From d710430a6722f083d3b36b8339ff66b32f22ee55 Mon Sep 17 00:00:00 2001 From: simar7 <1254783+simar7@users.noreply.github.com> Date: Wed, 27 Mar 2024 16:22:09 -0600 Subject: [PATCH 1/5] bump trivy version to v0.50.1 (#324) --- .github/workflows/build.yaml | 2 +- Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 16915c2..e5bb34f 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -1,7 +1,7 @@ name: "build" on: [push, pull_request] env: - TRIVY_VERSION: 0.49.0 + TRIVY_VERSION: 0.50.1 BATS_LIB_PATH: '/usr/lib/' jobs: build: diff --git a/Dockerfile b/Dockerfile index 81d2f32..5df7c41 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/aquasecurity/trivy:0.49.0 +FROM ghcr.io/aquasecurity/trivy:0.50.1 COPY entrypoint.sh / RUN apk --no-cache add bash curl npm RUN chmod +x /entrypoint.sh From f72b7e8127f2e443feedad3c314e6fe75e5a8b84 Mon Sep 17 00:00:00 2001 From: uridium Date: Fri, 29 Mar 2024 02:06:30 +0100 Subject: [PATCH 2/5] Make 'hide-progress' input working again (#323) * Make hide-progress input working again * Unify 'hide-progress' default value --- README.md | 10 +++++----- action.yaml | 3 +-- entrypoint.sh | 6 +++--- 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 0d971f6..648d08c 100644 --- a/README.md +++ b/README.md @@ -115,7 +115,7 @@ jobs: run: | docker pull docker save -o vuln-image.tar - + - name: Run Trivy vulnerability scanner in tarball mode uses: aquasecurity/trivy-action@master with: @@ -287,7 +287,7 @@ jobs: uses: aquasecurity/trivy-action@master with: scan-type: 'config' - hide-progress: false + hide-progress: true format: 'sarif' output: 'trivy-results.sarif' exit-code: '1' 
@@ -303,7 +303,7 @@ jobs: ### Using Trivy to generate SBOM It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). -The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository). +The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository). In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`): 
@@ -554,7 +554,7 @@ Following inputs can be used as `step.with` keys: | `cache-dir` | String | | Cache directory | | `timeout` | String | `5m0s` | Scan timeout duration | | `ignore-policy` | String | | Filter vulnerabilities with OPA rego language | -| `hide-progress` | String | `true` | Suppress progress bar | +| `hide-progress` | String | `false` | Suppress progress bar and log output | | `list-all-pkgs` | String | | Output all packages regardless of vulnerability | | `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) | | `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files | @@ -575,4 +575,4 @@ When using the `trivy-config` [Input](#inputs), you can set options using the [T [license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE [license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action [trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables -[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ \ No newline at end of file +[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ diff --git a/action.yaml b/action.yaml index c6f457a..02bcd34 100644 --- a/action.yaml +++ b/action.yaml @@ -65,7 +65,7 @@ inputs: required: false default: '' hide-progress: - description: 'hide progress output' + description: 'suppress progress bar and log output' required: false list-all-pkgs: description: 'output all packages regardless of vulnerability' @@ -123,4 +123,3 @@ runs: - '-v ${{ inputs.trivy-config }}' - '-x ${{ inputs.tf-vars }}' - '-z ${{ inputs.limit-severities-for-sarif }}' - \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index e6306f1..0b6f46c 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -137,7 +137,7 @@ if [ $skipDirs ];then fi if [ $tfVars ] && [ "$scanType" == "config" ];then ARGS="$ARGS --tf-vars $tfVars" -fi +fi if [ $trivyIgnores ];then for f in $(echo $trivyIgnores | tr "," "\n") @@ -162,8 +162,8 @@ if [ $ignorePolicy ];then SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy" fi if [ "$hideProgress" == "true" ];then - ARGS="$ARGS --no-progress" - SARIF_ARGS="$SARIF_ARGS --no-progress" + ARGS="$ARGS --quiet" + SARIF_ARGS="$SARIF_ARGS --quiet" fi listAllPkgs=$(echo $listAllPkgs | tr -d '\r') From 0f287db5d30aced70dbc7f7d6bb5c8b919114b4c Mon Sep 17 00:00:00 2001 From: Calin Marina Date: Thu, 4 Apr 2024 00:26:17 +0100 Subject: [PATCH 3/5] feat(image): add `--docker-host` option for GH Action users (#267) * add option to update docker-host via cli parameter * chore: update test results --------- Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com> --- action.yaml | 4 ++++ entrypoint.sh | 8 +++++++- test/test.bats | 8 ++++++++ 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/action.yaml b/action.yaml index 02bcd34..9b49414 100644 --- a/action.yaml +++ b/action.yaml @@ -94,6 +94,9 @@ inputs: limit-severities-for-sarif: description: 'limit severities for SARIF format' required: false + docker-host: + description: 'unix domain socket path to use for docker scanning' + required: false runs: using: 'docker' @@ -123,3 +126,4 @@ runs: - '-v ${{ inputs.trivy-config }}' - '-x ${{ inputs.tf-vars }}' - '-z ${{ inputs.limit-severities-for-sarif }}' + - '-y ${{ inputs.docker-host }}' \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index 0b6f46c..6e8f71f 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash set -e -while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:z:" o; do +while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:y:z:" o; do case "${o}" in a) export scanType=${OPTARG} 
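Review bot: Swapping `--no-progress` for `--quiet` in the `hideProgress` branch suppresses Trivy's log output as well as the progress bar (the README wording in this same commit says so), so warnings that previously stayed visible in the CI log — about a degraded scan, skipped inputs or an outdated DB — are now hidden whenever a workflow sets `hide-progress: true`, which is a behaviour change for existing users who only wanted the bar gone. If that is intended, say so next to the branch: `# --quiet also drops Trivy's log output (warnings included), not only the progress bar`; otherwise keep `--no-progress` here and expose `--quiet` behind a separate input. Note also that `hideProgress` is compared before the `tr -d '\r'` normalisation that `listAllPkgs` receives on the last context line, so a CRLF-terminated value would silently miss this branch; if that is a known limitation it deserves the same treatment.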
@@ -71,6 +71,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:z:" o; do x) export tfVars=${OPTARG} ;; + y) + export dockerHost=${OPTARG} + ;; z) export limitSeveritiesForSARIF=${OPTARG} ;; @@ -165,6 +168,9 @@ if [ "$hideProgress" == "true" ];then ARGS="$ARGS --quiet" SARIF_ARGS="$SARIF_ARGS --quiet" fi +if [ "$dockerHost" == "true" ];then + ARGS="$ARGS --docker-host $dockerHost" +fi listAllPkgs=$(echo $listAllPkgs | tr -d '\r') if [ "$listAllPkgs" == "true" ];then diff --git a/test/test.bats b/test/test.bats index 5301eab..0d10781 100644 --- a/test/test.bats +++ b/test/test.bats @@ -82,6 +82,14 @@ bats_load_library bats-file assert_files_equal yamlconfig.test ./test/data/yamlconfig.test } +@test "trivy image with custom docker-host" { + # trivy image --docker-host unix:///var/run/docker.sock --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3 + run ./entrypoint.sh '-y unix:///var/run/docker.sock' '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL' + run diff image.test ./test/data/image.test + echo "$output" + assert_files_equal image.test ./test/data/image.test +} + @test "trivy config with terraform variables" { # trivy config --format json --severity MEDIUM --output tfvars.test --tf-vars ./test/data/dev.tfvars ./test/data run ./entrypoint.sh "-a config" "-j ./test/data" "-h tfvars.test" "-g MEDIUM" "-x dev.tfvars" "-b json" From 840deb490824e6f5705e41a56fa12089b09ecb51 Mon Sep 17 00:00:00 2001 From: uridium Date: Fri, 5 Apr 2024 06:58:29 +0200 Subject: [PATCH 4/5] Browse scan reports without GitHub Advanced Security license (#328) --- README.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/README.md b/README.md index 648d08c..e9626f4 100644 --- a/README.md +++ b/README.md 
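Review bot: The new `trivy image with custom docker-host` test compares against `./test/data/image.test`, which appears to be the same fixture the plain image scan uses, so it passes whether or not `--docker-host` ever reaches Trivy — and with the `"$dockerHost" == "true"` comparison introduced in the entrypoint hunk of this commit the flag is in fact never appended, yet the test is green. The `run diff image.test ./test/data/image.test` result is also discarded; only `assert_files_equal` asserts anything. To pin the behaviour, the test should observe the flag itself — for example by echoing the constructed `ARGS` from the entrypoint under a debug input and asserting it contains `--docker-host unix:///var/run/docker.sock` — rather than relying on scan output that is identical with and without the option (if Trivy falls back to the registry for an unreachable socket, a bogus path will not fail the scan either).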
@@ -522,6 +522,35 @@ jobs: sarif_file: 'trivy-results.sarif' ``` +### Using Trivy if you don't have code scanning enabled + +It's also possible to browse a scan result in a workflow summary. + +This step is especially useful for private repositories without [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) license. + +```yaml +- name: Run Trivy scanner + uses: aquasecurity/trivy-action@master + with: + scan-type: config + hide-progress: true + output: trivy.txt + +- name: Publish Trivy Output to Summary + run: | + if [[ -s trivy.txt ]]; then + { + echo "### Security Output" + echo "
Click to expand" + echo "" + echo '```terraform' + cat trivy.txt + echo '```' + echo "
" + } >> $GITHUB_STEP_SUMMARY + fi +``` + ## Customizing Configuration priority: From 207cd40078971bb7a078f8504c2061f908569449 Mon Sep 17 00:00:00 2001 From: Lukas Gravley Date: Thu, 4 Apr 2024 23:59:05 -0500 Subject: [PATCH 5/5] Fix docker host bug (#329) * Update entrypoint.sh should be a value not boolean * Update action.yaml add example * Update README.md --- README.md | 1 + action.yaml | 4 ++-- entrypoint.sh | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e9626f4..1447610 100644 --- a/README.md +++ b/README.md @@ -590,6 +590,7 @@ Following inputs can be used as `step.with` keys: | `trivy-config` | String | | Path to trivy.yaml config | | `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | | `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** | +| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values | ### Environment variables You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`). diff --git a/action.yaml b/action.yaml index 9b49414..f13a5aa 100644 --- a/action.yaml +++ b/action.yaml @@ -95,7 +95,7 @@ inputs: description: 'limit severities for SARIF format' required: false docker-host: - description: 'unix domain socket path to use for docker scanning' + description: 'unix domain socket path to use for docker scanning, ex. unix:///var/run/docker.sock' required: false runs: 
@@ -126,4 +126,4 @@ runs: - '-v ${{ inputs.trivy-config }}' - '-x ${{ inputs.tf-vars }}' - '-z ${{ inputs.limit-severities-for-sarif }}' - - '-y ${{ inputs.docker-host }}' \ No newline at end of file + - '-y ${{ inputs.docker-host }}' diff --git a/entrypoint.sh b/entrypoint.sh index 6e8f71f..79fd708 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -168,7 +168,7 @@ if [ "$hideProgress" == "true" ];then ARGS="$ARGS --quiet" SARIF_ARGS="$SARIF_ARGS --quiet" fi -if [ "$dockerHost" == "true" ];then +if [ $dockerHost ];then ARGS="$ARGS --docker-host $dockerHost" fi
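Review bot: `if [ $dockerHost ];then` leaves the value unquoted, so a socket path containing whitespace or glob characters makes `[` fail with "too many arguments" (and under `set -e` aborts the action) instead of being passed through; `if [ -n "$dockerHost" ]; then` tests presence without splitting, even though it departs from the `[ $tfVars ]` pattern used elsewhere in the file. The same value is then spliced into the `ARGS` string, so any whitespace in it becomes separate Trivy arguments when `ARGS` is expanded — that invocation is outside the hunk. The documentation in this commit also disagrees with itself on the format: the README row gives the default as `unix://var/run/docker.sock` while the action.yaml example is `unix:///var/run/docker.sock`; the README form is missing the leading slash of an absolute path and should be corrected to match.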