debug

.github/workflows/build.yaml

@@ -1,8 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
-  TRIVY_VERSION: 0.45.0
+  TRIVY_VERSION: 0.29.1
-  BATS_LIB_PATH: '/usr/lib/'
 jobs:
   build:
     name: build
@@ -12,7 +11,7 @@ jobs:
       - name: Setup BATS
         uses: mig4/setup-bats@v1
         with:
-          bats-version: 1.7.0
+          bats-version: 1.2.1
 
       - name: Setup Bats libs
         uses: brokenpip3/setup-bats-libs@0.1.0
@@ -25,4 +24,4 @@ jobs:
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
 
       - name: Test
-        run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .
+        run: bats -r .

.github/workflows/bump-trivy.yaml

@@ -1,40 +0,0 @@
-name: Bump trivy
-
-on:
-  workflow_dispatch:
-    inputs:
-      trivy_version:
-        required: true
-        type: string
-        description: the trivy version
-
-run-name: Bump trivy to v${{ inputs.trivy_version }}
-
-jobs:
-  bump:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - name: Update Trivy versions
-        run: |
-          sed -r -i "s/ghcr.io\/aquasecurity\/trivy:[0-9]+\.[0-9]+\.[0-9]+/ghcr.io\/aquasecurity\/trivy:${{ inputs.trivy_version }}/" Dockerfile
-          sed -r -i "s/TRIVY_VERSION: [0-9]+\.[0-9]+\.[0-9]+/TRIVY_VERSION: ${{ inputs.trivy_version }}/" .github/workflows/build.yaml
-          find test/data -type f -name '*.test' | xargs sed -r -i 's/"version": "[0-9]+\.[0-9]+\.[0-9]+"/"version": "${{ inputs.trivy_version }}"/'
-
-      - name: Create PR
-        id: create-pr
-        uses: peter-evans/create-pull-request@v5
-        with:
-          token: ${{ secrets.ORG_REPO_TOKEN }}
-          title: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
-          commit-message: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
-          committer: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
-          author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
-          branch-suffix: timestamp
-          branch: bump-trivy
-          delete-branch: true
-
-      - name: Check outputs
-        run: |
-          echo "Pull Request Number - ${{ steps.create-pr.outputs.pull-request-number }}"
-          echo "Pull Request URL - ${{ steps.create-pr.outputs.pull-request-url }}"

.gitignore

@@ -2,4 +2,3 @@
 *.test
 !test/data/*.test
 trivyignores
-.vscode/

Dockerfile

@@ -1,5 +1,5 @@
-FROM ghcr.io/aquasecurity/trivy:0.47.0
+FROM ghcr.io/aquasecurity/trivy:0.29.1
 COPY entrypoint.sh /
-RUN apk --no-cache add bash curl npm
+RUN apk --no-cache add bash curl
 RUN chmod +x /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]

Makefile

@@ -1,4 +0,0 @@
-.PHONY: test
-
-test:
-	BATS_LIB_PATH=/usr/local/lib/ bats -r .

README.md

@@ -19,25 +19,27 @@
 
 ## Usage
 
-### Scan CI Pipeline
+### Workflow
 
 ```yaml
 name: build
 on:
   push:
     branches:
-      - main
+      - master
   pull_request:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
+
       - name: Build an image from Dockerfile
         run: |
           docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
@@ -49,78 +51,6 @@ jobs:
           severity: 'CRITICAL,HIGH'
 ```
 
-### Scan CI Pipeline (w/ Trivy Config)
-
-```yaml
-name: build
-on:
-  push:
-    branches:
-    - main
-  pull_request:
-jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-20.04
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Run Trivy vulnerability scanner in fs mode
-      uses: aquasecurity/trivy-action@master
-      with:
-        scan-type: 'fs'
-        scan-ref: '.'
-        trivy-config: trivy.yaml
-```
-
-In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
-```yaml
-format: json
-exit-code: 1
-severity: CRITICAL
-```
-
-It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
-- `scan-ref`: If using `fs, repo` scans.
-- `image-ref`: If using `image` scan.
-- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.
-
-#### Order of prerference for options
-Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:
-- GitHub Action flag
-- Environment variable
-- Config file
-- Default
-
-### Scanning a Tarball
-```yaml
-name: build
-on:
-  push:
-    branches:
-    - main
-  pull_request:
-jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-20.04
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Generate tarball from image
-      run: |
-        docker pull <your-docker-image>
-        docker save -o vuln-image.tar <your-docker-image>
-        
-    - name: Run Trivy vulnerability scanner in tarball mode
-      uses: aquasecurity/trivy-action@master
-      with:
-        input: /github/workspace/vuln-image.tar
-        severity: 'CRITICAL,HIGH'
-```
-
 ### Using Trivy with GitHub Code Scanning
 If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
 ```yaml
@@ -128,15 +58,15 @@ name: build
 on:
   push:
     branches:
-      - main
+      - master
   pull_request:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Build an image from Dockerfile
         run: |
@@ -163,15 +93,15 @@ name: build
 on:
   push:
     branches:
-      - main
+      - master
   pull_request:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Build an image from Dockerfile
         run: |
@@ -202,15 +132,15 @@ name: build
 on:
   push:
     branches:
-      - main
+      - master
   pull_request:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@master
@@ -236,15 +166,15 @@ name: build
 on:
   push:
     branches:
-      - main
+      - master
   pull_request:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner with rootfs command
         uses: aquasecurity/trivy-action@master
@@ -262,7 +192,7 @@ jobs:
           sarif_file: 'trivy-results.sarif'
 ```
 
-### Using Trivy to scan Infrastructure as Code
+### Using Trivy to scan Infrastucture as Code
 It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
 
 If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
@@ -271,23 +201,22 @@ name: build
 on:
   push:
     branches:
-      - main
+      - master
   pull_request:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner in IaC mode
         uses: aquasecurity/trivy-action@master
         with:
           scan-type: 'config'
           hide-progress: false
-          format: 'sarif'
+          format: 'table'
-          output: 'trivy-results.sarif'
           exit-code: '1'
           ignore-unfixed: true
           severity: 'CRITICAL,HIGH'
@@ -299,24 +228,19 @@ jobs:
 ```
 
 ### Using Trivy to generate SBOM
-It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
+It's possible for Trivy to generate an SBOM of your dependencies and submit them to a consumer like GitHub Dependency Snapshot.
 
-The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository). 
+The sending of SBOM to GitHub feature is only available if you currently have [GitHub Dependency Snapshot](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) available to you in your repo. 
-
-In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`):
 
+In order to send results to the GitHub Dependency Snapshot, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
 ```yaml
 ---
 name: Pull Request
 on:
   push:
     branches:
-    - main
+    - master
-
+  pull_request:
-## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
-permissions:
-  contents: write
-
 jobs:
   build:
     name: Checks
@@ -325,14 +249,14 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v3
 
-      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
         uses: aquasecurity/trivy-action@master
         with:
           scan-type: 'fs'
           format: 'github'
           output: 'dependency-results.sbom.json'
           image-ref: '.'
-          github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
+          github-pat: '<github_pat_token>'
 ```
 
 ### Using Trivy to scan your private registry
@@ -346,15 +270,15 @@ name: build
 on:
   push:
     branches:
-      - main
+      - master
   pull_request:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
@@ -382,15 +306,15 @@ name: build
 on:
   push:
     branches:
-      - main
+      - master
   pull_request:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
@@ -418,15 +342,15 @@ name: build
 on:
   push:
     branches:
-      - main
+      - master
   pull_request:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
@@ -451,15 +375,15 @@ name: build
 on:
   push:
     branches:
-      - main
+      - master
   pull_request:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
@@ -503,11 +427,9 @@ Following inputs can be used as `step.with` keys:
 | `ignore-policy`   | String  |                                    | Filter vulnerabilities with OPA rego language                                                   |
 | `hide-progress`   | String  | `true`                             | Suppress progress bar                                                                           |
 | `list-all-pkgs`   | String  |                                    | Output all packages regardless of vulnerability                                                 |
-| `scanners` | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)               |
+| `security-checks` | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)               |
 | `trivyignores`    | String  |                                    | comma-separated list of relative paths in repository to one or more `.trivyignore` files        |
-| `trivy-config`    | String  |                                    | Path to trivy.yaml config                                                                       |
+| `github-pat`      | String  |                                    | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
-| `github-pat`      | String  |                                    | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
-| `limit-severities-for-sarif`      | Boolean  | false                                   | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 
 [release]: https://github.com/aquasecurity/trivy-action/releases/latest
 [release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github

action.yaml

@@ -8,7 +8,7 @@ inputs:
     default: 'image'
   image-ref:
     description: 'image reference(for backward compatibility)'
-    required: false
+    required: true
   input:
     description: 'reference of tar file to scan'
     required: false
@@ -71,7 +71,7 @@ inputs:
     description: 'output all packages regardless of vulnerability'
     required: false
     default: 'false'
-  scanners:
+  security-checks:
     description: 'comma-separated list of what security issues to detect'
     required: false
     default: ''
@@ -85,12 +85,6 @@ inputs:
   github-pat:
     description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
     required: false
-  trivy-config:
-    description: 'path to trivy.yaml config'
-    required: false
-  limit-severities-for-sarif:
-    description: 'limit severities for SARIF format'
-    required: false
 
 runs:
   using: 'docker'
@@ -114,8 +108,6 @@ runs:
     - '-p ${{ inputs.hide-progress }}'
     - '-q ${{ inputs.skip-files }}'
     - '-r ${{ inputs.list-all-pkgs }}'
-    - '-s ${{ inputs.scanners }}'
+    - '-s ${{ inputs.security-checks }}'
     - '-t ${{ inputs.trivyignores }}'
     - '-u ${{ inputs.github-pat }}'
-    - '-v ${{ inputs.trivy-config }}'
-    - '-z ${{ inputs.limit-severities-for-sarif }}'

entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" o; do
    case "${o}" in
        a)
          export scanType=${OPTARG}
@@ -57,7 +57,7 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
          export listAllPkgs=${OPTARG}
        ;;
        s)
-         export scanners=${OPTARG}
+         export securityChecks=${OPTARG}
        ;;
        t)
          export trivyIgnores=${OPTARG}
@@ -65,29 +65,20 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
        u)
          export githubPAT=${OPTARG}
        ;;
-       v)
-         export trivyConfig=${OPTARG}
-       ;;
-       z)
-         export limitSeveritiesForSARIF=${OPTARG}
-       ;;
   esac
 done
 
-
 scanType=$(echo $scanType | tr -d '\r')
 export artifactRef="${imageRef}"
-if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] ||  [ "${scanType}" = "config" ] ||  [ "${scanType}" = "rootfs" ];then
+if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] ||  [ "${scanType}" = "config" ] ||  [ "${scanType}" = "rootfs" ];then
   artifactRef=$(echo $scanRef | tr -d '\r')
 fi
 input=$(echo $input | tr -d '\r')
 if [ $input ]; then
   artifactRef="--input $input"
 fi
-#trim leading spaces for boolean params
 ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
 hideProgress=$(echo $hideProgress | tr -d '\r')
-limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')
 
 GLOBAL_ARGS=""
 if [ $cacheDir ];then
@@ -105,7 +96,6 @@ if [ $template ] ;then
 fi
 if [ $exitCode ];then
  ARGS="$ARGS --exit-code $exitCode"
- SARIF_ARGS="$SARIF_ARGS --exit-code $exitCode"
 fi
 if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
   ARGS="$ARGS --ignore-unfixed"
@@ -115,9 +105,8 @@ if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];the
   ARGS="$ARGS --vuln-type $vulnType"
   SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
 fi
-if [ $scanners ];then
+if [ $securityChecks ];then
-  ARGS="$ARGS --scanners $scanners"
+  ARGS="$ARGS --security-checks $securityChecks"
-  SARIF_ARGS="$SARIF_ARGS --scanners $scanners"
 fi
 if [ $severity ];then
   ARGS="$ARGS --severity $severity"
@@ -148,7 +137,6 @@ if [ $trivyIgnores ];then
 fi
 if [ $timeout ];then
   ARGS="$ARGS --timeout $timeout"
-  SARIF_ARGS="$SARIF_ARGS --timeout $timeout"
 fi
 if [ $ignorePolicy ];then
   ARGS="$ARGS --ignore-policy $ignorePolicy"
@@ -169,33 +157,23 @@ if [ "$skipFiles" ];then
   done
 fi
 
-trivyConfig=$(echo $trivyConfig | tr -d '\r')
+echo "Running trivy with options: ${ARGS}" "${artifactRef}"
-# To make sure that uploda GitHub Dependency Snapshot succeeds, disable the script that fails first.
+echo "Global options: " "${GLOBAL_ARGS}"
-set +e
+trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
-if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
-  # SARIF is special. We output all vulnerabilities,
-  # regardless of severity level specified in this report.
-  # This is a feature, not a bug :)
-  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
-  trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
-elif [ $trivyConfig ]; then
-   echo "Running Trivy with trivy.yaml config from: " $trivyConfig
-   trivy --config $trivyConfig ${scanType} ${artifactRef}
-else
-   echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
-   echo "Global options: " "${GLOBAL_ARGS}"
-   trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
-fi
 returnCode=$?
 
-set -e
+# SARIF is special. We output all vulnerabilities,
-if [[ "${format}" == "github" ]]; then
+# regardless of severity level specified in this report.
-  if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
+# This is a feature, not a bug :)
-    printf "\n Uploading GitHub Dependency Snapshot"
+if [[ "${format}" == "sarif" ]]; then
-    curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubPAT" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
+  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
-  else
+  trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
-    printf "\n Failing GitHub Dependency Snapshot. Missing github-pat"
-  fi
 fi
 
+if [[ "${format}" == "github" ]] && [[ "$(echo $githubPAT | xargs)" != "" ]]; then
+  echo "Uploading GitHub Dependency Snapshot"
+  curl -u "${githubPAT}" -H 'Content-Type: application/json' 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
+fi
+
+echo "returnCode: " $returnCode
 exit $returnCode

test/data/config-sarif.test

@@ -1,134 +0,0 @@
-{
-  "version": "2.1.0",
-  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "fullName": "Trivy Vulnerability Scanner",
-          "informationUri": "https://github.com/aquasecurity/trivy",
-          "name": "Trivy",
-          "rules": [
-            {
-              "id": "DS002",
-              "name": "Misconfiguration",
-              "shortDescription": {
-                "text": "Image user should not be \u0026#39;root\u0026#39;"
-              },
-              "fullDescription": {
-                "text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
-              },
-              "defaultConfiguration": {
-                "level": "error"
-              },
-              "helpUri": "https://avd.aquasec.com/misconfig/ds002",
-              "help": {
-                "text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH\nCheck: Image user should not be 'root'\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
-                "markdown": "**Misconfiguration DS002**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\n\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
-              },
-              "properties": {
-                "precision": "very-high",
-                "security-severity": "8.0",
-                "tags": [
-                  "misconfiguration",
-                  "security",
-                  "HIGH"
-                ]
-              }
-            },
-            {
-              "id": "DS026",
-              "name": "Misconfiguration",
-              "shortDescription": {
-                "text": "No HEALTHCHECK defined"
-              },
-              "fullDescription": {
-                "text": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
-              },
-              "defaultConfiguration": {
-                "level": "note"
-              },
-              "helpUri": "https://avd.aquasec.com/misconfig/ds026",
-              "help": {
-                "text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
-                "markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
-              },
-              "properties": {
-                "precision": "very-high",
-                "security-severity": "2.0",
-                "tags": [
-                  "misconfiguration",
-                  "security",
-                  "LOW"
-                ]
-              }
-            }
-          ],
-          "version": "0.45.0"
-        }
-      },
-      "results": [
-        {
-          "ruleId": "DS002",
-          "ruleIndex": 0,
-          "level": "error",
-          "message": {
-            "text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS002\nSeverity: HIGH\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)"
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "Dockerfile",
-                  "uriBaseId": "ROOTPATH"
-                },
-                "region": {
-                  "startLine": 1,
-                  "startColumn": 1,
-                  "endLine": 1,
-                  "endColumn": 1
-                }
-              },
-              "message": {
-                "text": "Dockerfile"
-              }
-            }
-          ]
-        },
-        {
-          "ruleId": "DS026",
-          "ruleIndex": 1,
-          "level": "note",
-          "message": {
-            "text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "Dockerfile",
-                  "uriBaseId": "ROOTPATH"
-                },
-                "region": {
-                  "startLine": 1,
-                  "startColumn": 1,
-                  "endLine": 1,
-                  "endColumn": 1
-                }
-              },
-              "message": {
-                "text": "Dockerfile"
-              }
-            }
-          ]
-        }
-      ],
-      "columnKind": "utf16CodeUnits",
-      "originalUriBaseIds": {
-        "ROOTPATH": {
-          "uri": "file:///"
-        }
-      }
-    }
-  ]
-}

test/data/config.test

@@ -20,15 +20,14 @@
       "Class": "config",
       "Type": "dockerfile",
       "MisconfSummary": {
-        "Successes": 24,
+        "Successes": 21,
-        "Failures": 2,
+        "Failures": 1,
         "Exceptions": 0
       },
       "Misconfigurations": [
         {
           "Type": "Dockerfile Security Check",
           "ID": "DS002",
-          "AVDID": "AVD-DS-0002",
           "Title": "Image user should not be 'root'",
           "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
           "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
@@ -50,32 +49,6 @@
               "Lines": null
             }
           }
-        },
-        {
-          "Type": "Dockerfile Security Check",
-          "ID": "DS026",
-          "AVDID": "AVD-DS-0026",
-          "Title": "No HEALTHCHECK defined",
-          "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
-          "Message": "Add HEALTHCHECK instruction in your Dockerfile",
-          "Namespace": "builtin.dockerfile.DS026",
-          "Query": "data.builtin.dockerfile.DS026.deny",
-          "Resolution": "Add HEALTHCHECK instruction in Dockerfile",
-          "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
-          "References": [
-            "https://blog.aquasec.com/docker-security-best-practices",
-            "https://avd.aquasec.com/misconfig/ds026"
-          ],
-          "Status": "FAIL",
-          "Layer": {},
-          "CauseMetadata": {
-            "Provider": "Dockerfile",
-            "Service": "general",
-            "Code": {
-              "Lines": null
-            }
-          }
         }
       ]
     }

test/data/fs-scheck.test

@@ -20,15 +20,14 @@
       "Class": "config",
       "Type": "dockerfile",
       "MisconfSummary": {
-        "Successes": 24,
+        "Successes": 21,
-        "Failures": 2,
+        "Failures": 1,
         "Exceptions": 0
       },
       "Misconfigurations": [
         {
           "Type": "Dockerfile Security Check",
           "ID": "DS002",
-          "AVDID": "AVD-DS-0002",
           "Title": "Image user should not be 'root'",
           "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
           "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
@@ -50,32 +49,6 @@
               "Lines": null
             }
           }
-        },
-        {
-          "Type": "Dockerfile Security Check",
-          "ID": "DS026",
-          "AVDID": "AVD-DS-0026",
-          "Title": "No HEALTHCHECK defined",
-          "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
-          "Message": "Add HEALTHCHECK instruction in your Dockerfile",
-          "Namespace": "builtin.dockerfile.DS026",
-          "Query": "data.builtin.dockerfile.DS026.deny",
-          "Resolution": "Add HEALTHCHECK instruction in Dockerfile",
-          "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
-          "References": [
-            "https://blog.aquasec.com/docker-security-best-practices",
-            "https://avd.aquasec.com/misconfig/ds026"
-          ],
-          "Status": "FAIL",
-          "Layer": {},
-          "CauseMetadata": {
-            "Provider": "Dockerfile",
-            "Service": "general",
-            "Code": {
-              "Lines": null
-            }
-          }
         }
       ]
     }

test/data/fs.test

@@ -0,0 +1,17 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": ".",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  }
+}

test/data/repo.test

@@ -26,50 +26,7 @@
           "Title": "GitHub Personal Access Token",
           "StartLine": 5,
           "EndLine": 5,
-          "Code": {
+          "Match": "export GITHUB_PAT=*****"
-            "Lines": [
-              {
-                "Number": 3,
-                "Content": "export AWS_ACCESS_KEY_ID=1234567",
-                "IsCause": false,
-                "Annotation": "",
-                "Truncated": false,
-                "Highlighted": "export AWS_ACCESS_KEY_ID=1234567",
-                "FirstCause": false,
-                "LastCause": false
-              },
-              {
-                "Number": 4,
-                "Content": "",
-                "IsCause": false,
-                "Annotation": "",
-                "Truncated": false,
-                "FirstCause": false,
-                "LastCause": false
-              },
-              {
-                "Number": 5,
-                "Content": "export GITHUB_PAT=****************************************",
-                "IsCause": true,
-                "Annotation": "",
-                "Truncated": false,
-                "Highlighted": "export GITHUB_PAT=****************************************",
-                "FirstCause": true,
-                "LastCause": true
-              },
-              {
-                "Number": 6,
-                "Content": "",
-                "IsCause": false,
-                "Annotation": "",
-                "Truncated": false,
-                "FirstCause": false,
-                "LastCause": false
-              }
-            ]
-          },
-          "Match": "export GITHUB_PAT=****************************************",
-          "Layer": {}
         }
       ]
     }

test/data/rootfs.test

@@ -0,0 +1,17 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": ".",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  }
+}

test/data/trivy.yaml

@@ -1,5 +0,0 @@
-format: json
-severity: CRITICAL
-vulnerability:
-  type: os
-output: yamlconfig.test

test/data/yamlconfig.test

@@ -1,114 +0,0 @@
-{
-  "SchemaVersion": 2,
-  "ArtifactName": "alpine:3.10",
-  "ArtifactType": "container_image",
-  "Metadata": {
-    "OS": {
-      "Family": "alpine",
-      "Name": "3.10.9",
-      "EOSL": true
-    },
-    "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
-    "DiffIDs": [
-      "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
-    ],
-    "RepoTags": [
-      "alpine:3.10"
-    ],
-    "RepoDigests": [
-      "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
-    ],
-    "ImageConfig": {
-      "architecture": "amd64",
-      "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
-      "created": "2021-04-14T19:20:05.338397761Z",
-      "docker_version": "19.03.12",
-      "history": [
-        {
-          "created": "2021-04-14T19:20:04.987219124Z",
-          "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
-        },
-        {
-          "created": "2021-04-14T19:20:05.338397761Z",
-          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
-          "empty_layer": true
-        }
-      ],
-      "os": "linux",
-      "rootfs": {
-        "type": "layers",
-        "diff_ids": [
-          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
-        ]
-      },
-      "config": {
-        "Cmd": [
-          "/bin/sh"
-        ],
-        "Env": [
-          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-        ],
-        "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
-      }
-    }
-  },
-  "Results": [
-    {
-      "Target": "alpine:3.10 (alpine 3.10.9)",
-      "Class": "os-pkgs",
-      "Type": "alpine",
-      "Vulnerabilities": [
-        {
-          "VulnerabilityID": "CVE-2021-36159",
-          "PkgID": "apk-tools@2.10.6-r0",
-          "PkgName": "apk-tools",
-          "InstalledVersion": "2.10.6-r0",
-          "FixedVersion": "2.10.7-r0",
-          "Status": "fixed",
-          "Layer": {
-            "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
-            "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
-          "DataSource": {
-            "ID": "alpine",
-            "Name": "Alpine Secdb",
-            "URL": "https://secdb.alpinelinux.org/"
-          },
-          "Title": "an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash",
-          "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
-          "Severity": "CRITICAL",
-          "CweIDs": [
-            "CWE-125"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
-              "V2Score": 6.4,
-              "V3Score": 9.1
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
-              "V3Score": 9.1
-            }
-          },
-          "References": [
-            "https://access.redhat.com/security/cve/CVE-2021-36159",
-            "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
-            "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
-            "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
-            "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
-            "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
-            "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E",
-            "https://nvd.nist.gov/vuln/detail/CVE-2021-36159",
-            "https://www.cve.org/CVERecord?id=CVE-2021-36159"
-          ],
-          "PublishedDate": "2021-08-03T14:15:00Z",
-          "LastModifiedDate": "2021-10-18T12:19:00Z"
-        }
-      ]
-    }
-  ]
-}

test/test.bats

@@ -1,71 +1,61 @@
 #!/usr/bin/env bats
-bats_load_library bats-support
+load '/usr/lib/bats-support/load.bash'
-bats_load_library bats-assert
+load '/usr/lib/bats-assert/load.bash'
-bats_load_library bats-file
-
-@test "trivy repo with securityCheck secret only" {
-  # trivy repo --format json --output repo.test --scanners=secret https://github.com/krol3/demo-trivy/
-  run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
-  run diff repo.test ./test/data/repo.test
-  echo "$output"
-  assert_files_equal repo.test ./test/data/repo.test
-}
 
 @test "trivy image" {
-  # trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
+  # trivy image --severity CRITICAL --format json --output image.test knqyf263/vuln-image:1.2.3
-  run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
+  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b json' '-h image.test' '-g CRITICAL'
-  run diff image.test ./test/data/image.test
+  result="$(diff ./test/data/image.test image.test)"
-  echo "$output"
+  [ "$result" == '' ]
-  assert_files_equal image.test ./test/data/image.test
 }
 
-@test "trivy config sarif report" {
+@test "trivy image sarif report" {
-  # trivy config --format sarif --output  config-sarif.test .
+  # trivy image --severity CRITICAL -f sarif --output image-sarif.test knqyf263/vuln-image:1.2.3
-  run ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.test' '-j .'
+  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b sarif' '-h image-sarif.test' '-g CRITICAL'
-  run diff config-sarif.test ./test/data/config-sarif.test
+  result="$(diff ./test/data/image-sarif.test image-sarif.test)"
-  echo "$output"
+  [ "$result" == '' ]
-  assert_files_equal config-sarif.test ./test/data/config-sarif.test
 }
 
 @test "trivy config" {
   # trivy config --format json --output config.test .
-  run ./entrypoint.sh '-a config' '-b json' '-j .' '-h config.test'
+  ./entrypoint.sh '-a config' '-j .' '-b json' '-h config.test'
-  run diff config.test ./test/data/config.test
+  result="$(diff ./test/data/config.test config.test)"
-  echo "$output"
+  [ "$result" == '' ]
-  assert_files_equal config.test ./test/data/config.test
 }
 
 @test "trivy rootfs" {
-  # trivy rootfs --output rootfs.test .
+  # trivy rootfs --format json --output rootfs.test .
-  run ./entrypoint.sh '-a rootfs' '-j .' '-h rootfs.test'
+  ./entrypoint.sh '-a rootfs' '-j .' '-b json' '-h rootfs.test'
-  run diff rootfs.test ./test/data/rootfs.test
+  result="$(diff ./test/data/rootfs.test rootfs.test)"
-  echo "$output"
+  [ "$result" == '' ]
-  assert_files_equal rootfs.test ./test/data/rootfs.test
 }
 
 @test "trivy fs" {
-  # trivy fs --output fs.test .
+  # trivy fs --format json --output fs.test .
-  run ./entrypoint.sh '-a fs' '-j .' '-h fs.test'
+  ./entrypoint.sh '-a fs' '-j .' '-b json' '-h fs.test'
-  run diff fs.test ./test/data/fs.test
+  result="$(diff ./test/data/fs.test fs.test)"
-  echo "$output"
+  [ "$result" == '' ]
-  assert_files_equal fs.test ./test/data/fs.test
 }
 
 @test "trivy fs with securityChecks option" {
-  # trivy fs --format json --scanners=vuln,config --output fs-scheck.test .
+  # trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
-  run ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
+  ./entrypoint.sh '-a fs' '-j .' '-b json' '-s vuln,config,secret' '-h fs-scheck.test'
-  run diff fs-scheck.test ./test/data/fs-scheck.test
+  result="$(diff ./test/data/fs-scheck.test fs-scheck.test)"
-  echo "$output"
+  [ "$result" == '' ]
-  assert_files_equal fs-scheck.test ./test/data/fs-scheck.test
 }
 
+@test "trivy repo with securityCheck secret only" {
+  # trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
+  ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
+  result="$(diff ./test/data/repo.test repo.test)"
+  [ "$result" == '' ]
+}
 
 @test "trivy image with trivyIgnores option" {
-  # cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL  --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
+  # cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --format json --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
-  run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
+  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b json' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
-  run diff image-trivyignores.test ./test/data/image-trivyignores.test
+  result="$(diff ./test/data/image-trivyignores.test image-trivyignores.test)"
-  echo "$output"
+  [ "$result" == '' ]
-  assert_files_equal image-trivyignores.test ./test/data/image-trivyignores.test
 }
 
 @test "trivy image with sbom output" {
@@ -73,11 +63,3 @@ bats_load_library bats-file
   run ./entrypoint.sh  "-a image" "-b github" "-i knqyf263/vuln-image:1.2.3"
   assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' # TODO: Output contains time, need to mock
 }
-
-@test "trivy image with trivy.yaml config" {
-  # trivy --config=./test/data/trivy.yaml image alpine:3.10
-  run ./entrypoint.sh "-v ./test/data/trivy.yaml" "-a image" "-i alpine:3.10"
-  run diff yamlconfig.test ./test/data/yamlconfig.test
-  echo "$output"
-  assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
-}

workflow.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v2