debug

2026-05-14 11:12:40 +00:00 · 2022-06-28 17:15:06 -07:00
39 changed files with 6613 additions and 2384 deletions
@@ -0,0 +1,27 @@
 name: "build"
 on: [push, pull_request]
 env:
  TRIVY_VERSION: 0.29.1
 jobs:
  build:
    name: build
    runs-on: ubuntu-20.04
    steps:
      - name: Setup BATS
        uses: mig4/setup-bats@v1
        with:
          bats-version: 1.2.1
      - name: Setup Bats libs
        uses: brokenpip3/setup-bats-libs@0.1.0
      - name: Check out code
        uses: actions/checkout@v1
      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
      - name: Test
        run: bats -r .
@@ -1,39 +0,0 @@
 name: Bump trivy
 on:
  workflow_dispatch:
    inputs:
      trivy_version:
        required: true
        type: string
        description: the trivy version
 run-name: Bump trivy to v${{ inputs.trivy_version }}
 jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Update Trivy versions
        run: |
          sed -r -i "s/ghcr.io\/aquasecurity\/trivy:[0-9]+\.[0-9]+\.[0-9]+/ghcr.io\/aquasecurity\/trivy:${{ inputs.trivy_version }}/" Dockerfile
          find test/data -type f -name '*.test' | xargs sed -r -i 's/"version": "[0-9]+\.[0-9]+\.[0-9]+"/"version": "${{ inputs.trivy_version }}"/'
      - name: Create PR
        id: create-pr
        uses: peter-evans/create-pull-request@v5
        with:
          token: ${{ secrets.ORG_REPO_TOKEN }}
          title: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
          commit-message: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
          committer: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
          author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
          branch-suffix: timestamp
          branch: bump-trivy
          delete-branch: true
      - name: Check outputs
        run: |
          echo "Pull Request Number - ${{ steps.create-pr.outputs.pull-request-number }}"
          echo "Pull Request URL - ${{ steps.create-pr.outputs.pull-request-url }}"
@@ -1,24 +0,0 @@
 name: Sync Trivy Checks
 on:
  workflow_dispatch:
 env:
  IMAGE_NAME: ${{ github.repository_owner }}/trivy-checks-act
  REGISTRY: ghcr.io
 jobs:
  sync-trivy-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Login to GitHub Packages Container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Copy Trivy Checks
        run: |
          oras cp ghcr.io/aquasecurity/trivy-checks:1 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
@@ -1,24 +0,0 @@
 name: Sync Trivy DB
 on:
  workflow_dispatch:
 env:
  IMAGE_NAME: ${{ github.repository_owner }}/trivy-db-act
  REGISTRY: ghcr.io
 jobs:
  sync-trivy-db:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Login to GitHub Packages Container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Copy Trivy DB
        run: |
          oras cp ghcr.io/aquasecurity/trivy-db:2 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
@@ -1,24 +0,0 @@
 name: Sync Trivy Java DB
 on:
  workflow_dispatch:
 env:
  IMAGE_NAME: ${{ github.repository_owner }}/trivy-java-db-act
  REGISTRY: ghcr.io
 jobs:
  sync-trivy-db:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Login to GitHub Packages Container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Copy Trivy Java DB
        run: |
          oras cp ghcr.io/aquasecurity/trivy-java-db:1 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
@@ -1,31 +0,0 @@
 name: Test
 on:
  push:
  pull_request:
  workflow_dispatch:
 env:
  TRIVY_VERSION: 0.56.1
  BATS_LIB_PATH: '/usr/lib/'
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Bats and bats libs
        uses: bats-core/bats-action@2.0.0
      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
          trivy --version
      - name: Test
        run: |
          chmod +x entrypoint.sh 
           GITHUB_REPOSITORY_OWNER=aquasecurity\
           TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
           bats --recursive --timing --verbose-run .
@@ -2,6 +2,3 @@
 *.test
 !test/data/*.test
 trivyignores
 .vscode/
 .cache
@@ -1,5 +1,5 @@
-FROM ghcr.io/aquasecurity/trivy:0.56.1
+FROM ghcr.io/aquasecurity/trivy:0.29.1
 COPY entrypoint.sh /
-RUN apk --no-cache add bash curl npm
+RUN apk --no-cache add bash curl
 RUN chmod +x /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
@@ -1,15 +0,0 @@
 OS := $(shell uname)
 ifeq ($(OS), Darwin)
 BATS_LIB_PATH=/opt/homebrew/lib
 endif
 ifeq ($(OS), Linux)
 BATS_LIB_PATH=/usr/local/lib/ 
 endif
 .PHONY: test
 test:
 	mkdir -p .cache
 	BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\
 	  TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
 	  bats --recursive --timing --verbose-run .
@@ -19,27 +19,29 @@
 ## Usage
-### Scan CI Pipeline
+### Workflow
 ```yaml
 name: build
 on:
  push:
    branches:
-      - main
+      - master
  pull_request:
 jobs:
  build:
    name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
      - name: Build an image from Dockerfile
        run: |
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'table'
@@ -49,80 +51,6 @@ jobs:
          severity: 'CRITICAL,HIGH'
 ```
 ### Scan CI Pipeline (w/ Trivy Config)
 ```yaml
 name: build
 on:
  push:
    branches:
    - main
  pull_request:
 jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Run Trivy vulnerability scanner in fs mode
      uses: aquasecurity/trivy-action@0.20.0
      with:
        scan-type: 'fs'
        scan-ref: '.'
        trivy-config: trivy.yaml
 ```
 In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
 ```yaml
 format: json
 exit-code: 1
 severity: CRITICAL
 secret:
  config: config/trivy/secret.yaml
 ```
 It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
 - `scan-ref`: If using `fs, repo` scans.
 - `image-ref`: If using `image` scan.
 - `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.
 #### Order of preference for options
 Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:
 - GitHub Action flag
 - Environment variable
 - Config file
 - Default
 ### Scanning a Tarball
 ```yaml
 name: build
 on:
  push:
    branches:
    - main
  pull_request:
 jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Generate tarball from image
      run: |
        docker pull <your-docker-image>
        docker save -o vuln-image.tar <your-docker-image>
    - name: Run Trivy vulnerability scanner in tarball mode
      uses: aquasecurity/trivy-action@0.20.0
      with:
        input: /github/workspace/vuln-image.tar
        severity: 'CRITICAL,HIGH'
 ```
 ### Using Trivy with GitHub Code Scanning
 If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
 ```yaml
@@ -130,29 +58,29 @@ name: build
 on:
  push:
    branches:
-      - main
+      - master
  pull_request:
 jobs:
  build:
    name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
      - name: Build an image from Dockerfile
        run: |
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
 ```
@@ -165,29 +93,29 @@ name: build
 on:
  push:
    branches:
-      - main
+      - master
  pull_request:
 jobs:
  build:
    name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
      - name: Build an image from Dockerfile
        run: |
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
@@ -204,18 +132,18 @@ name: build
 on:
  push:
    branches:
-      - main
+      - master
  pull_request:
 jobs:
  build:
    name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
@@ -224,7 +152,7 @@ jobs:
          severity: 'CRITICAL'
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
 ```
@@ -238,18 +166,18 @@ name: build
 on:
  push:
    branches:
-      - main
+      - master
  pull_request:
 jobs:
  build:
    name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
      - name: Run Trivy vulnerability scanner with rootfs command
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'rootfs'
          scan-ref: 'rootfs-example-binary'
@@ -259,12 +187,12 @@ jobs:
          severity: 'CRITICAL'
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
 ```
-### Using Trivy to scan Infrastructure as Code
+### Using Trivy to scan Infrastucture as Code
 It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
 If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
@@ -273,111 +201,62 @@ name: build
 on:
  push:
    branches:
-      - main
+      - master
  pull_request:
 jobs:
  build:
    name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
      - name: Run Trivy vulnerability scanner in IaC mode
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
-          hide-progress: true
+          hide-progress: false
-          format: 'sarif'
+          format: 'table'
          output: 'trivy-results.sarif'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
 ```
 ### Using Trivy to generate SBOM
-It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
+It's possible for Trivy to generate an SBOM of your dependencies and submit them to a consumer like GitHub Dependency Snapshot.
-The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository).
+The sending of SBOM to GitHub feature is only available if you currently have [GitHub Dependency Snapshot](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) available to you in your repo. 
 In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`):
 In order to send results to the GitHub Dependency Snapshot, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
 ```yaml
 ---
 name: Pull Request
 on:
  push:
    branches:
-    - main
+    - master
-
+  pull_request:
 ## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
 permissions:
  contents: write
 jobs:
  build:
    name: Checks
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
-      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          format: 'github'
          output: 'dependency-results.sbom.json'
          image-ref: '.'
-          github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
+          github-pat: '<github_pat_token>'
 ```
 When scanning images you may want to parse the actual output JSON as Github Dependency doesn't show all details like the file path of each dependency for instance.
 You can upload the report as an artifact and download it, for instance using the [upload-artifact action](https://github.com/actions/upload-artifact):
 ```yaml
 ---
 name: Pull Request
 on:
  push:
    branches:
    - main
 ## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
 permissions:
  contents: write
 jobs:
  build:
    name: Checks
    runs-on: ubuntu-20.04
    steps:
      - name: Scan image in a private registry
        uses: aquasecurity/trivy-action@0.20.0
        with:
          image-ref: "private_image_registry/image_name:image_tag"
          scan-type: image
          format: 'github'
          output: 'dependency-results.sbom.json'
          github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
          severity: "MEDIUM,HIGH,CRITICAL"
          scanners: "vuln"
        env:
          TRIVY_USERNAME: "image_registry_admin_username"
          TRIVY_PASSWORD: "image_registry_admin_password"
      - name: Upload trivy report as a Github artifact
        uses: actions/upload-artifact@v4
        with:
          name: trivy-sbom-report
          path: '${{ github.workspace }}/dependency-results.sbom.json'
          retention-days: 20 # 90 is the default
 ```
 ### Using Trivy to scan your private registry
@@ -391,18 +270,18 @@ name: build
 on:
  push:
    branches:
-      - main
+      - master
  pull_request:
 jobs:
  build:
    name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -412,7 +291,7 @@ jobs:
          TRIVY_PASSWORD: Password
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
 ```
@@ -427,18 +306,18 @@ name: build
 on:
  push:
    branches:
-      - main
+      - master
  pull_request:
 jobs:
  build:
    name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
          format: 'sarif'
@@ -449,7 +328,7 @@ jobs:
          AWS_DEFAULT_REGION: us-west-2
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
 ```
@@ -463,18 +342,18 @@ name: build
 on:
  push:
    branches:
-      - main
+      - master
  pull_request:
 jobs:
  build:
    name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -483,7 +362,7 @@ jobs:
          GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
 ```
@@ -496,18 +375,18 @@ name: build
 on:
  push:
    branches:
-      - main
+      - master
  pull_request:
 jobs:
  build:
    name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -517,86 +396,40 @@ jobs:
          TRIVY_PASSWORD: Password
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
 ```
 ### Using Trivy if you don't have code scanning enabled
 It's also possible to browse a scan result in a workflow summary.
 This step is especially useful for private repositories without [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) license.
 ```yaml
 - name: Run Trivy scanner
  uses: aquasecurity/trivy-action@0.20.0
  with:
    scan-type: config
    hide-progress: true
    output: trivy.txt
 - name: Publish Trivy Output to Summary
  run: |
    if [[ -s trivy.txt ]]; then
      {
        echo "### Security Output"
        echo "<details><summary>Click to expand</summary>"
        echo ""
        echo '```terraform'
        cat trivy.txt
        echo '```'
        echo "</details>"
      } >> $GITHUB_STEP_SUMMARY
    fi
 ```
 ## Customizing
 Configuration priority:
 - [Inputs](#inputs)
 - [Environment variables](#environment-variables)
 - [Trivy config file](#trivy-config-file)
 - Default values
 ### inputs
 Following inputs can be used as `step.with` keys:
-| Name                         | Type    | Default                            | Description                                                                                                                                                    |
+| Name              | Type    | Default                            | Description                                                                                     |
-|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|-------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------|
-| `scan-type`                  | String  | `image`                            | Scan type, e.g. `image` or `fs`                                                                                                                                |
+| `scan-type`       | String  | `image`                            | Scan type, e.g. `image` or `fs`                                                                 |
-| `input`                      | String  |                                    | Tar reference, e.g. `alpine-latest.tar`                                                                                                                        |
+| `input`           | String  |                                    | Tar reference, e.g. `alpine-latest.tar`                                                         |
-| `image-ref`                  | String  |                                    | Image reference, e.g. `alpine:3.10.2`                                                                                                                          |
+| `image-ref`       | String  |                                    | Image reference, e.g. `alpine:3.10.2`                                                           |
-| `scan-ref`                   | String  | `/github/workspace/`               | Scan reference, e.g. `/github/workspace/` or `.`                                                                                                               |
+| `scan-ref`        | String  | `/github/workspace/`               | Scan reference, e.g. `/github/workspace/` or `.`                                                |
-| `format`                     | String  | `table`                            | Output format (`table`, `json`, `sarif`, `github`)                                                                                                             |
+| `format`          | String  | `table`                            | Output format (`table`, `json`, `sarif`, `github`)                                              |
-| `template`                   | String  |                                    | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)                                                                                                |
+| `template`        | String  |                                    | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)                                 |
-| `tf-vars`                    | String  |                                    | path to Terraform variables file                                                                                                                               |
+| `output`          | String  |                                    | Save results to a file                                                                          |
-| `output`                     | String  |                                    | Save results to a file                                                                                                                                         |
+| `exit-code`       | String  | `0`                                | Exit code when specified vulnerabilities are found                                              |
-| `exit-code`                  | String  | `0`                                | Exit code when specified vulnerabilities are found                                                                                                             |
+| `ignore-unfixed`  | Boolean | false                              | Ignore unpatched/unfixed vulnerabilities                                                        |
-| `ignore-unfixed`             | Boolean | false                              | Ignore unpatched/unfixed vulnerabilities                                                                                                                       |
+| `vuln-type`       | String  | `os,library`                       | Vulnerability types (os,library)                                                                |
-| `vuln-type`                  | String  | `os,library`                       | Vulnerability types (os,library)                                                                                                                               |
+| `severity`        | String  | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed                                      |
-| `severity`                   | String  | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed                                                                                                     |
+| `skip-dirs`       | String  |                                    | Comma separated list of directories where traversal is skipped                                  |
-| `skip-dirs`                  | String  |                                    | Comma separated list of directories where traversal is skipped                                                                                                 |
+| `skip-files`      | String  |                                    | Comma separated list of files where traversal is skipped                                        |
-| `skip-files`                 | String  |                                    | Comma separated list of files where traversal is skipped                                                                                                       |
+| `cache-dir`       | String  |                                    | Cache directory                                                                                 |
-| `cache-dir`                  | String  |                                    | Cache directory                                                                                                                                                |
+| `timeout`         | String  | `5m0s`                             | Scan timeout duration                                                                           |
-| `timeout`                    | String  | `5m0s`                             | Scan timeout duration                                                                                                                                          |
+| `ignore-policy`   | String  |                                    | Filter vulnerabilities with OPA rego language                                                   |
-| `ignore-policy`              | String  |                                    | Filter vulnerabilities with OPA rego language                                                                                                                  |
+| `hide-progress`   | String  | `true`                             | Suppress progress bar                                                                           |
-| `hide-progress`              | String  | `false`                            | Suppress progress bar and log output                                                                                                                           |
+| `list-all-pkgs`   | String  |                                    | Output all packages regardless of vulnerability                                                 |
-| `list-all-pkgs`              | String  |                                    | Output all packages regardless of vulnerability                                                                                                                |
+| `security-checks` | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)               |
-| `scanners`                   | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)                                                                              |
+| `trivyignores`    | String  |                                    | comma-separated list of relative paths in repository to one or more `.trivyignore` files        |
-| `trivyignores`               | String  |                                    | comma-separated list of relative paths in repository to one or more `.trivyignore` files                                                                       |
+| `github-pat`      | String  |                                    | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
 | `trivy-config`               | String  |                                    | Path to trivy.yaml config                                                                                                                                      |
 | `github-pat`                 | String  |                                    | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN        |
 | `limit-severities-for-sarif` | Boolean | false                              | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 | `docker-host`                | String  |                                    | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values                                      |
 ### Environment variables
 You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
 ### Trivy config file
 When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
 [release]: https://github.com/aquasecurity/trivy-action/releases/latest
 [release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
@@ -604,5 +437,3 @@ When using the `trivy-config` [Input](#inputs), you can set options using the [T
 [marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github
 [license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE
 [license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
 [trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
 [trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
@@ -8,7 +8,7 @@ inputs:
    default: 'image'
  image-ref:
    description: 'image reference(for backward compatibility)'
-    required: false
+    required: true
  input:
    description: 'reference of tar file to scan'
    required: false
@@ -65,13 +65,13 @@ inputs:
    required: false
    default: ''
  hide-progress:
-    description: 'suppress progress bar and log output'
+    description: 'hide progress output'
    required: false
  list-all-pkgs:
    description: 'output all packages regardless of vulnerability'
    required: false
    default: 'false'
-  scanners:
+  security-checks:
    description: 'comma-separated list of what security issues to detect'
    required: false
    default: ''
@@ -85,18 +85,6 @@ inputs:
  github-pat:
    description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
    required: false
  trivy-config:
    description: 'path to trivy.yaml config'
    required: false
  tf-vars:
    description: "path to terraform tfvars file"
    required: false
  limit-severities-for-sarif:
    description: 'limit severities for SARIF format'
    required: false
  docker-host:
    description: 'unix domain socket path to use for docker scanning, ex. unix:///var/run/docker.sock'
    required: false
 runs:
  using: 'docker'
@@ -120,10 +108,6 @@ runs:
    - '-p ${{ inputs.hide-progress }}'
    - '-q ${{ inputs.skip-files }}'
    - '-r ${{ inputs.list-all-pkgs }}'
-    - '-s ${{ inputs.scanners }}'
+    - '-s ${{ inputs.security-checks }}'
    - '-t ${{ inputs.trivyignores }}'
    - '-u ${{ inputs.github-pat }}'
    - '-v ${{ inputs.trivy-config }}'
    - '-x ${{ inputs.tf-vars }}'
    - '-z ${{ inputs.limit-severities-for-sarif }}'
    - '-y ${{ inputs.docker-host }}'
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:y:z:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" o; do
   case "${o}" in
       a)
         export scanType=${OPTARG}
@@ -57,7 +57,7 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:y:z:" o; do
         export listAllPkgs=${OPTARG}
       ;;
       s)
-         export scanners=${OPTARG}
+         export securityChecks=${OPTARG}
       ;;
       t)
         export trivyIgnores=${OPTARG}
@@ -65,35 +65,20 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:y:z:" o; do
       u)
         export githubPAT=${OPTARG}
       ;;
       v)
         export trivyConfig=${OPTARG}
       ;;
       x)
         export tfVars=${OPTARG}
       ;;
       y)
         export dockerHost=${OPTARG}
       ;;
       z)
         export limitSeveritiesForSARIF=${OPTARG}
       ;;
  esac
 done
 scanType=$(echo $scanType | tr -d '\r')
 export artifactRef="${imageRef}"
-if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] ||  [ "${scanType}" = "config" ] ||  [ "${scanType}" = "rootfs" ] || [ "${scanType}" = "sbom" ];then
+if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] ||  [ "${scanType}" = "config" ] ||  [ "${scanType}" = "rootfs" ];then
  artifactRef=$(echo $scanRef | tr -d '\r')
 fi
 input=$(echo $input | tr -d '\r')
 if [ $input ]; then
  artifactRef="--input $input"
 fi
 #trim leading spaces for boolean params
 ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
 hideProgress=$(echo $hideProgress | tr -d '\r')
 limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')
 GLOBAL_ARGS=""
 if [ $cacheDir ];then
@@ -111,7 +96,6 @@ if [ $template ] ;then
 fi
 if [ $exitCode ];then
 ARGS="$ARGS --exit-code $exitCode"
 SARIF_ARGS="$SARIF_ARGS --exit-code $exitCode"
 fi
 if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
  ARGS="$ARGS --ignore-unfixed"
@@ -121,9 +105,8 @@ if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];the
  ARGS="$ARGS --vuln-type $vulnType"
  SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
 fi
-if [ $scanners ];then
+if [ $securityChecks ];then
-  ARGS="$ARGS --scanners $scanners"
+  ARGS="$ARGS --security-checks $securityChecks"
  SARIF_ARGS="$SARIF_ARGS --scanners $scanners"
 fi
 if [ $severity ];then
  ARGS="$ARGS --severity $severity"
@@ -138,10 +121,6 @@ if [ $skipDirs ];then
    SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
  done
 fi
 if [ $tfVars ] && [ "$scanType" == "config" ];then
  ARGS="$ARGS --tf-vars $tfVars"
 fi
 if [ $trivyIgnores ];then
  for f in $(echo $trivyIgnores | tr "," "\n")
  do
@@ -158,18 +137,13 @@ if [ $trivyIgnores ];then
 fi
 if [ $timeout ];then
  ARGS="$ARGS --timeout $timeout"
  SARIF_ARGS="$SARIF_ARGS --timeout $timeout"
 fi
 if [ $ignorePolicy ];then
  ARGS="$ARGS --ignore-policy $ignorePolicy"
  SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy"
 fi
 if [ "$hideProgress" == "true" ];then
-  ARGS="$ARGS --quiet"
+  ARGS="$ARGS --no-progress"
  SARIF_ARGS="$SARIF_ARGS --quiet"
 fi
 if [ $dockerHost ];then
  ARGS="$ARGS --docker-host $dockerHost"
 fi
 listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
@@ -180,37 +154,26 @@ if [ "$skipFiles" ];then
  for i in $(echo $skipFiles | tr "," "\n")
  do
    ARGS="$ARGS --skip-files $i"
    SARIF_ARGS="$SARIF_ARGS --skip-files $i"
  done
 fi
-trivyConfig=$(echo $trivyConfig | tr -d '\r')
+echo "Running trivy with options: ${ARGS}" "${artifactRef}"
-# To make sure that uploda GitHub Dependency Snapshot succeeds, disable the script that fails first.
+echo "Global options: " "${GLOBAL_ARGS}"
-set +e
+trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
 if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
  # SARIF is special. We output all vulnerabilities,
  # regardless of severity level specified in this report.
  # This is a feature, not a bug :)
  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
  trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
 elif [ $trivyConfig ]; then
   echo "Running Trivy with trivy.yaml config from: " $trivyConfig
   trivy --config $trivyConfig ${scanType} ${artifactRef}
 else
   echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
   echo "Global options: " "${GLOBAL_ARGS}"
   trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
 fi
 returnCode=$?
-set -e
+# SARIF is special. We output all vulnerabilities,
-if [[ "${format}" == "github" ]]; then
+# regardless of severity level specified in this report.
-  if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
+# This is a feature, not a bug :)
-    printf "\n Uploading GitHub Dependency Snapshot"
+if [[ "${format}" == "sarif" ]]; then
-    curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubPAT" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
+  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
-  else
+  trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
    printf "\n Failing GitHub Dependency Snapshot. Missing github-pat"
  fi
 fi
 if [[ "${format}" == "github" ]] && [[ "$(echo $githubPAT | xargs)" != "" ]]; then
  echo "Uploading GitHub Dependency Snapshot"
  curl -u "${githubPAT}" -H 'Content-Type: application/json' 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
 fi
 echo "returnCode: " $returnCode
 exit $returnCode
@@ -1,18 +0,0 @@
 # test data for trivy config with terraform variables
 variable "bucket_versioning_enabled" {
  type    = string
  default = "Disabled"
 }
 resource "aws_s3_bucket" "bucket" {
  bucket = "trivy-action-bucket"
 }
 resource "aws_s3_bucket_versioning" "bucket_versioning" {
  bucket = aws_s3_bucket.bucket.id
  versioning_configuration {
    status = var.bucket_versioning_enabled
  }
 }
@@ -1,74 +0,0 @@
 {
  "version": "2.1.0",
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "fullName": "Trivy Vulnerability Scanner",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "name": "Trivy",
          "rules": [
            {
              "id": "AVD-AWS-0089",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "S3 Bucket Logging"
              },
              "fullDescription": {
                "text": "Ensures S3 bucket logging is enabled for S3 buckets"
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0089",
              "help": {
                "text": "Misconfiguration AVD-AWS-0089\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 Bucket Logging\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)\nEnsures S3 bucket logging is enabled for S3 buckets",
                "markdown": "**Misconfiguration AVD-AWS-0089**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)|\n\nEnsures S3 bucket logging is enabled for S3 buckets"
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "2.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "LOW"
                ]
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "AVD-AWS-0089",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0089\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "main.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 8,
                  "startColumn": 1,
                  "endLine": 10,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "main.tf"
              }
            }
          ]
        }
      ],
      "columnKind": "utf16CodeUnits"
    }
  ]
 }
@@ -1,18 +0,0 @@
 # test data for trivy config with terraform variables
 variable "bucket_versioning_enabled" {
  type    = string
  default = "Disabled"
 }
 resource "aws_s3_bucket" "bucket" {
  bucket = "trivy-action-bucket"
 }
 resource "aws_s3_bucket_versioning" "bucket_versioning" {
  bucket = aws_s3_bucket.bucket.id
  versioning_configuration {
    status = var.bucket_versioning_enabled
  }
 }
@@ -1,101 +0,0 @@
 {
  "SchemaVersion": 2,
  "ArtifactName": "test/data/config-scan",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": ".",
      "Class": "config",
      "Type": "terraform",
      "MisconfSummary": {
        "Successes": 2,
        "Failures": 0,
        "Exceptions": 0
      }
    },
    {
      "Target": "main.tf",
      "Class": "config",
      "Type": "terraform",
      "MisconfSummary": {
        "Successes": 0,
        "Failures": 1,
        "Exceptions": 0
      },
      "Misconfigurations": [
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0089",
          "AVDID": "AVD-AWS-0089",
          "Title": "S3 Bucket Logging",
          "Description": "Ensures S3 bucket logging is enabled for S3 buckets",
          "Message": "Bucket has logging disabled",
          "Namespace": "builtin.aws.s3.aws0089",
          "Query": "data.builtin.aws.s3.aws0089.deny",
          "Resolution": "Add a logging block to the resource to enable access logging",
          "Severity": "LOW",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
          "References": [
            "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0089"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "aws_s3_bucket.bucket",
            "Provider": "AWS",
            "Service": "s3",
            "StartLine": 8,
            "EndLine": 10,
            "Code": {
              "Lines": [
                {
                  "Number": 8,
                  "Content": "resource \"aws_s3_bucket\" \"bucket\" {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
                  "FirstCause": true,
                  "LastCause": false
                },
                {
                  "Number": 9,
                  "Content": "  bucket = \"trivy-action-bucket\"",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "Highlighted": "  \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 10,
                  "Content": "}",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "Highlighted": "\u001b[0m}",
                  "FirstCause": false,
                  "LastCause": true
                }
              ]
            }
          }
        }
      ]
    }
  ]
 }
@@ -0,0 +1,56 @@
 {
  "SchemaVersion": 2,
  "ArtifactName": ".",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "Dockerfile",
      "Class": "config",
      "Type": "dockerfile",
      "MisconfSummary": {
        "Successes": 21,
        "Failures": 1,
        "Exceptions": 0
      },
      "Misconfigurations": [
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS002",
          "Title": "Image user should not be 'root'",
          "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
          "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
          "Namespace": "builtin.dockerfile.DS002",
          "Query": "data.builtin.dockerfile.DS002.deny",
          "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
          "References": [
            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
            "https://avd.aquasec.com/misconfig/ds002"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        }
      ]
    }
  ]
 }
@@ -0,0 +1,56 @@
 {
  "SchemaVersion": 2,
  "ArtifactName": ".",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "Dockerfile",
      "Class": "config",
      "Type": "dockerfile",
      "MisconfSummary": {
        "Successes": 21,
        "Failures": 1,
        "Exceptions": 0
      },
      "Misconfigurations": [
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS002",
          "Title": "Image user should not be 'root'",
          "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
          "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
          "Namespace": "builtin.dockerfile.DS002",
          "Query": "data.builtin.dockerfile.DS002.deny",
          "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
          "References": [
            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
            "https://avd.aquasec.com/misconfig/ds002"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        }
      ]
    }
  ]
 }
@@ -0,0 +1,17 @@
 {
  "SchemaVersion": 2,
  "ArtifactName": ".",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  }
 }
@@ -1,98 +0,0 @@
 knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
 ========================================
 Total: 19 (CRITICAL: 19)
 ┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
 │   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
 ├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ curl        │ CVE-2018-14618 │ CRITICAL │ fixed  │ 7.61.0-r0         │ 7.61.1-r0     │ curl: NTLM password overflow via integer overflow            │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-14618                   │
 │             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
 │             │ CVE-2018-16839 │          │        │                   │ 7.61.1-r1     │ curl: Integer overflow leading to heap-based buffer overflow │
 │             │                │          │        │                   │               │ in Curl_sasl_create_plain_message()                          │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16839                   │
 │             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
 │             │ CVE-2018-16840 │          │        │                   │               │ curl: Use-after-free when closing "easy" handle in           │
 │             │                │          │        │                   │               │ Curl_close()                                                 │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16840                   │
 │             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
 │             │ CVE-2018-16842 │          │        │                   │               │ curl: Heap-based buffer over-read in the curl tool warning   │
 │             │                │          │        │                   │               │ formatting                                                   │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16842                   │
 │             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
 │             │ CVE-2019-3822  │          │        │                   │ 7.61.1-r2     │ curl: NTLMv2 type-3 header stack buffer overflow             │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-3822                    │
 │             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
 │             │ CVE-2019-5481  │          │        │                   │ 7.61.1-r3     │ curl: double free due to subsequent call of realloc()        │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-5481                    │
 │             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
 │             │ CVE-2019-5482  │          │        │                   │               │ curl: heap buffer overflow in function tftp_receive_packet() │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-5482                    │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ git         │ CVE-2018-17456 │          │        │ 2.15.2-r0         │ 2.15.3-r0     │ git: arbitrary code execution via .gitmodules                │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-17456                   │
 │             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
 │             │ CVE-2019-1353  │          │        │                   │ 2.15.4-r0     │ git: NTFS protections inactive when running Git in the       │
 │             │                │          │        │                   │               │ Windows Subsystem for...                                     │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1353                    │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ libbz2      │ CVE-2019-12900 │          │        │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ libcurl     │ CVE-2018-16839 │          │        │ 7.61.1-r0         │ 7.61.1-r1     │ curl: Integer overflow leading to heap-based buffer overflow │
 │             │                │          │        │                   │               │ in Curl_sasl_create_plain_message()                          │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16839                   │
 │             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
 │             │ CVE-2018-16840 │          │        │                   │               │ curl: Use-after-free when closing "easy" handle in           │
 │             │                │          │        │                   │               │ Curl_close()                                                 │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16840                   │
 │             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
 │             │ CVE-2018-16842 │          │        │                   │               │ curl: Heap-based buffer over-read in the curl tool warning   │
 │             │                │          │        │                   │               │ formatting                                                   │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16842                   │
 │             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
 │             │ CVE-2019-3822  │          │        │                   │ 7.61.1-r2     │ curl: NTLMv2 type-3 header stack buffer overflow             │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-3822                    │
 │             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
 │             │ CVE-2019-5481  │          │        │                   │ 7.61.1-r3     │ curl: double free due to subsequent call of realloc()        │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-5481                    │
 │             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
 │             │ CVE-2019-5482  │          │        │                   │               │ curl: heap buffer overflow in function tftp_receive_packet() │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-5482                    │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ musl        │ CVE-2019-14697 │          │        │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack     │
 │             │                │          │        │                   │               │ adjustment im ......                                         │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697                   │
 ├─────────────┤                │          │        │                   │               │                                                              │
 │ musl-utils  │                │          │        │                   │               │                                                              │
 │             │                │          │        │                   │               │                                                              │
 │             │                │          │        │                   │               │                                                              │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ sqlite-libs │ CVE-2019-8457  │          │        │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
 └─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
 rust-app/Cargo.lock (cargo)
 ===========================
 Total: 4 (CRITICAL: 4)
 ┌───────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
 │  Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
 ├───────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
 │ rand_core │ CVE-2020-25576 │ CRITICAL │ fixed  │ 0.4.0             │ 0.4.2, 0.3.1  │ An issue was discovered in the rand_core crate before 0.4.2 │
 │           │                │          │        │                   │               │ for Rust....                                                │
 │           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-25576                  │
 ├───────────┼────────────────┤          │        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
 │ smallvec  │ CVE-2019-15551 │          │        │ 0.6.9             │ 0.6.10        │ An issue was discovered in the smallvec crate before 0.6.10 │
 │           │                │          │        │                   │               │ for Rust....                                                │
 │           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-15551                  │
 │           ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
 │           │ CVE-2019-15554 │          │        │                   │               │ An issue was discovered in the smallvec crate before 0.6.10 │
 │           │                │          │        │                   │               │ for Rust....                                                │
 │           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-15554                  │
 │           ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
 │           │ CVE-2021-25900 │          │        │                   │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
 │           │                │          │        │                   │               │ and 1.x...                                                  │
 │           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-25900                  │
 └───────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
@@ -0,0 +1,34 @@
 {
  "SchemaVersion": 2,
  "ArtifactName": "https://github.com/krol3/demo-trivy/",
  "ArtifactType": "repository",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "env",
      "Class": "secret",
      "Secrets": [
        {
          "RuleID": "github-pat",
          "Category": "GitHub",
          "Severity": "CRITICAL",
          "Title": "GitHub Personal Access Token",
          "StartLine": 5,
          "EndLine": 5,
          "Match": "export GITHUB_PAT=*****"
        }
      ]
    }
  ]
 }
@@ -0,0 +1,17 @@
 {
  "SchemaVersion": 2,
  "ArtifactName": ".",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  }
 }
@@ -1,77 +0,0 @@
 {
  "SchemaVersion": 2,
  "ArtifactName": "https://github.com/krol3/demo-trivy/",
  "ArtifactType": "repository",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "env",
      "Class": "secret",
      "Secrets": [
        {
          "RuleID": "github-pat",
          "Category": "GitHub",
          "Severity": "CRITICAL",
          "Title": "GitHub Personal Access Token",
          "StartLine": 5,
          "EndLine": 5,
          "Code": {
            "Lines": [
              {
                "Number": 3,
                "Content": "export AWS_ACCESS_KEY_ID=1234567",
                "IsCause": false,
                "Annotation": "",
                "Truncated": false,
                "Highlighted": "export AWS_ACCESS_KEY_ID=1234567",
                "FirstCause": false,
                "LastCause": false
              },
              {
                "Number": 4,
                "Content": "",
                "IsCause": false,
                "Annotation": "",
                "Truncated": false,
                "FirstCause": false,
                "LastCause": false
              },
              {
                "Number": 5,
                "Content": "export GITHUB_PAT=****************************************",
                "IsCause": true,
                "Annotation": "",
                "Truncated": false,
                "Highlighted": "export GITHUB_PAT=****************************************",
                "FirstCause": true,
                "LastCause": true
              },
              {
                "Number": 6,
                "Content": "",
                "IsCause": false,
                "Annotation": "",
                "Truncated": false,
                "FirstCause": false,
                "LastCause": false
              }
            ]
          },
          "Match": "export GITHUB_PAT=****************************************",
          "Layer": {}
        }
      ]
    }
  ]
 }
@@ -1,86 +0,0 @@
 knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
 ========================================
 Total: 19 (CRITICAL: 19)
 ┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
 │   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
 ├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ curl        │ CVE-2018-14618 │ CRITICAL │ fixed  │ 7.61.0-r0         │ 7.61.1-r0     │ curl: NTLM password overflow via integer overflow            │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-14618                   │
 │             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
 │             │ CVE-2018-16839 │          │        │                   │ 7.61.1-r1     │ curl: Integer overflow leading to heap-based buffer overflow │
 │             │                │          │        │                   │               │ in Curl_sasl_create_plain_message()                          │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16839                   │
 │             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
 │             │ CVE-2018-16840 │          │        │                   │               │ curl: Use-after-free when closing "easy" handle in           │
 │             │                │          │        │                   │               │ Curl_close()                                                 │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16840                   │
 │             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
 │             │ CVE-2018-16842 │          │        │                   │               │ curl: Heap-based buffer over-read in the curl tool warning   │
 │             │                │          │        │                   │               │ formatting                                                   │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16842                   │
 │             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
 │             │ CVE-2019-3822  │          │        │                   │ 7.61.1-r2     │ curl: NTLMv2 type-3 header stack buffer overflow             │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-3822                    │
 │             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
 │             │ CVE-2019-5481  │          │        │                   │ 7.61.1-r3     │ curl: double free due to subsequent call of realloc()        │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-5481                    │
 │             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
 │             │ CVE-2019-5482  │          │        │                   │               │ curl: heap buffer overflow in function tftp_receive_packet() │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-5482                    │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ git         │ CVE-2018-17456 │          │        │ 2.15.2-r0         │ 2.15.3-r0     │ git: arbitrary code execution via .gitmodules                │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-17456                   │
 │             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
 │             │ CVE-2019-1353  │          │        │                   │ 2.15.4-r0     │ git: NTFS protections inactive when running Git in the       │
 │             │                │          │        │                   │               │ Windows Subsystem for...                                     │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1353                    │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ libbz2      │ CVE-2019-12900 │          │        │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ libcurl     │ CVE-2018-16839 │          │        │ 7.61.1-r0         │ 7.61.1-r1     │ curl: Integer overflow leading to heap-based buffer overflow │
 │             │                │          │        │                   │               │ in Curl_sasl_create_plain_message()                          │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16839                   │
 │             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
 │             │ CVE-2018-16840 │          │        │                   │               │ curl: Use-after-free when closing "easy" handle in           │
 │             │                │          │        │                   │               │ Curl_close()                                                 │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16840                   │
 │             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
 │             │ CVE-2018-16842 │          │        │                   │               │ curl: Heap-based buffer over-read in the curl tool warning   │
 │             │                │          │        │                   │               │ formatting                                                   │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16842                   │
 │             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
 │             │ CVE-2019-3822  │          │        │                   │ 7.61.1-r2     │ curl: NTLMv2 type-3 header stack buffer overflow             │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-3822                    │
 │             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
 │             │ CVE-2019-5481  │          │        │                   │ 7.61.1-r3     │ curl: double free due to subsequent call of realloc()        │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-5481                    │
 │             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
 │             │ CVE-2019-5482  │          │        │                   │               │ curl: heap buffer overflow in function tftp_receive_packet() │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-5482                    │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ musl        │ CVE-2019-14697 │          │        │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack     │
 │             │                │          │        │                   │               │ adjustment im ......                                         │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697                   │
 ├─────────────┤                │          │        │                   │               │                                                              │
 │ musl-utils  │                │          │        │                   │               │                                                              │
 │             │                │          │        │                   │               │                                                              │
 │             │                │          │        │                   │               │                                                              │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ sqlite-libs │ CVE-2019-8457  │          │        │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
 └─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
 rust-app/Cargo.lock (cargo)
 ===========================
 Total: 1 (CRITICAL: 1)
 ┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
 │ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
 ├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
 │ smallvec │ CVE-2021-25900 │ CRITICAL │ fixed  │ 0.6.9             │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
 │          │                │          │        │                   │               │ and 1.x...                                                  │
 │          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-25900                  │
 └──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
@@ -1,2 +0,0 @@
 # test data for trivy config with terraform variables
 bucket_versioning_enabled="Enabled"
@@ -1,18 +0,0 @@
 # test data for trivy config with terraform variables
 variable "bucket_versioning_enabled" {
  type    = string
  default = "Disabled"
 }
 resource "aws_s3_bucket" "bucket" {
  bucket = "trivy-action-bucket"
 }
 resource "aws_s3_bucket_versioning" "bucket_versioning" {
  bucket = aws_s3_bucket.bucket.id
  versioning_configuration {
    status = var.bucket_versioning_enabled
  }
 }
@@ -1,34 +0,0 @@
 {
  "SchemaVersion": 2,
  "ArtifactName": "test/data/with-tf-vars/main.tf",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": ".",
      "Class": "config",
      "Type": "terraform",
      "MisconfSummary": {
        "Successes": 2,
        "Failures": 0,
        "Exceptions": 0
      }
    },
    {
      "Target": "main.tf",
      "Class": "config",
      "Type": "terraform"
    }
  ]
 }
@@ -1,122 +0,0 @@
 {
  "SchemaVersion": 2,
  "ArtifactName": "alpine:3.10",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "alpine",
      "Name": "3.10.9",
      "EOSL": true
    },
    "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
    "DiffIDs": [
      "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
    ],
    "RepoTags": [
      "alpine:3.10"
    ],
    "RepoDigests": [
      "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
      "created": "2021-04-14T19:20:05.338397761Z",
      "docker_version": "19.03.12",
      "history": [
        {
          "created": "2021-04-14T19:20:04.987219124Z",
          "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
        },
        {
          "created": "2021-04-14T19:20:05.338397761Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
          "empty_layer": true
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
        ]
      },
      "config": {
        "Cmd": [
          "/bin/sh"
        ],
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
        "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
      }
    }
  },
  "Results": [
    {
      "Target": "alpine:3.10 (alpine 3.10.9)",
      "Class": "os-pkgs",
      "Type": "alpine",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2021-36159",
          "PkgID": "apk-tools@2.10.6-r0",
          "PkgName": "apk-tools",
          "PkgIdentifier": {
            "PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9",
            "UID": "99f6581ffed6b22"
          },
          "InstalledVersion": "2.10.6-r0",
          "FixedVersion": "2.10.7-r0",
          "Status": "fixed",
          "Layer": {
            "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
            "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
          "DataSource": {
            "ID": "alpine",
            "Name": "Alpine Secdb",
            "URL": "https://secdb.alpinelinux.org/"
          },
          "Title": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash",
          "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
          "Severity": "CRITICAL",
          "CweIDs": [
            "CWE-125"
          ],
          "VendorSeverity": {
            "nvd": 4,
            "redhat": 3
          },
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
              "V2Score": 6.4,
              "V3Score": 9.1
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
              "V3Score": 9.1
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2021-36159",
            "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
            "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
            "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E",
            "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E",
            "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E",
            "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-36159",
            "https://www.cve.org/CVERecord?id=CVE-2021-36159"
          ],
          "PublishedDate": "2021-08-03T14:15:08.233Z",
          "LastModifiedDate": "2023-11-07T03:36:43.337Z"
        }
      ]
    }
  ]
 }
@@ -1,5 +0,0 @@
 format: json
 severity: CRITICAL
 vulnerability:
  type: os
 output: yamlconfig.json
@@ -1,123 +1,65 @@
 #!/usr/bin/env bats
-
+load '/usr/lib/bats-support/load.bash'
-setup_file() {
+load '/usr/lib/bats-assert/load.bash'
  local owner=$GITHUB_REPOSITORY_OWNER
  export TRIVY_DB_REPOSITORY=ghcr.io/${owner}/trivy-db-act:latest
  export TRIVY_JAVA_DB_REPOSITORY=ghcr.io/${owner}/trivy-java-db-act:latest
  export TRIVY_CHECKS_BUNDLE_REPOSITORY=ghcr.io/${owner}/trivy-checks-act:latest
 }
 setup() {
  bats_load_library bats-support
  bats_load_library bats-assert
  bats_load_library bats-file
 }
 function remove_json_fields() {
  local file="$1"
  if [[ "$file" == *.json ]]; then
      jq 'del(.CreatedAt)' "$file" > tmp && mv tmp "$file"
  fi
 }
 function remove_sarif_fields() {
  local file="$1"
  if [[ "$file" == *.sarif ]]; then
      jq 'del(.runs[].tool.driver.version) | del(.runs[].originalUriBaseIds)' "$file" > tmp && mv tmp "$file"
  fi
 }
 function remove_github_fields() {
  local file="$1"
  if [[ "$file" == *.gsbom  ]]; then
      jq 'del(.detector.version) | del(.scanned) | del(.job) | del(.ref) | del(.sha)' "$file" > tmp && mv tmp "$file"
  fi
 }
 function compare_files() {
  local file1="$1"
  local file2="$2"
  # Some fields should be removed as they are environment dependent 
  # and may cause undesirable results when comparing files.
  remove_json_fields "$file1"
  remove_json_fields "$file2"
  remove_sarif_fields "$file1"
  remove_sarif_fields "$file2"
  remove_github_fields "$file1"
  remove_github_fields "$file2"
  run diff "$file1" "$file2"
  echo "$output"
  assert_files_equal "$file1" "$file2"
 }
@test "trivy repo with securityCheck secret only" {
  # trivy repo -f json -o repo.test --scanners=secret https://github.com/krol3/demo-trivy/
  run ./entrypoint.sh '-b json' '-h repo.json' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
  compare_files repo.json ./test/data/secret-scan/report.json
 }
@test "trivy image" {
-  # trivy image --severity CRITICAL -o image.test knqyf263/vuln-image:1.2.3
+  # trivy image --severity CRITICAL --format json --output image.test knqyf263/vuln-image:1.2.3
-  run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
+  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b json' '-h image.test' '-g CRITICAL'
-  compare_files image.test ./test/data/image-scan/report
+  result="$(diff ./test/data/image.test image.test)"
  [ "$result" == '' ]
 }
-@test "trivy config sarif report" {
+@test "trivy image sarif report" {
-  # trivy config -f sarif -o  config-sarif.test ./test/data/config-sarif-report
+  # trivy image --severity CRITICAL -f sarif --output image-sarif.test knqyf263/vuln-image:1.2.3
-  run ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.sarif' '-j ./test/data/config-sarif-report/main.tf'
+  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b sarif' '-h image-sarif.test' '-g CRITICAL'
-  compare_files config-sarif.sarif ./test/data/config-sarif-report/report.sarif
+  result="$(diff ./test/data/image-sarif.test image-sarif.test)"
  [ "$result" == '' ]
 }
@test "trivy config" {
-  # trivy config -f json -o config.json ./test/data/config-scan
+  # trivy config --format json --output config.test .
-  run ./entrypoint.sh '-a config' '-b json' '-j ./test/data/config-scan' '-h config.json'
+  ./entrypoint.sh '-a config' '-j .' '-b json' '-h config.test'
-  compare_files config.json ./test/data/config-scan/report.json
+  result="$(diff ./test/data/config.test config.test)"
  [ "$result" == '' ]
 }
@test "trivy rootfs" {
-  # trivy rootfs --output rootfs.test ./test/data/rootfs-scan
+  # trivy rootfs --format json --output rootfs.test .
-  # TODO: add data
+  ./entrypoint.sh '-a rootfs' '-j .' '-b json' '-h rootfs.test'
-  run ./entrypoint.sh '-a rootfs' '-j ./test/data/rootfs-scan' '-h rootfs.test'
+  result="$(diff ./test/data/rootfs.test rootfs.test)"
-  compare_files rootfs.test ./test/data/rootfs-scan/report
+  [ "$result" == '' ]
 }
@test "trivy fs" {
-  # trivy fs --output fs.test ./test/data/fs-scan
+  # trivy fs --format json --output fs.test .
-  # TODO: add data
+  ./entrypoint.sh '-a fs' '-j .' '-b json' '-h fs.test'
-  run ./entrypoint.sh '-a fs' '-j ./test/data/fs-scan' '-h fs.test'
+  result="$(diff ./test/data/fs.test fs.test)"
-  compare_files fs.test ./test/data/fs-scan/report
+  [ "$result" == '' ]
 }
@test "trivy fs with securityChecks option" {
  # trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
  ./entrypoint.sh '-a fs' '-j .' '-b json' '-s vuln,config,secret' '-h fs-scheck.test'
  result="$(diff ./test/data/fs-scheck.test fs-scheck.test)"
  [ "$result" == '' ]
 }
@test "trivy repo with securityCheck secret only" {
  # trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
  ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
  result="$(diff ./test/data/repo.test repo.test)"
  [ "$result" == '' ]
 }
@test "trivy image with trivyIgnores option" {
-  # cat ./test/data/with-ignore-files/.trivyignore1 ./test/data/with-ignore-files/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL  --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
+  # cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --format json --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
-  run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/with-ignore-files/.trivyignore1,./test/data/with-ignore-files/.trivyignore2'
+  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b json' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
-  compare_files image-trivyignores.test ./test/data/with-ignore-files/report
+  result="$(diff ./test/data/image-trivyignores.test image-trivyignores.test)"
  [ "$result" == '' ]
 }
@test "trivy image with sbom output" {
  # trivy image --format  github knqyf263/vuln-image:1.2.3
-  run ./entrypoint.sh  "-a image" "-b github" "-h github-dep-snapshot.gsbom" "-i knqyf263/vuln-image:1.2.3"
+  run ./entrypoint.sh  "-a image" "-b github" "-i knqyf263/vuln-image:1.2.3"
-  compare_files github-dep-snapshot.gsbom ./test/data/github-dep-snapshot/report.gsbom
+  assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' # TODO: Output contains time, need to mock
 }
@test "trivy image with trivy.yaml config" {
  # trivy --config=./test/data/with-trivy-yaml-cfg/trivy.yaml image alpine:3.10
  run ./entrypoint.sh "-v ./test/data/with-trivy-yaml-cfg/trivy.yaml" "-a image" "-i alpine:3.10"
  compare_files yamlconfig.json ./test/data/with-trivy-yaml-cfg/report.json
 }
@test "trivy image with custom docker-host" {
  # trivy image --docker-host unix:///var/run/docker.sock --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
  run ./entrypoint.sh '-y unix:///var/run/docker.sock' '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
  compare_files image.test ./test/data/image-scan/report
 }
@test "trivy config with terraform variables" {
  # trivy config -f json -o tfvars.json --severity  MEDIUM  --tf-vars  ./test/data/with-tf-vars/dev.tfvars ./test/data/with-tf-vars/main.tf  
  run ./entrypoint.sh "-a config"  "-j ./test/data/with-tf-vars/main.tf" "-h tfvars.json" "-g MEDIUM" "-x ./test/data/with-tf-vars/dev.tfvars" "-b json"
  compare_files tfvars.json ./test/data/with-tf-vars/report.json
 }
@@ -7,10 +7,10 @@ on:
 jobs:
  build:
    name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
      - name: Build an image from Dockerfile
        run: |
@@ -29,6 +29,6 @@ jobs:
          severity: 'CRITICAL,HIGH'
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
		`@@ -1,2 +0,0 @@`
			`# test data for trivy config with terraform variables`
			`bucket_versioning_enabled="Enabled"`