
Issue with Targeted IaC and SAST Scanning in Trivy Action #298

Open
ameurmeddeb-zero opened this issue Jan 15, 2024 · 2 comments

Comments

@ameurmeddeb-zero

I'm encountering an issue where Trivy scans the entire repository instead of just the changed files or the latest commits.

I initially attempted the `fetch-depth: 1` method in the checkout action, but this did not limit the scan to recent changes. Subsequently, I tried the shallow cloning approach I have used with TruffleHog, but Trivy still scanned the entire repository instead of focusing on the modified files (new commits).

What am I doing wrong or how else can I achieve my goal (scanning only the changed files and the pushed code)?

I am not able to scan just the changed files / latest commits with Trivy. On every scan the whole repo is scanned.

What am I doing wrong, or can I achieve my intention?

I first tested with the checkout `fetch-depth: 1` way; it was not working.

```yaml
name: IaC scan
runs-on: ubuntu-latest
steps:
  - uses: actions/checkout@v4
    name: Checkout
    with:
      fetch-depth: 1

  - name: Run Trivy static analysis
    uses: aquasecurity/trivy-action@master
    with:
      scan-type: 'fs'
      scanners: 'config'
      ignore-unfixed: false
      format: 'table'
      vuln-type: 'os,library'
      severity: 'CRITICAL'
```

```yaml
name: IAC Scan with Trivy
runs-on: ubuntu-latest
steps:
  - name: File Change Detection
    shell: bash
    run: |
      if [ "${{ github.event_name }}" == "push" ]; then
        echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
        echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
      fi
      if [ "${{ github.event_name }}" == "pull_request" ]; then
        echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
        echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
      fi

  - uses: actions/checkout@v4
    with:
      ref: ${{env.branch}}
      fetch-depth: ${{env.depth}}

  - name: Run Trivy static analysis
    uses: aquasecurity/trivy-action@master
    with:
      scan-type: 'fs'
      format: 'table'
      severity: 'CRITICAL,HIGH'
```

@kderck
Contributor

kderck commented Jan 15, 2024

Hi @ameurmeddeb-zero. I don't think this is possible with Trivy: `trivy fs` will scan all files and directories recursively. If you wanted to scan just Terraform you could do `trivy config` (`scan-type: config`). The fetch with `--depth` will still include all of the files from your git repository; however, the git history will be incomplete.

You could possibly do this by using `git diff` on the current versus the last commit, and by piping the paths into Trivy. But I don't see why this would be useful.
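One way to do what the reply above describes (list the changed paths with `git diff`, then hand only those to Trivy's misconfiguration scanner), as an added example that is not part of this thread or of the trivy-action project. It assumes `git` and `trivy` are on PATH; the file-extension filter and the scratch-directory staging are the example's own choices.

```shell
#!/usr/bin/env bash
# Added example: scan only the IaC files changed between two commits.
# Trivy always walks a directory recursively, so the changed files are
# copied into an empty scratch directory before trivy is pointed at it.
set -eu

# Keep only paths Trivy's config (misconfiguration) scanner acts on.
# The extension list is an assumption; extend it for your repository.
filter_iac_paths() {
  grep -E '(\.tf|\.tfvars|\.ya?ml|\.json|\.hcl|Dockerfile)$' || true
}

# Files added, copied, modified or renamed between BASE and HEAD.
changed_iac_files() {
  base="$1"; head="$2"
  git diff --name-only --diff-filter=ACMR "$base" "$head" | filter_iac_paths
}

# Copy the paths read from stdin into DEST, preserving relative paths so
# that relative module references among the copied files still resolve.
stage_files() {
  dest="$1"
  mkdir -p "$dest"
  while IFS= read -r f; do
    [ -f "$f" ] || continue            # deleted in HEAD: nothing to scan
    mkdir -p "$dest/$(dirname "$f")"
    cp "$f" "$dest/$f"
  done
}

# Usage: scan_changed BASE HEAD [SEVERITY]
scan_changed() {
  base="$1"; head="$2"; sev="${3:-CRITICAL,HIGH}"
  dest="$(mktemp -d)"
  changed_iac_files "$base" "$head" | stage_files "$dest"
  if [ -z "$(ls -A "$dest")" ]; then
    echo "no IaC files changed between $base and $head"
    return 0
  fi
  # 'trivy config' runs only the misconfiguration scanner, the same as
  # scan-type 'fs' with scanners 'config' in the action.
  trivy config --severity "$sev" --exit-code 1 "$dest"
}
```

Because the scratch directory holds only the changed files, Trivy cannot see unchanged modules or variable files they reference, so findings that depend on that context are missed; keep the periodic full-repository scan alongside this.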

@velvetzhero

Hello @kderck 👋
I need to create the same functionality: having Trivy run solely on the committed files. I understand this may not be part of the action's features, and that it is more focused on a periodic full scan that would report back to GitHub code scanning. ref.

Having a closer look, it looks like the code can easily be patched by adding an additional [command line argument for a file path](https://github.com/aquasecurity/trivy-action/blob/1f6384b6ceecbbc6673526f865b818a2a06b07c9/entrypoint.sh#L196C4-L196C57).
Is this something you are thinking of adding?
