Skip to content

Commit

Permalink
fix: merge with master
Browse files Browse the repository at this point in the history
  • Loading branch information
@krol3
krol3 committed Jul 27, 2022
2 parents eddd22f + 81b9a6f commit d0dd7b4
Show file tree
Hide file tree
Showing 12 changed files with 315 additions and 50 deletions.
13 changes: 4 additions & 9 deletions .github/workflows/build.yaml
View file
@@ -1,7 +1,8 @@
name: "build"
on: [push, pull_request]
env:
TRIVY_VERSION: 0.29.2
TRIVY_VERSION: 0.30.4
BATS_LIB_PATH: '/usr/lib/'
jobs:
build:
name: build
Expand All @@ -11,7 +12,7 @@ jobs:
- name: Setup BATS
uses: mig4/setup-bats@v1
with:
bats-version: 1.2.1
bats-version: 1.7.0

- name: Setup Bats libs
uses: brokenpip3/setup-bats-libs@0.1.0
Expand All @@ -24,10 +25,4 @@ jobs:
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
- name: Test
run: bats --recursive --timing .

- name: Debug show artifacts
if: always()
run: |
cat ./config.test
cat ./fs-scheck.test
run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .
2 changes: 1 addition & 1 deletion Dockerfile
View file
@@ -1,4 +1,4 @@
FROM ghcr.io/aquasecurity/trivy:0.29.2
FROM ghcr.io/aquasecurity/trivy:0.30.4
COPY entrypoint.sh /
RUN apk --no-cache add bash curl
RUN chmod +x /entrypoint.sh
Expand Down
39 changes: 35 additions & 4 deletions README.md
View file
Expand Up @@ -19,7 +19,7 @@

## Usage

### Workflow
### Scan CI Pipeline

```yaml
name: build
Expand All @@ -31,15 +31,13 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
Expand All @@ -51,6 +49,39 @@ jobs:
severity: 'CRITICAL,HIGH'
```

### Scan CI Pipeline (w/ Trivy Config)

```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@add-support-for-trivy-config
with:
scan-type: 'fs'
ignore-unfixed: true
trivy-config: ./trivy.yaml
```

In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
```yaml
format: json
exit-code: 1
severity: CRITICAL
```

It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes.

### Scanning a Tarball
```yaml
Expand Down
4 changes: 4 additions & 0 deletions action.yaml
View file
Expand Up @@ -85,6 +85,9 @@ inputs:
github-pat:
description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
required: false
trivy-config:
description: 'path to trivy.yaml config'
required: false

runs:
using: 'docker'
Expand All @@ -111,3 +114,4 @@ runs:
- '-s ${{ inputs.security-checks }}'
- '-t ${{ inputs.trivyignores }}'
- '-u ${{ inputs.github-pat }}'
- '-v ${{ inputs.trivy-config }}'
21 changes: 16 additions & 5 deletions entrypoint.sh
View file
@@ -1,6 +1,6 @@
#!/bin/bash
set -e
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" o; do
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
case "${o}" in
a)
export scanType=${OPTARG}
Expand Down Expand Up @@ -65,9 +65,13 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" o; do
u)
export githubPAT=${OPTARG}
;;
v)
export trivyConfig=${OPTARG}
;;
esac
done


scanType=$(echo $scanType | tr -d '\r')
export artifactRef="${imageRef}"
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
Expand Down Expand Up @@ -157,10 +161,17 @@ if [ "$skipFiles" ];then
done
fi

echo "Running: trivy ${scanType} ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
returnCode=$?
trivyConfig=$(echo $trivyConfig | tr -d '\r')
if [ $trivyConfig ]; then
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
trivy --config $trivyConfig ${scanType} $ARGS ${artifactRef}
returnCode=$?
else
echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
returnCode=$?
fi

# SARIF is special. We output all vulnerabilities,
# regardless of severity level specified in this report.
Expand Down
77 changes: 77 additions & 0 deletions test/data/config-sarif.test
View file
@@ -0,0 +1,77 @@
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
"runs": [
{
"tool": {
"driver": {
"fullName": "Trivy Vulnerability Scanner",
"informationUri": "https://github.com/aquasecurity/trivy",
"name": "Trivy",
"rules": [
{
"id": "DS002",
"name": "Misconfiguration",
"shortDescription": {
"text": "DS002"
},
"fullDescription": {
"text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/ds002",
"help": {
"text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH\nCheck: Image user should not be 'root'\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"markdown": "**Misconfiguration DS002**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\n\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
}
],
"version": "0.30.4"
}
},
"results": [
{
"ruleId": "DS002",
"ruleIndex": 0,
"level": "error",
"message": {
"text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS002\nSeverity: HIGH\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "Dockerfile",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
}
}
]
}
],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {
"uri": "file:///"
}
}
}
]
}
10 changes: 10 additions & 0 deletions test/data/image-trivyignores.test
View file
@@ -1,3 +1,8 @@

knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)

┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
Expand Down Expand Up @@ -67,6 +72,11 @@
│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

rust-app/Cargo.lock (cargo)
===========================
Total: 1 (CRITICAL: 1)

┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
Expand Down
10 changes: 10 additions & 0 deletions test/data/image.test
View file
@@ -1,3 +1,8 @@

knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)

┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
Expand Down Expand Up @@ -67,6 +72,11 @@
│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

rust-app/Cargo.lock (cargo)
===========================
Total: 4 (CRITICAL: 4)

┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
Expand Down
81 changes: 76 additions & 5 deletions test/data/repo.test
View file
@@ -1,5 +1,76 @@
┌──────────┬──────────────────────────────┬──────────┬─────────┬─────────────────────────┐
│ Category │ Description │ Severity │ Line No │ Match │
├──────────┼──────────────────────────────┼──────────┼─────────┼─────────────────────────┤
│ GitHub │ GitHub Personal Access Token │ CRITICAL │ 5 │ export GITHUB_PAT=***** │
└──────────┴──────────────────────────────┴──────────┴─────────┴─────────────────────────┘
{
"SchemaVersion": 2,
"ArtifactName": "https://github.com/krol3/demo-trivy/",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "env",
"Class": "secret",
"Secrets": [
{
"RuleID": "github-pat",
"Category": "GitHub",
"Severity": "CRITICAL",
"Title": "GitHub Personal Access Token",
"StartLine": 5,
"EndLine": 5,
"Code": {
"Lines": [
{
"Number": 3,
"Content": "export AWS_ACCESS_KEY_ID=1234567",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "export AWS_ACCESS_KEY_ID=1234567",
"FirstCause": false,
"LastCause": false
},
{
"Number": 4,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 5,
"Content": "export GITHUB_PAT=****************************************",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "export GITHUB_PAT=****************************************",
"FirstCause": true,
"LastCause": true
},
{
"Number": 6,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
}
]
},
"Match": "export GITHUB_PAT=****************************************"
}
]
}
]
}
2 changes: 2 additions & 0 deletions test/data/trivy.yaml
View file
@@ -0,0 +1,2 @@
format: json
severity: CRITICAL

0 comments on commit d0dd7b4

Please sign in to comment.