Merge pull request #481 from aquasecurity/bump-trivy-1755898251

This commit is contained in:
Nikita Pivkin
2025-08-27 13:19:48 +06:00
committed by GitHub
12 changed files with 56 additions and 77 deletions
+3
@@ -22,6 +22,9 @@ jobs:
- name: Update Trivy versions - name: Update Trivy versions
run: make bump-trivy run: make bump-trivy
- name: Update golden files
run: make update-golden
- name: Create PR - name: Create PR
id: create-pr id: create-pr
uses: peter-evans/create-pull-request@v5 uses: peter-evans/create-pull-request@v5
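Review bot: The new "Update golden files" step regenerates the test fixtures from live scanner output, and the "Create PR" step that follows presumably commits whatever that produced, so a Trivy release that drops or reformats findings lands in the goldens as part of a routine version-bump PR instead of surfacing as a test failure. That expectation should be stated on the step so whoever approves the bot PR knows to read the golden diff, e.g. `# Regenerates goldens from the new Trivy's output; review the golden diff in the PR for dropped findings`. The enclosing job definition starts outside the hunk.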
+1 -1
@@ -6,7 +6,7 @@ on:
workflow_dispatch: workflow_dispatch:
env: env:
TRIVY_VERSION: 0.64.1 TRIVY_VERSION: 0.65.0
BATS_LIB_PATH: '/usr/lib/' BATS_LIB_PATH: '/usr/lib/'
jobs: jobs:
+18 -4
@@ -7,12 +7,26 @@ SED = gsed
BATS_LIB_PATH = /opt/homebrew/lib BATS_LIB_PATH = /opt/homebrew/lib
endif endif
BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
GITHUB_REPOSITORY_OWNER=aquasecurity \
TRIVY_CACHE_DIR=.cache \
TRIVY_DISABLE_VEX_NOTICE=true \
TRIVY_DEBUG=true
BATS_FLAGS := --recursive --timing --verbose-run .
.PHONY: test .PHONY: test
test: test: init-cache
$(BATS_ENV) bats $(BATS_FLAGS)
.PHONY: update-golden
update-golden: init-cache
UPDATE_GOLDEN=1 $(BATS_ENV) bats $(BATS_FLAGS)
.PHONY: init-cache
init-cache:
mkdir -p .cache mkdir -p .cache
BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\ rm -f .cache/fanal/fanal.db
TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
bats --recursive --timing --verbose-run .
bump-trivy: bump-trivy:
@[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 ) @[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )
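Review bot: `init-cache` hard-codes `.cache` in both `mkdir -p .cache` and `rm -f .cache/fanal/fanal.db` while `BATS_ENV` sets `TRIVY_CACHE_DIR=.cache` independently, so the three literals can drift apart. A single `TRIVY_CACHE_DIR := .cache` near the top, referenced as `$(TRIVY_CACHE_DIR)` in `BATS_ENV` and in both recipe lines, keeps them in step. The `rm -f` of `fanal.db` also has no stated reason — presumably it forces re-analysis instead of reusing a cache written by the previous Trivy version — and deserves a one-line comment such as `# drop the analysis cache so results are not reused across Trivy versions`. The `ifeq` block closed by the `endif` at the top of this hunk starts outside it.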
+2 -2
@@ -215,7 +215,7 @@ jobs:
uses: aquasecurity/setup-trivy@v0.2.0 uses: aquasecurity/setup-trivy@v0.2.0
with: with:
cache: true cache: true
version: v0.64.1 version: v0.65.0
- name: Run Trivy vulnerability scanner in repo mode - name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
@@ -847,7 +847,7 @@ Following inputs can be used as `step.with` keys:
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | | `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** | | `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) | | `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |
| `version` | String | `v0.64.1` | Trivy version to use, e.g. `latest` or `v0.64.1` | | `version` | String | `v0.65.0` | Trivy version to use, e.g. `latest` or `v0.65.0` |
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` | | `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository | | `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
+1 -1
@@ -98,7 +98,7 @@ inputs:
version: version:
description: 'Trivy version to use' description: 'Trivy version to use'
required: false required: false
default: 'v0.64.1' default: 'v0.65.0'
cache: cache:
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.' description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
required: false required: false
+8 -37
@@ -2,18 +2,6 @@
"SchemaVersion": 2, "SchemaVersion": 2,
"ArtifactName": "test/data/config-scan", "ArtifactName": "test/data/config-scan",
"ArtifactType": "filesystem", "ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [ "Results": [
{ {
"Target": ".", "Target": ".",
@@ -50,7 +38,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0086" "https://avd.aquasec.com/misconfig/avd-aws-0086"
], ],
"Status": "FAIL", "Status": "FAIL",
"Layer": {},
"CauseMetadata": { "CauseMetadata": {
"Resource": "aws_s3_bucket.bucket", "Resource": "aws_s3_bucket.bucket",
"Provider": "AWS", "Provider": "AWS",
@@ -90,8 +77,7 @@
"LastCause": true "LastCause": true
} }
] ]
}, }
"RenderedCause": {}
} }
}, },
{ {
@@ -111,7 +97,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0087" "https://avd.aquasec.com/misconfig/avd-aws-0087"
], ],
"Status": "FAIL", "Status": "FAIL",
"Layer": {},
"CauseMetadata": { "CauseMetadata": {
"Resource": "aws_s3_bucket.bucket", "Resource": "aws_s3_bucket.bucket",
"Provider": "AWS", "Provider": "AWS",
@@ -151,8 +136,7 @@
"LastCause": true "LastCause": true
} }
] ]
}, }
"RenderedCause": {}
} }
}, },
{ {
@@ -172,7 +156,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0088" "https://avd.aquasec.com/misconfig/avd-aws-0088"
], ],
"Status": "FAIL", "Status": "FAIL",
"Layer": {},
"CauseMetadata": { "CauseMetadata": {
"Resource": "aws_s3_bucket.bucket", "Resource": "aws_s3_bucket.bucket",
"Provider": "AWS", "Provider": "AWS",
@@ -212,8 +195,7 @@
"LastCause": true "LastCause": true
} }
] ]
}, }
"RenderedCause": {}
} }
}, },
{ {
@@ -234,7 +216,6 @@
"https://avd.aquasec.com/misconfig/s3-bucket-logging" "https://avd.aquasec.com/misconfig/s3-bucket-logging"
], ],
"Status": "FAIL", "Status": "FAIL",
"Layer": {},
"CauseMetadata": { "CauseMetadata": {
"Resource": "aws_s3_bucket.bucket", "Resource": "aws_s3_bucket.bucket",
"Provider": "AWS", "Provider": "AWS",
@@ -274,8 +255,7 @@
"LastCause": true "LastCause": true
} }
] ]
}, }
"RenderedCause": {}
} }
}, },
{ {
@@ -295,7 +275,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0090" "https://avd.aquasec.com/misconfig/avd-aws-0090"
], ],
"Status": "FAIL", "Status": "FAIL",
"Layer": {},
"CauseMetadata": { "CauseMetadata": {
"Resource": "aws_s3_bucket_versioning.bucket_versioning", "Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Provider": "AWS", "Provider": "AWS",
@@ -416,7 +395,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0091" "https://avd.aquasec.com/misconfig/avd-aws-0091"
], ],
"Status": "FAIL", "Status": "FAIL",
"Layer": {},
"CauseMetadata": { "CauseMetadata": {
"Resource": "aws_s3_bucket.bucket", "Resource": "aws_s3_bucket.bucket",
"Provider": "AWS", "Provider": "AWS",
@@ -456,8 +434,7 @@
"LastCause": true "LastCause": true
} }
] ]
}, }
"RenderedCause": {}
} }
}, },
{ {
@@ -477,7 +454,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0093" "https://avd.aquasec.com/misconfig/avd-aws-0093"
], ],
"Status": "FAIL", "Status": "FAIL",
"Layer": {},
"CauseMetadata": { "CauseMetadata": {
"Resource": "aws_s3_bucket.bucket", "Resource": "aws_s3_bucket.bucket",
"Provider": "AWS", "Provider": "AWS",
@@ -517,8 +493,7 @@
"LastCause": true "LastCause": true
} }
] ]
}, }
"RenderedCause": {}
} }
}, },
{ {
@@ -538,7 +513,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0094" "https://avd.aquasec.com/misconfig/avd-aws-0094"
], ],
"Status": "FAIL", "Status": "FAIL",
"Layer": {},
"CauseMetadata": { "CauseMetadata": {
"Resource": "aws_s3_bucket.bucket", "Resource": "aws_s3_bucket.bucket",
"Provider": "AWS", "Provider": "AWS",
@@ -578,8 +552,7 @@
"LastCause": true "LastCause": true
} }
] ]
}, }
"RenderedCause": {}
} }
}, },
{ {
@@ -599,7 +572,6 @@
"https://avd.aquasec.com/misconfig/avd-aws-0132" "https://avd.aquasec.com/misconfig/avd-aws-0132"
], ],
"Status": "FAIL", "Status": "FAIL",
"Layer": {},
"CauseMetadata": { "CauseMetadata": {
"Resource": "aws_s3_bucket.bucket", "Resource": "aws_s3_bucket.bucket",
"Provider": "AWS", "Provider": "AWS",
@@ -639,8 +611,7 @@
"LastCause": true "LastCause": true
} }
] ]
}, }
"RenderedCause": {}
} }
} }
] ]
+2 -1
@@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19)
│ │ │ │ │ │ │ Windows Subsystem for... │ │ │ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with
│ │ │ │ │ │ │ data integrity tests fail).... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │ │ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
+7 -12
@@ -3,16 +3,12 @@
"ArtifactName": "https://github.com/krol3/demo-trivy/", "ArtifactName": "https://github.com/krol3/demo-trivy/",
"ArtifactType": "repository", "ArtifactType": "repository",
"Metadata": { "Metadata": {
"ImageConfig": { "RepoURL": "https://github.com/krol3/demo-trivy/",
"architecture": "", "Branch": "main",
"created": "0001-01-01T00:00:00Z", "Commit": "547db823c73fdb3385871f6235e946c72291f734",
"os": "", "CommitMsg": "chore: add gitignore",
"rootfs": { "Author": "carolina valencia <krol3@users.noreply.github.com>",
"type": "", "Committer": "carolina valencia <krol3@users.noreply.github.com>"
"diff_ids": null
},
"config": {}
}
}, },
"Results": [ "Results": [
{ {
@@ -68,8 +64,7 @@
} }
] ]
}, },
"Match": "export GITHUB_PAT=****************************************", "Match": "export GITHUB_PAT=****************************************"
"Layer": {}
} }
] ]
} }
+2 -1
@@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19)
│ │ │ │ │ │ │ Windows Subsystem for... │ │ │ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with
│ │ │ │ │ │ │ data integrity tests fail).... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │ │ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
-12
@@ -2,18 +2,6 @@
"SchemaVersion": 2, "SchemaVersion": 2,
"ArtifactName": "test/data/with-tf-vars/main.tf", "ArtifactName": "test/data/with-tf-vars/main.tf",
"ArtifactType": "filesystem", "ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [ "Results": [
{ {
"Target": ".", "Target": ".",
+2 -3
@@ -1,6 +1,5 @@
{ {
"SchemaVersion": 2, "SchemaVersion": 2,
"CreatedAt": "2025-06-03T01:26:45.367171-06:00",
"ArtifactName": "alpine:3.10", "ArtifactName": "alpine:3.10",
"ArtifactType": "container_image", "ArtifactType": "container_image",
"Metadata": { "Metadata": {
@@ -72,7 +71,7 @@
"PkgID": "apk-tools@2.10.6-r0", "PkgID": "apk-tools@2.10.6-r0",
"PkgName": "apk-tools", "PkgName": "apk-tools",
"PkgIdentifier": { "PkgIdentifier": {
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64\u0026distro=3.10.9", "PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9",
"UID": "b7a64ae671a99195" "UID": "b7a64ae671a99195"
}, },
"InstalledVersion": "2.10.6-r0", "InstalledVersion": "2.10.6-r0",
@@ -123,7 +122,7 @@
"https://www.cve.org/CVERecord?id=CVE-2021-36159" "https://www.cve.org/CVERecord?id=CVE-2021-36159"
], ],
"PublishedDate": "2021-08-03T14:15:08.233Z", "PublishedDate": "2021-08-03T14:15:08.233Z",
"LastModifiedDate": "2023-11-07T03:36:43.337Z" "LastModifiedDate": "2024-11-21T06:13:13.57Z"
} }
] ]
} }
+10 -3
@@ -57,9 +57,16 @@ function compare_files() {
remove_github_fields "$file1" remove_github_fields "$file1"
remove_github_fields "$file2" remove_github_fields "$file2"
run diff "$file1" "$file2" if [ "${UPDATE_GOLDEN}" = "1" ]; then
echo "$output" cp "$file1" "$file2"
assert_files_equal "$file1" "$file2" echo "Updated golden file: $file2"
else
run diff "$file1" "$file2"
echo "$output"
assert_files_equal "$file1" "$file2"
fi
rm -f "$file1"
} }
@test "trivy repo with securityCheck secret only" { @test "trivy repo with securityCheck secret only" {
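Review bot: In the `UPDATE_GOLDEN=1` branch, `cp "$file1" "$file2"` replaces the golden unconditionally and the function then returns success, so unless the caller has already checked that the scan succeeded, an empty or truncated output file is written into the fixture without any failure; a guard before the copy, `[ -s "$file1" ] || { echo "refusing to update golden from empty output: $file1"; return 1; }`, closes that gap. The trailing `rm -f "$file1"` only runs when the comparison passes, as a failing `assert_files_equal` aborts the test first — acceptable for debugging, but worth a comment saying the scan output is deliberately kept on failure. Separately, the regenerated JSON goldens in this PR now carry repository metadata (`Commit`, `Author`, `Committer`); unless `remove_github_fields`, whose body is outside the hunk, strips those keys, the test will break on the next push to that upstream repository. `compare_files` begins before this hunk.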