update tests

aquasecurity · Apr 12, 2024 · 90f38eb · 90f38eb
1 parent 207cd40
commit 90f38eb
Show file tree

Hide file tree

Showing 26 changed files with 1,990 additions and 1,556 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
diff --git a/.github/workflows/sync-trivy-checks.yaml b/.github/workflows/sync-trivy-checks.yaml
@@ -0,0 +1,24 @@
+name: Sync Trivy Checks
+
+on:
+  workflow_dispatch:
+env:
+  IMAGE_NAME: ${{ github.repository_owner }}/trivy-checks
+  REGISTRY: ghcr.io
+
+jobs:
+  sync-trivy-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to GitHub Packages Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Copy Trivy Checks
+        run: |
+          oras cp ghcr.io/aquasecurity/trivy-checks:0 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
diff --git a/.github/workflows/sync-trivy-db.yaml b/.github/workflows/sync-trivy-db.yaml
@@ -0,0 +1,24 @@
+name: Sync Trivy DB
+
+on:
+  workflow_dispatch:
+env:
+  IMAGE_NAME: ${{ github.repository_owner }}/trivy-db
+  REGISTRY: ghcr.io
+
+jobs:
+  sync-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to GitHub Packages Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Copy Trivy Checks
+        run: |
+          oras cp ghcr.io/aquasecurity/trivy-db:2 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
diff --git a/.github/workflows/sync-trivy-java-db.yaml b/.github/workflows/sync-trivy-java-db.yaml
@@ -0,0 +1,24 @@
+name: Sync Trivy Java DB
+
+on:
+  workflow_dispatch:
+env:
+  IMAGE_NAME: ${{ github.repository_owner }}/trivy-java-db
+  REGISTRY: ghcr.io
+
+jobs:
+  sync-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to GitHub Packages Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Copy Trivy Checks
+        run: |
+          oras cp ghcr.io/aquasecurity/trivy-java-db:1 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -0,0 +1,29 @@
+name: Test
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+env:
+  TRIVY_VERSION: 0.50.1
+  BATS_LIB_PATH: '/usr/lib/'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Bats and bats libs
+        uses: bats-core/bats-action@2.0.0
+
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
+          trivy --version
+
+      - name: Test
+        run: |
+          chmod +x entrypoint.sh 
+          bats -r -T .
diff --git a/test/data/main.tf → test/data/config-sarif-report/main.tf b/test/data/main.tf → test/data/config-sarif-report/main.tf
diff --git a/test/data/config-sarif-report/report.sarif b/test/data/config-sarif-report/report.sarif
diff --git a/test/data/config-sarif.test b/test/data/config-sarif.test
diff --git a/test/data/config-scan/main.tf b/test/data/config-scan/main.tf
@@ -0,0 +1,18 @@
+# test data for trivy config with terraform variables
+
+variable "bucket_versioning_enabled" {
+  type    = string
+  default = "Disabled"
+}
+
+resource "aws_s3_bucket" "bucket" {
+  bucket = "trivy-action-bucket"
+}
+
+resource "aws_s3_bucket_versioning" "bucket_versioning" {
+  bucket = aws_s3_bucket.bucket.id
+
+  versioning_configuration {
+    status = var.bucket_versioning_enabled
+  }
+}
diff --git a/test/data/config.test → test/data/config-scan/report.json b/test/data/config.test → test/data/config-scan/report.json
@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
-  "CreatedAt": "2024-01-02T23:40:12.036390742Z",
-  "ArtifactName": ".",
+  "CreatedAt": "2024-04-12T16:53:35.5567541+03:00",
+  "ArtifactName": "test/data/config-scan",
   "ArtifactType": "filesystem",
   "Metadata": {
     "ImageConfig": {
@@ -17,71 +17,7 @@
   },
   "Results": [
     {
-      "Target": "Dockerfile",
-      "Class": "config",
-      "Type": "dockerfile",
-      "MisconfSummary": {
-        "Successes": 24,
-        "Failures": 2,
-        "Exceptions": 0
-      },
-      "Misconfigurations": [
-        {
-          "Type": "Dockerfile Security Check",
-          "ID": "DS002",
-          "AVDID": "AVD-DS-0002",
-          "Title": "Image user should not be 'root'",
-          "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
-          "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
-          "Namespace": "builtin.dockerfile.DS002",
-          "Query": "data.builtin.dockerfile.DS002.deny",
-          "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
-          "Severity": "HIGH",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
-          "References": [
-            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
-            "https://avd.aquasec.com/misconfig/ds002"
-          ],
-          "Status": "FAIL",
-          "Layer": {},
-          "CauseMetadata": {
-            "Provider": "Dockerfile",
-            "Service": "general",
-            "Code": {
-              "Lines": null
-            }
-          }
-        },
-        {
-          "Type": "Dockerfile Security Check",
-          "ID": "DS026",
-          "AVDID": "AVD-DS-0026",
-          "Title": "No HEALTHCHECK defined",
-          "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
-          "Message": "Add HEALTHCHECK instruction in your Dockerfile",
-          "Namespace": "builtin.dockerfile.DS026",
-          "Query": "data.builtin.dockerfile.DS026.deny",
-          "Resolution": "Add HEALTHCHECK instruction in Dockerfile",
-          "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
-          "References": [
-            "https://blog.aquasec.com/docker-security-best-practices",
-            "https://avd.aquasec.com/misconfig/ds026"
-          ],
-          "Status": "FAIL",
-          "Layer": {},
-          "CauseMetadata": {
-            "Provider": "Dockerfile",
-            "Service": "general",
-            "Code": {
-              "Lines": null
-            }
-          }
-        }
-      ]
-    },
-    {
-      "Target": "test/data",
+      "Target": ".",
       "Class": "config",
       "Type": "terraform",
       "MisconfSummary": {
@@ -91,7 +27,7 @@
       }
     },
     {
-      "Target": "test/data/main.tf",
+      "Target": "main.tf",
       "Class": "config",
       "Type": "terraform",
       "MisconfSummary": {
@@ -436,15 +372,15 @@
             "Occurrences": [
               {
                 "Resource": "versioning_configuration",
-                "Filename": "test/data/main.tf",
+                "Filename": "main.tf",
                 "Location": {
                   "StartLine": 15,
                   "EndLine": 17
                 }
               },
               {
                 "Resource": "aws_s3_bucket_versioning.bucket_versioning",
-                "Filename": "test/data/main.tf",
+                "Filename": "main.tf",
                 "Location": {
                   "StartLine": 12,
                   "EndLine": 18

diff --git a/test/data/fs.test → test/data/fs-scan/report b/test/data/fs.test → test/data/fs-scan/report