I have a discrepancy between the SARIF output and the JSON output. I have an issue reported in the JSON report ("RuleID": "sendgrid-api-token"), but this issue does not show in the SARIF report.
What did you expect to happen?
The same results in the SARIF report as in the JSON report.
What happened instead?
The SARIF report is empty
Output of run with -debug:
$ trivy fs --security-checks vuln,config,secret . --exit-code 1 --format sarif --output trivy_report_fs.sarif --debug
2022-09-01T12:10:53.439+0200 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-01T12:10:53.442+0200 DEBUG cache dir: /home/mika/.cache/trivy
2022-09-01T12:10:53.442+0200 DEBUG DB update was skipped because the local DB is the latest
2022-09-01T12:10:53.442+0200 DEBUG DB Schema: 2, UpdatedAt: 2022-09-01 06:14:05.457025002 +0000 UTC, NextUpdate: 2022-09-01 12:14:05.457024602 +0000 UTC, DownloadedAt: 2022-09-01 09:47:51.791175466 +0000 UTC
2022-09-01T12:10:53.443+0200 INFO Vulnerability scanning is enabled
2022-09-01T12:10:53.443+0200 DEBUG Vulnerability type: [os library]
2022-09-01T12:10:53.443+0200 INFO Misconfiguration scanning is enabled
2022-09-01T12:10:53.443+0200 INFO Secret scanning is enabled
2022-09-01T12:10:53.443+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-01T12:10:53.443+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2022-09-01T12:10:53.443+0200 DEBUG No secret config detected: trivy-secret.yaml
2022-09-01T12:10:54.099+0200 DEBUG OS is not detected.
2022-09-01T12:10:54.099+0200 DEBUG Detected OS: unknown
2022-09-01T12:10:54.099+0200 INFO Number of language-specific files: 0
2022-09-01T12:10:54.099+0200 INFO Detected config files: 1
2022-09-01T12:10:54.099+0200 DEBUG Scanned config file: docker/Dockerfile
2022-09-01T12:10:54.099+0200 DEBUG Secret file: XXXXXX/appsettings.json
$ trivy fs --security-checks vuln,config,secret . --exit-code 1 --format json --output trivy_report_fs.json --debug
2022-09-01T12:09:57.031+0200 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-01T12:09:57.033+0200 DEBUG cache dir: /home/mika/.cache/trivy
2022-09-01T12:09:57.033+0200 DEBUG DB update was skipped because the local DB is the latest
2022-09-01T12:09:57.034+0200 DEBUG DB Schema: 2, UpdatedAt: 2022-09-01 06:14:05.457025002 +0000 UTC, NextUpdate: 2022-09-01 12:14:05.457024602 +0000 UTC, DownloadedAt: 2022-09-01 09:47:51.791175466 +0000 UTC
2022-09-01T12:09:57.034+0200 INFO Vulnerability scanning is enabled
2022-09-01T12:09:57.034+0200 DEBUG Vulnerability type: [os library]
2022-09-01T12:09:57.034+0200 INFO Misconfiguration scanning is enabled
2022-09-01T12:09:57.034+0200 INFO Secret scanning is enabled
2022-09-01T12:09:57.034+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-01T12:09:57.034+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2022-09-01T12:09:57.034+0200 DEBUG No secret config detected: trivy-secret.yaml
2022-09-01T12:09:57.672+0200 DEBUG OS is not detected.
2022-09-01T12:09:57.672+0200 DEBUG Detected OS: unknown
2022-09-01T12:09:57.672+0200 INFO Number of language-specific files: 0
2022-09-01T12:09:57.672+0200 INFO Detected config files: 1
2022-09-01T12:09:57.672+0200 DEBUG Scanned config file: docker/Dockerfile
2022-09-01T12:09:57.672+0200 DEBUG Secret file: XXXXXX/appsettings.json
$ cat trivy_report_fs.sarif | jq '.runs[].results'
[]
$ cat trivy_report_fs.json | jq '.Results | length'
2
Output of trivy -v:
Version: 0.31.3
Vulnerability DB:
Version: 2
UpdatedAt: 2022-09-01 06:14:05.457025002 +0000 UTC
NextUpdate: 2022-09-01 12:14:05.457024602 +0000 UTC
DownloadedAt: 2022-09-01 09:47:51.791175466 +0000 UTC
If I understand correctly, this is because the SARIF format doesn't currently contain secrets.
Let me know if your JSON report contains vulnerabilities or misconfigurations.
I created a PR (#2820) where I added secrets to the SARIF format.
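A parity check a practitioner can run against the two reports discussed above, to list the finding IDs that the JSON report contains but the SARIF report dropped. This is an added example, not Trivy's own code and not from the reporter or the maintainer. It assumes Trivy's JSON layout (`Results[].Vulnerabilities[].VulnerabilityID`, `Misconfigurations[].ID`, `Secrets[].RuleID`) and that a SARIF `ruleId` equals the corresponding JSON finding ID; the two sample documents embedded in it are constructed, with `DS-EXAMPLE-001` a placeholder check ID and `app/appsettings.json` a placeholder path, while `sendgrid-api-token` is the rule ID from the issue.

```python
"""Compare a Trivy JSON report with its SARIF counterpart and list findings
that the SARIF output dropped (added example, not Trivy's own code)."""
import json
import sys

# Constructed JSON report in Trivy's `Results` layout: one misconfiguration
# and one secret finding. DS-EXAMPLE-001 is a placeholder check ID.
SAMPLE_JSON = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "docker/Dockerfile",
            "Class": "config",
            "Type": "dockerfile",
            "Misconfigurations": [
                {"ID": "DS-EXAMPLE-001", "Severity": "HIGH",
                 "Title": "constructed misconfiguration"}
            ],
        },
        {
            "Target": "app/appsettings.json",  # placeholder path
            "Class": "secret",
            "Secrets": [
                {"RuleID": "sendgrid-api-token", "Category": "SendGrid",
                 "Severity": "MEDIUM", "Title": "SendGrid API token",
                 "StartLine": 12, "EndLine": 12}
            ],
        },
    ],
})

# Constructed SARIF report: only the misconfiguration made it into `results`,
# mirroring the behaviour described in the issue.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "Trivy"}},
            "results": [
                {"ruleId": "DS-EXAMPLE-001", "level": "error",
                 "message": {"text": "constructed misconfiguration"}}
            ],
        }
    ],
})


def json_finding_ids(report: dict) -> set:
    """Collect every finding ID from a Trivy JSON report.

    Vulnerabilities carry `VulnerabilityID`, misconfigurations `ID`, and
    secrets `RuleID`; any of the three lists may be absent (or null) for a
    target, so each is read defensively.
    """
    ids = set()
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            ids.add(vuln["VulnerabilityID"])
        for misconf in result.get("Misconfigurations") or []:
            ids.add(misconf["ID"])
        for secret in result.get("Secrets") or []:
            ids.add(secret["RuleID"])
    return ids


def sarif_rule_ids(sarif: dict) -> set:
    """Collect `ruleId` from every result in every SARIF run."""
    return {
        res["ruleId"]
        for run in sarif.get("runs") or []
        for res in run.get("results") or []
    }


def missing_from_sarif(json_text: str, sarif_text: str) -> list:
    """Return finding IDs present in the JSON report but absent from the
    SARIF report, sorted for stable output."""
    json_ids = json_finding_ids(json.loads(json_text))
    sarif_ids = sarif_rule_ids(json.loads(sarif_text))
    return sorted(json_ids - sarif_ids)


if __name__ == "__main__":
    # Usage: python parity.py trivy_report_fs.json trivy_report_fs.sarif
    # With no arguments the constructed samples above are compared.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as jf, open(sys.argv[2]) as sf:
            gap = missing_from_sarif(jf.read(), sf.read())
    else:
        gap = missing_from_sarif(SAMPLE_JSON, SAMPLE_SARIF)
    for rule in gap:
        print(f"missing from SARIF: {rule}")
    # Non-zero exit so a CI job notices when the SARIF upload is incomplete.
    sys.exit(1 if gap else 0)
```

Run it on the two files produced by the `--format json` and `--format sarif` commands in the report; a non-zero exit flags that the SARIF file, and therefore anything consuming it (for example a code-scanning upload), is missing findings that the JSON file has.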