From c7bd22743919d64b6ce082ee4660cdde6d8214e1 Mon Sep 17 00:00:00 2001
From: Tim Kelly
Date: Fri, 8 Mar 2024 10:52:03 -0500
Subject: [PATCH 1/2] update trivy config scan example yaml that works

---
 README.md | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 0d971f6..e4364e1 100644
--- a/README.md
+++ b/README.md
@@ -265,16 +265,20 @@ jobs:
 ```
 ### Using Trivy to scan Infrastructure as Code
-It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
+It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR.
 If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
 ```yaml
-name: build
+name: trivy-config-scan
 on:
 push:
 branches:
 - main
 pull_request:
+ branches:
+ -main
+ workflow_dispatch:
+
 jobs:
 build:
 name: Build
@@ -284,16 +288,17 @@ jobs:
 uses: actions/checkout@v3
 
 - name: Run Trivy vulnerability scanner in IaC mode
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
 with:
 scan-type: 'config'
 hide-progress: false
 format: 'sarif'
 output: 'trivy-results.sarif'
- exit-code: '1'
+ exit-code: '0'
 ignore-unfixed: true
 severity: 'CRITICAL,HIGH'
-
+ vuln-type: config
+
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v2
 with:
From 0fe37a84ad5d2b8e86f79d6a65cc29b389bf0da9 Mon Sep 17 00:00:00 2001
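Review bot: The added `-main` under the new `pull_request: branches:` has no space after the dash, so YAML reads it as the plain string `-main` rather than a one-item sequence, and the example will not trigger on pull requests to main (GitHub's workflow validator may reject the file outright). It should read `- main`, matching the `push:` block a few lines above. The fenced workflow example continues past the end of this hunk.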
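Review bot: `exit-code: '0'` makes the scan step succeed regardless of findings, so the example no longer does what the section's prose promises (a build-time check on each PR); findings only become visible through the Security tab after the upload step. If the change is meant to keep the job alive long enough to upload the SARIF, the usual pattern is to keep `exit-code: '1'` and add `if: always()` to the upload step; otherwise the prose should say the scan is report-only. `vuln-type: config` is also suspect: that input selects vulnerability classes for a vulnerability scan and is unrelated to `scan-type: 'config'`, so I would drop the line unless the action is known to accept that value. Pinning the action to a full commit SHA is the right call for supply-chain hygiene; append the tag it corresponds to as a comment, `uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe # <release tag>`, so reviewers can audit the pin.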
From: Tim Kelly <1355145+austimkelly@users.noreply.github.com>
Date: Mon, 15 Apr 2024 14:59:20 -0400
Subject: [PATCH 2/2] Update entrypoint.sh set --severity for SARIF output.

---
 entrypoint.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/entrypoint.sh b/entrypoint.sh
index 79fd708..60c410f 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -127,6 +127,7 @@ if [ $scanners ];then
 fi
 if [ $severity ];then
 ARGS="$ARGS --severity $severity"
+ SARIF_ARGS="$SARIF_ARGS --severity $severity"
 fi
 if [ $output ];then
 ARGS="$ARGS --output $output"
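Review bot: The new `SARIF_ARGS="$SARIF_ARGS --severity $severity"` carries no comment, and the reason for maintaining a second argument list is not evident from this hunk; presumably the SARIF output comes from a separate trivy run that must mirror the console scan's filters. I would put `# SARIF output is produced by a separate trivy run; mirror --severity so the uploaded findings match the console scan` above the line. If that reading is right, any other filter that is appended only to ARGS (the `scanners` branch just above, whose body lies outside this hunk) would leave the SARIF report out of step in the same way and is worth checking. The `[ $severity ]` test is unquoted; that predates this change, but `[ "$severity" ]` is the robust form.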