(feat) Add support for security-checks flag

When using fs mode add option to list of what security issues to detect
aquasecurity · Apr 13, 2022 · 9fbcc91 · 9fbcc91
1 parent 40c4ca9
commit 9fbcc91
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -394,6 +394,7 @@ Following inputs can be used as `step.with` keys:
 | `timeout`        | String  | `5m0s`                             | Scan timeout duration                         |
 | `ignore-policy`  | String  |                                    | Filter vulnerabilities with OPA rego language |
 | `list-all-pkgs`  | String  |                                    | Output all packages regardless of vulnerability |
+| `security-checks`| String  | `vuln`                             | comma-separated list of what security issues to detect (`vuln`,`config`)|
 
 [release]: https://github.com/aquasecurity/trivy-action/releases/latest
 [release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github

diff --git a/action.yaml b/action.yaml
@@ -73,6 +73,10 @@ inputs:
     description: 'output all packages regardless of vulnerability'
     required: false
     default: 'false'
+  security-checks:
+    description: 'comma-separated list of what security issues to detect'
+    required: false
+    default: ''
 runs:
   using: 'docker'
   image: "Dockerfile"
@@ -95,3 +99,4 @@ runs:
     - '-p ${{ inputs.hide-progress }}'
     - '-q ${{ inputs.skip-files }}'
     - '-r ${{ inputs.list-all-pkgs }}'
+    - '-s ${{ inputs.security-checks }}'
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:" o; do
    case "${o}" in
        a)
          export scanType=${OPTARG}
@@ -56,6 +56,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:" o; do
        r)
          export listAllPkgs=${OPTARG}
        ;;
+       s)
+         export securityChecks=${OPTARG}
+       ;;
   esac
 done
 
@@ -95,6 +98,9 @@ if [ $vulnType ] && [ "$scanType" != "config" ];then
   ARGS="$ARGS --vuln-type $vulnType"
   SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
 fi
+if [ $securityChecks ] && [ "$scanType" == "fs" ];then
+  ARGS="$ARGS --security-checks $securityChecks"
+fi
 if [ $severity ];then
   ARGS="$ARGS --severity $severity"
 fi