Comparing changes

base repository: aquasecurity/trivy-action
base: 0.12.0
head repository: aquasecurity/trivy-action
compare: 0.17.0
  • 13 commits
  • 17 files changed
  • 12 contributors

Commits on Sep 15, 2023

  1. Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature.
    69cbbc0

Commits on Oct 25, 2023

  1. Update Dockerfile to 0.46.0 (#274)

    * Update Dockerfile to 0.46.0
    
    This will address bugs before 0.46.0
    
    * updating tests
    Cr0n1c authored Oct 25, 2023
    b77b85c

Commits on Oct 31, 2023

  1. f78e9ec

Commits on Nov 7, 2023

  1. fix: set return code after each Trivy call (#247)

    This change moves the return code to outside the trivy call. This fixes
    #228 as the return code was not being propagated.
    LiamMacP authored Nov 7, 2023
    7b07fa7
  2. 47e481a
  3. Add filesystem alias (#269)

    kderck authored Nov 7, 2023
    2b6a709

Commits on Dec 4, 2023

  1. feature(config): add terraform variable files (#285)

    * Action now takes an input for terraform variable files
    
    * added tf-vars
    
    * updated README.md
    
    * Updated yamlconfig test to latest version of trivy output for that container
    
    * updated for correct cpu type
    
    * test trivy version change to 0.45.0
    
    * run scan with correct parameters
    
    * Added test for terraform tfvars
    
    * Updated output for other tests
    
    * use test data as path and updated tf vars to be relative
    
    * removed quiet
    kderck authored Dec 4, 2023
    22d2755

Commits on Dec 8, 2023

  1. Update to trivy version 0.48.0 (#289)

    * Update to trivy version 0.48.0
    
    ---------
    
    Signed-off-by: Simar <simar@linux.com>
    Co-authored-by: Simar <simar@linux.com>
    pragmaticivan and simar7 authored Dec 8, 2023
    91713af

Commits on Jan 3, 2024

  1. Update Trivy to 0.48.1 (#291)

    * Update Trivy to 0.48.1
    
    Signed-off-by: Martin Kemp <me@martinke.mp>
    
    * update tests
    
    ---------
    
    Signed-off-by: Martin Kemp <me@martinke.mp>
    Co-authored-by: Simar <simar@linux.com>
    MartiUK and simar7 authored Jan 3, 2024
    5f1841d
  2. docs: fix typo in README.md (#293)

    Signed-off-by: Lucas Bickel <hairmare@purplehaze.ch>
    hairmare authored Jan 3, 2024
    d43c1f1

Commits on Jan 11, 2024

  1. docs: add configuration info for flags not supported by inputs (#296)

    * docs: add information about configuration flags not supported by inputs
    
    * docs: add env and config file to Customizing
    DmitriyLewen authored Jan 11, 2024
    0b9d17b

Commits on Jan 14, 2024

  1. fix: Fix skip-files and hide-progress options not being applied when using Sarif report format (#297)

    * Update entrypoint.sh
    
    * Update entrypoint.sh
    
    * Update entrypoint.sh
    simao-silva authored Jan 14, 2024
    f3d9851

Commits on Feb 6, 2024

  1. Upgraded Trivy from 0.48.1 to v0.49.0 (#304)

    kderck authored Feb 6, 2024
    84384bd
4 changes: 2 additions & 2 deletions .github/workflows/build.yaml
@@ -1,7 +1,7 @@
name: "build"
on: [push, pull_request]
env:
TRIVY_VERSION: 0.45.0
TRIVY_VERSION: 0.49.0
BATS_LIB_PATH: '/usr/lib/'
jobs:
build:
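Review bot: `TRIVY_VERSION: 0.49.0` here and `FROM ghcr.io/aquasecurity/trivy:0.49.0` in the Dockerfile are two independent pins of the same version; if one is bumped without the other, CI tests a different Trivy than the action ships. Consider deriving one from the other (for example, reading the tag out of the Dockerfile in the workflow) so they cannot drift.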
@@ -25,4 +25,4 @@ jobs:
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
- name: Test
run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .
run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .
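Review bot: the `run:` line appears both as deletion and addition with identical text, so this hunk is a whitespace or trailing-newline change only; a note in the commit would save reviewers from diffing it by eye. The context line above it, `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}`, pins the Trivy binary version but fetches the installer from `main` unpinned and pipes it straight to `sh`. Pin the script to a tag or commit (or check a known checksum before running it) so a change to the installer cannot silently change what the test job executes.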
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,4 +1,4 @@
FROM ghcr.io/aquasecurity/trivy:0.45.0
FROM ghcr.io/aquasecurity/trivy:0.49.0
COPY entrypoint.sh /
RUN apk --no-cache add bash curl npm
RUN chmod +x /entrypoint.sh
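Review bot: `FROM ghcr.io/aquasecurity/trivy:0.49.0` pins by tag only, and tags are mutable, so the base image of the action can change without any change to this file. For a security scanner that runs in other people's CI, pin by digest as well (`ghcr.io/aquasecurity/trivy:0.49.0@sha256:<digest>`) and bump the digest together with the tag. The `apk --no-cache add bash curl npm` line below the change installs unpinned packages at build time, so the resulting image is not reproducible either; worth a comment if that is accepted.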
70 changes: 44 additions & 26 deletions README.md
@@ -79,14 +79,16 @@ In this case `trivy.yaml` is a YAML configuration that is checked in as part of
format: json
exit-code: 1
severity: CRITICAL
secret:
config: config/trivy/secret.yaml
```

It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
- `scan-ref`: If using `fs, repo` scans.
- `image-ref`: If using `image` scan.
- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.

#### Order of prerference for options
#### Order of preference for options
Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:
- GitHub Action flag
- Environment variable
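Review bot: the `secret:` / `config: config/trivy/secret.yaml` keys are added to the `trivy.yaml` example without a sentence saying why they are there; the "Environment variables" and "Trivy config file" subsections added further down name `--secret-config` as a flag that has no action input, so a one-line pointer here ("flags without an input, such as `--secret-config`, go in this file") would connect the example to that text. The "Order of preference for options" list (GitHub Action flag, Environment variable, ...) also duplicates the "Configuration priority" list added to the Customizing section; keep one and link the other to it, so the two cannot disagree later.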
@@ -479,39 +481,55 @@ jobs:

## Customizing

Configuration priority:
- [Inputs](#inputs)
- [Environment variables](#environment-variables)
- [Trivy config file](#trivy-config-file)
- Default values


### inputs

Following inputs can be used as `step.with` keys:

| Name | Type | Default | Description |
|-------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | | Cache directory |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `true` | Suppress progress bar |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `trivy-config` | String | | Path to trivy.yaml config |
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| Name | Type | Default | Description |
|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `tf-vars` | String | | path to Terraform variables file |
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | | Cache directory |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `true` | Suppress progress bar |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `trivy-config` | String | | Path to trivy.yaml config |
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |

### Environment variables
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).

### Trivy config file
When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).

[release]: https://github.com/aquasecurity/trivy-action/releases/latest
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
[marketplace]: https://github.com/marketplace/actions/aqua-security-trivy
[marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github
[license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE
[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
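Review bot: the new `tf-vars` row says only "path to Terraform variables file", but `entrypoint.sh` appends `--tf-vars` solely when `scanType` is `config` (`if [ $tfVars ] && [ "$scanType" == "config" ]`), so the description should state that the input is ignored for every other scan type. The `scan-type` row still reads "e.g. `image` or `fs`" although the entrypoint now also accepts `filesystem`. Separately, the entire inputs table is deleted and re-added to insert one row and re-pad the columns, which hides the real change in review; either keep the old column widths or say in the commit that the rest is whitespace.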
7 changes: 6 additions & 1 deletion action.yaml
@@ -8,7 +8,7 @@ inputs:
default: 'image'
image-ref:
description: 'image reference(for backward compatibility)'
required: true
required: false
input:
description: 'reference of tar file to scan'
required: false
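Review bot: dropping `required: true` on `image-ref` is the right call for `fs`, `repo` and `config` scans, but nothing now rejects `scan-type: image` with neither `image-ref` nor `input` set; `entrypoint.sh` does `export artifactRef="${imageRef}"` and then runs `trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}` with an empty reference. Add an explicit check in the entrypoint that exits with a clear message when the scan type is `image` and both inputs are empty, rather than surfacing Trivy's own usage error.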
@@ -88,6 +88,9 @@ inputs:
trivy-config:
description: 'path to trivy.yaml config'
required: false
tf-vars:
description: "path to terraform tfvars file"
required: false
limit-severities-for-sarif:
description: 'limit severities for SARIF format'
required: false
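Review bot: `description: "path to terraform tfvars file"` uses double quotes while every other input in this file uses single quotes; match the file's style. The README table describes the same input as "path to Terraform variables file"; pick one wording and use it in both places, and say that it only applies to `scan-type: config`.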
@@ -118,4 +121,6 @@ runs:
- '-t ${{ inputs.trivyignores }}'
- '-u ${{ inputs.github-pat }}'
- '-v ${{ inputs.trivy-config }}'
- '-x ${{ inputs.tf-vars }}'
- '-z ${{ inputs.limit-severities-for-sarif }}'
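Review bot: `'-x ${{ inputs.tf-vars }}'` follows the existing pattern, so an unset input reaches the entrypoint as `-x ` with a blank `OPTARG`, and the script relies on the unquoted `[ $tfVars ]` test to treat that as "not set". That works, but the value is later appended to `ARGS` and expanded unquoted, so a tfvars path containing a space will be split into two arguments. This is the same weakness every existing input has, so not a regression, but it deserves a comment here or a quoting fix in a follow-up.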

16 changes: 12 additions & 4 deletions entrypoint.sh
@@ -1,6 +1,6 @@
#!/bin/bash
set -e
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:z:" o; do
case "${o}" in
a)
export scanType=${OPTARG}
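Review bot: the option string now carries 23 single-letter flags (`a:` through `z:` with gaps) and the mapping from letter to action input lives only in `action.yaml`; a comment above the `getopts` line listing which letter is which input would make the next addition (and review of it) far less error-prone.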
@@ -68,6 +68,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
v)
export trivyConfig=${OPTARG}
;;
x)
export tfVars=${OPTARG}
;;
z)
export limitSeveritiesForSARIF=${OPTARG}
;;
@@ -77,7 +80,7 @@ done

scanType=$(echo $scanType | tr -d '\r')
export artifactRef="${imageRef}"
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
artifactRef=$(echo $scanRef | tr -d '\r')
fi
input=$(echo $input | tr -d '\r')
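Review bot: adding `"${scanType}" = "filesystem"` to this condition makes the alias work for choosing `artifactRef`, but every other comparison on `scanType` (for example the `"$scanType" == "config"` test added for `--tf-vars` below) now has to be taught about each alias separately. Normalise once instead: right after `scanType=$(echo $scanType | tr -d '\r')`, map `filesystem` to `fs` and keep the rest of the script unchanged. The README `scan-type` row should also mention the alias.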
@@ -132,6 +135,10 @@ if [ $skipDirs ];then
SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
done
fi
if [ $tfVars ] && [ "$scanType" == "config" ];then
ARGS="$ARGS --tf-vars $tfVars"
fi
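Review bot: `--tf-vars $tfVars` is appended only to `ARGS`, not to `SARIF_ARGS`, unlike `--skip-dirs` immediately above and `--no-progress` and `--skip-files` below, which #297 added to `SARIF_ARGS` precisely because SARIF runs were missing them. By the same reasoning, a `scan-type: config` run with `format: sarif` will silently ignore the tfvars file. Add `SARIF_ARGS="$SARIF_ARGS --tf-vars $tfVars"` inside the same branch. Also note that `[ $tfVars ]` is unquoted: a path with spaces passes the test and then splits when `${ARGS}` is expanded.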

if [ $trivyIgnores ];then
for f in $(echo $trivyIgnores | tr "," "\n")
do
@@ -156,6 +163,7 @@ if [ $ignorePolicy ];then
fi
if [ "$hideProgress" == "true" ];then
ARGS="$ARGS --no-progress"
SARIF_ARGS="$SARIF_ARGS --no-progress"
fi

listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
@@ -166,6 +174,7 @@ if [ "$skipFiles" ];then
for i in $(echo $skipFiles | tr "," "\n")
do
ARGS="$ARGS --skip-files $i"
SARIF_ARGS="$SARIF_ARGS --skip-files $i"
done
fi
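Review bot: mirroring `--skip-files` (and `--no-progress` in the hunk above) into `SARIF_ARGS` fixes #297, but it is the third option patched this way in this diff, and `--tf-vars` in the hunk above was added to `ARGS` only. Build the options that apply to every format once into a shared variable and append the format-specific ones afterwards, so a future input cannot be missed for SARIF again. The `for i in $(echo $skipFiles | tr "," "\n")` loop also word-splits on whitespace, so a file name containing a space becomes two `--skip-files` arguments; worth a comment if that limitation is accepted.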

@@ -181,13 +190,12 @@ if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; the
elif [ $trivyConfig ]; then
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
trivy --config $trivyConfig ${scanType} ${artifactRef}
returnCode=$?
else
echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
returnCode=$?
fi
returnCode=$?

set -e
if [[ "${format}" == "github" ]]; then
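Review bot: moving `returnCode=$?` to after `fi` is correct only while the `trivy` invocation stays the last command in every branch, since the status of an `if` compound is that of the last command run in the taken branch. The two branches visible here (`trivy --config $trivyConfig ...` and `trivy $GLOBAL_ARGS ...`) satisfy that, but the first branch, opened by `if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]`, is outside this hunk and must be checked too; an `echo` added after any `trivy` call later would silently reset the code to 0. Capturing the status on each call (`trivy ... || returnCode=$?` with `returnCode=0` before the `if`) keeps the fix for #228 robust against that.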