From 3c0a00eb330e8f568d9f7d29ac52f28b9d2a700b Mon Sep 17 00:00:00 2001
From: Scott Luu
Date: Wed, 22 Oct 2025 16:01:26 -0400
Subject: [PATCH 1/5] BST-17725: add skip version check flag to all trivy scanners

---
 scanners/boostsecurityio/boost-sca/module.yaml | 7 ++++++-
 scanners/boostsecurityio/trivy-fs/module.yaml | 5 ++++-
 scanners/boostsecurityio/trivy-image/module.yaml | 4 +++-
 scanners/boostsecurityio/trivy-sbom-image/module.yaml | 4 +++-
 scanners/boostsecurityio/trivy-sbom/module.yaml | 7 ++++++-
 5 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/scanners/boostsecurityio/boost-sca/module.yaml b/scanners/boostsecurityio/boost-sca/module.yaml
index 5142b3b2..4987d593 100644
--- a/scanners/boostsecurityio/boost-sca/module.yaml
+++ b/scanners/boostsecurityio/boost-sca/module.yaml
@@ -107,7 +107,12 @@ steps:
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
 run: |
- $SETUP_PATH/trivy fs --cache-dir=/tmp/trivy/ --format=cyclonedx --license-full --no-progress --scanners vuln . 2>&1
+ $SETUP_PATH/trivy fs --cache-dir=/tmp/trivy/ \
+ --format=cyclonedx \
+ --license-full \
+ --no-progress \
+ --scanners vuln
+ --skip-version-check . 2>&1
 format: cyclonedx
 post-processor:
 docker:
diff --git a/scanners/boostsecurityio/trivy-fs/module.yaml b/scanners/boostsecurityio/trivy-fs/module.yaml
index 8a037a3d..ba3f06bd 100644
--- a/scanners/boostsecurityio/trivy-fs/module.yaml
+++ b/scanners/boostsecurityio/trivy-fs/module.yaml
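Review bot: The continuation backslash is missing after `--scanners vuln` in the new boost-sca `run: |` block, so the shell executes `trivy fs ... --scanners vuln` as one command and then tries to run `--skip-version-check . 2>&1` as a second, separate command that it cannot find; the line should read `--scanners vuln \`. The following commit in this series corrects exactly this, but on its own this commit leaves the scanner broken, which matters if the series is ever bisected or partially cherry-picked. Backslash continuations inside a block scalar are easy to get wrong this way, which is presumably why the later commits move to a folded scalar; squashing the fix into this commit would keep every point in the history runnable.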
@@ -107,7 +107,10 @@ steps:
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
 run: |
- $SETUP_PATH/trivy fs ${TRIVY_ADDITIONAL_ARGS} --format json --no-progress --scanners vuln . 2>&1
+ $SETUP_PATH/trivy fs ${TRIVY_ADDITIONAL_ARGS} --format json \
+ --no-progress \
+ --scanners vuln \
+ --skip-version-check . 2>&1
 format: sarif
 post-processor:
 docker:
diff --git a/scanners/boostsecurityio/trivy-image/module.yaml b/scanners/boostsecurityio/trivy-image/module.yaml
index 4e39ebb9..8e1ebd50 100644
--- a/scanners/boostsecurityio/trivy-image/module.yaml
+++ b/scanners/boostsecurityio/trivy-image/module.yaml
@@ -61,7 +61,9 @@ steps:
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
 run: |
- $SETUP_PATH/trivy image ${TRIVY_ADDITIONAL_ARGS} --format json --scanners vuln \
+ $SETUP_PATH/trivy image ${TRIVY_ADDITIONAL_ARGS} --format json \
+ --scanners vuln \
+ --skip-version-check \
 --quiet ${BOOST_IMAGE_NAME}
 format: sarif
 post-processor:
diff --git a/scanners/boostsecurityio/trivy-sbom-image/module.yaml b/scanners/boostsecurityio/trivy-sbom-image/module.yaml
index c40f1a3f..eb81ed41 100644
--- a/scanners/boostsecurityio/trivy-sbom-image/module.yaml
+++ b/scanners/boostsecurityio/trivy-sbom-image/module.yaml
@@ -59,7 +59,9 @@ steps:
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
 run: |
- $SETUP_PATH/trivy image ${TRIVY_ADDITIONAL_ARGS} --format cyclonedx --license-full ${BOOST_IMAGE_NAME}
+ $SETUP_PATH/trivy image ${TRIVY_ADDITIONAL_ARGS} --format cyclonedx \
+ --license-full \
+ --skip-version-check ${BOOST_IMAGE_NAME}
 format: cyclonedx
 post-processor:
 docker:
diff --git a/scanners/boostsecurityio/trivy-sbom/module.yaml b/scanners/boostsecurityio/trivy-sbom/module.yaml
index e2446852..a6c9264b 100644
--- a/scanners/boostsecurityio/trivy-sbom/module.yaml
+++ b/scanners/boostsecurityio/trivy-sbom/module.yaml
@@ -104,7 +104,12 @@ steps:
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
 run: |
- $SETUP_PATH/trivy fs --format=cyclonedx --license-full --no-progress --scanners vuln --cache-dir=/tmp/trivy/ . 2>&1
+ $SETUP_PATH/trivy fs --format=cyclonedx \
+ --license-full \
+ --no-progress \
+ --scanners vuln \
+ --cache-dir=/tmp/trivy/ \
+ --skip-version-check . 2>&1
 format: cyclonedx
 post-processor:
 docker:

From 7c1669e2647e9521e7cb024aced5722cdfa9fce9 Mon Sep 17 00:00:00 2001
From: Scott Luu
Date: Wed, 22 Oct 2025 17:08:21 -0400
Subject: [PATCH 2/5] fix typo

---
 scanners/boostsecurityio/boost-sca/module.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scanners/boostsecurityio/boost-sca/module.yaml b/scanners/boostsecurityio/boost-sca/module.yaml
index 4987d593..32d8a5bc 100644
--- a/scanners/boostsecurityio/boost-sca/module.yaml
+++ b/scanners/boostsecurityio/boost-sca/module.yaml
@@ -111,7 +111,7 @@ steps:
 --format=cyclonedx \
 --license-full \
 --no-progress \
- --scanners vuln
+ --scanners vuln \
 --skip-version-check . 2>&1
 format: cyclonedx
 post-processor:

From 556748ee335cb0740e6016412caaea68c6e6357f Mon Sep 17 00:00:00 2001
From: Scott Luu
Date: Wed, 22 Oct 2025 17:10:30 -0400
Subject: [PATCH 3/5] try one long line

---
 scanners/boostsecurityio/trivy-image/module.yaml | 5 +----
 scanners/boostsecurityio/trivy-sbom-image/module.yaml | 4 +---
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/scanners/boostsecurityio/trivy-image/module.yaml b/scanners/boostsecurityio/trivy-image/module.yaml
index 8e1ebd50..0d255482 100644
--- a/scanners/boostsecurityio/trivy-image/module.yaml
+++ b/scanners/boostsecurityio/trivy-image/module.yaml
@@ -61,10 +61,7 @@ steps:
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
 run: |
- $SETUP_PATH/trivy image ${TRIVY_ADDITIONAL_ARGS} --format json \
- --scanners vuln \
- --skip-version-check \
- --quiet ${BOOST_IMAGE_NAME}
+ $SETUP_PATH/trivy image ${TRIVY_ADDITIONAL_ARGS} --format json --scanners vuln --skip-version-check --quiet ${BOOST_IMAGE_NAME}
 format: sarif
 post-processor:
 docker:
diff --git a/scanners/boostsecurityio/trivy-sbom-image/module.yaml b/scanners/boostsecurityio/trivy-sbom-image/module.yaml
index eb81ed41..64f62f2d 100644
--- a/scanners/boostsecurityio/trivy-sbom-image/module.yaml
+++ b/scanners/boostsecurityio/trivy-sbom-image/module.yaml
@@ -59,9 +59,7 @@ steps:
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
 run: |
- $SETUP_PATH/trivy image ${TRIVY_ADDITIONAL_ARGS} --format cyclonedx \
- --license-full \
- --skip-version-check ${BOOST_IMAGE_NAME}
+ $SETUP_PATH/trivy image ${TRIVY_ADDITIONAL_ARGS} --format cyclonedx --license-full --skip-version-check ${BOOST_IMAGE_NAME}
 format: cyclonedx
 post-processor:
 docker:

From a5dafdff2e697aa06d244c38d7014505a92c92a8 Mon Sep 17 00:00:00 2001
From: Scott Luu
Date: Wed, 22 Oct 2025 17:15:38 -0400
Subject: [PATCH 4/5] try separate lines again

---
 scanners/boostsecurityio/trivy-image/module.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/scanners/boostsecurityio/trivy-image/module.yaml b/scanners/boostsecurityio/trivy-image/module.yaml
index 0d255482..a9d5f1bf 100644
--- a/scanners/boostsecurityio/trivy-image/module.yaml
+++ b/scanners/boostsecurityio/trivy-image/module.yaml
@@ -60,8 +60,14 @@ steps:
 TRIVY_ADDITIONAL_ARGS: ${TRIVY_ADDITIONAL_ARGS---ignore-unfixed}
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
- run: |
- $SETUP_PATH/trivy image ${TRIVY_ADDITIONAL_ARGS} --format json --scanners vuln --skip-version-check --quiet ${BOOST_IMAGE_NAME}
+ run: >
+ $SETUP_PATH/trivy image
+ ${TRIVY_ADDITIONAL_ARGS}
+ --format json
+ --scanners vuln
+ --skip-version-check
+ --quiet
+ ${BOOST_IMAGE_NAME}
 format: sarif
 post-processor:
 docker:

From 77378b9162ba715df81d3c5383a2738b5665c917 Mon Sep 17 00:00:00 2001
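Review bot: With `run: >` the command only stays one shell line as long as every continuation line is indented exactly like the first content line (`$SETUP_PATH/trivy image`): in a folded scalar a more-indented line or a blank line is kept with its newline, which would turn `--format json` and the flags after it into separate shell commands that fail. The indentation is not recoverable from this view, so I cannot tell whether that already holds, but it is the kind of thing a later cosmetic re-indent silently breaks. I would add above `run: >` the comment `# folded scalar: keep every continuation line at the same indent, or the command splits into several`, and use `>-` rather than `>` so the value carries no trailing newline and the single-line intent is explicit.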
From: Scott Luu
Date: Wed, 22 Oct 2025 17:20:21 -0400
Subject: [PATCH 5/5] update other trivy scanners

---
 scanners/boostsecurityio/boost-sca/module.yaml | 16 +++++++++-------
 scanners/boostsecurityio/trivy-fs/module.yaml | 13 ++++++++-----
 .../boostsecurityio/trivy-sbom-image/module.yaml | 9 +++++++--
 scanners/boostsecurityio/trivy-sbom/module.yaml | 16 +++++++++-------
 4 files changed, 33 insertions(+), 21 deletions(-)

diff --git a/scanners/boostsecurityio/boost-sca/module.yaml b/scanners/boostsecurityio/boost-sca/module.yaml
index 32d8a5bc..5e5be1eb 100644
--- a/scanners/boostsecurityio/boost-sca/module.yaml
+++ b/scanners/boostsecurityio/boost-sca/module.yaml
@@ -106,13 +106,15 @@ steps:
 TRIVY_ADDITIONAL_ARGS: ${TRIVY_ADDITIONAL_ARGS---ignore-unfixed}
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
- run: |
- $SETUP_PATH/trivy fs --cache-dir=/tmp/trivy/ \
- --format=cyclonedx \
- --license-full \
- --no-progress \
- --scanners vuln \
- --skip-version-check . 2>&1
+ run: >
+ $SETUP_PATH/trivy fs
+ --cache-dir=/tmp/trivy/
+ --format=cyclonedx
+ --license-full
+ --no-progress
+ --scanners vuln
+ --skip-version-check
+ . 2>&1
 format: cyclonedx
 post-processor:
 docker:
diff --git a/scanners/boostsecurityio/trivy-fs/module.yaml b/scanners/boostsecurityio/trivy-fs/module.yaml
index ba3f06bd..d6bf5600 100644
--- a/scanners/boostsecurityio/trivy-fs/module.yaml
+++ b/scanners/boostsecurityio/trivy-fs/module.yaml
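Review bot: There is no comment in the file explaining why `--skip-version-check` is passed, and the flag also silences Trivy's only built-in signal that the binary under `$SETUP_PATH` is out of date; the setup step that provides that binary is outside this hunk, so I cannot see whether its version is pinned and bumped deliberately. As far as I recall the check is an outbound request to Aqua's update-notice endpoint, which is a sensible thing to avoid from a build sandbox, but that rationale should live next to the flag so it is not dropped later as noise. I would add above `run: >`: `# --skip-version-check: no outbound update-notice request from CI; trivy is pinned and bumped in the setup step instead`, adjusting the second half to whatever the setup step actually does.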
@@ -106,11 +106,14 @@ steps:
 TRIVY_ADDITIONAL_ARGS: ${TRIVY_ADDITIONAL_ARGS---ignore-unfixed}
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
- run: |
- $SETUP_PATH/trivy fs ${TRIVY_ADDITIONAL_ARGS} --format json \
- --no-progress \
- --scanners vuln \
- --skip-version-check . 2>&1
+ run: >
+ $SETUP_PATH/trivy fs
+ ${TRIVY_ADDITIONAL_ARGS}
+ --format json
+ --no-progress
+ --scanners vuln
+ --skip-version-check
+ . 2>&1
 format: sarif
 post-processor:
 docker:
diff --git a/scanners/boostsecurityio/trivy-sbom-image/module.yaml b/scanners/boostsecurityio/trivy-sbom-image/module.yaml
index 64f62f2d..9a342afc 100644
--- a/scanners/boostsecurityio/trivy-sbom-image/module.yaml
+++ b/scanners/boostsecurityio/trivy-sbom-image/module.yaml
@@ -58,8 +58,13 @@ steps:
 IMAGE_NAME: ${BOOST_IMAGE_NAME}
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
- run: |
- $SETUP_PATH/trivy image ${TRIVY_ADDITIONAL_ARGS} --format cyclonedx --license-full --skip-version-check ${BOOST_IMAGE_NAME}
+ run: >
+ $SETUP_PATH/trivy image
+ ${TRIVY_ADDITIONAL_ARGS}
+ --format cyclonedx
+ --license-full
+ --skip-version-check
+ ${BOOST_IMAGE_NAME}
 format: cyclonedx
 post-processor:
 docker:
diff --git a/scanners/boostsecurityio/trivy-sbom/module.yaml b/scanners/boostsecurityio/trivy-sbom/module.yaml
index a6c9264b..c33f0e03 100644
--- a/scanners/boostsecurityio/trivy-sbom/module.yaml
+++ b/scanners/boostsecurityio/trivy-sbom/module.yaml
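Review bot: `${TRIVY_ADDITIONAL_ARGS}` is expanded unquoted and ahead of every fixed flag on its own line of the folded command, so whoever sets it can inject any Trivy option, including `--db-repository`/`--java-db-repository` or `--server`; I believe command-line flags take precedence over the `TRIVY_DB_REPOSITORY` mirrors pinned in the context lines (confirm against the Trivy version in use), in which case the scan could be pointed at an arbitrary vulnerability database. This predates the hunk, but since the invocation is being restructured it is the right moment to record the trust assumption: add `# TRIVY_ADDITIONAL_ARGS is trusted operator config and can override any flag below` above `run: >`, or validate the value against a short allow-list of flags before the call. The word splitting itself is intended (the default `--ignore-unfixed` relies on it), so quoting the expansion would not be the fix.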
@@ -103,13 +103,15 @@ steps:
 NO_COLOR: "true"
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
- run: |
- $SETUP_PATH/trivy fs --format=cyclonedx \
- --license-full \
- --no-progress \
- --scanners vuln \
- --cache-dir=/tmp/trivy/ \
- --skip-version-check . 2>&1
+ run: >
+ $SETUP_PATH/trivy fs
+ --format=cyclonedx
+ --license-full
+ --no-progress
+ --scanners vuln
+ --cache-dir=/tmp/trivy/
+ --skip-version-check
+ . 2>&1
 format: cyclonedx
 post-processor:
 docker:
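Review bot: The trailing `. 2>&1` still merges stderr into the stream that `format: cyclonedx` says is parsed as the SBOM, so if the reason for `--skip-version-check` was an update notice corrupting that output (the commit message does not say, so this is inferred), the flag removes only one source of non-JSON text; database download messages or any warning Trivy writes to stderr would still land in the same stream. Consider `. 2>/dev/null` or `. 2>trivy.log` so the document stream contains only what `--format=cyclonedx` emits, keeping `--no-progress` either way. I cannot see the post-processor from here, so if it deliberately reads stderr for diagnostics the redirect should stay as it is and that should be noted in a comment on the `run: >` line.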