diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..5c10534
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+.PHONY: test
+
+test:
+ BATS_LIB_PATH=/usr/local/lib/ bats -r .
\ No newline at end of file
diff --git a/README.md b/README.md
index 486c4a1..63e2948 100644
--- a/README.md
+++ b/README.md
@@ -64,14 +64,14 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@add-support-for-trivy-config + - name: Run Trivy vulnerability scanner in fs mode + uses: aquasecurity/trivy-action@master with: scan-type: 'fs' - ignore-unfixed: true - trivy-config: ./trivy.yaml + scan-ref: '.' + trivy-config: trivy.yaml ``` In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
@@ -81,7 +81,17 @@
 exit-code: 1
 severity: CRITICAL
 ```
-It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes.
+It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
+- `scan-ref`: If using `fs, repo` scans.
+- `image-ref`: If using `image` scan.
+- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.
+
+#### Order of prerference for options
+Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:
+- GitHub Action flag
+- Environment variable
+- Config file
+- Default
 ### Scanning a Tarball
 ```yaml 
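Review bot: The `test` recipe hardcodes `BATS_LIB_PATH=/usr/local/lib/`, so `make test` fails on any machine where the helper libraries loaded by `bats_load_library` in test/test.bats are installed somewhere else. Declaring it as an overridable variable keeps the same default: `BATS_LIB_PATH ?= /usr/local/lib/` above the target and `BATS_LIB_PATH=$(BATS_LIB_PATH) bats -r .` as the recipe. The collapsed layout here hides whether the recipe line begins with the tab that make requires, and the file is written without a trailing newline.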
@@ -97,7 +107,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Generate tarball from image run: |
@@ -123,10 +133,10 @@ on: jobs: build: name: Build - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Build an image from Dockerfile run: |
@@ -158,10 +168,10 @@ on: jobs: build: name: Build - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Build an image from Dockerfile run: |
@@ -197,10 +207,10 @@ on: jobs: build: name: Build - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@master
@@ -231,10 +241,10 @@ on: jobs: build: name: Build - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner with rootfs command uses: aquasecurity/trivy-action@master
@@ -266,10 +276,10 @@ on: jobs: build: name: Build - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner in IaC mode uses: aquasecurity/trivy-action@master
@@ -335,10 +345,10 @@ on: jobs: build: name: Build - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master
@@ -371,10 +381,10 @@ on: jobs: build: name: Build - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master 
@@ -407,10 +417,10 @@ on: jobs: build: name: Build - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master
@@ -440,10 +450,10 @@ on: jobs: build: name: Build - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master
diff --git a/entrypoint.sh b/entrypoint.sh
index cebbba7..bb5a434 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -164,7 +164,7 @@ fi
 trivyConfig=$(echo $trivyConfig | tr -d '\r')
 if [ $trivyConfig ]; then
 echo "Running Trivy with trivy.yaml config from: " $trivyConfig
- trivy --config $trivyConfig ${scanType} $ARGS ${artifactRef}
+ trivy --config $trivyConfig ${scanType} ${artifactRef}
 returnCode=$?
 else
 echo "Running trivy with options: ${ARGS}" "${artifactRef}"
diff --git a/test/data/trivy.yaml b/test/data/trivy.yaml
index 1bb57b4..f2b0201 100644
--- a/test/data/trivy.yaml
+++ b/test/data/trivy.yaml
@@ -1,2 +1,5 @@
 format: json
-severity: CRITICAL
\ No newline at end of file
+severity: CRITICAL
+vulnerability:
+ type: os
+output: yamlconfig.test
\ No newline at end of file
diff --git a/test/data/yamlconfig.test b/test/data/yamlconfig.test
index ff3156f..b7106b2 100644
--- a/test/data/yamlconfig.test
+++ b/test/data/yamlconfig.test
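Review bot: The new `trivy --config $trivyConfig ${scanType} ${artifactRef}` line drops `$ARGS`, so every option assembled from the action inputs is silently discarded whenever `trivy-config` is set, which appears to contradict the precedence order this same commit adds to README.md (GitHub Action flag above config file). Either keep `$ARGS` in the command and let Trivy apply its own precedence, or state in the `echo` above and in the README that the config file is used exclusively and other inputs are ignored. The expansions are also unquoted, so a config path or artifact reference containing whitespace splits into several arguments; `trivy --config "$trivyConfig" "${scanType}" "${artifactRef}"` avoids that, and the test two lines up is safer as `[ -n "$trivyConfig" ]`. The `if`/`else` block this line sits in closes outside the hunk.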
@@ -1,29 +1,104 @@ { "SchemaVersion": 2, - "ArtifactName": ".", - "ArtifactType": "filesystem", + "ArtifactName": "alpine:3.10", + "ArtifactType": "container_image", "Metadata": { + "OS": { + "Family": "alpine", + "Name": "3.10.9", + "EOSL": true + }, + "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a", + "DiffIDs": [ + "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635" + ], + "RepoTags": [ + "alpine:3.10" + ], + "RepoDigests": [ + "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98" + ], "ImageConfig": { - "architecture": "", - "created": "0001-01-01T00:00:00Z", - "os": "", + "architecture": "amd64", + "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4", + "created": "2021-04-14T19:20:05.338397761Z", + "docker_version": "19.03.12", + "history": [ + { + "created": "2021-04-14T19:20:04.987219124Z", + "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / " + }, + { + "created": "2021-04-14T19:20:05.338397761Z", + "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]", + "empty_layer": true + } + ], + "os": "linux", "rootfs": { - "type": "", - "diff_ids": null + "type": "layers", + "diff_ids": [ + "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635" + ] }, - "config": {} + "config": { + "Cmd": [ + "/bin/sh" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8" + } } }, "Results": [ { - "Target": "Dockerfile", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 6, - "Failures": 0, - "Exceptions": 0 - } + "Target": "alpine:3.10 (alpine 3.10.9)", + "Class": "os-pkgs", + "Type": "alpine", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2021-36159", + "PkgName": "apk-tools", + "InstalledVersion": "2.10.6-r0", + "FixedVersion": 
"2.10.7-r0", + "Layer": { + "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5", + "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-125" + ], + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "V2Score": 6.4, + "V3Score": 9.1 + } + }, + "References": [ + "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch", + "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749", + "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E" + ], + "PublishedDate": "2021-08-03T14:15:00Z", + "LastModifiedDate": "2021-10-18T12:19:00Z" + } + ] } ] } diff --git a/test/test.bats b/test/test.bats index 31b5da3..d2628e0 100644 --- a/test/test.bats +++ b/test/test.bats 
@@ -74,9 +74,9 @@ bats_load_library bats-file
 assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' # TODO: Output contains time, need to mock
 }
-@test "trivy repo with trivy.yaml config" {
- # trivy --config=./data/trivy.yaml fs --security-checks=config,secret --output=yamlconfig.test .
- run ./entrypoint.sh "-a fs" "-j ." "-s config,secret" "-v ./test/data/trivy.yaml" "-h yamlconfig.test"
+@test "trivy image with trivy.yaml config" {
+ # trivy --config=./test/data/trivy.yaml image alpine:3.10
+ run ./entrypoint.sh "-v ./test/data/trivy.yaml" "-a image" "-i alpine:3.10"
 run diff yamlconfig.test ./test/data/yamlconfig.test
 echo "$output"
 assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
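Review bot: `assert_files_equal yamlconfig.test ./test/data/yamlconfig.test` compares the full Trivy image report byte-for-byte, and the fixture updated in this commit carries NVD-sourced fields (`Description`, `CVSS`, `References`, `LastModifiedDate`) that change whenever the vulnerability database is refreshed, so the test will start failing on a DB update rather than on a regression in the action. Asserting on stable fields the way the preceding test does with `assert_output --partial`, or deleting the volatile keys from both files before the comparison, would keep the test meaningful. The second `run` also overwrites `$output`, so `echo "$output"` prints the diff rather than the entrypoint output; if that is intended, a comment such as `# show the diff when the fixture comparison fails` would make it explicit. The `@test` body opened here closes outside the hunk.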