From 1e0bef4613b3986796a743eb62267bd327212bdd Mon Sep 17 00:00:00 2001
From: AndreyLevchenko
Date: Thu, 2 Feb 2023 06:18:31 +0600
Subject: [PATCH 1/4] fix(sarif): Add option to limit severities for sarif (aquasecurity#192) (#198)

---
 README.md | 1 +
 action.yaml | 4 ++++
 entrypoint.sh | 23 +++++++++++++----------
 3 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 230e2d0c..4b3a2070 100644
--- a/README.md
+++ b/README.md
@@ -501,6 +501,7 @@ Following inputs can be used as `step.with` keys:
 | `security-checks` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
 | `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
 | `github-pat` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
+| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 
 [release]: https://github.com/aquasecurity/trivy-action/releases/latest
 [release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
diff --git a/action.yaml b/action.yaml
index b9b7d8c2..f2dcc239 100644
--- a/action.yaml
+++ b/action.yaml
@@ -88,6 +88,9 @@ inputs:
 trivy-config:
 description: 'path to trivy.yaml config'
 required: false
+ limit-severities-for-sarif:
+ description: 'limit severities for SARIF format'
+ required: false
 
 runs:
 using: 'docker'
@@ -115,3 +118,4 @@ runs:
 - '-t ${{ inputs.trivyignores }}'
 - '-u ${{ inputs.github-pat }}'
 - '-v ${{ inputs.trivy-config }}'
+ - '-z ${{ inputs.limit-severities-for-sarif }}'
diff --git a/entrypoint.sh b/entrypoint.sh
index 28826121..f265929b 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
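Review bot: The `limit-severities-for-sarif` input added in the `@@ -88,6 +88,9 @@` hunk has no `default`, while the README row added in the same patch documents the default as `false`; the entrypoint only checks for the literal string `true`, so omission does behave as false, but the action metadata should say so. I would add `default: 'false'` after `required: false` and make the description name the effect, e.g. `description: 'when true, the SARIF report honours the configured severities instead of listing all findings'`, so the behaviour is discoverable from the action definition and not only from the README.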
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
 case "${o}" in
 a)
 export scanType=${OPTARG}
@@ -68,6 +68,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
 v)
 export trivyConfig=${OPTARG}
 ;;
+ z)
+ export limitSeveritiesForSARIF=${OPTARG}
+ ;;
 esac
 done
 
@@ -81,8 +84,10 @@ input=$(echo $input | tr -d '\r')
 if [ $input ]; then
 artifactRef="--input $input"
 fi
+#trim leading spaces for boolean params
 ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
 hideProgress=$(echo $hideProgress | tr -d '\r')
+limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')
 
 GLOBAL_ARGS=""
 if [ $cacheDir ];then
@@ -164,7 +169,13 @@ if [ "$skipFiles" ];then
 fi
 
 trivyConfig=$(echo $trivyConfig | tr -d '\r')
-if [ $trivyConfig ]; then
+if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
+ # SARIF is special. We output all vulnerabilities,
+ # regardless of severity level specified in this report.
+ # This is a feature, not a bug :)
+ echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
+ trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
+elif [ $trivyConfig ]; then
 echo "Running Trivy with trivy.yaml config from: " $trivyConfig
 trivy --config $trivyConfig ${scanType} ${artifactRef}
 returnCode=$?
@@ -175,14 +186,6 @@ else
 returnCode=$?
 fi
 
-# SARIF is special. We output all vulnerabilities,
-# regardless of severity level specified in this report.
-# This is a feature, not a bug :)
-if [[ "${format}" == "sarif" ]]; then
- echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
- trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
-fi
-
 if [[ "${format}" == "github" ]]; then
 if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
 printf "\n Uploading GitHub Dependency Snapshot"
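Review bot: In the `@@ -164,7 +169,13 @@` hunk the new SARIF branch is evaluated before `elif [ $trivyConfig ]`, so with `format: sarif` and the new input unset a supplied `trivy.yaml` is never passed to trivy — before this change the config-driven run executed and the SARIF report was produced in addition to it, so severity, ignore and policy settings from the config are now silently dropped on the default SARIF path. The branch also never assigns `returnCode`, unlike both sibling branches, so whatever reads it after the hunk (the end of the script is outside this view) sees an empty value in SARIF mode. I would thread the config through and capture the status: `trivy --quiet ${scanType} ${trivyConfig:+--config $trivyConfig} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}` followed by `returnCode=$?`, and say in the README row that SARIF output otherwise bypasses `trivy-config`. That trivy honours `--config` alongside explicit `--format`/`--output` flags on the same command line should be confirmed against the pinned version. Note too that `!= "true"` is case-sensitive, so `True` or `1` fall through to the all-severities path; the input description should state that the literal lowercase `true` is required.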
From cacfd7a2434ebf4fd19b4f908ba16ec78b8570d2 Mon Sep 17 00:00:00 2001
From: Omar Silva <77329033+omarsilva1@users.noreply.github.com>
Date: Thu, 2 Feb 2023 01:19:16 +0100
Subject: [PATCH 2/4] docs: add trivy-config to table (#195)

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 4b3a2070..5b0ceb11 100644
--- a/README.md
+++ b/README.md
@@ -500,6 +500,7 @@ Following inputs can be used as `step.with` keys:
 | `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
 | `security-checks` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
 | `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
+| `trivy-config` | String | | Path to trivy.yaml config |
 | `github-pat` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
 | `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 

From ab158915960c21b5b963684052b5e6139b6f85a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Cant=C3=BA?= <12145912+mcantu@users.noreply.github.com>
Date: Wed, 1 Feb 2023 18:23:59 -0600
Subject: [PATCH 3/4] Update README.md (#186)

Fix typo
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 5b0ceb11..2c9d2b92 100644
--- a/README.md
+++ b/README.md
@@ -262,7 +262,7 @@ jobs: sarif_file: 'trivy-results.sarif' ``` -### Using Trivy to scan Infrastucture as Code +### Using Trivy to scan Infrastructure as Code It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR. If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: From cff3e9a7f62c41dd51975266d0ae235709e39c41 Mon Sep 17 00:00:00 2001 From: simar7 <1254783+simar7@users.noreply.github.com> Date: Wed, 1 Feb 2023 16:40:29 -0800 Subject: [PATCH 4/4] feat(trivy): Bump Trivy to v0.37.1 (#199) Signed-off-by: Simar --- .github/workflows/build.yaml | 2 +- Dockerfile | 2 +- test/data/config-sarif.test | 56 +++++++++++++++++++++++++++++++++++- test/data/config.test | 30 +++++++++++++++++-- test/data/fs-scheck.test | 30 +++++++++++++++++-- test/data/image-sarif.test | 2 +- 6 files changed, 114 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 2e54c72e..42188616 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -1,7 +1,7 @@ name: "build" on: [push, pull_request] env: - TRIVY_VERSION: 0.34.0 + TRIVY_VERSION: 0.37.1 BATS_LIB_PATH: '/usr/lib/' jobs: build: diff --git a/Dockerfile b/Dockerfile index 9e0d6090..194cb65e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/aquasecurity/trivy:0.34.0 +FROM ghcr.io/aquasecurity/trivy:0.37.1 COPY entrypoint.sh / RUN apk --no-cache add bash curl npm RUN chmod +x /entrypoint.sh diff --git a/test/data/config-sarif.test b/test/data/config-sarif.test index 2dc4fad0..62aa67b7 100644 --- a/test/data/config-sarif.test +++ b/test/data/config-sarif.test 
@@ -35,9 +35,36 @@ "HIGH" ] } + }, + { + "id": "DS026", + "name": "Misconfiguration", + "shortDescription": { + "text": "No HEALTHCHECK defined" + }, + "fullDescription": { + "text": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/misconfig/ds026", + "help": { + "text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "misconfiguration", + "security", + "LOW" + ] + } } ], - "version": "0.34.0" + "version": "0.37.1" } }, "results": [ 
@@ -67,6 +94,33 @@ } } ] + }, + { + "ruleId": "DS026", + "ruleIndex": 1, + "level": "note", + "message": { + "text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "Dockerfile", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "Dockerfile" + } + } + ] } ], "columnKind": "utf16CodeUnits", diff --git a/test/data/config.test b/test/data/config.test index d75ec79f..a2451305 100644 --- a/test/data/config.test +++ b/test/data/config.test @@ -20,8 +20,8 @@ "Class": "config", "Type": "dockerfile", "MisconfSummary": { - "Successes": 21, - "Failures": 1, + "Successes": 22, + "Failures": 2, "Exceptions": 0 }, "Misconfigurations": [ @@ -50,6 +50,32 @@ "Lines": null } } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } } ] } diff --git a/test/data/fs-scheck.test b/test/data/fs-scheck.test index d75ec79f..a2451305 100644 --- a/test/data/fs-scheck.test +++ b/test/data/fs-scheck.test 
@@ -20,8 +20,8 @@ "Class": "config", "Type": "dockerfile", "MisconfSummary": { - "Successes": 21, - "Failures": 1, + "Successes": 22, + "Failures": 2, "Exceptions": 0 }, "Misconfigurations": [ @@ -50,6 +50,32 @@ "Lines": null } } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } } ] } diff --git a/test/data/image-sarif.test b/test/data/image-sarif.test index ae8439c7..ae71deee 100644 --- a/test/data/image-sarif.test +++ b/test/data/image-sarif.test @@ -37,7 +37,7 @@ } } ], - "version": "0.34.0" + "version": "0.37.1" } }, "results": [