From 9fbcc910087fabe4b288a0421bb10378ed4a8666 Mon Sep 17 00:00:00 2001 From: oranmoshai Date: Wed, 13 Apr 2022 16:25:40 +0300 Subject: [PATCH] (feat) Add support for security-checks flag When using fs mode add option to list of what security issues to detect --- README.md | 1 + action.yaml | 5 +++++ entrypoint.sh | 8 +++++++- 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fd7d873..2f698d8 100644 --- a/README.md +++ b/README.md @@ -394,6 +394,7 @@ Following inputs can be used as `step.with` keys: | `timeout` | String | `5m0s` | Scan timeout duration | | `ignore-policy` | String | | Filter vulnerabilities with OPA rego language | | `list-all-pkgs` | String | | Output all packages regardless of vulnerability | +| `security-checks`| String | `vuln` | comma-separated list of what security issues to detect (`vuln`,`config`)| [release]: https://github.com/aquasecurity/trivy-action/releases/latest [release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github diff --git a/action.yaml b/action.yaml index 403fb49..03a22a9 100644 --- a/action.yaml +++ b/action.yaml @@ -73,6 +73,10 @@ inputs: description: 'output all packages regardless of vulnerability' required: false default: 'false' + security-checks: + description: 'comma-separated list of what security issues to detect' + required: false + default: '' runs: using: 'docker' image: "Dockerfile" @@ -95,3 +99,4 @@ runs: - '-p ${{ inputs.hide-progress }}' - '-q ${{ inputs.skip-files }}' - '-r ${{ inputs.list-all-pkgs }}' + - '-s ${{ inputs.security-checks }}' diff --git a/entrypoint.sh b/entrypoint.sh index 996c3e8..7db1bbb 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash set -e -while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:" o; do +while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:" o; do case "${o}" in a) export scanType=${OPTARG} @@ -56,6 +56,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:" o; do r) export listAllPkgs=${OPTARG} ;; + s) + export securityChecks=${OPTARG} + ;; esac done @@ -95,6 +98,9 @@ if [ $vulnType ] && [ "$scanType" != "config" ];then ARGS="$ARGS --vuln-type $vulnType" SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType" fi +if [ $securityChecks ] && [ "$scanType" == "fs" ];then + ARGS="$ARGS --security-checks $securityChecks" +fi if [ $severity ];then ARGS="$ARGS --severity $severity" fi