aquasecurity/trivy-action
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy-action.git synced 2026-05-14 03:02:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #496 from aquasecurity/bump-trivy-1765431074

Browse Source
This commit is contained in:
Nikita Pivkin
2025-12-11 14:34:44 +06:00
committed by GitHub
parent 83690f7d38 0024b3f39e
commit 22438a4357
5 changed files with 10 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/test.yaml
+1 -1
View File
@@ -6,7 +6,7 @@ on:
workflow_dispatch: workflow_dispatch:
env: env:
TRIVY_VERSION: 0.65.0 TRIVY_VERSION: 0.68.1
BATS_LIB_PATH: '/usr/lib/' BATS_LIB_PATH: '/usr/lib/'
jobs: jobs:
README.md
+2 -2
View File
@@ -215,7 +215,7 @@ jobs:
uses: aquasecurity/setup-trivy@v0.2.0 uses: aquasecurity/setup-trivy@v0.2.0
with: with:
cache: true cache: true
version: v0.65.0 version: v0.68.1
- name: Run Trivy vulnerability scanner in repo mode - name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
@@ -891,7 +891,7 @@ Following inputs can be used as `step.with` keys:
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | | `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** | | `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) | | `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |
| `version` | String | `v0.65.0` | Trivy version to use, e.g. `latest` or `v0.65.0` | | `version` | String | `v0.68.1` | Trivy version to use, e.g. `latest` or `v0.68.1` |
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` | | `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository | | `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
action.yaml
+1 -1
View File
@@ -98,7 +98,7 @@ inputs:
version: version:
description: 'Trivy version to use' description: 'Trivy version to use'
required: false required: false
default: 'v0.65.0' default: 'v0.68.1'
cache: cache:
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.' description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
required: false required: false
test/data/secret-scan/report.json
+3 -1
View File
@@ -1,5 +1,6 @@
{ {
"SchemaVersion": 2, "SchemaVersion": 2,
"ArtifactID": "sha256:79ce4c2f8371bef1ce2a321518d3136bc1bd8f3c307ed679944a38e7cbd76c14",
"ArtifactName": "https://github.com/krol3/demo-trivy/", "ArtifactName": "https://github.com/krol3/demo-trivy/",
"ArtifactType": "repository", "ArtifactType": "repository",
"Metadata": { "Metadata": {
@@ -64,7 +65,8 @@
} }
] ]
}, },
"Match": "export GITHUB_PAT=****************************************" "Match": "export GITHUB_PAT=****************************************",
"Offset": 63
} }
] ]
} }
test/data/with-trivy-yaml-cfg/report.json
+3
View File
@@ -1,5 +1,6 @@
{ {
"SchemaVersion": 2, "SchemaVersion": 2,
"ArtifactID": "sha256:aab05ff324c90bb728aa5177b75d7e39d363be13323873de70959d2251edcebc",
"ArtifactName": "alpine:3.10", "ArtifactName": "alpine:3.10",
"ArtifactType": "container_image", "ArtifactType": "container_image",
"Metadata": { "Metadata": {
@@ -19,6 +20,7 @@
"RepoDigests": [ "RepoDigests": [
"alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98" "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
], ],
"Reference": "alpine:3.10",
"ImageConfig": { "ImageConfig": {
"architecture": "amd64", "architecture": "amd64",
"container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4", "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
@@ -88,6 +90,7 @@
"Name": "Alpine Secdb", "Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/" "URL": "https://secdb.alpinelinux.org/"
}, },
"Fingerprint": "sha256:f86484d912018e22a8212a9c21359a64583d86342016ed1c57e3b3d6e9afa63c",
"Title": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash", "Title": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash",
"Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
"Severity": "CRITICAL", "Severity": "CRITICAL",