feat(yaml): Add support for trivy.yaml (#143)

* feat(yaml): Add support for trivy.yaml

Signed-off-by: Simar <[email protected]>

* chore: fixing test using trivy v 0.30.0

* chore(deps): Update to use Trivy v0.30.2

Signed-off-by: Simar <[email protected]>

Co-authored-by: carolina valencia <[email protected]>

.github/workflows/build.yaml

@@ -1,7 +1,8 @@
 name: "build"
 on: [push, pull_request]
 env:
-  TRIVY_VERSION: 0.29.2
+  TRIVY_VERSION: 0.30.2
+  BATS_LIB_PATH: '/usr/lib/'
 jobs:
   build:
     name: build
@@ -11,7 +12,7 @@ jobs:
       - name: Setup BATS
         uses: mig4/setup-bats@v1
         with:
-          bats-version: 1.2.1
+          bats-version: 1.7.0
 
       - name: Setup Bats libs
         uses: brokenpip3/[email protected]
@@ -24,10 +25,4 @@ jobs:
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
 
       - name: Test
-        run: bats --recursive --timing .
-
-      - name: Debug show artifacts
-        if: always()
-        run: |
-          cat ./config.test
-          cat ./fs-scheck.test
+        run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .

Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.29.2
+FROM ghcr.io/aquasecurity/trivy:0.30.2
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl
 RUN chmod +x /entrypoint.sh

README.md

@@ -19,7 +19,7 @@
 
 ## Usage
 
-### Workflow
+### Scan CI Pipeline
 
 ```yaml
 name: build
@@ -31,15 +31,13 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
-
       - name: Build an image from Dockerfile
         run: |
           docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
-
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
@@ -51,6 +49,39 @@ jobs:
           severity: 'CRITICAL,HIGH'
 ```
 
+### Scan CI Pipeline (w/ Trivy Config)
+
+```yaml
+name: build
+on:
+  push:
+    branches:
+    - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Run Trivy vulnerability scanner in repo mode
+      uses: aquasecurity/trivy-action@add-support-for-trivy-config
+      with:
+        scan-type: 'fs'
+        ignore-unfixed: true
+        trivy-config: ./trivy.yaml
+```
+
+In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
+```yaml
+format: json
+exit-code: 1
+severity: CRITICAL
+```
+
+It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes.
 
 ### Scanning a Tarball
 ```yaml

action.yaml

@@ -85,6 +85,9 @@ inputs:
   github-pat:
     description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
     required: false
+  trivy-config:
+    description: 'path to trivy.yaml config'
+    required: false
 
 runs:
   using: 'docker'
@@ -111,3 +114,4 @@ runs:
     - '-s ${{ inputs.security-checks }}'
     - '-t ${{ inputs.trivyignores }}'
     - '-u ${{ inputs.github-pat }}'
+    - '-v ${{ inputs.trivy-config }}'

entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
    case "${o}" in
        a)
          export scanType=${OPTARG}
@@ -65,9 +65,13 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" o; do
        u)
          export githubPAT=${OPTARG}
        ;;
+       v)
+         export trivyConfig=${OPTARG}
+       ;;
   esac
 done
 
+
 scanType=$(echo $scanType | tr -d '\r')
 export artifactRef="${imageRef}"
 if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] ||  [ "${scanType}" = "config" ] ||  [ "${scanType}" = "rootfs" ];then
@@ -157,10 +161,17 @@ if [ "$skipFiles" ];then
   done
 fi
 
-echo "Running trivy with options: ${ARGS}" "${artifactRef}"
-echo "Global options: " "${GLOBAL_ARGS}"
-trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
-returnCode=$?
+trivyConfig=$(echo $trivyConfig | tr -d '\r')
+if [ $trivyConfig ]; then
+   echo "Running Trivy with trivy.yaml config from: " $trivyConfig
+   trivy --config $trivyConfig ${scanType} $ARGS ${artifactRef}
+   returnCode=$?
+else
+   echo "Running trivy with options: ${ARGS}" "${artifactRef}"
+   echo "Global options: " "${GLOBAL_ARGS}"
+   trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
+   returnCode=$?
+fi
 
 # SARIF is special. We output all vulnerabilities,
 # regardless of severity level specified in this report.

test/data/config-sarif.test

@@ -0,0 +1,77 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "fullName": "Trivy Vulnerability Scanner",
+          "informationUri": "https://github.com/aquasecurity/trivy",
+          "name": "Trivy",
+          "rules": [
+            {
+              "id": "DS002",
+              "name": "Misconfiguration",
+              "shortDescription": {
+                "text": "DS002"
+              },
+              "fullDescription": {
+                "text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://avd.aquasec.com/misconfig/ds002",
+              "help": {
+                "text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH\nCheck: Image user should not be 'root'\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
+                "markdown": "**Misconfiguration DS002**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\n\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "8.0",
+                "tags": [
+                  "misconfiguration",
+                  "security",
+                  "HIGH"
+                ]
+              }
+            }
+          ],
+          "version": "0.30.2"
+        }
+      },
+      "results": [
+        {
+          "ruleId": "DS002",
+          "ruleIndex": 0,
+          "level": "error",
+          "message": {
+            "text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS002\nSeverity: HIGH\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "Dockerfile",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1,
+                  "startColumn": 1,
+                  "endLine": 1,
+                  "endColumn": 1
+                }
+              }
+            }
+          ]
+        }
+      ],
+      "columnKind": "utf16CodeUnits",
+      "originalUriBaseIds": {
+        "ROOTPATH": {
+          "uri": "file:///"
+        }
+      }
+    }
+  ]
+}

test/data/image-trivyignores.test

@@ -1,3 +1,8 @@
+
+knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
+========================================
+Total: 19 (CRITICAL: 19)
+
 ┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
 │   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
 ├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
@@ -67,6 +72,11 @@
 │ sqlite-libs │ CVE-2019-8457  │ CRITICAL │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
 │             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
 └─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
+
+rust-app/Cargo.lock (cargo)
+===========================
+Total: 1 (CRITICAL: 1)
+
 ┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
 │ Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
 ├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤

test/data/image.test

@@ -1,3 +1,8 @@
+
+knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
+========================================
+Total: 19 (CRITICAL: 19)
+
 ┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
 │   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
 ├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
@@ -67,6 +72,11 @@
 │ sqlite-libs │ CVE-2019-8457  │ CRITICAL │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
 │             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
 └─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
+
+rust-app/Cargo.lock (cargo)
+===========================
+Total: 4 (CRITICAL: 4)
+
 ┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
 │  Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
 ├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤

test/data/repo.test

@@ -1,5 +1,76 @@
-┌──────────┬──────────────────────────────┬──────────┬─────────┬─────────────────────────┐
-│ Category │         Description          │ Severity │ Line No │          Match          │
-├──────────┼──────────────────────────────┼──────────┼─────────┼─────────────────────────┤
-│  GitHub  │ GitHub Personal Access Token │ CRITICAL │    5    │ export GITHUB_PAT=***** │
-└──────────┴──────────────────────────────┴──────────┴─────────┴─────────────────────────┘
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "https://github.com/krol3/demo-trivy/",
+  "ArtifactType": "repository",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "env",
+      "Class": "secret",
+      "Secrets": [
+        {
+          "RuleID": "github-pat",
+          "Category": "GitHub",
+          "Severity": "CRITICAL",
+          "Title": "GitHub Personal Access Token",
+          "StartLine": 5,
+          "EndLine": 5,
+          "Code": {
+            "Lines": [
+              {
+                "Number": 3,
+                "Content": "export AWS_ACCESS_KEY_ID=1234567",
+                "IsCause": false,
+                "Annotation": "",
+                "Truncated": false,
+                "Highlighted": "export AWS_ACCESS_KEY_ID=1234567",
+                "FirstCause": false,
+                "LastCause": false
+              },
+              {
+                "Number": 4,
+                "Content": "",
+                "IsCause": false,
+                "Annotation": "",
+                "Truncated": false,
+                "FirstCause": false,
+                "LastCause": false
+              },
+              {
+                "Number": 5,
+                "Content": "export GITHUB_PAT=****************************************",
+                "IsCause": true,
+                "Annotation": "",
+                "Truncated": false,
+                "Highlighted": "export GITHUB_PAT=****************************************",
+                "FirstCause": true,
+                "LastCause": true
+              },
+              {
+                "Number": 6,
+                "Content": "",
+                "IsCause": false,
+                "Annotation": "",
+                "Truncated": false,
+                "FirstCause": false,
+                "LastCause": false
+              }
+            ]
+          },
+          "Match": "export GITHUB_PAT=****************************************"
+        }
+      ]
+    }
+  ]
+}

test/data/trivy.yaml

@@ -0,0 +1,2 @@
+format: json
+severity: CRITICAL