aquasecurity / trivy-action Goto Github PK

Hi There!

We've recently moved to using Github for our CI steps. Our security auditor has access to the security panels for the org and repositories. He's raised the point that the severity flag is being overridden. In the case of a code error that is found the severity is listed as Error. Once you drill into the record you see the severity level.

Is this by design or have we missed something?

Cheers
bruno

I'm working with Openshift Container and I want to know how to use Aqua trivy to scan image in our container registry

It would be great to get additional information out of this action via outputs.

The thing I would be particularly interested in is the total number of vulnerabilities.

This would make it easier to create badges. Currently I can't use the trivy action because of that. For reference, I am currently getting this number like this: https://github.com/breucode/imisu/blob/6a8565a1b9d55023fa789ebdc3659c4cb0e7ca1c/.github/workflows/container-security-scan.yaml#L12 (Lines 12 to 27)

Today Trivy does not offer the ability to display vulnerabilities while still returning a pass for the pipeline run

Example:
Project has 4 vulns: 2 high, 2 low, 0 critical
$ trivy fs --exit-code=1 --severity=CRITICAL .

What I got:
Trivy shows no vulnerabilities. Exit code 0.

What I want:
Show all vulnerabilities regardless of the level, still have an exit code of 0 as none of the vulns are over the threshold of Critical.

Use case:
Trivy GitHub Action uses Trivy under the hood. In the above case, Trivy GitHub Action will not report any vulnerabilities in the project and subsequently also not report any to the GitHub Alerts tab (expected).

If we had the above feature, we could not fail the build but still add/update the vulnerabilities found in the project.

Workaround to fix this issue:
Run Trivy twice, one with no severity flag and one with. Store all vulns by running without severity flag. Then run again with the severity flag to pass/fail the build. Send saved vulns to GitHub Security Tab.

The latest Trivy release v0.19.1 includes the ability to scan configs which include IAC/YAML files, but this action does not appear to have the latest image to support using scan-type: 'config'. I'd like to propose updating the Trivy version used by this action to v0.19.1.

Hi there, with the recent release of the actions version 0.0.19 we are seeing our actions failing for
scan error: image scan failed: failed analysis: analyze error: failed to analyze layer: sha256:87ceb75dec9b514f26b1b9227e29d4f72790c37a5c1c3281efe349dda702e544 : config scan error: scan terraform error: terraform scan error: stat /github/workspace/evo-hub-infra/main/variables.tf: no such file or directory
This was working correctly before the version bump.

I believe this issue is relates to aquasecurity/trivy#1120 which is fixed in this PR aquasecurity/trivy#1133.
This was fixed in trivy version 0.19.2
According to https://github.com/aquasecurity/trivy-action/blob/master/Dockerfile we are based off of the 0.19.1 version.
Hopefully bumping the base docker image that is being used should cause this error to be fixed.

For reference we trigger the check in our github actions via:

- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: ${{ env.IMAGE_REF }}
    format: "table"
    exit-code: "1"
    ignore-unfixed: true
    skip-dirs: /bin/terraform,/usr/local/lib/python3.9/site-packages

changing the 'uses: aquasecurity/trivy-action@master' back to 'uses: aquasecurity/[email protected]' causes the issue to no longer be present.

Also able to reproduce this locally, where running with trivy version 0.19.1 causes the same error to be logged, 0.19.2 does not cause this issue to occur.

Hi Team,

I want an argument to enable--list-all-pkgs option in trivy-action. Cloud you consider to add the option? or let me send PR.

What I want

I would like to write config like below:

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "fs"
          format: "json"
          list-all-pkgs: true
          output: "trivy-results.json"

What I got

No such option in https://github.com/aquasecurity/trivy-action/blob/master/action.yaml

Use case

Make a decision of CI success/failure with not only vulnerability information but also package and version information. CI result can be controlled by trivy's package list and policy decision tool (e.g. OPA)

• Found malicious code is injected to OSS package, however the vulnerability is not assigned ID or not registered in Trivy DB yet for the moment
• Stop using OSS packages that own team evaluated as low quality

Seeing a lot of CI jobs failing inconsistently recently with the following:

Running trivy with options:  --format  table --exit-code  1 --ignore-unfixed --vuln-type  os,library --severity  HIGH,CRITICAL --no-progress  eu.gcr.io/someimage:sometag
Global options:  
2021-10-19T08:29:40.947Z	INFO	Need to update DB
2021-10-19T08:29:40.947Z	INFO	Downloading DB...
2021-10-19T08:34:40.941Z	FATAL	scan error: image scan failed: failed analysis: analyze error: timeout: context deadline exceeded

 with:
    image-ref: eu.gcr.io/someimage:sometag
    vuln-type: os,library
    ignore-unfixed: true
    exit-code: 1
    severity: HIGH,CRITICAL
    scan-type: image
    scan-ref: .
    format: table
    hide-progress: true

Note that its 5 minutes between Downloading DB... and the eventual failure - so I don't think the timeout (2 mins according to your docs) is really applying here.

Hi Team,

I get the below error while using Github trivy action:

client: no podman socket found: stat podman/podman.sock: no such file or directory

Below is the code:

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'github-k8s-runner'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'

Please advise

Hi @danielpacak,

I tried to use the latest tag, but it failed and i noticed that latest tag includes v as part of the tag. Shall I update the README.md or a new tag shall be craeted?

When using a jobs that uses a container which runs after the trivy github action you likely get a permission denied when you try to write to .config. It seems like whenever you run the trivy action the folder ends up root owned:

hey @simar7 ,

it looks like there are no major versions published and the recommended practice is to include this action from the master branch. That's a bit too yolo for me 😄

Are there any plans on publishing a version that can be referenced without going all the way to the patch-level? Ideally, I can reference a version that gives me all fixes and features, but no breaking changes.

If that's something you'd like help with, please let me know and I'll be happy to help.

Hi, I'm having difficulties getting to the json output file. This is my workflow:

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Run vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: 'docker.io/library/ubuntu:18.04'
          format: 'json'
          output: 'trivy-report.json'
          exit-code: '0'
      - name: test
        run: find .
      - name: test2
        run: find /
      - uses: actions/upload-artifact@v2
        if: ${{ always() }}
        with:
          name: trivy-report
          path: trivy-report.json # or path/to/artifact

but the json file is not present

What am I doing wrong here?

I would like to use the --ignore-policy flag to filter vulnerabilities with OPA rego language
https://aquasecurity.github.io/trivy/v0.18.1/examples/filter/#by-open-policy-agent

I have a PR for this as well - #48

With latest release 0.20.1, we still have a timeout option description https://github.com/aquasecurity/trivy-action/blob/master/action.yaml#L56-L59, with wrong description vs default value.

AFAIK it's possible to request setting a custom icon for the action (see actions by Amazon and Google), which is displayed in the Marketplace:

Our action has the default play icon, which is not very appealing:

Does .trivyignore work with trivy-action out of the box? Can we put .trivyignore file at the root of project and Action will ignore vulnerabilities that are in the file?

Motivation
Today Trivy supports both filesystem and repo scanning. We can take this paradigm and extend it even further by allow Trivy Github Action (this repo) to be used as a build time hook for Github repos.

Use Case
Adding a check to each PR (with Trivy Action configured as a Github Action) as it's opened, to check for vulnerabilities introduced by new changes.

Acceptance Criteria

1. User adds Trivy Github Action as a build step to run on each PR
2. Trivy Github Action scans and finds vulnerabilities, if any and reports.
3. Optionally, the check can be marked as a fail for PRs that introduce vulnerable dependencies into the repo.
4. Both the existing image based scans and the newfs based scans should be configurable by the user.

More information
GitHub Actions support conditional run and evaluation of expressions as mentioned here https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#about-contexts-and-expressions

With the current iteration of Trivy Github Action, the logic will be added as additional options to this configuration https://github.com/aquasecurity/trivy-action/blob/master/action.yaml#L32-L43

Here we could conditionally evaluate what options are passed in by the user and configure the Trivy Github Action to run appropriately.

The bulk of the logic here lies in figuring out how to accept the appropriate options/configs from the user and pass to Trivy. For the new mode it's as simple as running command trivy fs . within the checked out PR/branch itself.

cc @jerbia

Hi guys,

Hope you are all well !

I tried trivy action and I have the following error:

Uploading sarif files: ["trivy-results.sarif"]
Error details: instance.runs[0].tool.driver.rules contains duplicate item

Is there a parameter to set in trivy to avoid duplicates ?

Here is my workflow file:
https://github.com/lucmichalski/prestashop-docker/blob/trivy/.github/workflows/security.yml

Cheers,
Luc Michalski

I've been trying to use the cache-dir input introduced in commit b38389f and consistently get the following error when that input is set:

Running trivy with options:  --no-progress  --format  table --exit-code  1 --ignore-unfixed --vuln-type  os,library --severity  CRITICAL,HIGH --cache-dir  /tmp/trivy  ghcr.io/xxx/xxx:xxx
Incorrect Usage: flag provided but not defined: -cache-dir

NAME:
   trivy image - scan an image

USAGE:
   trivy image [command options] image_name

OPTIONS:
... omitted for brevity

This seems to affect all recent versions of this action from v0.0.14 to and including v0.0.17.

I've had a quick look and this error seems to make sense: as per Trivy usage --cache-dir is a global option which must be passed before the command. However the present implementation of this action passes it as a command option instead:

https://github.com/aquasecurity/trivy-action/blob/master/entrypoint.sh#L89-L97

Hi,

Hope someone can help:
We're attempting to run the trivy scanner on one of our terraform folders and are seeing a segmentation fault:

https://github.com/ministryofjustice/opg-lpa/runs/3382241340?check_suite_focus=true#step:4:20

Note it works on one of our other terraform folders.
not sure if this is something we should be seeing or is a known issue. can someone advise?

Hi there!
Is this trivy scanner can work with a public repository? My repository is a private.
Here is trivy.yml file:

name: "Code Scanning"

on:
  push:
  pull_request:
  schedule:
    - cron: '*/30 * * * *'
  watch:
    types: [started]

jobs:
  Trivy-Scan:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v2

#      - name: Build an image from Dockerfile
#        run: |
#          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
#
#      - name: Run Trivy vulnerability scanner in docker mode
#        uses: aquasecurity/trivy-action@master
#        with:
#          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
#          format: 'template'
#          template: '@/contrib/sarif.tpl'
#          output: 'trivy-results-docker.sarif'
#          severity: 'CRITICAL'
#
#      - name: Upload Trivy scan results to GitHub Security tab
#        uses: github/codeql-action/upload-sarif@v1
#        with:
#          sarif_file: 'trivy-results-docker.sarif'

      - name: Run Trivy vulnerability scanner in fs mode
        uses: anandg112/trivy-action@feat/add-skip-dirs-option
        with:
          scan-type: 'fs'
          scan-ref: '.'
          ignore-unfixed: true
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results-fs.sarif'
          severity: 'CRITICAL'
          skip-dirs: "ignored-dir"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results-fs.sarif'

      - name: DEBUG Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'debug-trivy-results.sarif'

And this is error log from actions:

RequestError [HttpError]: repository not enabled for code scanning
    at /home/runner/work/_actions/github/codeql-action/v1/node_modules/@octokit/request/dist-node/index.js:66:23
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v1/node_modules/bottleneck/light.js:405:18) {
  name: 'HttpError',
  status: 403,
  headers: {
    'access-control-allow-origin': '*',
    'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset',
    connection: 'close',
    'content-encoding': 'gzip',
    'content-security-policy': "default-src 'none'",
    'content-type': 'application/json; charset=utf-8',
    date: 'Wed, 27 Oct 2021 05:18:33 GMT',
    'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
    server: 'GitHub.com',
    'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
    'transfer-encoding': 'chunked',
    vary: 'Accept-Encoding, Accept, X-Requested-With',
    'x-content-type-options': 'nosniff',
    'x-frame-options': 'deny',
    'x-github-media-type': 'github.v3; format=json',
    'x-github-request-id': '04C3:20BA:38F87B:8D23EC:6178E129',
    'x-ratelimit-limit': '1000',
    'x-ratelimit-remaining': '996',
    'x-ratelimit-reset': '1635315047',
    'x-ratelimit-resource': 'core',
    'x-ratelimit-used': '4',
    'x-xss-protection': '0'
  },
  request: {
    method: 'PUT',
    url: 'https://api.github.com/repos/denisgolius/winar/code-scanning/analysis/status',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'CodeQL-Action/1.0.20 octokit-core.js/3.1.2 Node.js/12.13.1 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"workflow_run_id":1388719546,"workflow_name":"Code Scanning","job_name":"Trivy-Scan","analysis_key":".github/workflows/trivy.yml:Trivy-Scan","commit_oid":"cf463d7d3c6b4356e9ab19688f33e610e35c0561","ref":"refs/heads/main","action_name":"upload-sarif","action_ref":"v1","action_oid":"unknown","started_at":"2021-10-27T05:18:33.544Z","action_started_at":"2021-10-27T05:18:33.544Z","status":"starting","matrix_vars":"null"}',
    request: { agent: [Agent], hook: [Function: bound bound register] }
  },
  documentation_url: 'https://docs.github.com/rest'
}
Error: repository not enabled for code scanning

What I am doing wrong? Maybe there is a working example for copy/paste and it will work?

Documentation (or the lack of) suggests that the action doesn't support pulling of remote image to scan, particularly private registries.

There are no inputs for credentials but perhaps a docker login step would work? 🤷🏻

Either way we would like this supported in the action, just like the standard binary supports, because we often would like to run this as a seperate job from the build job and/or scan multiple images/tags

Using the template sarif, I can't see the information about the misconfiguration details.

Github workflow: https://github.com/krol3/demo-trivy/blob/main/.github/workflows/trivy-missconfiguration.yaml

See the output of this workflow: https://github.com/krol3/demo-trivy/pull/2/checks?check_run_id=3705915823

In the trivy scanning, I see a total of 30 CVE, and in the sarif report only 2. Can you help me to understand the result in sarif template?

I'm using the gh action to scan my container, and I have the severity field set to critical, but the scan seems to be returning ALL vulnerabilities. My code looks like:

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
      with:
        image-ref: ${{ env.REGISTRYNAME }}.azurecr.io/${{ env.IMAGENAME }}:${{ github.sha }}
        format: 'template'
        template: '@/contrib/sarif.tpl'
        output: 'trivy-results.sarif'
        ignore-unfixed: true
        vuln-type: 'os,library'
        severity: 'CRITICAL'

    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: 'trivy-results.sarif'

Hey,
Thank you for this nice action!
Would it be possible to support scanning image tarballs as generated by e.g. jib (Like it can already be done by trivy by using the --input flag)
Best regards
Anton

Trivy scan action fails intermittently on multiple repositories at the step of Downloading DB, a sample log is attached hereweith:

Running trivy with options:  --format  table --exit-code  1 --vuln-type  os,library --severity  UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --skip-dirs build --timeout  10m0s --no-progress /github/workspace/ballerina
Global options:  
2021-10-29T01:04:20.497Z	INFO	Need to update DB
2021-10-29T01:04:20.497Z	INFO	Downloading DB...
2021-10-29T01:06:20.714Z	FATAL	DB error: failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: GET https://api.github.com/repos/aquasecurity/trivy-db/releases: 504  []

Here is the sample workflow file:

name: Trivy

on:
  workflow_dispatch:
  schedule:
    - cron:  '0 0 * * *'

jobs:
  ubuntu-build:
    name: Build on Ubuntu
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK 11
        uses: actions/setup-java@v2
        with:
          distribution: 'adopt'
          java-version: 11
      - name: Build with Gradle
        run: ./gradlew build -x check -x test
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '/github/workspace/ballerina'
          skip-dirs: 'build'
          format: 'table'
          timeout: '10m0s'
          exit-code: '1'

The latest Trivy might break compatibility. The version should be fixed.
https://github.com/aquasecurity/trivy-action/blob/master/Dockerfile#L1

Hello! 👋

We are using your wonderful action to scan for CVEs in our Docker images — thank you for hard work and contribution to open-source!

Sadly we noticed that there seems to be a regression in 0.0.9 with respect to ignore-unfixed.

In 0.0.8 setting ignore-unfixed: true correctly ignores CVEs that have no published fix version yet.
In 0.0.9 setting ignore-unfixed: true has no effect and we can see CVEs being failed on that have no published fix version.

For example:

========================================================================================
Total: 44 (HIGH: 40, CRITICAL: 4)

+----------------------+------------------+----------+---------------------------+---------------+--------------------------------------------------------------+
|       LIBRARY        | VULNERABILITY ID | SEVERITY |     INSTALLED VERSION     | FIXED VERSION |                            TITLE                             |
+----------------------+------------------+----------+---------------------------+---------------+--------------------------------------------------------------+
| curl                 | CVE-2020-8169    | HIGH     | 7.64.0-4+deb10u1          |               | libcurl: partial password                                    |
|                      |                  |          |                           |               | leak over DNS on HTTP redirect                               |
|                      |                  |          |                           |               | -->avd.aquasec.com/nvd/cve-2020-8169                         |
+                      +------------------+          +                           +---------------+--------------------------------------------------------------+

This is a scan result from 0.0.9 with ignore-unfixed: true on and we can clearly see a CVE for curl that does not yet have a fix version published.

Here is the action step config we were using:

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "<docker image repo/tag here>"
          format: "table"
          exit-code: "1"
          ignore-unfixed: true
          severity: "CRITICAL,HIGH"

Changing from master to 0.0.8 after 0.0.9 was published fixed the issue:

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: "<docker image repo/tag here>"
          format: "table"
          exit-code: "1"
          ignore-unfixed: true
          severity: "CRITICAL,HIGH"

Hi,

Thanks for this nice GitHub Action. It helps me a lot.

I have a GitHub Action using this, where I'm iterating over all images that I'm using in my setup.
This means some are public, some are private on ghcr.io.

When using the Environment variables as suggested https://github.com/aquasecurity/trivy-action/blob/master/README.md#docker-hub-registry the private ones works, but the public doesn't and wise versa.

Is that a way to only have the ENV used when needed?

I have also tried running the action https://github.com/docker/login-action before, but trivy, isn't respecting the login from there.

Any pointers would be appreciated.

Hi

Im trying to run trivy, generate a sarif report, upload the artifact, and then, depending on the vulnerabilities, break the workflow or allow it to continue.

Im setting something like this:

  - name: Run Trivy vulnerability scanner
    uses: aquasecurity/trivy-action@master
    with:
      image-ref: 'javidr/vulnerbank:latest'
      format: 'template'
      template: '@/contrib/sarif.tpl'
      output: 'trivy-results.sarif'
      exit-code: '1'
      severity: 'LOW'
  - name: Upload artifact
    uses: actions/upload-artifact@v2
    with:
      name: trivy report
      path: 'trivy-results.sarif'

If i set exit-code, then, the upload artifact step is not executed. Is there any way to do it? Maybe upload artifact can be embedded as an option in the action?

Thanks

Would it be possible to add support for --ignore-unfixed flag in the action?

I tried many things but I haven't figured it out the proper syntax yet to open a Pull Request.

So far I've tried:

• - '${{ inputs.ignore-unfixed == true && echo --ignore-unfixed }}'
• - '${{ inputs.ignore-unfixed }} == true && echo "--ignore-unfixed"'
• - '${{ inputs.ignore-unfixed }} == "true" && echo "--ignore-unfixed"' &
• - '${{ inputs.ignore-unfixed == "true" && echo "--ignore-unfixed" }}'

Not sure how these ${{ }} are expanded. Any help is appreciated.

Trivy has the --cache-dir flag to point to the location where DB and image layers are cached. If we combine that with the https://github.com/actions/cache we can speed up some build jobs.

Trivy now uses a different format of passing in skip-dirs, we need to update the trivy action to support this change: aquasecurity/trivy#966

Relevant line is here:

While the already implemented in the GitHub-action skip-dirs does the job it feels not natural to use for files.

Since Trivy already support --skip-files, it would be nice to support it also on the GitHub action.

I could implement the feature if you feel valuable.

We started seeing this issue because our github actions have started failing as --skip-dirs are being scanned and thats failing those actions.

v0.20.0 is out for 8 days now. Any plans for the update? 🙂

Thanks in advance!

In my build workflow, i first build the image, push to private registry and then run trivy action. This takes time since trivy has to fetch the image from the private registry. Is there a way this could work with local image? This will save time for larger images.

Hi,

When I do trivy rootfs -h, it says the usage will be trivy rootfs [command options] dir. In my local, I can give the dir. e.g.

trivy rootfs <GOLANG_BINARY_PATH>

But when I am using it as github action, I am not sure how to provide this <GOLANG_BINARY_PATH>. This is my sample github action.

-       name: Run Trivy vulnerability scanner i repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'rootfs'
          ignore-unfixed: true
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'

Can you please help me to figure out where I should give the path. Prior to v0.0.20, I was using input flag, but that has been removed now.

For example, this part of code for github action send scan result to GH security tab your repo.

- name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'payment-service-trivy-results.sarif'

How can I send Trivy scan results to another (something other than github security) cloud-native / open-source security product/panel?

The image-ref description has the following:

To me, this implies that use of image-ref is discouraged and preserved only for compatibility. Is that correct? If so, what should users prefer instead?

I tried using scan-ref, but this results in images not being scanned at all, and no error message being emitted either (the checks pass and the logs only show Trivy's help output).

Getting false positives on dockerized rails apps due to aquasecurity/trivy#282

The solution is to use --skip-dirs

Would you be open to a PR?

For the benefit of GHA builders copy-pasting from README please update trivy version tag to 0.0.6.

After this #73 all the vulnerabilities show up in the Code scanning alerts.

I see from the PR that this is a feature, but now all the images are flagged as vulnerable even though there isn't a fix available (OS packages).

Should this feature take into consideration the ignore-unfixed flag?
Or how is this supposed to work? Because at the moment we have 400+ alerts that we can't fix in any way since those packages are in the base image and don't have a fix.

Thanks!

I'd like to ignore some of the vulnerabilities same way as specifying .trivyignore does.
Could this be somehow passed to action?

Regards

Using version 0.0.9 seems to be buggy

    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Build an image from Dockerfile
        env:
          MY_TOKEN: ${{ secrets.MY_TOKEN }}
        run: |
          docker build . --tag this_repo
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: this_repo
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'

The ignore-unfixed: true will be ignored !

Tried the exact same with version 0.0.8 and it works (--ignore-unfixed is in the logs with that version)

The skip-dirs option no longer works with a comma-separated list

Trivy is reporting vulnerabilities in the skipped directories

I think it could be due to aquasecurity/trivy#916

I have an issue where a manual scan locally will shows CVE's, but if I tell it to output as sarif i get no results;
trivy fs --security-checks vuln,config --f template --template "@contrib/sarif.tpl" -o report.sarif --severity CRITICAL,HIGH,MEDIUM,LOW ~/path/to/repo

returns

{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Trivy",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "fullName": "Trivy Vulnerability Scanner",
          "version": "0.15.0",
          "rules": []
        }
      },
      "results": [],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///"
        }
      }
    }
  ]
}

Whereas trivy fs --security-checks vuln,config --severity CRITICAL,HIGH ~/path/to/repo will give a detailed analysis

Hi there!

I am new to Trivy and have a basic question.

Is it necessary to build the Docker image if we're just doing a filesystem scan?

Thanks!

Hi team

From security perspective , does scanning image exposes sensitive values used through environment variables in image