aquasecurity / trivy-action
Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
License: Apache License 2.0
Hi There!
We've recently moved to using GitHub for our CI steps. Our security auditor has access to the security panels for the org and repositories. He's raised the point that the severity flag is being overridden. In the case of a code error that is found, the severity is listed as Error. Once you drill into the record you see the severity level.
Is this by design or have we missed something?
Cheers
bruno
I'm working with OpenShift Container and I want to know how to use Aqua Trivy to scan images in our container registry.
It would be great to get additional information out of this action via outputs.
The thing I would be particularly interested in is the total number of vulnerabilities.
This would make it easier to create badges. Currently I can't use the trivy action because of that. For reference, I am currently getting this number like this: https://github.com/breucode/imisu/blob/6a8565a1b9d55023fa789ebdc3659c4cb0e7ca1c/.github/workflows/container-security-scan.yaml#L12 (Lines 12 to 27)
Today Trivy does not offer the ability to display vulnerabilities while still returning a pass for the pipeline run
Example:
Project has 4 vulns: 2 high, 2 low, 0 critical
$ trivy fs --exit-code=1 --severity=CRITICAL .
What I got:
Trivy shows no vulnerabilities. Exit code 0.
What I want:
Show all vulnerabilities regardless of the level, still have an exit code of 0 as none of the vulns are over the threshold of Critical.
Use case:
Trivy GitHub Action uses Trivy under the hood. In the above case, Trivy GitHub Action will not report any vulnerabilities in the project and subsequently also not report any to the GitHub Alerts tab (expected).
If we had the above feature, we could avoid failing the build but still add/update the vulnerabilities found in the project.
Workaround to fix this issue:
Run Trivy twice, one with no severity flag and one with. Store all vulns by running without severity flag. Then run again with the severity flag to pass/fail the build. Send saved vulns to GitHub Security Tab.
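One way to get the behaviour the issue asks for without running Trivy twice: run it once with no --severity flag and --format json, keep that full report for the Security tab or an artifact, and make the pass/fail decision in a small script. This is an added example, not code from trivy-action or Trivy; it assumes Trivy's JSON layout (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity), reproduces what --exit-code 1 --severity LEVEL and --ignore-unfixed would decide, and accepts a list of IDs in the shape a .trivyignore file holds. The sample report embedded below is constructed to match the scenario in the issue (2 HIGH, 2 LOW, 0 CRITICAL); treating a trailing `#` as a comment in the ignore file is an assumption of this script.

```python
"""Severity gate over a full Trivy JSON report (added example, not project code)."""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample matching the issue's scenario: 2 HIGH, 2 LOW, 0 CRITICAL.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [{
        "Target": "package-lock.json",
        "Type": "npm",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b",
             "InstalledVersion": "2.0.0", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "pkg-c",
             "InstalledVersion": "3.0.0", "FixedVersion": "3.0.1", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "pkg-d",
             "InstalledVersion": "4.0.0", "FixedVersion": "", "Severity": "LOW"},
        ],
    }],
})


def load_vulns(report_text):
    """Flatten every finding in the report into one list, tagged with its target."""
    data = json.loads(report_text)
    # Older Trivy releases emitted a bare list of results; newer ones wrap it in "Results".
    results = (data.get("Results") or []) if isinstance(data, dict) else data
    vulns = []
    for result in results:
        for v in result.get("Vulnerabilities") or []:
            entry = dict(v)
            entry["Target"] = result.get("Target", "")
            vulns.append(entry)
    return vulns


def parse_trivyignore(text):
    """IDs to ignore, one per line. Lines starting with '#' are comments;
    treating a trailing '#...' as a comment is this script's assumption."""
    ids = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if token:
            ids.add(token)
    return ids


def severity_rank(sev):
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0


def count_by_severity(vulns):
    return Counter(v.get("Severity", "UNKNOWN") for v in vulns)


def gate(vulns, fail_on="CRITICAL", ignore_unfixed=False, ignore_ids=frozenset()):
    """Return (exit_code, blocking): exit 1 only if a finding is at or above fail_on."""
    threshold = severity_rank(fail_on)
    blocking = []
    for v in vulns:
        if v.get("VulnerabilityID") in ignore_ids:
            continue
        if ignore_unfixed and not v.get("FixedVersion"):
            continue  # same idea as --ignore-unfixed: no fix published yet
        if severity_rank(v.get("Severity", "UNKNOWN")) >= threshold:
            blocking.append(v)
    return (1 if blocking else 0), blocking


def main(argv):
    # usage: gate.py [report.json] [FAIL_ON] [.trivyignore]
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    fail_on = argv[2] if len(argv) > 2 else "CRITICAL"
    ignore_ids = parse_trivyignore(open(argv[3]).read()) if len(argv) > 3 else set()
    vulns = load_vulns(text)
    counts = count_by_severity(vulns)
    print("Total: %d (%s)" % (len(vulns), ", ".join(
        "%s: %d" % (s, counts[s]) for s in reversed(SEVERITY_ORDER) if counts[s])))
    for v in vulns:  # always list everything, whatever the threshold
        print("%-8s %-16s %s %s (fixed: %s) %s" % (
            v.get("Severity"), v.get("VulnerabilityID"), v.get("PkgName"),
            v.get("InstalledVersion"), v.get("FixedVersion") or "-", v["Target"]))
    code, blocking = gate(vulns, fail_on, ignore_ids=ignore_ids)
    print("%d finding(s) at or above %s -> exit %d" % (len(blocking), fail_on, code))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the constructed report, `python gate.py` prints all four findings and exits 0 for the default CRITICAL threshold; `python gate.py report.json HIGH` exits 1. The JSON file itself is untouched, so a later step can still convert or upload it.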
The latest Trivy release v0.19.1 includes the ability to scan configs, which include IaC/YAML files, but this action does not appear to have the latest image to support using scan-type: 'config'. I'd like to propose updating the Trivy version used by this action to v0.19.1.
Hi there, with the recent release of the action's version 0.0.19 we are seeing our actions failing with:
scan error: image scan failed: failed analysis: analyze error: failed to analyze layer: sha256:87ceb75dec9b514f26b1b9227e29d4f72790c37a5c1c3281efe349dda702e544 : config scan error: scan terraform error: terraform scan error: stat /github/workspace/evo-hub-infra/main/variables.tf: no such file or directory
This was working correctly before the version bump.
I believe this issue relates to aquasecurity/trivy#1120, which is fixed in this PR: aquasecurity/trivy#1133.
This was fixed in trivy version 0.19.2
According to https://github.com/aquasecurity/trivy-action/blob/master/Dockerfile we are based off of the 0.19.1 version.
Hopefully bumping the base docker image that is being used should cause this error to be fixed.
For reference we trigger the check in our github actions via:
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: ${{ env.IMAGE_REF }}
    format: "table"
    exit-code: "1"
    ignore-unfixed: true
    skip-dirs: /bin/terraform,/usr/local/lib/python3.9/site-packages
changing the 'uses: aquasecurity/trivy-action@master' back to 'uses: aquasecurity/[email protected]' causes the issue to no longer be present.
Also able to reproduce this locally, where running with trivy version 0.19.1 causes the same error to be logged, 0.19.2 does not cause this issue to occur.
Hi Team,
I want an argument to enable the --list-all-pkgs option in trivy-action. Could you consider adding the option, or let me send a PR?
I would like to write config like below:
- name: Run Trivy vulnerability scanner in repo mode
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: "fs"
    format: "json"
    list-all-pkgs: true
    output: "trivy-results.json"
No such option in https://github.com/aquasecurity/trivy-action/blob/master/action.yaml
Make the CI success/failure decision based not only on vulnerability information but also on package and version information. The CI result can be controlled by Trivy's package list and a policy decision tool (e.g. OPA).
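What a package-level gate over --list-all-pkgs output looks like, as an added example that is not part of Trivy or trivy-action. It assumes the JSON layout Trivy emits for that flag (Results[].Packages[] with Name and Version) and uses a small Python rule set where the issue suggests an OPA/Rego policy; the report and the policy below are constructed. Version ordering is a plain dotted compare, not dpkg-, rpm- or semver-aware, which is a simplification to keep in mind for OS packages.

```python
"""Package policy over a Trivy report produced with --list-all-pkgs (added example)."""
import json
import re
import sys

# Constructed sample report; field names follow Trivy's --list-all-pkgs JSON output.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [{
        "Target": "package-lock.json",
        "Type": "npm",
        "Packages": [
            {"Name": "lodash", "Version": "4.17.15"},
            {"Name": "minimist", "Version": "1.2.5"},
            {"Name": "express", "Version": "4.17.1"},
            {"Name": "request", "Version": "2.88.2"},
        ],
        "Vulnerabilities": [],
    }],
})

# Constructed policy: "below" fails if the installed version is older than the given one,
# "banned" fails whenever the package is present at all (stand-in for a Rego policy).
POLICY = [
    {"pkg": "lodash", "below": "4.17.21", "reason": "prototype pollution fixes"},
    {"pkg": "minimist", "below": "1.2.6", "reason": "prototype pollution fix"},
    {"pkg": "express", "below": "4.17.0", "reason": "minimum supported release"},
    {"pkg": "request", "banned": True, "reason": "deprecated upstream"},
]


def version_key(version):
    """Tuple that orders dotted versions; numeric parts compare as ints, the rest as text."""
    parts = []
    for part in re.split(r"[.\-+~]", version):
        parts.append((1, int(part)) if part.isdigit() else (0, part))
    return tuple(parts)


def load_packages(report_text):
    data = json.loads(report_text)
    results = (data.get("Results") or []) if isinstance(data, dict) else data
    packages = []
    for result in results:
        for pkg in result.get("Packages") or []:
            packages.append({"name": pkg.get("Name"), "version": pkg.get("Version", ""),
                             "target": result.get("Target", "")})
    return packages


def evaluate(packages, policy):
    """Return one violation dict per (package, rule) pair that fails the policy."""
    by_name = {}
    for p in packages:
        by_name.setdefault(p["name"], []).append(p)
    violations = []
    for rule in policy:
        for p in by_name.get(rule["pkg"], []):
            if rule.get("banned"):
                violations.append({"pkg": p["name"], "version": p["version"], "target": p["target"],
                                   "rule": "banned", "reason": rule.get("reason", "")})
            elif "below" in rule and version_key(p["version"]) < version_key(rule["below"]):
                violations.append({"pkg": p["name"], "version": p["version"], "target": p["target"],
                                   "rule": "below %s" % rule["below"], "reason": rule.get("reason", "")})
    return violations


def main(argv):
    # usage: pkg_policy.py [trivy-results.json]
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    violations = evaluate(load_packages(text), POLICY)
    for v in violations:
        print("%s %s in %s violates %s (%s)" % (v["pkg"], v["version"], v["target"], v["rule"], v["reason"]))
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run after the action step that wrote trivy-results.json; the script exits 1 on any violation, so it can gate the job even when the vulnerability scan itself is clean. Both the report loader and the gating step use only the fields the Trivy report carries, so no extra metadata lookup is needed.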
Seeing a lot of CI jobs failing inconsistently recently with the following:
Running trivy with options: --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --severity HIGH,CRITICAL --no-progress eu.gcr.io/someimage:sometag
Global options:
2021-10-19T08:29:40.947Z INFO Need to update DB
2021-10-19T08:29:40.947Z INFO Downloading DB...
2021-10-19T08:34:40.941Z FATAL scan error: image scan failed: failed analysis: analyze error: timeout: context deadline exceeded
with:
  image-ref: eu.gcr.io/someimage:sometag
  vuln-type: os,library
  ignore-unfixed: true
  exit-code: 1
  severity: HIGH,CRITICAL
  scan-type: image
  scan-ref: .
  format: table
  hide-progress: true
Note that it's 5 minutes between Downloading DB... and the eventual failure, so I don't think the timeout (2 mins according to your docs) is really applying here.
Hi Team,
I get the below error while using Github trivy action:
client: no podman socket found: stat podman/podman.sock: no such file or directory
Below is the code:
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'github-k8s-runner'
    format: 'table'
    exit-code: '1'
    ignore-unfixed: true
    severity: 'CRITICAL,HIGH'
Please advise
Hi @danielpacak,
I tried to use the latest tag, but it failed and I noticed that the latest tag includes v as part of the tag. Shall I update the README.md, or shall a new tag be created?
hey @simar7 ,
it looks like there are no major versions published and the recommended practice is to include this action from the master branch. That's a bit too yolo for me.
Are there any plans on publishing a version that can be referenced without going all the way to the patch-level? Ideally, I can reference a version that gives me all fixes and features, but no breaking changes.
If that's something you'd like help with, please let me know and I'll be happy to help.
Hi, I'm having difficulties getting to the json output file. This is my workflow:
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Run vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: 'docker.io/library/ubuntu:18.04'
          format: 'json'
          output: 'trivy-report.json'
          exit-code: '0'
      - name: test
        run: find .
      - name: test2
        run: find /
      - uses: actions/upload-artifact@v2
        if: ${{ always() }}
        with:
          name: trivy-report
          path: trivy-report.json # or path/to/artifact
but the JSON file is not present.
What am I doing wrong here?
I would like to use the --ignore-policy flag to filter vulnerabilities with the OPA Rego language:
https://aquasecurity.github.io/trivy/v0.18.1/examples/filter/#by-open-policy-agent
I have a PR for this as well - #48
With latest release 0.20.1, we still have a timeout option description https://github.com/aquasecurity/trivy-action/blob/master/action.yaml#L56-L59, with wrong description vs default value.
Does .trivyignore work with trivy-action out of the box? Can we put a .trivyignore file at the root of the project so that the Action will ignore the vulnerabilities listed in the file?
Motivation
Today Trivy supports both filesystem and repo scanning. We can take this paradigm and extend it even further by allowing Trivy GitHub Action (this repo) to be used as a build-time hook for GitHub repos.
Use Case
Adding a check to each PR (with Trivy Action configured as a Github Action) as it's opened, to check for vulnerabilities introduced by new changes.
Acceptance Criteria
image based scans and the new fs based scans should be configurable by the user.
More information
GitHub Actions support conditional run and evaluation of expressions as mentioned here https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#about-contexts-and-expressions
With the current iteration of Trivy Github Action, the logic will be added as additional options to this configuration https://github.com/aquasecurity/trivy-action/blob/master/action.yaml#L32-L43
Here we could conditionally evaluate what options are passed in by the user and configure the Trivy Github Action to run appropriately.
The bulk of the logic here lies in figuring out how to accept the appropriate options/configs from the user and pass them to Trivy. For the new mode it's as simple as running the command trivy fs . within the checked out PR/branch itself.
cc @jerbia
Hi guys,
Hope you are all well!
I tried trivy action and I have the following error:
Uploading sarif files: ["trivy-results.sarif"]
Error details: instance.runs[0].tool.driver.rules contains duplicate item
Is there a parameter to set in Trivy to avoid duplicates?
Here is my workflow file:
https://github.com/lucmichalski/prestashop-docker/blob/trivy/.github/workflows/security.yml
Cheers,
Luc Michalski
I've been trying to use the cache-dir input introduced in commit b38389f and consistently get the following error when that input is set:
Running trivy with options: --no-progress --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --cache-dir /tmp/trivy ghcr.io/xxx/xxx:xxx
Incorrect Usage: flag provided but not defined: -cache-dir
NAME:
trivy image - scan an image
USAGE:
trivy image [command options] image_name
OPTIONS:
... omitted for brevity
This seems to affect all recent versions of this action from v0.0.14 to and including v0.0.17.
I've had a quick look and this error seems to make sense: as per Trivy usage, --cache-dir is a global option which must be passed before the command. However, the present implementation of this action passes it as a command option instead:
https://github.com/aquasecurity/trivy-action/blob/master/entrypoint.sh#L89-L97
Hi,
Hope someone can help:
We're attempting to run the trivy scanner on one of our terraform folders and are seeing a segmentation fault:
https://github.com/ministryofjustice/opg-lpa/runs/3382241340?check_suite_focus=true#step:4:20
Note it works on one of our other terraform folders.
Not sure if this is something we should be seeing or a known issue. Can someone advise?
Hi there!
Can this Trivy scanner work with a public repository? My repository is private.
Here is the trivy.yml file:
name: "Code Scanning"
on:
  push:
  pull_request:
  schedule:
    - cron: '*/30 * * * *'
  watch:
    types: [started]
jobs:
  Trivy-Scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      # - name: Build an image from Dockerfile
      #   run: |
      #     docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      #
      # - name: Run Trivy vulnerability scanner in docker mode
      #   uses: aquasecurity/trivy-action@master
      #   with:
      #     image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
      #     format: 'template'
      #     template: '@/contrib/sarif.tpl'
      #     output: 'trivy-results-docker.sarif'
      #     severity: 'CRITICAL'
      #
      # - name: Upload Trivy scan results to GitHub Security tab
      #   uses: github/codeql-action/upload-sarif@v1
      #   with:
      #     sarif_file: 'trivy-results-docker.sarif'
      - name: Run Trivy vulnerability scanner in fs mode
        uses: anandg112/trivy-action@feat/add-skip-dirs-option
        with:
          scan-type: 'fs'
          scan-ref: '.'
          ignore-unfixed: true
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results-fs.sarif'
          severity: 'CRITICAL'
          skip-dirs: "ignored-dir"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results-fs.sarif'
      - name: DEBUG Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'debug-trivy-results.sarif'
And this is the error log from Actions:
RequestError [HttpError]: repository not enabled for code scanning
at /home/runner/work/_actions/github/codeql-action/v1/node_modules/@octokit/request/dist-node/index.js:66:23
at processTicksAndRejections (internal/process/task_queues.js:93:5)
at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v1/node_modules/bottleneck/light.js:405:18) {
name: 'HttpError',
status: 403,
headers: {
'access-control-allow-origin': '*',
'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset',
connection: 'close',
'content-encoding': 'gzip',
'content-security-policy': "default-src 'none'",
'content-type': 'application/json; charset=utf-8',
date: 'Wed, 27 Oct 2021 05:18:33 GMT',
'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
server: 'GitHub.com',
'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
'transfer-encoding': 'chunked',
vary: 'Accept-Encoding, Accept, X-Requested-With',
'x-content-type-options': 'nosniff',
'x-frame-options': 'deny',
'x-github-media-type': 'github.v3; format=json',
'x-github-request-id': '04C3:20BA:38F87B:8D23EC:6178E129',
'x-ratelimit-limit': '1000',
'x-ratelimit-remaining': '996',
'x-ratelimit-reset': '1635315047',
'x-ratelimit-resource': 'core',
'x-ratelimit-used': '4',
'x-xss-protection': '0'
},
request: {
method: 'PUT',
url: 'https://api.github.com/repos/denisgolius/winar/code-scanning/analysis/status',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'CodeQL-Action/1.0.20 octokit-core.js/3.1.2 Node.js/12.13.1 (linux; x64)',
authorization: 'token [REDACTED]',
'content-type': 'application/json; charset=utf-8'
},
body: '{"workflow_run_id":1388719546,"workflow_name":"Code Scanning","job_name":"Trivy-Scan","analysis_key":".github/workflows/trivy.yml:Trivy-Scan","commit_oid":"cf463d7d3c6b4356e9ab19688f33e610e35c0561","ref":"refs/heads/main","action_name":"upload-sarif","action_ref":"v1","action_oid":"unknown","started_at":"2021-10-27T05:18:33.544Z","action_started_at":"2021-10-27T05:18:33.544Z","status":"starting","matrix_vars":"null"}',
request: { agent: [Agent], hook: [Function: bound bound register] }
},
documentation_url: 'https://docs.github.com/rest'
}
Error: repository not enabled for code scanning
What am I doing wrong? Maybe there is a working example to copy/paste that will just work?
Documentation (or the lack of it) suggests that the action doesn't support pulling a remote image to scan, particularly from private registries.
There are no inputs for credentials, but perhaps a docker login step would work?
Either way, we would like this supported in the action, just like the standard binary supports it, because we often would like to run this as a separate job from the build job and/or scan multiple images/tags.
Using the template sarif, I can't see the information about the misconfiguration details.
Github workflow: https://github.com/krol3/demo-trivy/blob/main/.github/workflows/trivy-missconfiguration.yaml
See the output of this workflow: https://github.com/krol3/demo-trivy/pull/2/checks?check_run_id=3705915823
In the Trivy scan I see a total of 30 CVEs, but in the SARIF report only 2. Can you help me understand the result of the SARIF template?
I'm using the gh action to scan my container, and I have the severity field set to critical, but the scan seems to be returning ALL vulnerabilities. My code looks like:
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
  with:
    image-ref: ${{ env.REGISTRYNAME }}.azurecr.io/${{ env.IMAGENAME }}:${{ github.sha }}
    format: 'template'
    template: '@/contrib/sarif.tpl'
    output: 'trivy-results.sarif'
    ignore-unfixed: true
    vuln-type: 'os,library'
    severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: 'trivy-results.sarif'
Hey,
Thank you for this nice action!
Would it be possible to support scanning image tarballs as generated by e.g. jib (like it can already be done by Trivy using the --input flag)?
Best regards
Anton
The Trivy scan action fails intermittently on multiple repositories at the Downloading DB step; a sample log is attached herewith:
Running trivy with options: --format table --exit-code 1 --vuln-type os,library --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --skip-dirs build --timeout 10m0s --no-progress /github/workspace/ballerina
Global options:
2021-10-29T01:04:20.497Z INFO Need to update DB
2021-10-29T01:04:20.497Z INFO Downloading DB...
2021-10-29T01:06:20.714Z FATAL DB error: failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: GET https://api.github.com/repos/aquasecurity/trivy-db/releases: 504 []
Here is the sample workflow file:
name: Trivy
on:
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * *'
jobs:
  ubuntu-build:
    name: Build on Ubuntu
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK 11
        uses: actions/setup-java@v2
        with:
          distribution: 'adopt'
          java-version: 11
      - name: Build with Gradle
        run: ./gradlew build -x check -x test
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '/github/workspace/ballerina'
          skip-dirs: 'build'
          format: 'table'
          timeout: '10m0s'
          exit-code: '1'
The latest Trivy might break compatibility. The version should be pinned.
https://github.com/aquasecurity/trivy-action/blob/master/Dockerfile#L1
Hello!
We are using your wonderful action to scan for CVEs in our Docker images. Thank you for your hard work and contribution to open source!
Sadly we noticed that there seems to be a regression in 0.0.9 with respect to ignore-unfixed.
In 0.0.8, setting ignore-unfixed: true correctly ignores CVEs that have no published fix version yet.
In 0.0.9, setting ignore-unfixed: true has no effect and we can see the build failing on CVEs that have no published fix version.
For example:
========================================================================================
Total: 44 (HIGH: 40, CRITICAL: 4)
+----------------------+------------------+----------+---------------------------+---------------+--------------------------------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------------------+------------------+----------+---------------------------+---------------+--------------------------------------------------------------+
| curl | CVE-2020-8169 | HIGH | 7.64.0-4+deb10u1 | | libcurl: partial password |
| | | | | | leak over DNS on HTTP redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8169 |
+ +------------------+ + +---------------+--------------------------------------------------------------+
This is a scan result from 0.0.9 with ignore-unfixed: true on, and we can clearly see a CVE for curl that does not yet have a fix version published.
Here is the action step config we were using:
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: "<docker image repo/tag here>"
    format: "table"
    exit-code: "1"
    ignore-unfixed: true
    severity: "CRITICAL,HIGH"
Changing from master to 0.0.8 after 0.0.9 was published fixed the issue:
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/[email protected]
  with:
    image-ref: "<docker image repo/tag here>"
    format: "table"
    exit-code: "1"
    ignore-unfixed: true
    severity: "CRITICAL,HIGH"
Hi,
Thanks for this nice GitHub Action. It helps me a lot.
I have a GitHub Action using this, where I'm iterating over all images that I'm using in my setup.
This means some are public, some are private on ghcr.io.
When using the environment variables as suggested in https://github.com/aquasecurity/trivy-action/blob/master/README.md#docker-hub-registry, the private ones work but the public ones don't, and vice versa.
Is there a way to only have the ENV used when needed?
I have also tried running the action https://github.com/docker/login-action before, but Trivy isn't respecting the login from there.
Any pointers would be appreciated.
Hi
I'm trying to run Trivy, generate a SARIF report, upload the artifact, and then, depending on the vulnerabilities, break the workflow or allow it to continue.
I'm setting something like this:
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'javidr/vulnerbank:latest'
    format: 'template'
    template: '@/contrib/sarif.tpl'
    output: 'trivy-results.sarif'
    exit-code: '1'
    severity: 'LOW'
- name: Upload artifact
  uses: actions/upload-artifact@v2
  with:
    name: trivy report
    path: 'trivy-results.sarif'
If I set exit-code, then the upload artifact step is not executed. Is there any way to do it? Maybe upload artifact could be embedded as an option in the action?
Thanks
Would it be possible to add support for the --ignore-unfixed flag in the action?
I tried many things but I haven't figured out the proper syntax yet to open a Pull Request.
So far I've tried:
- '${{ inputs.ignore-unfixed == true && echo --ignore-unfixed }}'
- '${{ inputs.ignore-unfixed }} == true && echo "--ignore-unfixed"'
- '${{ inputs.ignore-unfixed }} == "true" && echo "--ignore-unfixed"'
- '${{ inputs.ignore-unfixed == "true" && echo "--ignore-unfixed" }}'
Not sure how these ${{ }} are expanded. Any help is appreciated.
Trivy has the --cache-dir flag to point to the location where the DB and image layers are cached. If we combine that with https://github.com/actions/cache we can speed up some build jobs.
Trivy now uses a different format of passing in skip-dirs, we need to update the trivy action to support this change: aquasecurity/trivy#966
Relevant line is here:
Line 84 in 9c91cd8
While the skip-dirs option already implemented in the GitHub Action does the job, it doesn't feel natural to use it for files.
Since Trivy already supports --skip-files, it would be nice to support it in the GitHub Action as well.
I could implement the feature if you feel it's valuable.
We started seeing this issue because our GitHub Actions have started failing as --skip-dirs are being scanned, and that's failing those actions.
v0.20.0 has been out for 8 days now. Any plans for the update?
Thanks in advance!
In my build workflow, I first build the image, push it to a private registry and then run the Trivy action. This takes time since Trivy has to fetch the image from the private registry. Is there a way this could work with a local image? This would save time for larger images.
Hi,
When I do trivy rootfs -h, it says the usage will be trivy rootfs [command options] dir. Locally, I can give the dir, e.g.
trivy rootfs <GOLANG_BINARY_PATH>
But when I am using it as a GitHub Action, I am not sure how to provide this <GOLANG_BINARY_PATH>. This is my sample GitHub Action:
- name: Run Trivy vulnerability scanner in repo mode
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'rootfs'
    ignore-unfixed: true
    format: 'template'
    template: '@/contrib/sarif.tpl'
    output: 'trivy-results.sarif'
Can you please help me figure out where I should give the path? Prior to v0.0.20 I was using the input flag, but that has been removed now.
For example, this part of the GitHub Action code sends the scan results to the GH Security tab of your repo:
- name: Upload Trivy scan results to GitHub Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: 'payment-service-trivy-results.sarif'
How can I send Trivy scan results to another cloud-native / open-source security product or panel (something other than GitHub Security)?
The image-ref description has the following:
Line 10 in 9c21d3c
To me, this implies that use of image-ref is discouraged and preserved only for compatibility. Is that correct? If so, what should users prefer instead?
I tried using scan-ref, but this results in images not being scanned at all, and no error message being emitted either (the checks pass and the logs only show Trivy's help output).
Getting false positives on dockerized Rails apps due to aquasecurity/trivy#282.
The solution is to use --skip-dirs.
Would you be open to a PR?
For the benefit of GHA builders copy-pasting from the README, please update the Trivy version tag to 0.0.6.
After #73, all the vulnerabilities show up in the Code scanning alerts.
I see from the PR that this is a feature, but now all the images are flagged as vulnerable even though there isn't a fix available (OS packages).
Should this feature take the ignore-unfixed flag into consideration?
Or how is this supposed to work? Because at the moment we have 400+ alerts that we can't fix in any way, since those packages are in the base image and don't have a fix.
Thanks!
I'd like to ignore some of the vulnerabilities the same way as specifying .trivyignore does.
Could this somehow be passed to the action?
Regards
Using version 0.0.9 seems to be buggy:
runs-on: ubuntu-latest
steps:
  - name: Checkout code
    uses: actions/checkout@v2
  - name: Build an image from Dockerfile
    env:
      MY_TOKEN: ${{ secrets.MY_TOKEN }}
    run: |
      docker build . --tag this_repo
  - name: Run Trivy vulnerability scanner
    uses: aquasecurity/trivy-action@master
    with:
      image-ref: this_repo
      format: 'table'
      exit-code: '1'
      ignore-unfixed: true
      severity: 'CRITICAL,HIGH'
The ignore-unfixed: true will be ignored!
Tried the exact same thing with version 0.0.8 and it works (--ignore-unfixed is in the logs with that version).
The skip-dirs option no longer works with a comma-separated list.
Trivy is reporting vulnerabilities in the skipped directories.
I think it could be due to aquasecurity/trivy#916.
I have an issue where a manual scan locally shows CVEs, but if I tell it to output as SARIF I get no results:
trivy fs --security-checks vuln,config --f template --template "@contrib/sarif.tpl" -o report.sarif --severity CRITICAL,HIGH,MEDIUM,LOW ~/path/to/repo
returns
{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Trivy",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "fullName": "Trivy Vulnerability Scanner",
          "version": "0.15.0",
          "rules": []
        }
      },
      "results": [],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///"
        }
      }
    }
  ]
}
Whereas trivy fs --security-checks vuln,config --severity CRITICAL,HIGH ~/path/to/repo will give a detailed analysis.
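Three of the reports above come down to inspecting the SARIF file Trivy's template wrote before it reaches GitHub: the upload rejected with "instance.runs[0].tool.driver.rules contains duplicate item", the table showing 30 CVEs while the SARIF carried 2, and the SARIF with an empty results array. The script below is an added example, not code from trivy-action or from the sarif.tpl template; it assumes the SARIF 2.1.0 layout that template produces (runs[].tool.driver.rules[].id, runs[].results[] with ruleId, ruleIndex and level) and embeds a constructed SARIF document containing the duplicate-rule condition. It prints the counts a reviewer would compare against the table output and writes a copy with each rule ID listed once and every result's ruleIndex remapped, so the upload step can be retried without touching the template.

```python
"""Sanity-check (and de-duplicate rules in) a Trivy SARIF file (added example)."""
import copy
import json
import sys
from collections import Counter

# Constructed SARIF: the same vulnerability ID appears twice in driver.rules,
# which is the "rules contains duplicate item" condition GitHub's upload rejects.
SAMPLE_SARIF = json.dumps({
    "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "Trivy",
            "rules": [
                {"id": "CVE-2020-0001", "shortDescription": {"text": "libfoo: example"}},
                {"id": "CVE-2020-0002", "shortDescription": {"text": "libbar: example"}},
                {"id": "CVE-2020-0001", "shortDescription": {"text": "libfoo: example"}},
            ],
        }},
        "results": [
            {"ruleId": "CVE-2020-0001", "ruleIndex": 0, "level": "error",
             "message": {"text": "libfoo 1.0 -> 1.1"}},
            {"ruleId": "CVE-2020-0002", "ruleIndex": 1, "level": "warning",
             "message": {"text": "libbar 2.0 -> 2.1"}},
            {"ruleId": "CVE-2020-0001", "ruleIndex": 2, "level": "error",
             "message": {"text": "libfoo-dev 1.0 -> 1.1"}},
        ],
    }],
})


def load_sarif(text):
    return json.loads(text)


def duplicate_rule_ids(run):
    """Rule IDs that appear more than once in tool.driver.rules, in first-seen order."""
    counts = Counter(r.get("id") for r in run["tool"]["driver"].get("rules", []))
    return [rid for rid, n in counts.items() if n > 1]


def summarize(run):
    """Counts to compare against Trivy's table output: rules, results, results per level/rule."""
    results = run.get("results", [])
    return {
        "rules": len(run["tool"]["driver"].get("rules", [])),
        "results": len(results),
        "by_level": Counter(r.get("level", "none") for r in results),
        "by_rule": Counter(r.get("ruleId") for r in results),
    }


def dedupe_rules(run):
    """Copy of the run with each rule ID listed once and every result's ruleIndex remapped."""
    fixed = copy.deepcopy(run)
    unique, index_of = [], {}
    for rule in fixed["tool"]["driver"].get("rules", []):
        if rule.get("id") not in index_of:
            index_of[rule.get("id")] = len(unique)
            unique.append(rule)
    fixed["tool"]["driver"]["rules"] = unique
    for result in fixed.get("results", []):
        if result.get("ruleId") in index_of:
            result["ruleIndex"] = index_of[result["ruleId"]]
    return fixed


def check_and_fix(text):
    """Return (fixed_sarif_text, report_lines) for the whole document."""
    doc = load_sarif(text)
    report = []
    for i, run in enumerate(doc.get("runs", [])):
        dups = duplicate_rule_ids(run)
        s = summarize(run)
        report.append("run %d: %d rules, %d results, levels=%s, duplicate rules=%s"
                      % (i, s["rules"], s["results"], dict(s["by_level"]), dups))
        doc["runs"][i] = dedupe_rules(run)
    return json.dumps(doc, indent=2), report


if __name__ == "__main__":
    # usage: sarif_check.py [trivy-results.sarif] [fixed-output.sarif]
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    fixed_text, lines = check_and_fix(src)
    print("\n".join(lines))
    if len(sys.argv) > 2:
        open(sys.argv[2], "w").write(fixed_text)
```

A "0 results" line from summarize is the quickest way to confirm the template produced nothing, before debugging the upload; a results count well below the table's total points at the severity filter or the template rather than at GitHub.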
Hi there!
I am new to Trivy and have a basic question.
Is it necessary to build the Docker image if we're just doing a filesystem scan?
Thanks!
Hi team
From a security perspective, does scanning an image expose sensitive values used through environment variables in the image?