfs directories](#using-trivy-to-scan-your-rootfs-directories)
* [Using Trivy to scan Infrastructure as Code](#using-trivy-to-scan-infrastructure-as-code)
* [Using Trivy to generate SBOM](#using-trivy-to-generate-sbom)
* [Using Trivy to scan your private registry](#using-trivy-to-scan-your-private-registry)
* [Using Trivy if you don't have code scanning enabled](#using-trivy-if-you-dont-have-code-scanning-enabled)
* [Customizing](#customizing)
* [inputs](#inputs)
* [Environment variables](#environment-variables)
* [Trivy config file](#trivy-config-file)
## Usage
@@ -31,15 +43,14 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'table'
@@ -61,13 +72,13 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: 'fs'
scan-ref: '.'
@@ -95,6 +106,196 @@ Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedenc
- Config file
- Default
### Cache
The action has a built-in functionality for caching and restoring [the vulnerability DB](https://github.com/aquasecurity/trivy-db), [the Java DB](https://github.com/aquasecurity/trivy-java-db) and [the checks bundle](https://github.com/aquasecurity/trivy-checks) if they are downloaded during the scan.
The cache is stored in the `$GITHUB_WORKSPACE/.cache/trivy` directory by default.
The cache is restored before the scan starts and saved after the scan finishes.
It uses [actions/cache](https://github.com/actions/cache) under the hood but requires less configuration settings.
The cache input is optional, and caching is turned on by default.
#### Disabling caching
If you want to disable caching, set the `cache` input to `false`, but we recommend keeping it enabled to avoid rate limiting issues.
```yaml
- name: Run Trivy scanner without cache
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: 'fs'
scan-ref: '.'
cache: 'false'
```
#### Updating caches in the default branch
Please note that there are [restrictions on cache access](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache) between branches in GitHub Actions.
By default, a workflow can access and restore a cache created in either the current branch or the default branch (usually `main` or `master`).
If you need to share caches across branches, you may need to create a cache in the default branch and restore it in the current branch.
To optimize your workflow, you can set up a cron job to regularly update the cache in the default branch.
This allows subsequent scans to use the cached DB without downloading it again.
```yaml
# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans.
# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true.
name: Update Trivy Cache
on:
schedule:
- cron: '0 0 * * *' # Run daily at midnight UTC
workflow_dispatch: # Allow manual triggering
jobs:
update-trivy-db:
runs-on: ubuntu-latest
steps:
- name: Setup oras
uses: oras-project/setup-oras@v1
- name: Get current date
id: date
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
- name: Download and extract the vulnerability DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
oras pull ghcr.io/aquasecurity/trivy-db:2
tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
rm db.tar.gz
- name: Download and extract the Java DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
oras pull ghcr.io/aquasecurity/trivy-java-db:1
tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
rm javadb.tar.gz
- name: Cache DBs
uses: actions/cache/save@v4
with:
path: ${{ github.workspace }}/.cache/trivy
key: cache-trivy-${{ steps.date.outputs.date }}
```
When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `TRIVY_SKIP_JAVA_DB_UPDATE` to skip the download process.
```yaml
- name: Run Trivy scanner without downloading DBs
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: 'image'
scan-ref: 'myimage'
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
```
### Trivy Setup
By default the action calls [`aquasecurity/setup-trivy`](https://github.com/aquasecurity/setup-trivy) as the first step
which installs the `trivy` version specified by the `version` input. If you have already installed `trivy` by other
means, e.g. calling `aquasecurity/setup-trivy` directly, or are invoking this action multiple times then you can use the
`skip-setup-trivy` input to disable this step.
#### Setting up Trivy Manually
```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Manual Trivy Setup
uses: aquasecurity/setup-trivy@v0.2.0
with:
cache: true
version: v0.68.1
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
skip-setup-trivy: true
```
#### Skipping Setup when Calling Trivy Action multiple times
Another common use case is when a build calls this action multiple times, in this case we can set `skip-setup-trivy` to
`true` on subsequent invocations e.g.
```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
test:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Check out Git repository
uses: actions/checkout@v4
# The first call to the action will invoke setup-trivy and install trivy
- name: Generate Trivy Vulnerability Report
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
output: trivy-report.json
format: json
scan-ref: .
exit-code: 0
- name: Upload Vulnerability Scan Results
uses: actions/upload-artifact@v4
with:
name: trivy-report
path: trivy-report.json
retention-days: 30
- name: Fail build on High/Criticial Vulnerabilities
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
format: table
scan-ref: .
severity: HIGH,CRITICAL
ignore-unfixed: true
exit-code: 1
# On a subsequent call to the action we know trivy is already installed so can skip this
skip-setup-trivy: true
```
#### Use non-default token to install Trivy
GitHub Enterprise Server (GHES) uses an invalid `github.token` for `https://github.com` server.
Therefore, you can't install `Trivy` using the `setup-trivy` action.
To fix this problem, you need to overwrite the token for `setup-trivy` using `token-setup-trivy` input:
```yaml
- name: Run Trivy scanner without cache
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: 'fs'
scan-ref: '.'
token-setup-trivy: ${{ secrets.GITHUB_PAT }}
```
GitHub even has [create-github-app-token](https://github.com/actions/create-github-app-token) for similar cases.
### Scanning a Tarball
```yaml
name: build
@@ -106,10 +307,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Generate tarball from image
run: |
@@ -117,12 +318,70 @@ jobs:
docker save -o vuln-image.tar <your-docker-image>
- name: Run Trivy vulnerability scanner in tarball mode
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
input: /github/workspace/vuln-image.tar
severity: 'CRITICAL,HIGH'
```
### Using Trivy with templates
The action supports [Trivy templates][trivy-templates].
Use `template` input to specify path (remember to prefix the path with `@`) to template file.
```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: "fs"
scan-ref: .
format: 'template'
template: "@path/to/my_template.tpl"
```
#### Default templates
Trivy has [default templates][trivy-default-templates].
By default, `setup-trivy` installs them into the `$HOME/.local/bin/trivy-bin/contrib` directory.
```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: "fs"
scan-ref: .
format: 'template'
template: "@$HOME/.local/bin/trivy-bin/contrib/html.tpl"
```
### Using Trivy with GitHub Code Scanning
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
@@ -135,24 +394,27 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-results.sarif'
```
@@ -170,24 +432,27 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: 'trivy-results.sarif'
@@ -196,7 +461,7 @@ jobs:
See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always
### Using Trivy to scan your Git repo
It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
@@ -209,13 +474,16 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: 'fs'
ignore-unfixed: true
@@ -224,13 +492,13 @@ jobs:
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to scan your rootfs directories
It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
@@ -243,13 +511,16 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner with rootfs command
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: 'rootfs'
scan-ref: 'rootfs-example-binary'
@@ -259,13 +530,15 @@ jobs:
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to scan Infrastructure as Code
It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
It's also possible to scan your IaC repos with Trivy's built-in repo scan.
This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo.
This helps you identify potential vulnerabilities that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
@@ -278,28 +551,45 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: 'config'
hide-progress: true
format: 'sarif'
output: 'trivy-results.sarif'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-results.sarif'
```
**Note**: If your Terraform configuration contains private modules, configure Git to authenticate with the repository hosting them.
This can be done by adding a step in your CI workflow that sets up access, for example using a Personal Access Token (PAT) or SSH keys:
```yaml
- name: Configure Git for private modules
run: |
git config --global url."https://$GITHUB_USER:$PRIVATE_REPO_TOKEN@github.com/".insteadOf "https://github.com/"
env:
GITHUB_USER: ${{ github.actor }}
PRIVATE_REPO_TOKEN: ${{ secrets.PRIVATE_REPO_TOKEN }}
```
This ensures Trivy can download private modules.
### Using Trivy to generate SBOM
It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
@@ -309,7 +599,7 @@ In order to send results to GitHub Dependency Graph, you will need to create a [
```yaml
---
name: Pull Request
name: Generate SBOM
on:
push:
branches:
@@ -320,20 +610,19 @@ permissions:
contents: write
jobs:
build:
name: Checks
runs-on: ubuntu-20.04
generate-sbom:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: 'fs'
format: 'github'
output: 'dependency-results.sbom.json'
image-ref: '.'
scan-ref: '.'
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
```
@@ -343,7 +632,7 @@ You can upload the report as an artifact and download it, for instance using the
```yaml
---
name: Pull Request
name: Generate SBOM
on:
push:
branches:
@@ -354,12 +643,11 @@ permissions:
contents: write
jobs:
build:
name: Checks
runs-on: ubuntu-20.04
generate-sbom:
runs-on: ubuntu-latest
steps:
- name: Scan image in a private registry
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
image-ref: "private_image_registry/image_name:image_tag"
scan-type: image
@@ -396,13 +684,16 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF results to the GitHub Security tab
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -412,7 +703,7 @@ jobs:
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-results.sarif'
```
@@ -432,13 +723,16 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
format: 'sarif'
@@ -449,7 +743,7 @@ jobs:
AWS_DEFAULT_REGION: us-west-2
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-results.sarif'
```
@@ -468,13 +762,16 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -483,7 +780,7 @@ jobs:
GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-results.sarif'
```
@@ -501,13 +798,16 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -517,7 +817,7 @@ jobs:
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-results.sarif'
```
@@ -530,7 +830,7 @@ This step is especially useful for private repositories without [GitHub Advanced
```yaml
- name: Run Trivy scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: config
hide-progress: true
@@ -564,37 +864,47 @@ Configuration priority:
Following inputs can be used as `step.with` keys:
| Name | Type | Default | Description |
|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `tf-vars` | String | | path to Terraform variables file |
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | | Cache directory |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `false` | Suppress progress bar and log output |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `trivy-config` | String | | Path to trivy.yaml config |
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
| Name | Type | Default | Description |
|------------------------------|---------|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
| `template` | String | | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`) |
| `tf-vars` | String | | path to Terraform variables file |
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory. NOTE: This value cannot be configured by `trivy.yaml`. |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `false` | Suppress progress bar and log output |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `trivy-config` | String | | Path to trivy.yaml config |
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |
| `version` | String | `v0.68.1` | Trivy version to use, e.g. `latest` or `v0.68.1` |
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
### Environment variables
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
**NB** In some older versions of the Action there was a bug that caused inputs from one call to the Action to leak
over to subsequent calls to the Action. This could cause workflows that call the Action multiple times e.g. to run
multiple scans, or the same scans with different output formats, to not produce the desired output. You can see if this
is the case by looking at the GitHub Actions step information, if the `env` section shown in your Actions output
contains `TRIVY_*` environment variables you did not explicitly set then you may be affected by this bug and should
upgrade to the latest Action version.
### Trivy config file
When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
@@ -606,3 +916,5 @@ When using the `trivy-config` [Input](#inputs), you can set options using the [T
[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
[trivy-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#template
[trivy-default-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#default-templates

175
action.yaml
View File

@@ -1,13 +1,14 @@
name: 'Aqua Security Trivy'
description: 'Scans container images for vulnerabilities with Trivy'
author: 'Aqua Security'
inputs:
scan-type:
description: 'Scan type to use for scanning vulnerability'
required: false
default: 'image'
image-ref:
description: 'image reference(for backward compatibility)'
description: 'image reference (for backward compatibility)'
required: false
input:
description: 'reference of tar file to scan'
@@ -24,7 +25,7 @@ inputs:
description: 'ignore unfixed vulnerabilities'
required: false
default: 'false'
vuln-type:
vuln-type: # TODO: rename to pkg-types
description: 'comma-separated list of vulnerability types (os,library)'
required: false
default: 'os,library'
@@ -55,7 +56,7 @@ inputs:
cache-dir:
description: 'specify where the cache is stored'
required: false
default: ''
default: '${{ github.workspace }}/.cache/trivy'
timeout:
description: 'timeout (default 5m0s)'
required: false
@@ -79,9 +80,6 @@ inputs:
description: 'comma-separated list of relative paths in repository to one or more .trivyignore files'
required: false
default: ''
artifact-type:
description: 'input artifact type (image, fs, repo, archive) for SBOM generation'
required: false
github-pat:
description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
required: false
@@ -97,33 +95,142 @@ inputs:
docker-host:
description: 'unix domain socket path to use for docker scanning, ex. unix:///var/run/docker.sock'
required: false
version:
description: 'Trivy version to use'
required: false
default: 'v0.68.1'
cache:
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
required: false
default: 'true'
skip-setup-trivy:
description: 'skip calling the setup-trivy action to install trivy'
required: false
default: 'false'
token-setup-trivy:
description: >
`token-setup-trivy` is required when `github.token` in invalid for `https://github.com` server.
See https://github.com/aquasecurity/setup-trivy/?tab=readme-ov-file#install-trivy-with-non-default-token for more details.
`token-setup-trivy` is only used to fetch the Trivy repository in `setup-trivy`
required: false
## ${{ github.token }} is default value for actions/checkout
## cf. https://github.com/actions/checkout/blob/eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871/action.yml#L24
default: ${{ github.token }}
runs:
using: 'docker'
image: "Dockerfile"
args:
- '-a ${{ inputs.scan-type }}'
- '-b ${{ inputs.format }}'
- '-c ${{ inputs.template }}'
- '-d ${{ inputs.exit-code }}'
- '-e ${{ inputs.ignore-unfixed }}'
- '-f ${{ inputs.vuln-type }}'
- '-g ${{ inputs.severity }}'
- '-h ${{ inputs.output }}'
- '-i ${{ inputs.image-ref }}'
- '-j ${{ inputs.scan-ref }}'
- '-k ${{ inputs.skip-dirs }}'
- '-l ${{ inputs.input }}'
- '-m ${{ inputs.cache-dir }}'
- '-n ${{ inputs.timeout }}'
- '-o ${{ inputs.ignore-policy }}'
- '-p ${{ inputs.hide-progress }}'
- '-q ${{ inputs.skip-files }}'
- '-r ${{ inputs.list-all-pkgs }}'
- '-s ${{ inputs.scanners }}'
- '-t ${{ inputs.trivyignores }}'
- '-u ${{ inputs.github-pat }}'
- '-v ${{ inputs.trivy-config }}'
- '-x ${{ inputs.tf-vars }}'
- '-z ${{ inputs.limit-severities-for-sarif }}'
- '-y ${{ inputs.docker-host }}'
using: 'composite'
steps:
- name: Install Trivy
if: ${{ inputs.skip-setup-trivy == 'false' }}
# Pin to hash instead of tag for aquasecurity/setup-trivy action so that GitHub Actions
# "allowing select actions" feature can be used to whitelist the dependent action by a hash.
# This is needed since some organizations have a policy to only allow pinned 3rd party actions to
# be used.
uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1 # equivalent to `v0.2.4`
with:
version: ${{ inputs.version }}
cache: ${{ inputs.cache }}
token: ${{ inputs.token-setup-trivy }}
- name: Get current date
id: date
shell: bash
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
- name: Restore DB from cache
if: ${{ inputs.cache == 'true' }}
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
path: ${{ inputs.cache-dir }}
key: cache-trivy-${{ steps.date.outputs.date }}
restore-keys: cache-trivy-
- name: Set GitHub Path
run: echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
shell: bash
env:
GITHUB_ACTION_PATH: ${{ github.action_path }}
# Create and Clear Trivy Envs file
# See #422 for context
- name: Clear Trivy Envs file
shell: bash
run: |
rm -f trivy_envs.txt
touch trivy_envs.txt
- name: Set Trivy environment variables
shell: bash
run: |
# Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
# This limitation affects how we handle default values and empty inputs.
# For more information, see: https://github.com/actions/runner/issues/924
# The following logic implements the configuration priority described in the README:
#
# Inputs
# Environment Variables
# Config File
# Defaults
#
# As noted above defaults are awkward to handle as GitHub Actions will inject those values as the input
# if the caller doesn't provide them, thus if the input matches the default we don't set it as we
# can't tell the difference. Plus if we did set it when it was the default value then it could potentially
# override an external environment variable, or something in the callers configuration file, which then wouldn't
# match the configuration priority that is documented.
set_env_var_if_provided() {
local var_name="$1"
local input_value="$2"
local default_value="$3"
if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then
# If action was provided with explicit input by the caller set that
echo "export $var_name=$input_value" >> trivy_envs.txt
fi
}
# Set environment variables, handling those with default values
# cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
set_env_var_if_provided "TRIVY_INPUT" "${{ inputs.input }}" ""
set_env_var_if_provided "TRIVY_EXIT_CODE" "${{ inputs.exit-code }}" ""
set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "${{ inputs.ignore-unfixed }}" "false"
set_env_var_if_provided "TRIVY_PKG_TYPES" "${{ inputs.vuln-type }}" "os,library"
set_env_var_if_provided "TRIVY_SEVERITY" "${{ inputs.severity }}" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
set_env_var_if_provided "TRIVY_FORMAT" "${{ inputs.format }}" "table"
set_env_var_if_provided "TRIVY_TEMPLATE" "${{ inputs.template }}" ""
set_env_var_if_provided "TRIVY_OUTPUT" "${{ inputs.output }}" ""
set_env_var_if_provided "TRIVY_SKIP_DIRS" "${{ inputs.skip-dirs }}" ""
set_env_var_if_provided "TRIVY_SKIP_FILES" "${{ inputs.skip-files }}" ""
set_env_var_if_provided "TRIVY_TIMEOUT" "${{ inputs.timeout }}" ""
set_env_var_if_provided "TRIVY_IGNORE_POLICY" "${{ inputs.ignore-policy }}" ""
set_env_var_if_provided "TRIVY_QUIET" "${{ inputs.hide-progress }}" ""
set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "${{ inputs.list-all-pkgs }}" "false"
set_env_var_if_provided "TRIVY_SCANNERS" "${{ inputs.scanners }}" ""
set_env_var_if_provided "TRIVY_CONFIG" "${{ inputs.trivy-config }}" ""
set_env_var_if_provided "TRIVY_TF_VARS" "${{ inputs.tf-vars }}" ""
set_env_var_if_provided "TRIVY_DOCKER_HOST" "${{ inputs.docker-host }}" ""
- name: Run Trivy
shell: bash
run: entrypoint.sh
env:
# For shell script
# > If the action is written using a composite, then it will not automatically get INPUT_<VARIABLE_NAME>
# cf. https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
INPUT_SCAN_TYPE: ${{ inputs.scan-type }}
INPUT_IMAGE_REF: ${{ inputs.image-ref }}
INPUT_SCAN_REF: ${{ inputs.scan-ref }}
INPUT_TRIVYIGNORES: ${{ inputs.trivyignores }}
INPUT_GITHUB_PAT: ${{ inputs.github-pat }}
INPUT_LIMIT_SEVERITIES_FOR_SARIF: ${{ inputs.limit-severities-for-sarif }}
# For Trivy
TRIVY_CACHE_DIR: ${{ inputs.cache-dir }} # Always set
# Remove Trivy envs to keep envs within this action and avoid env leaks
# See #422 for context
- name: Remove Trivy Envs file
if: ${{ always() }}
shell: bash
run: |
rm -f trivy_envs.txt

231
entrypoint.sh
View File

@@ -1,215 +1,64 @@
#!/bin/bash
set -e
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:y:z:" o; do
case "${o}" in
a)
export scanType=${OPTARG}
;;
b)
export format=${OPTARG}
;;
c)
export template=${OPTARG}
;;
d)
export exitCode=${OPTARG}
;;
e)
export ignoreUnfixed=${OPTARG}
;;
f)
export vulnType=${OPTARG}
;;
g)
export severity=${OPTARG}
;;
h)
export output=${OPTARG}
;;
i)
export imageRef=${OPTARG}
;;
j)
export scanRef=${OPTARG}
;;
k)
export skipDirs=${OPTARG}
;;
l)
export input=${OPTARG}
;;
m)
export cacheDir=${OPTARG}
;;
n)
export timeout=${OPTARG}
;;
o)
export ignorePolicy=${OPTARG}
;;
p)
export hideProgress=${OPTARG}
;;
q)
export skipFiles=${OPTARG}
;;
r)
export listAllPkgs=${OPTARG}
;;
s)
export scanners=${OPTARG}
;;
t)
export trivyIgnores=${OPTARG}
;;
u)
export githubPAT=${OPTARG}
;;
v)
export trivyConfig=${OPTARG}
;;
x)
export tfVars=${OPTARG}
;;
y)
export dockerHost=${OPTARG}
;;
z)
export limitSeveritiesForSARIF=${OPTARG}
;;
esac
done
set -euo pipefail
scanType=$(echo $scanType | tr -d '\r')
export artifactRef="${imageRef}"
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ] || [ "${scanType}" = "sbom" ];then
artifactRef=$(echo $scanRef | tr -d '\r')
fi
input=$(echo $input | tr -d '\r')
if [ $input ]; then
artifactRef="--input $input"
fi
#trim leading spaces for boolean params
ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
hideProgress=$(echo $hideProgress | tr -d '\r')
limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')
GLOBAL_ARGS=""
if [ $cacheDir ];then
GLOBAL_ARGS="$GLOBAL_ARGS --cache-dir $cacheDir"
# Read TRIVY_* envs from file, previously they were written to the GITHUB_ENV file but GitHub Actions automatically
# injects those into subsequent job steps which means inputs from one trivy-action invocation were leaking over to
# any subsequent invocation which led to unexpected/undesireable behaviour from a user perspective
# See #422 for more context around this
if [ -f ./trivy_envs.txt ]; then
source ./trivy_envs.txt
fi
SARIF_ARGS=""
ARGS=""
format=$(echo $format | xargs)
if [ $format ];then
ARGS="$ARGS --format $format"
fi
if [ $template ] ;then
ARGS="$ARGS --template $template"
fi
if [ $exitCode ];then
ARGS="$ARGS --exit-code $exitCode"
SARIF_ARGS="$SARIF_ARGS --exit-code $exitCode"
fi
if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
ARGS="$ARGS --ignore-unfixed"
SARIF_ARGS="$SARIF_ARGS --ignore-unfixed"
fi
if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];then
ARGS="$ARGS --vuln-type $vulnType"
SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
fi
if [ $scanners ];then
ARGS="$ARGS --scanners $scanners"
SARIF_ARGS="$SARIF_ARGS --scanners $scanners"
fi
if [ $severity ];then
ARGS="$ARGS --severity $severity"
fi
if [ $output ];then
ARGS="$ARGS --output $output"
fi
if [ $skipDirs ];then
for i in $(echo $skipDirs | tr "," "\n")
do
ARGS="$ARGS --skip-dirs $i"
SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
done
fi
if [ $tfVars ] && [ "$scanType" == "config" ];then
ARGS="$ARGS --tf-vars $tfVars"
# Set artifact reference
scanType="${INPUT_SCAN_TYPE:-image}"
scanRef="${INPUT_SCAN_REF:-.}"
if [ -n "${INPUT_IMAGE_REF:-}" ]; then
scanRef="${INPUT_IMAGE_REF}" # backwards compatibility
fi
if [ $trivyIgnores ];then
for f in $(echo $trivyIgnores | tr "," "\n")
do
# Handle trivy ignores
if [ -n "${INPUT_TRIVYIGNORES:-}" ]; then
ignorefile="./trivyignores"
# Clear the ignore file if it exists, or create a new empty file
: > "$ignorefile"
for f in ${INPUT_TRIVYIGNORES//,/ }; do
if [ -f "$f" ]; then
echo "Found ignorefile '${f}':"
cat "${f}"
cat "${f}" >> ./trivyignores
cat "${f}" >> "$ignorefile"
else
echo "ERROR: cannot find ignorefile '${f}'."
echo "ERROR: cannot find ignorefile '${f}'." >&2
exit 1
fi
done
ARGS="$ARGS --ignorefile ./trivyignores"
fi
if [ $timeout ];then
ARGS="$ARGS --timeout $timeout"
SARIF_ARGS="$SARIF_ARGS --timeout $timeout"
fi
if [ $ignorePolicy ];then
ARGS="$ARGS --ignore-policy $ignorePolicy"
SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy"
fi
if [ "$hideProgress" == "true" ];then
ARGS="$ARGS --quiet"
SARIF_ARGS="$SARIF_ARGS --quiet"
fi
if [ $dockerHost ];then
ARGS="$ARGS --docker-host $dockerHost"
export TRIVY_IGNOREFILE="$ignorefile"
fi
listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
if [ "$listAllPkgs" == "true" ];then
ARGS="$ARGS --list-all-pkgs"
fi
if [ "$skipFiles" ];then
for i in $(echo $skipFiles | tr "," "\n")
do
ARGS="$ARGS --skip-files $i"
SARIF_ARGS="$SARIF_ARGS --skip-files $i"
done
# Handle SARIF
if [ "${TRIVY_FORMAT:-}" = "sarif" ]; then
if [ "${INPUT_LIMIT_SEVERITIES_FOR_SARIF:-false,,}" != "true" ]; then
echo "Building SARIF report with all severities"
unset TRIVY_SEVERITY
else
echo "Building SARIF report"
fi
fi
trivyConfig=$(echo $trivyConfig | tr -d '\r')
# To make sure that uploda GitHub Dependency Snapshot succeeds, disable the script that fails first.
set +e
if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
# SARIF is special. We output all vulnerabilities,
# regardless of severity level specified in this report.
# This is a feature, not a bug :)
echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
elif [ $trivyConfig ]; then
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
trivy --config $trivyConfig ${scanType} ${artifactRef}
else
echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
fi
# Run Trivy
cmd=(trivy "$scanType" "$scanRef")
echo "Running Trivy with options: ${cmd[*]}"
"${cmd[@]}"
returnCode=$?
set -e
if [[ "${format}" == "github" ]]; then
if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
if [ "${TRIVY_FORMAT:-}" = "github" ]; then
if [ -n "${INPUT_GITHUB_PAT:-}" ]; then
printf "\n Uploading GitHub Dependency Snapshot"
curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubPAT" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
curl -H 'Accept: application/vnd.github+json' -H "Authorization: token ${INPUT_GITHUB_PAT}" \
"https://api.github.com/repos/$GITHUB_REPOSITORY/dependency-graph/snapshots" -d @"${TRIVY_OUTPUT:-}"
else
printf "\n Failing GitHub Dependency Snapshot. Missing github-pat"
printf "\n Failing GitHub Dependency Snapshot. Missing github-pat" >&2
fi
fi

3
renovate.json Normal file
View File

@@ -0,0 +1,3 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json"
}

76
test/data/config-sarif-report/report.sarif
View File

@@ -1,6 +1,6 @@
{
"version": "2.1.0",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
@@ -16,15 +16,15 @@
"text": "S3 Access block should block public ACL"
},
"fullDescription": {
"text": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n"
"text": "S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0086",
"help": {
"text": "Misconfiguration AVD-AWS-0086\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public ACL\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
"markdown": "**Misconfiguration AVD-AWS-0086**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)|\n\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n"
"text": "Misconfiguration AVD-AWS-0086\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public ACL\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
"markdown": "**Misconfiguration AVD-AWS-0086**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)|\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n"
},
"properties": {
"precision": "very-high",
@@ -43,15 +43,15 @@
"text": "S3 Access block should block public policy"
},
"fullDescription": {
"text": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n"
"text": "S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0087",
"help": {
"text": "Misconfiguration AVD-AWS-0087\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public policy\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
"markdown": "**Misconfiguration AVD-AWS-0087**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)|\n\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n"
"text": "Misconfiguration AVD-AWS-0087\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public policy\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
"markdown": "**Misconfiguration AVD-AWS-0087**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)|\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n"
},
"properties": {
"precision": "very-high",
@@ -70,15 +70,15 @@
"text": "Unencrypted S3 bucket."
},
"fullDescription": {
"text": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised."
"text": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0088",
"help": {
"text": "Misconfiguration AVD-AWS-0088\nType: Terraform Security Check\nSeverity: HIGH\nCheck: Unencrypted S3 bucket.\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
"markdown": "**Misconfiguration AVD-AWS-0088**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\n\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised."
"text": "Misconfiguration AVD-AWS-0088\nType: Terraform Security Check\nSeverity: HIGH\nCheck: Unencrypted S3 bucket.\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.\n",
"markdown": "**Misconfiguration AVD-AWS-0088**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\n\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.\n"
},
"properties": {
"precision": "very-high",
@@ -91,7 +91,7 @@
}
},
{
"id": "AVD-AWS-0089",
"id": "s3-bucket-logging",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Bucket Logging"
@@ -102,10 +102,10 @@
"defaultConfiguration": {
"level": "note"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0089",
"helpUri": "https://avd.aquasec.com/misconfig/s3-bucket-logging",
"help": {
"text": "Misconfiguration AVD-AWS-0089\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 Bucket Logging\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)\nEnsures S3 bucket logging is enabled for S3 buckets",
"markdown": "**Misconfiguration AVD-AWS-0089**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)|\n\nEnsures S3 bucket logging is enabled for S3 buckets"
"text": "Misconfiguration s3-bucket-logging\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 Bucket Logging\nMessage: Bucket has logging disabled\nLink: [s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)\nEnsures S3 bucket logging is enabled for S3 buckets",
"markdown": "**Misconfiguration s3-bucket-logging**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)|\n\nEnsures S3 bucket logging is enabled for S3 buckets"
},
"properties": {
"precision": "very-high",
@@ -124,15 +124,15 @@
"text": "S3 Data should be versioned"
},
"fullDescription": {
"text": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
"text": "Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0090",
"help": {
"text": "Misconfiguration AVD-AWS-0090\nType: Terraform Security Check\nSeverity: MEDIUM\nCheck: S3 Data should be versioned\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
"markdown": "**Misconfiguration AVD-AWS-0090**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\n\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
"text": "Misconfiguration AVD-AWS-0090\nType: Terraform Security Check\nSeverity: MEDIUM\nCheck: S3 Data should be versioned\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
"markdown": "**Misconfiguration AVD-AWS-0090**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
},
"properties": {
"precision": "very-high",
@@ -151,15 +151,15 @@
"text": "S3 Access Block should Ignore Public Acl"
},
"fullDescription": {
"text": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
"text": "S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0091",
"help": {
"text": "Misconfiguration AVD-AWS-0091\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access Block should Ignore Public Acl\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
"markdown": "**Misconfiguration AVD-AWS-0091**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not ignoring public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\n\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
"text": "Misconfiguration AVD-AWS-0091\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access Block should Ignore Public Acl\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
"markdown": "**Misconfiguration AVD-AWS-0091**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not blocking public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
},
"properties": {
"precision": "very-high",
@@ -178,15 +178,15 @@
"text": "S3 Access block should restrict public bucket to limit access"
},
"fullDescription": {
"text": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy."
"text": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0093",
"help": {
"text": "Misconfiguration AVD-AWS-0093\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should restrict public bucket to limit access\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
"markdown": "**Misconfiguration AVD-AWS-0093**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)|\n\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy."
"text": "Misconfiguration AVD-AWS-0093\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should restrict public bucket to limit access\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.\n",
"markdown": "**Misconfiguration AVD-AWS-0093**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)|\n\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.\n"
},
"properties": {
"precision": "very-high",
@@ -205,15 +205,15 @@
"text": "S3 buckets should each define an aws_s3_bucket_public_access_block"
},
"fullDescription": {
"text": "The \u0026#34;block public access\u0026#34; settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it."
"text": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.\n"
},
"defaultConfiguration": {
"level": "note"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0094",
"help": {
"text": "Misconfiguration AVD-AWS-0094\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
"markdown": "**Misconfiguration AVD-AWS-0094**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)|\n\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it."
"text": "Misconfiguration AVD-AWS-0094\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.\n",
"markdown": "**Misconfiguration AVD-AWS-0094**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)|\n\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.\n"
},
"properties": {
"precision": "very-high",
@@ -232,15 +232,15 @@
"text": "S3 encryption should use Customer Managed Keys"
},
"fullDescription": {
"text": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys."
"text": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0132",
"help": {
"text": "Misconfiguration AVD-AWS-0132\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 encryption should use Customer Managed Keys\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
"markdown": "**Misconfiguration AVD-AWS-0132**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\n\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys."
"text": "Misconfiguration AVD-AWS-0132\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 encryption should use Customer Managed Keys\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.\n",
"markdown": "**Misconfiguration AVD-AWS-0132**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\n\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.\n"
},
"properties": {
"precision": "very-high",
@@ -252,8 +252,7 @@
]
}
}
],
"version": "0.50.0"
]
}
},
"results": [
@@ -339,11 +338,11 @@
]
},
{
"ruleId": "AVD-AWS-0089",
"ruleId": "s3-bucket-logging",
"ruleIndex": 3,
"level": "note",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0089\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)"
"text": "Artifact: main.tf\nType: terraform\nVulnerability s3-bucket-logging\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)"
},
"locations": [
{
@@ -397,7 +396,7 @@
"ruleIndex": 5,
"level": "error",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0091\nSeverity: HIGH\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)"
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0091\nSeverity: HIGH\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)"
},
"locations": [
{
@@ -501,12 +500,7 @@
]
}
],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {
"uri": "file://D:\\projects\\trivy-action\\test\\data\\config-sarif-report/"
}
}
"columnKind": "utf16CodeUnits"
}
]
}
}

87
test/data/config-scan/report.json
View File

@@ -1,29 +1,15 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-04-12T16:53:35.5567541+03:00",
"ArtifactName": "test/data/config-scan",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": ".",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 2,
"Failures": 0,
"Exceptions": 0
"Successes": 38,
"Failures": 0
}
},
{
@@ -31,9 +17,8 @@
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 1,
"Failures": 9,
"Exceptions": 0
"Successes": 0,
"Failures": 9
},
"Misconfigurations": [
{
@@ -41,9 +26,10 @@
"ID": "AVD-AWS-0086",
"AVDID": "AVD-AWS-0086",
"Title": "S3 Access block should block public ACL",
"Description": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
"Description": "S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
"Message": "No public access block so not blocking public acls",
"Query": "data..",
"Namespace": "builtin.aws.s3.aws0086",
"Query": "data.builtin.aws.s3.aws0086.deny",
"Resolution": "Enable blocking any PUT calls with a public ACL specified",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0086",
@@ -52,7 +38,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0086"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -100,9 +85,10 @@
"ID": "AVD-AWS-0087",
"AVDID": "AVD-AWS-0087",
"Title": "S3 Access block should block public policy",
"Description": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
"Description": "S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
"Message": "No public access block so not blocking public policies",
"Query": "data..",
"Namespace": "builtin.aws.s3.aws0087",
"Query": "data.builtin.aws.s3.aws0087.deny",
"Resolution": "Prevent policies that allow public access being PUT",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0087",
@@ -111,7 +97,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0087"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -159,9 +144,10 @@
"ID": "AVD-AWS-0088",
"AVDID": "AVD-AWS-0088",
"Title": "Unencrypted S3 bucket.",
"Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
"Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.\n",
"Message": "Bucket does not have encryption enabled",
"Query": "data..",
"Namespace": "builtin.aws.s3.aws0088",
"Query": "data.builtin.aws.s3.aws0088.deny",
"Resolution": "Configure bucket encryption",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0088",
@@ -170,7 +156,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0088"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -215,7 +200,7 @@
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0089",
"ID": "s3-bucket-logging",
"AVDID": "AVD-AWS-0089",
"Title": "S3 Bucket Logging",
"Description": "Ensures S3 bucket logging is enabled for S3 buckets",
@@ -224,13 +209,13 @@
"Query": "data.builtin.aws.s3.aws0089.deny",
"Resolution": "Add a logging block to the resource to enable access logging",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
"PrimaryURL": "https://avd.aquasec.com/misconfig/s3-bucket-logging",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html",
"https://avd.aquasec.com/misconfig/avd-aws-0089"
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html",
"https://avd.aquasec.com/misconfig/s3-bucket-logging"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -278,9 +263,10 @@
"ID": "AVD-AWS-0090",
"AVDID": "AVD-AWS-0090",
"Title": "S3 Data should be versioned",
"Description": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
"Description": "Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
"Message": "Bucket does not have versioning enabled",
"Query": "data..",
"Namespace": "builtin.aws.s3.aws0090",
"Query": "data.builtin.aws.s3.aws0090.deny",
"Resolution": "Enable versioning to protect against accidental/malicious removal or modification",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090",
@@ -289,7 +275,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0090"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Provider": "AWS",
@@ -386,7 +371,11 @@
"EndLine": 18
}
}
]
],
"RenderedCause": {
"Raw": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {\n versioning_configuration {\n status = \"Disabled\"\n }\n}",
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {\n versioning_configuration {\n \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;37m\"Disabled\"\n\u001b[0m }\n}"
}
}
},
{
@@ -394,9 +383,10 @@
"ID": "AVD-AWS-0091",
"AVDID": "AVD-AWS-0091",
"Title": "S3 Access Block should Ignore Public Acl",
"Description": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
"Message": "No public access block so not ignoring public acls",
"Query": "data..",
"Description": "S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
"Message": "No public access block so not blocking public acls",
"Namespace": "builtin.aws.s3.aws0091",
"Query": "data.builtin.aws.s3.aws0091.deny",
"Resolution": "Enable ignoring the application of public ACLs in PUT calls",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0091",
@@ -405,7 +395,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0091"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -453,9 +442,10 @@
"ID": "AVD-AWS-0093",
"AVDID": "AVD-AWS-0093",
"Title": "S3 Access block should restrict public bucket to limit access",
"Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
"Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.\n",
"Message": "No public access block so not restricting public buckets",
"Query": "data..",
"Namespace": "builtin.aws.s3.aws0093",
"Query": "data.builtin.aws.s3.aws0093.deny",
"Resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0093",
@@ -464,7 +454,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0093"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -512,9 +501,10 @@
"ID": "AVD-AWS-0094",
"AVDID": "AVD-AWS-0094",
"Title": "S3 buckets should each define an aws_s3_bucket_public_access_block",
"Description": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
"Description": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.\n",
"Message": "Bucket does not have a corresponding public access block.",
"Query": "data..",
"Namespace": "builtin.aws.s3.aws0094",
"Query": "data.builtin.aws.s3.aws0094.deny",
"Resolution": "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0094",
@@ -523,7 +513,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0094"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -571,9 +560,10 @@
"ID": "AVD-AWS-0132",
"AVDID": "AVD-AWS-0132",
"Title": "S3 encryption should use Customer Managed Keys",
"Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
"Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.\n",
"Message": "Bucket does not encrypt data with a customer managed key.",
"Query": "data..",
"Namespace": "builtin.aws.s3.aws0132",
"Query": "data.builtin.aws.s3.aws0132.deny",
"Resolution": "Enable encryption using customer managed keys",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
@@ -582,7 +572,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0132"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",

12
test/data/fs-scan/report
View File

@@ -0,0 +1,12 @@
Report Summary
┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼──────┼─────────────────┼─────────┤
│ - │ - │ - │ - │
└────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

225
test/data/github-dep-snapshot/report.gsbom
View File

@@ -2,23 +2,18 @@
"version": 0,
"detector": {
"name": "trivy",
"version": "0.50.0",
"url": "https://github.com/aquasecurity/trivy"
},
"metadata": {
"aquasecurity:trivy:RepoDigest": "knqyf263/vuln-image@sha256:1e8b199249d6d0ef3419ddc6eda2348d9fbdb10d350d3bb70aa98e87faa227c9",
"aquasecurity:trivy:RepoTag": "knqyf263/vuln-image:1.2.3"
},
"job": {
"correlator": "_"
},
"scanned": "2024-04-12T16:02:51+03:00",
"manifests": {
"knqyf263/vuln-image:1.2.3 (alpine 3.7.1)": {
"name": "alpine",
"resolved": {
".composer-phpext-rundeps": {
"package_url": "pkg:apk/alpine/.composer-phpext-rundeps@0?arch=noarch\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/.composer-phpext-rundeps@0?arch=noarch&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libsodium@1.0.15-r0",
@@ -28,7 +23,7 @@
"scope": "runtime"
},
".persistent-deps": {
"package_url": "pkg:apk/alpine/.persistent-deps@0?arch=noarch\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/.persistent-deps@0?arch=noarch&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"ca-certificates@20171114-r0",
@@ -40,7 +35,7 @@
"scope": "runtime"
},
".php-rundeps": {
"package_url": "pkg:apk/alpine/.php-rundeps@0?arch=noarch\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/.php-rundeps@0?arch=noarch&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libcurl@7.61.1-r0",
@@ -55,7 +50,7 @@
"scope": "runtime"
},
"alpine-baselayout": {
"package_url": "pkg:apk/alpine/alpine-baselayout@3.0.5-r2?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/alpine-baselayout@3.0.5-r2?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"busybox@1.27.2-r11",
@@ -64,12 +59,12 @@
"scope": "runtime"
},
"alpine-keys": {
"package_url": "pkg:apk/alpine/alpine-keys@2.1-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/alpine-keys@2.1-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"scope": "runtime"
},
"apk-tools": {
"package_url": "pkg:apk/alpine/apk-tools@2.10.1-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/apk-tools@2.10.1-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -80,7 +75,7 @@
"scope": "runtime"
},
"apr": {
"package_url": "pkg:apk/alpine/apr@1.6.3-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/apr@1.6.3-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libuuid@2.31-r0",
@@ -89,7 +84,7 @@
"scope": "runtime"
},
"apr-util": {
"package_url": "pkg:apk/alpine/apr-util@1.6.1-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/apr-util@1.6.1-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"apr@1.6.3-r0",
@@ -100,7 +95,7 @@
"scope": "runtime"
},
"bash": {
"package_url": "pkg:apk/alpine/bash@4.4.19-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/bash@4.4.19-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"busybox@1.27.2-r11",
@@ -111,7 +106,7 @@
"scope": "runtime"
},
"busybox": {
"package_url": "pkg:apk/alpine/busybox@1.27.2-r11?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/busybox@1.27.2-r11?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -119,7 +114,7 @@
"scope": "runtime"
},
"ca-certificates": {
"package_url": "pkg:apk/alpine/ca-certificates@20171114-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ca-certificates@20171114-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"busybox@1.27.2-r11",
@@ -129,7 +124,7 @@
"scope": "runtime"
},
"curl": {
"package_url": "pkg:apk/alpine/curl@7.61.0-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/curl@7.61.0-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"ca-certificates@20171114-r0",
@@ -140,7 +135,7 @@
"scope": "runtime"
},
"db": {
"package_url": "pkg:apk/alpine/db@5.3.28-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/db@5.3.28-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -148,7 +143,7 @@
"scope": "runtime"
},
"expat": {
"package_url": "pkg:apk/alpine/expat@2.2.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/expat@2.2.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -156,7 +151,7 @@
"scope": "runtime"
},
"gdbm": {
"package_url": "pkg:apk/alpine/gdbm@1.13-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/gdbm@1.13-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -164,7 +159,7 @@
"scope": "runtime"
},
"git": {
"package_url": "pkg:apk/alpine/git@2.15.2-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/git@2.15.2-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"expat@2.2.5-r0",
@@ -176,7 +171,7 @@
"scope": "runtime"
},
"libbz2": {
"package_url": "pkg:apk/alpine/libbz2@1.0.6-r6?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libbz2@1.0.6-r6?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -184,7 +179,7 @@
"scope": "runtime"
},
"libc-utils": {
"package_url": "pkg:apk/alpine/libc-utils@0.7.1-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libc-utils@0.7.1-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl-utils@1.1.18-r3"
@@ -192,7 +187,7 @@
"scope": "runtime"
},
"libcurl": {
"package_url": "pkg:apk/alpine/libcurl@7.61.1-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libcurl@7.61.1-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"ca-certificates@20171114-r0",
@@ -205,7 +200,7 @@
"scope": "runtime"
},
"libedit": {
"package_url": "pkg:apk/alpine/libedit@20170329.3.1-r3?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libedit@20170329.3.1-r3?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -214,7 +209,7 @@
"scope": "runtime"
},
"libffi": {
"package_url": "pkg:apk/alpine/libffi@3.2.1-r4?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libffi@3.2.1-r4?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -222,7 +217,7 @@
"scope": "runtime"
},
"libressl": {
"package_url": "pkg:apk/alpine/libressl@2.6.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libressl@2.6.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -233,7 +228,7 @@
"scope": "runtime"
},
"libressl2.6-libcrypto": {
"package_url": "pkg:apk/alpine/libressl2.6-libcrypto@2.6.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libressl2.6-libcrypto@2.6.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -241,7 +236,7 @@
"scope": "runtime"
},
"libressl2.6-libssl": {
"package_url": "pkg:apk/alpine/libressl2.6-libssl@2.6.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libressl2.6-libssl@2.6.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -250,7 +245,7 @@
"scope": "runtime"
},
"libressl2.6-libtls": {
"package_url": "pkg:apk/alpine/libressl2.6-libtls@2.6.5-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libressl2.6-libtls@2.6.5-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -260,7 +255,7 @@
"scope": "runtime"
},
"libsasl": {
"package_url": "pkg:apk/alpine/libsasl@2.1.26-r11?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libsasl@2.1.26-r11?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"db@5.3.28-r0",
@@ -269,7 +264,7 @@
"scope": "runtime"
},
"libsodium": {
"package_url": "pkg:apk/alpine/libsodium@1.0.15-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libsodium@1.0.15-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -277,7 +272,7 @@
"scope": "runtime"
},
"libssh2": {
"package_url": "pkg:apk/alpine/libssh2@1.8.0-r2?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libssh2@1.8.0-r2?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -287,7 +282,7 @@
"scope": "runtime"
},
"libuuid": {
"package_url": "pkg:apk/alpine/libuuid@2.31-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libuuid@2.31-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -295,7 +290,7 @@
"scope": "runtime"
},
"libxml2": {
"package_url": "pkg:apk/alpine/libxml2@2.9.7-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/libxml2@2.9.7-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -304,7 +299,7 @@
"scope": "runtime"
},
"mercurial": {
"package_url": "pkg:apk/alpine/mercurial@4.5.2-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/mercurial@4.5.2-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -313,12 +308,12 @@
"scope": "runtime"
},
"musl": {
"package_url": "pkg:apk/alpine/musl@1.1.18-r3?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/musl@1.1.18-r3?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"scope": "runtime"
},
"musl-utils": {
"package_url": "pkg:apk/alpine/musl-utils@1.1.18-r3?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/musl-utils@1.1.18-r3?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -327,7 +322,7 @@
"scope": "runtime"
},
"ncurses-libs": {
"package_url": "pkg:apk/alpine/ncurses-libs@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ncurses-libs@6.0_p20171125-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -337,7 +332,7 @@
"scope": "runtime"
},
"ncurses-terminfo": {
"package_url": "pkg:apk/alpine/ncurses-terminfo@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ncurses-terminfo@6.0_p20171125-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"ncurses-terminfo-base@6.0_p20171125-r1"
@@ -345,12 +340,12 @@
"scope": "runtime"
},
"ncurses-terminfo-base": {
"package_url": "pkg:apk/alpine/ncurses-terminfo-base@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ncurses-terminfo-base@6.0_p20171125-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"scope": "runtime"
},
"openssh": {
"package_url": "pkg:apk/alpine/openssh@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -362,7 +357,7 @@
"scope": "runtime"
},
"openssh-client": {
"package_url": "pkg:apk/alpine/openssh-client@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-client@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -373,7 +368,7 @@
"scope": "runtime"
},
"openssh-keygen": {
"package_url": "pkg:apk/alpine/openssh-keygen@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-keygen@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -382,7 +377,7 @@
"scope": "runtime"
},
"openssh-server": {
"package_url": "pkg:apk/alpine/openssh-server@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-server@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libcrypto@2.6.5-r0",
@@ -394,12 +389,12 @@
"scope": "runtime"
},
"openssh-server-common": {
"package_url": "pkg:apk/alpine/openssh-server-common@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-server-common@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"scope": "runtime"
},
"openssh-sftp-server": {
"package_url": "pkg:apk/alpine/openssh-sftp-server@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/openssh-sftp-server@7.5_p1-r9?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -407,7 +402,7 @@
"scope": "runtime"
},
"patch": {
"package_url": "pkg:apk/alpine/patch@2.7.5-r2?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/patch@2.7.5-r2?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -415,7 +410,7 @@
"scope": "runtime"
},
"pcre2": {
"package_url": "pkg:apk/alpine/pcre2@10.30-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/pcre2@10.30-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -423,7 +418,7 @@
"scope": "runtime"
},
"pkgconf": {
"package_url": "pkg:apk/alpine/pkgconf@1.3.10-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/pkgconf@1.3.10-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -431,7 +426,7 @@
"scope": "runtime"
},
"python2": {
"package_url": "pkg:apk/alpine/python2@2.7.15-r2?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/python2@2.7.15-r2?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"expat@2.2.5-r0",
@@ -449,7 +444,7 @@
"scope": "runtime"
},
"readline": {
"package_url": "pkg:apk/alpine/readline@7.0.003-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/readline@7.0.003-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -458,7 +453,7 @@
"scope": "runtime"
},
"scanelf": {
"package_url": "pkg:apk/alpine/scanelf@1.2.2-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/scanelf@1.2.2-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -466,7 +461,7 @@
"scope": "runtime"
},
"serf": {
"package_url": "pkg:apk/alpine/serf@1.3.9-r3?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/serf@1.3.9-r3?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"apr-util@1.6.1-r1",
@@ -479,7 +474,7 @@
"scope": "runtime"
},
"sqlite-libs": {
"package_url": "pkg:apk/alpine/sqlite-libs@3.21.0-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/sqlite-libs@3.21.0-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -487,7 +482,7 @@
"scope": "runtime"
},
"ssl_client": {
"package_url": "pkg:apk/alpine/ssl_client@1.27.2-r11?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/ssl_client@1.27.2-r11?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"libressl2.6-libtls@2.6.5-r0",
@@ -496,7 +491,7 @@
"scope": "runtime"
},
"subversion": {
"package_url": "pkg:apk/alpine/subversion@1.9.7-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/subversion@1.9.7-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"apr-util@1.6.1-r1",
@@ -509,7 +504,7 @@
"scope": "runtime"
},
"subversion-libs": {
"package_url": "pkg:apk/alpine/subversion-libs@1.9.7-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/subversion-libs@1.9.7-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"apr-util@1.6.1-r1",
@@ -525,7 +520,7 @@
"scope": "runtime"
},
"tar": {
"package_url": "pkg:apk/alpine/tar@1.29-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/tar@1.29-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -533,7 +528,7 @@
"scope": "runtime"
},
"tini": {
"package_url": "pkg:apk/alpine/tini@0.16.1-r0?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/tini@0.16.1-r0?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -541,7 +536,7 @@
"scope": "runtime"
},
"xz": {
"package_url": "pkg:apk/alpine/xz@5.2.3-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/xz@5.2.3-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3",
@@ -550,7 +545,7 @@
"scope": "runtime"
},
"xz-libs": {
"package_url": "pkg:apk/alpine/xz-libs@5.2.3-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/xz-libs@5.2.3-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -558,7 +553,7 @@
"scope": "runtime"
},
"zlib": {
"package_url": "pkg:apk/alpine/zlib@1.2.11-r1?arch=x86_64\u0026distro=3.7.1",
"package_url": "pkg:apk/alpine/zlib@1.2.11-r1?arch=x86_64&distro=3.7.1",
"relationship": "direct",
"dependencies": [
"musl@1.1.18-r3"
@@ -567,108 +562,6 @@
}
}
},
"php-app/composer.lock": {
"name": "composer",
"file": {
"source_location": "knqyf263/vuln-image:1.2.3@sha256:1e8b199249d6d0ef3419ddc6eda2348d9fbdb10d350d3bb70aa98e87faa227c9"
},
"resolved": {
"guzzlehttp/guzzle": {
"package_url": "pkg:composer/guzzlehttp/guzzle@6.2.0",
"relationship": "direct",
"dependencies": [
"guzzlehttp/promises@v1.3.1",
"guzzlehttp/psr7@1.5.2"
],
"scope": "runtime"
},
"guzzlehttp/promises": {
"package_url": "pkg:composer/guzzlehttp/promises@v1.3.1",
"relationship": "direct",
"scope": "runtime"
},
"guzzlehttp/psr7": {
"package_url": "pkg:composer/guzzlehttp/psr7@1.5.2",
"relationship": "direct",
"dependencies": [
"psr/http-message@1.0.1",
"ralouphie/getallheaders@2.0.5"
],
"scope": "runtime"
},
"laravel/installer": {
"package_url": "pkg:composer/laravel/installer@v2.0.1",
"relationship": "direct",
"dependencies": [
"guzzlehttp/guzzle@6.2.0",
"symfony/console@v4.2.7",
"symfony/filesystem@v4.2.7",
"symfony/process@v4.2.7"
],
"scope": "runtime"
},
"pear/log": {
"package_url": "pkg:composer/pear/log@1.13.1",
"relationship": "direct",
"dependencies": [
"pear/pear_exception@v1.0.0"
],
"scope": "runtime"
},
"pear/pear_exception": {
"package_url": "pkg:composer/pear/pear_exception@v1.0.0",
"relationship": "direct",
"scope": "runtime"
},
"psr/http-message": {
"package_url": "pkg:composer/psr/http-message@1.0.1",
"relationship": "direct",
"scope": "runtime"
},
"ralouphie/getallheaders": {
"package_url": "pkg:composer/ralouphie/getallheaders@2.0.5",
"relationship": "direct",
"scope": "runtime"
},
"symfony/console": {
"package_url": "pkg:composer/symfony/console@v4.2.7",
"relationship": "direct",
"dependencies": [
"symfony/contracts@v1.0.2",
"symfony/polyfill-mbstring@v1.11.0"
],
"scope": "runtime"
},
"symfony/contracts": {
"package_url": "pkg:composer/symfony/contracts@v1.0.2",
"relationship": "direct",
"scope": "runtime"
},
"symfony/filesystem": {
"package_url": "pkg:composer/symfony/filesystem@v4.2.7",
"relationship": "direct",
"dependencies": [
"symfony/polyfill-ctype@v1.11.0"
],
"scope": "runtime"
},
"symfony/polyfill-ctype": {
"package_url": "pkg:composer/symfony/polyfill-ctype@v1.11.0",
"relationship": "direct",
"scope": "runtime"
},
"symfony/polyfill-mbstring": {
"package_url": "pkg:composer/symfony/polyfill-mbstring@v1.11.0",
"relationship": "direct",
"scope": "runtime"
},
"symfony/process": {
"package_url": "pkg:composer/symfony/process@v4.2.7",
"relationship": "direct",
"scope": "runtime"
}
}
},
"rust-app/Cargo.lock": {
"name": "cargo",
"file": {
@@ -1235,4 +1128,4 @@
}
}
}
}
}

17
test/data/image-scan/report
View File

@@ -1,4 +1,18 @@
Report Summary
┌──────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ knqyf263/vuln-image:1.2.3 (alpine 3.7.1) │ alpine │ 19 │ - │
├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ rust-app/Cargo.lock │ cargo │ 4 │ - │
└──────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)
@@ -37,7 +51,8 @@ Total: 19 (CRITICAL: 19)
│ │ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with
│ │ │ │ │ │ │ data integrity tests fail).... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │

12
test/data/rootfs-scan/report
View File

@@ -0,0 +1,12 @@
Report Summary
┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼──────┼─────────────────┼─────────┤
│ - │ - │ - │ - │
└────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

20
test/data/secret-scan/report.json
View File

@@ -1,19 +1,15 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:04.647712097Z",
"ArtifactID": "sha256:79ce4c2f8371bef1ce2a321518d3136bc1bd8f3c307ed679944a38e7cbd76c14",
"ArtifactName": "https://github.com/krol3/demo-trivy/",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
"RepoURL": "https://github.com/krol3/demo-trivy/",
"Branch": "main",
"Commit": "547db823c73fdb3385871f6235e946c72291f734",
"CommitMsg": "chore: add gitignore",
"Author": "carolina valencia <krol3@users.noreply.github.com>",
"Committer": "carolina valencia <krol3@users.noreply.github.com>"
},
"Results": [
{
@@ -70,7 +66,7 @@
]
},
"Match": "export GITHUB_PAT=****************************************",
"Layer": {}
"Offset": 63
}
]
}

17
test/data/with-ignore-files/report
View File

@@ -1,4 +1,18 @@
Report Summary
┌──────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ knqyf263/vuln-image:1.2.3 (alpine 3.7.1) │ alpine │ 19 │ - │
├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ rust-app/Cargo.lock │ cargo │ 1 │ - │
└──────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)
@@ -37,7 +51,8 @@ Total: 19 (CRITICAL: 19)
│ │ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with
│ │ │ │ │ │ │ data integrity tests fail).... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │

25
test/data/with-tf-vars/report.json
View File

@@ -1,40 +1,21 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-04-12T14:09:09.5680191+03:00",
"ArtifactName": "test/data/with-tf-vars/main.tf",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": ".",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 2,
"Failures": 0,
"Exceptions": 0
"Successes": 19,
"Failures": 0
}
},
{
"Target": "main.tf",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 1,
"Failures": 0,
"Exceptions": 0
}
"Type": "terraform"
}
]
}

20
test/data/with-trivy-yaml-cfg/report.json
View File

@@ -1,9 +1,10 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:21.039454971Z",
"ArtifactID": "sha256:aab05ff324c90bb728aa5177b75d7e39d363be13323873de70959d2251edcebc",
"ArtifactName": "alpine:3.10",
"ArtifactType": "container_image",
"Metadata": {
"Size": 5842432,
"OS": {
"Family": "alpine",
"Name": "3.10.9",
@@ -19,6 +20,7 @@
"RepoDigests": [
"alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
],
"Reference": "alpine:3.10",
"ImageConfig": {
"architecture": "amd64",
"container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
@@ -51,7 +53,14 @@
],
"Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
}
}
},
"Layers": [
{
"Size": 5842432,
"Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
"DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
}
]
},
"Results": [
{
@@ -64,8 +73,8 @@
"PkgID": "apk-tools@2.10.6-r0",
"PkgName": "apk-tools",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64\u0026distro=3.10.9",
"UID": "a6adb154870b6380"
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9",
"UID": "b7a64ae671a99195"
},
"InstalledVersion": "2.10.6-r0",
"FixedVersion": "2.10.7-r0",
@@ -81,6 +90,7 @@
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Fingerprint": "sha256:f86484d912018e22a8212a9c21359a64583d86342016ed1c57e3b3d6e9afa63c",
"Title": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash",
"Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
"Severity": "CRITICAL",
@@ -115,7 +125,7 @@
"https://www.cve.org/CVERecord?id=CVE-2021-36159"
],
"PublishedDate": "2021-08-03T14:15:08.233Z",
"LastModifiedDate": "2023-11-07T03:36:43.337Z"
"LastModifiedDate": "2024-11-21T06:13:13.57Z"
}
]
}

101
test/test.bats
View File

@@ -4,7 +4,8 @@ setup_file() {
local owner=$GITHUB_REPOSITORY_OWNER
export TRIVY_DB_REPOSITORY=ghcr.io/${owner}/trivy-db-act:latest
export TRIVY_JAVA_DB_REPOSITORY=ghcr.io/${owner}/trivy-java-db-act:latest
export TRIVY_POLICY_BUNDLE_REPOSITORY=ghcr.io/${owner}/trivy-checks-act:latest
export TRIVY_CHECKS_BUNDLE_REPOSITORY=ghcr.io/${owner}/trivy-checks-act:latest
export TRIVY_LIST_ALL_PKGS=false
}
setup() {
@@ -16,7 +17,7 @@ setup() {
function remove_json_fields() {
local file="$1"
if [[ "$file" == *.json ]]; then
jq 'del(.CreatedAt)' "$file" > tmp && mv tmp "$file"
jq 'del(.CreatedAt, .ReportID)' "$file" > tmp && mv tmp "$file"
fi
}
@@ -34,6 +35,14 @@ function remove_github_fields() {
fi
}
function reset_envs() {
local var
for var in $(env | grep '^TRIVY_\|^INPUT_' | cut -d= -f1); do
unset "$var"
done
rm -f trivy_envs.txt
}
function compare_files() {
local file1="$1"
local file2="$2"
@@ -49,75 +58,131 @@ function compare_files() {
remove_github_fields "$file1"
remove_github_fields "$file2"
run diff "$file1" "$file2"
echo "$output"
assert_files_equal "$file1" "$file2"
if [ "${UPDATE_GOLDEN}" = "1" ]; then
cp "$file1" "$file2"
echo "Updated golden file: $file2"
else
run diff "$file1" "$file2"
echo "$output"
assert_files_equal "$file1" "$file2"
fi
rm -f "$file1"
}
@test "trivy repo with securityCheck secret only" {
# trivy repo -f json -o repo.test --scanners=secret https://github.com/krol3/demo-trivy/
run ./entrypoint.sh '-b json' '-h repo.json' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
export TRIVY_FORMAT=json TRIVY_OUTPUT=repo.json TRIVY_SCANNERS=secret INPUT_SCAN_TYPE=repo INPUT_SCAN_REF="https://github.com/krol3/demo-trivy/"
./entrypoint.sh
compare_files repo.json ./test/data/secret-scan/report.json
reset_envs
}
@test "trivy image" {
# trivy image --severity CRITICAL -o image.test knqyf263/vuln-image:1.2.3
run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
export TRIVY_OUTPUT=image.test TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3
./entrypoint.sh
compare_files image.test ./test/data/image-scan/report
reset_envs
}
@test "trivy config sarif report" {
# trivy config -f sarif -o config-sarif.test ./test/data/config-sarif-report
run ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.sarif' '-j ./test/data/config-sarif-report/main.tf'
export TRIVY_FORMAT=sarif TRIVY_OUTPUT=config-sarif.sarif INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/config-sarif-report
./entrypoint.sh
compare_files config-sarif.sarif ./test/data/config-sarif-report/report.sarif
reset_envs
}
@test "trivy config" {
# trivy config -f json -o config.json ./test/data/config-scan
run ./entrypoint.sh '-a config' '-b json' '-j ./test/data/config-scan' '-h config.json'
export TRIVY_FORMAT=json TRIVY_OUTPUT=config.json INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/config-scan
./entrypoint.sh
compare_files config.json ./test/data/config-scan/report.json
reset_envs
}
@test "trivy rootfs" {
# trivy rootfs --output rootfs.test ./test/data/rootfs-scan
# TODO: add data
run ./entrypoint.sh '-a rootfs' '-j ./test/data/rootfs-scan' '-h rootfs.test'
export TRIVY_OUTPUT=rootfs.test INPUT_SCAN_TYPE=rootfs INPUT_SCAN_REF=./test/data/rootfs-scan
./entrypoint.sh
compare_files rootfs.test ./test/data/rootfs-scan/report
reset_envs
}
@test "trivy fs" {
# trivy fs --output fs.test ./test/data/fs-scan
# TODO: add data
run ./entrypoint.sh '-a fs' '-j ./test/data/fs-scan' '-h fs.test'
export TRIVY_OUTPUT=fs.test INPUT_SCAN_TYPE=fs INPUT_SCAN_REF=./test/data/fs-scan
./entrypoint.sh
compare_files fs.test ./test/data/fs-scan/report
reset_envs
}
@test "trivy image with trivyIgnores option" {
# cat ./test/data/with-ignore-files/.trivyignore1 ./test/data/with-ignore-files/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/with-ignore-files/.trivyignore1,./test/data/with-ignore-files/.trivyignore2'
export TRIVY_OUTPUT=image-trivyignores.test TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_IMAGE_REF=knqyf263/vuln-image:1.2.3 INPUT_TRIVYIGNORES="./test/data/with-ignore-files/.trivyignore1,./test/data/with-ignore-files/.trivyignore2"
./entrypoint.sh
compare_files image-trivyignores.test ./test/data/with-ignore-files/report
reset_envs
}
@test "trivy image with sbom output" {
# trivy image --format github knqyf263/vuln-image:1.2.3
run ./entrypoint.sh "-a image" "-b github" "-h github-dep-snapshot.gsbom" "-i knqyf263/vuln-image:1.2.3"
# trivy image --format github knqyf263/vuln-image:1.2.3
export TRIVY_FORMAT=github TRIVY_OUTPUT=github-dep-snapshot.gsbom INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3
./entrypoint.sh
compare_files github-dep-snapshot.gsbom ./test/data/github-dep-snapshot/report.gsbom
reset_envs
}
@test "trivy image with trivy.yaml config" {
# trivy --config=./test/data/with-trivy-yaml-cfg/trivy.yaml image alpine:3.10
run ./entrypoint.sh "-v ./test/data/with-trivy-yaml-cfg/trivy.yaml" "-a image" "-i alpine:3.10"
export TRIVY_CONFIG=./test/data/with-trivy-yaml-cfg/trivy.yaml INPUT_SCAN_TYPE=image INPUT_SCAN_REF=alpine:3.10
./entrypoint.sh
compare_files yamlconfig.json ./test/data/with-trivy-yaml-cfg/report.json
reset_envs
}
@test "trivy image with custom docker-host" {
# trivy image --docker-host unix:///var/run/docker.sock --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
run ./entrypoint.sh '-y unix:///var/run/docker.sock' '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
export TRIVY_OUTPUT=image.test TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3 TRIVY_DOCKER_HOST=unix:///var/run/docker.sock
./entrypoint.sh
compare_files image.test ./test/data/image-scan/report
reset_envs
}
@test "trivy config with terraform variables" {
# trivy config -f json -o tfvars.json --severity MEDIUM --tf-vars ./test/data/with-tf-vars/dev.tfvars ./test/data/with-tf-vars/main.tf
run ./entrypoint.sh "-a config" "-j ./test/data/with-tf-vars/main.tf" "-h tfvars.json" "-g MEDIUM" "-x ./test/data/with-tf-vars/dev.tfvars" "-b json"
# trivy config -f json -o tfvars.json --severity MEDIUM --tf-vars ./test/data/with-tf-vars/dev.tfvars ./test/data/with-tf-vars/main.tf
export TRIVY_FORMAT=json TRIVY_SEVERITY=MEDIUM TRIVY_OUTPUT=tfvars.json INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/with-tf-vars/main.tf TRIVY_TF_VARS=./test/data/with-tf-vars/dev.tfvars
./entrypoint.sh
compare_files tfvars.json ./test/data/with-tf-vars/report.json
reset_envs
}
@test "trivy image via environment file" {
# trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
# Action injects inputs into the script via environment variables
echo "export TRIVY_OUTPUT=image.test" >> trivy_envs.txt
echo "export TRIVY_SEVERITY=CRITICAL" >> trivy_envs.txt
echo "export INPUT_SCAN_TYPE=image" >> trivy_envs.txt
echo "export INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3" >> trivy_envs.txt
./entrypoint.sh
compare_files image.test ./test/data/image-scan/report
reset_envs
}
@test "trivy image via environment file overrides env leakages" {
# trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
# Action injects inputs into the script via environment variables
# If caller mixes old and new trivy-action version they could still have env leakage so verify that env vars already
# in the env are overridden by those from the envs file
export INPUT_SCAN_REF=no/such-image:1.2.3
echo "export TRIVY_OUTPUT=image.test" >> trivy_envs.txt
echo "export TRIVY_SEVERITY=CRITICAL" >> trivy_envs.txt
echo "export INPUT_SCAN_TYPE=image" >> trivy_envs.txt
echo "export INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3" >> trivy_envs.txt
./entrypoint.sh
compare_files image.test ./test/data/image-scan/report
reset_envs
}

4
workflow.yml
View File

@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
@@ -29,6 +29,6 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'