Merge branch 'master' into feat/addDockerHost

aquasecurity · Apr 3, 2024 · a5562a9 · a5562a9
2 parents 129ed55 + f72b7e8
commit a5562a9
Show file tree

Hide file tree

Showing 15 changed files with 1,910 additions and 57 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -1,7 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
-  TRIVY_VERSION: 0.45.0
+  TRIVY_VERSION: 0.50.1
   BATS_LIB_PATH: '/usr/lib/'
 jobs:
   build:
@@ -25,4 +25,4 @@ jobs:
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
 
       - name: Test
-        run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .
+        run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.45.0
+FROM ghcr.io/aquasecurity/trivy:0.50.1
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl npm
 RUN chmod +x /entrypoint.sh

diff --git a/README.md b/README.md
diff --git a/action.yaml b/action.yaml
@@ -65,7 +65,7 @@ inputs:
     required: false
     default: ''
   hide-progress:
-    description: 'hide progress output'
+    description: 'suppress progress bar and log output'
     required: false
   list-all-pkgs:
     description: 'output all packages regardless of vulnerability'
@@ -88,6 +88,9 @@ inputs:
   trivy-config:
     description: 'path to trivy.yaml config'
     required: false
+  tf-vars:
+    description: "path to terraform tfvars file"
+    required: false
   limit-severities-for-sarif:
     description: 'limit severities for SARIF format'
     required: false
@@ -121,5 +124,6 @@ runs:
     - '-t ${{ inputs.trivyignores }}'
     - '-u ${{ inputs.github-pat }}'
     - '-v ${{ inputs.trivy-config }}'
+    - '-x ${{ inputs.tf-vars }}'
     - '-z ${{ inputs.limit-severities-for-sarif }}'
     - '-y ${{ inputs.docker-host }}'
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:y:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:y:z:" o; do
    case "${o}" in
        a)
          export scanType=${OPTARG}
@@ -68,19 +68,22 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:y:" o; do
        v)
          export trivyConfig=${OPTARG}
        ;;
-       z)
-         export limitSeveritiesForSARIF=${OPTARG}
+       x)
+         export tfVars=${OPTARG}
        ;;
        y)
          export dockerHost=${OPTARG}
        ;;
+       z)
+         export limitSeveritiesForSARIF=${OPTARG}
+       ;;
   esac
 done
 
 
 scanType=$(echo $scanType | tr -d '\r')
 export artifactRef="${imageRef}"
-if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] ||  [ "${scanType}" = "config" ] ||  [ "${scanType}" = "rootfs" ];then
+if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] ||  [ "${scanType}" = "config" ] ||  [ "${scanType}" = "rootfs" ] || [ "${scanType}" = "sbom" ];then
   artifactRef=$(echo $scanRef | tr -d '\r')
 fi
 input=$(echo $input | tr -d '\r')
@@ -135,6 +138,10 @@ if [ $skipDirs ];then
     SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
   done
 fi
+if [ $tfVars ] && [ "$scanType" == "config" ];then
+  ARGS="$ARGS --tf-vars $tfVars"
+fi
+
 if [ $trivyIgnores ];then
   for f in $(echo $trivyIgnores | tr "," "\n")
   do
@@ -158,7 +165,8 @@ if [ $ignorePolicy ];then
   SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy"
 fi
 if [ "$hideProgress" == "true" ];then
-  ARGS="$ARGS --no-progress"
+  ARGS="$ARGS --quiet"
+  SARIF_ARGS="$SARIF_ARGS --quiet"
 fi
 if [ "$dockerHost" == "true" ];then
   ARGS="$ARGS --docker-host $dockerHost"
@@ -172,6 +180,7 @@ if [ "$skipFiles" ];then
   for i in $(echo $skipFiles | tr "," "\n")
   do
     ARGS="$ARGS --skip-files $i"
+    SARIF_ARGS="$SARIF_ARGS --skip-files $i"
   done
 fi
 
@@ -187,13 +196,12 @@ if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; the
 elif [ $trivyConfig ]; then
    echo "Running Trivy with trivy.yaml config from: " $trivyConfig
    trivy --config $trivyConfig ${scanType} ${artifactRef}
-   returnCode=$?
 else
    echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
    echo "Global options: " "${GLOBAL_ARGS}"
    trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
-   returnCode=$?
 fi
+returnCode=$?
 
 set -e
 if [[ "${format}" == "github" ]]; then

diff --git a/test/data/config-sarif.test b/test/data/config-sarif.test