Discrepancy between JUnit and GitLab SAST templates #8508

jackwhelpton · 2025-03-07T09:03:09Z

jackwhelpton
Mar 7, 2025

Description

We were previously running the misconfig scanner using the JUnit template:

      trivy fs --scanners misconfig \
        --severity HIGH,CRITICAL \
        --skip-dirs ".terraform/*" \
        --skip-files ".terraform.*" \
        $flags \
        --format template \
        --template "@/contrib/junit.tpl"

As expected, this includes misconfigurations as failed tests. In order to combine results from other (non-Trivy) analyzers, we want to migrate this to use GitLab's SAST format. I expected this to be as simple as:

      trivy fs --scanners misconfig \
        --severity HIGH,CRITICAL \
        --skip-dirs ".terraform/*" \
        --skip-files ".terraform.*" \
        $flags \
        --format template \
        --template "@/contrib/gitlab.tpl"

but this doesn't work

Desired Behavior

The GitLab template should present the issues found using the misconfig scanner; the same issues that are present in the JUnit output, just in a different format.

Actual Behavior

The results are empty.

The reason can be seen by examining the two templates. Whilst the JUnit one combines Vulnerabilities, Secrets, Misconfigs and Licenses:

https://github.com/aquasecurity/trivy/blob/main/contrib/junit.tpl

The GitLab template only looks at Vulnerabilities:

https://github.com/aquasecurity/trivy/blob/main/contrib/gitlab.tpl

Happy to work on an MR for this if there's interest and it has a chance of being accepted.

Reproduction Steps

See above

Target

Filesystem

Scanner

Misconfiguration

Output Format

Template

Mode

Standalone

Debug Output

/mnt # trivy fs --scanners misconfig . --format template --template '@/contrib/gitlab.tpl' --debug
2025-03-07T09:02:28Z    DEBUG   No plugins loaded
2025-03-07T09:02:28Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-03-07T09:02:28Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-03-07T09:02:28Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-03-07T09:02:28Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-03-07T09:02:28Z    DEBUG   Ignore statuses statuses=[]
2025-03-07T09:02:28Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-03-07T09:02:28Z    DEBUG   [misconfig] Checks successfully loaded from disk
2025-03-07T09:02:28Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-03-07T09:02:28Z    DEBUG   Initializing scan cache...      type="memory"
2025-03-07T09:02:28Z    DEBUG   [fs] Analyzing...       root="."
2025-03-07T09:02:28Z    DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Terraform"
2025-03-07T09:02:28Z    DEBUG   [terraform scanner] Scanning directory  file_path="."
2025-03-07T09:02:28Z    DEBUG   [rego] Overriding filesystem for checks
2025-03-07T09:02:28Z    DEBUG   [rego] Embedded libraries are loaded    count=17
2025-03-07T09:02:28Z    DEBUG   [rego] Embedded checks are loaded       count=517
2025-03-07T09:02:28Z    DEBUG   [rego] Checks from disk are loaded      count=534
2025-03-07T09:02:28Z    DEBUG   [rego] Overriding filesystem for data
2025-03-07T09:02:28Z    DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-03-07T09:02:28Z    DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-03-07T09:02:28Z    DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2025-03-07T09:02:28Z    DEBUG   [terraform parser] Added file   module="root" file_path="main.tf"
2025-03-07T09:02:28Z    INFO    [terraform scanner] Scanning root module        file_path="."
2025-03-07T09:02:28Z    DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-03-07T09:02:28Z    DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-03-07T09:02:28Z    DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2025-03-07T09:02:28Z    DEBUG   [terraform parser] Added file   module="root" file_path="main.tf"
2025-03-07T09:02:28Z    DEBUG   [terraform parser] Loading module       module="root" module="root"
2025-03-07T09:02:28Z    DEBUG   [terraform parser] Read block(s) and ignore(s)  module="root" blocks=6 ignores=0
2025-03-07T09:02:28Z    DEBUG   [terraform parser] Added input variables from tfvars    module="root" count=0
2025-03-07T09:02:28Z    DEBUG   [terraform parser] Working directory for module evaluation      module="root" file_path="/mnt"
2025-03-07T09:02:28Z    DEBUG   [terraform evaluator] Starting module evaluation...     path="."
2025-03-07T09:02:28Z    DEBUG   [terraform evaluator] Starting iteration        iteration=0
2025-03-07T09:02:28Z    DEBUG   [terraform evaluator] Starting iteration        iteration=1
2025-03-07T09:02:28Z    DEBUG   [terraform evaluator] Starting iteration        iteration=2
2025-03-07T09:02:28Z    DEBUG   [terraform evaluator] Context unchanged iteration=2
2025-03-07T09:02:28Z    DEBUG   [terraform evaluator] Starting post-submodules evaluation...
2025-03-07T09:02:28Z    DEBUG   [terraform evaluator] Starting iteration        iteration=0
2025-03-07T09:02:28Z    DEBUG   [terraform evaluator] Starting iteration        iteration=1
2025-03-07T09:02:28Z    DEBUG   [terraform evaluator] Context unchanged iteration=1
2025-03-07T09:02:28Z    DEBUG   [terraform evaluator] Module evaluation complete.
2025-03-07T09:02:28Z    DEBUG   [terraform parser] Finished parsing module      module="root"
2025-03-07T09:02:28Z    DEBUG   [terraform executor] Adapting modules...
2025-03-07T09:02:28Z    DEBUG   [terraform executor] Adapted module(s) into state data. count=1
2025-03-07T09:02:28Z    DEBUG   [rego] Scanning inputs  count=1
2025-03-07T09:02:29Z    DEBUG   [terraform executor] Finished applying rules.
2025-03-07T09:02:29Z    DEBUG   [terraform executor] Applying ignores...
2025-03-07T09:02:29Z    DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:31-36"
2025-03-07T09:02:29Z    DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:24-29"
2025-03-07T09:02:29Z    DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:35"
2025-03-07T09:02:29Z    DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:28"
2025-03-07T09:02:29Z    DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:14"
2025-03-07T09:02:29Z    DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:15"
2025-03-07T09:02:29Z    DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:7-9"
2025-03-07T09:02:29Z    DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:7-9"
2025-03-07T09:02:29Z    DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:7-9"
2025-03-07T09:02:29Z    DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:7-9"
2025-03-07T09:02:29Z    DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:16"
2025-03-07T09:02:29Z    DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:17"
2025-03-07T09:02:29Z    DEBUG   OS is not detected.
2025-03-07T09:02:29Z    INFO    Detected config files   num=2
2025-03-07T09:02:29Z    DEBUG   Scanned config file     file_path="main.tf"
2025-03-07T09:02:29Z    DEBUG   Scanned config file     file_path="."
2025-03-07T09:02:29Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-03-07T09:02:29Z    DEBUG   [vex] VEX filtering is disabled
{
  "version": "15.0.7",
  "scan": {
    "analyzer": {
      "id": "trivy",
      "name": "Trivy",
      "vendor": {
        "name": "Aqua Security"
      },
      "version": "0.60.0"
    },
    "end_time": "2025-03-07T09:02:29",
    "scanner": {
      "id": "trivy",
      "name": "Trivy",
      "url": "https://github.com/aquasecurity/trivy/",
      "vendor": {
        "name": "Aqua Security"
      },
      "version": "0.60.0"
    },
    "start_time": "2025-03-07T09:02:29",
    "status": "success",
    "type": "container_scanning"
  },
  "vulnerabilities": [
  ],
  "remediations": []
}

Operating System

Windows, WSL (Ubuntu), CI (Trivy docker image)

Version

Version: 0.60.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-03-07 06:19:34.629903576 +0000 UTC
  NextUpdate: 2025-03-08 06:19:34.629896994 +0000 UTC
  DownloadedAt: 2025-03-07 08:45:37.617452239 +0000 UTC
Check Bundle:
  Digest: sha256:2bc834fc222789e26b85dc3e92e3333b488e16a9bfa192aa971cca25db884837
  DownloadedAt: 2025-03-07 08:45:57.433321177 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

DmitriyLewen · 2025-03-07T10:23:41Z

DmitriyLewen
Mar 7, 2025
Maintainer

Hello @jackwhelpton
You are right. gitlab.tpl only includes vulnerabilities.
We do not plan to add other security issues to this tpl file because we want to replace them with community plugins (see #7374 (reply in thread))

So you can create plugin for this template.

Regards, Dmitriy

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Discrepancy between JUnit and GitLab SAST templates #8508

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Discrepancy between JUnit and GitLab SAST templates #8508

jackwhelpton Mar 7, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment

DmitriyLewen Mar 7, 2025 Maintainer

jackwhelpton
Mar 7, 2025

DmitriyLewen
Mar 7, 2025
Maintainer