chore: update test to version 0.27.1 (#106)

* chore: update test to version 0.27.0 * chore: add test file secret and update to 0.27.1 * fix: support repository with securityCheck secret Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
aquasecurity · May 9, 2022 · 4b9b6fb · 4b9b6fb
1 parent 2b30463
commit 4b9b6fb
Show file tree

Hide file tree

Showing 7 changed files with 79 additions and 9 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -1,7 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
-  TRIVY_VERSION: 0.26.0
+  TRIVY_VERSION: 0.27.1
 jobs:
   build:
     name: build

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM aquasec/trivy:0.26.0
+FROM aquasec/trivy:0.27.1
 COPY entrypoint.sh /
 RUN apk --no-cache add bash
 RUN chmod +x /entrypoint.sh

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -101,6 +101,9 @@ fi
 if [ $securityChecks ] && [ "$scanType" == "fs" ];then
   ARGS="$ARGS --security-checks $securityChecks"
 fi
+if [ $securityChecks ] && [ "$scanType" == "repo" ];then
+  ARGS="$ARGS --security-checks $securityChecks"
+fi
 if [ $severity ];then
   ARGS="$ARGS --severity $severity"
 fi

diff --git a/test/data/fs-scheck.test b/test/data/fs-scheck.test
@@ -0,0 +1,50 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": ".",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "Dockerfile",
+      "Class": "config",
+      "Type": "dockerfile",
+      "MisconfSummary": {
+        "Successes": 22,
+        "Failures": 1,
+        "Exceptions": 0
+      },
+      "Misconfigurations": [
+        {
+          "Type": "Dockerfile Security Check",
+          "ID": "DS002",
+          "Title": "root user",
+          "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
+          "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
+          "Namespace": "appshield.dockerfile.DS002",
+          "Query": "data.appshield.dockerfile.DS002.deny",
+          "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
+          "Severity": "HIGH",
+          "PrimaryURL": "https://avd.aquasec.com/appshield/ds002",
+          "References": [
+            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
+            "https://avd.aquasec.com/appshield/ds002"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "IacMetadata": {}
+        }
+      ]
+    }
+  ]
+}
diff --git a/test/data/image-sarif.test b/test/data/image-sarif.test
@@ -442,7 +442,7 @@
               }
             }
           ],
-          "version": "0.26.0"
+          "version": "0.27.1"
         }
       },
       "results": [

diff --git a/test/data/repo.test b/test/data/repo.test
@@ -1,6 +1,6 @@
 {
   "SchemaVersion": 2,
-  "ArtifactName": "https://github.com/aquasecurity/trivy-action/",
+  "ArtifactName": "https://github.com/krol3/demo-trivy/",
   "ArtifactType": "repository",
   "Metadata": {
     "ImageConfig": {
@@ -13,5 +13,22 @@
       },
       "config": {}
     }
-  }
+  },
+  "Results": [
+    {
+      "Target": "env",
+      "Class": "secret",
+      "Secrets": [
+        {
+          "RuleID": "github-pat",
+          "Category": "GitHub",
+          "Severity": "CRITICAL",
+          "Title": "GitHub Personal Access Token",
+          "StartLine": 5,
+          "EndLine": 5,
+          "Match": "export GITHUB_PAT=*****"
+        }
+      ]
+    }
+  ]
 }
diff --git a/test/test.bats b/test/test.bats
@@ -37,14 +37,14 @@
 
 @test "trivy fs with securityChecks option" {
   # trivy fs -f json --security-checks=vuln,config -o fs.test .
-  ./entrypoint.sh '-a fs' '-j .' '-b json' '-s vuln,config' '-h fs-scheck.test'
+  ./entrypoint.sh '-a fs' '-j .' '-b json' '-s vuln,config,secret' '-h fs-scheck.test'
   result="$(diff ./test/data/fs.test fs.test)"
   [ "$result" == '' ]
 }
 
-@test "trivy repo" {
-  # trivy repo -f json -o repo.test --severity CRITICAL https://github.com/aquasecurity/trivy-action/
-  ./entrypoint.sh '-b json' '-h repo.test' '-g CRITICAL' '-a repo' '-j https://github.com/aquasecurity/trivy-action/'
+@test "trivy repo with securityCheck secret only" {
+  # trivy repo -f json -o repo.test --security-checks=secret  https://github.com/krol3/demo-trivy/
+  ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
   result="$(diff ./test/data/repo.test repo.test)"
   [ "$result" == '' ]
 }