diff --git a/.github/actions/trivy-action-0.28.0/.github/workflows/bump-trivy.yaml b/.github/actions/trivy-action-0.28.0/.github/workflows/bump-trivy.yaml deleted file mode 100644 index 25f282aba..000000000 --- a/.github/actions/trivy-action-0.28.0/.github/workflows/bump-trivy.yaml +++ /dev/null @@ -1,40 +0,0 @@ -name: Bump trivy - -on: - workflow_dispatch: - inputs: - trivy_version: - required: true - type: string - description: the trivy version - -run-name: Bump trivy to v${{ inputs.trivy_version }} - -jobs: - bump: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: Update Trivy versions - run: | - find test/data -type f -name '*.test' | xargs sed -r -i 's/"version": "[0-9]+\.[0-9]+\.[0-9]+"/"version": "${{ inputs.trivy_version }}"/' - sed -r -i '/^\| `version`/ s/[0-9]+\.[0-9]+\.[0-9]+/${{ inputs.trivy_version }}/g' README.md - sed -r -i 's/(default:[ ]*'"'"')v[0-9]+\.[0-9]+\.[0-9]+/\1v${{ inputs.trivy_version }}/' action.yaml - - - name: Create PR - id: create-pr - uses: peter-evans/create-pull-request@v5 - with: - token: ${{ secrets.ORG_REPO_TOKEN }} - title: "chore(deps): Update trivy to v${{ inputs.trivy_version }}" - commit-message: "chore(deps): Update trivy to v${{ inputs.trivy_version }}" - committer: github-actions[bot] - author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> - branch-suffix: timestamp - branch: bump-trivy - delete-branch: true - - - name: Check outputs - run: | - echo "Pull Request Number - ${{ steps.create-pr.outputs.pull-request-number }}" - echo "Pull Request URL - ${{ steps.create-pr.outputs.pull-request-url }}" diff --git a/.github/actions/trivy-action-0.28.0/.github/workflows/sync-trivy-checks.yaml b/.github/actions/trivy-action-0.28.0/.github/workflows/sync-trivy-checks.yaml deleted file mode 100644 index 518742c0f..000000000 --- a/.github/actions/trivy-action-0.28.0/.github/workflows/sync-trivy-checks.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: Sync Trivy Checks - -on: - workflow_dispatch: -env: - IMAGE_NAME: ${{ github.repository_owner }}/trivy-checks-act - REGISTRY: ghcr.io - -jobs: - sync-trivy-checks: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Login to GitHub Packages Container registry - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Copy Trivy Checks - run: | - oras cp ghcr.io/aquasecurity/trivy-checks:1 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \ No newline at end of file diff --git a/.github/actions/trivy-action-0.28.0/.github/workflows/sync-trivy-db.yaml b/.github/actions/trivy-action-0.28.0/.github/workflows/sync-trivy-db.yaml deleted file mode 100644 index ef16e424b..000000000 --- a/.github/actions/trivy-action-0.28.0/.github/workflows/sync-trivy-db.yaml +++ /dev/null @@ -1,24 +0,0 @@ -name: Sync Trivy DB - -on: - workflow_dispatch: -env: - IMAGE_NAME: ${{ github.repository_owner }}/trivy-db-act - REGISTRY: ghcr.io - -jobs: - sync-trivy-db: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Login to GitHub Packages Container registry - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Copy Trivy DB - run: | - oras cp ghcr.io/aquasecurity/trivy-db:2 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest diff --git a/.github/actions/trivy-action-0.28.0/.github/workflows/sync-trivy-java-db.yaml b/.github/actions/trivy-action-0.28.0/.github/workflows/sync-trivy-java-db.yaml deleted file mode 100644 index 53cabdba3..000000000 --- a/.github/actions/trivy-action-0.28.0/.github/workflows/sync-trivy-java-db.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: Sync Trivy Java DB - -on: - workflow_dispatch: -env: - IMAGE_NAME: ${{ github.repository_owner }}/trivy-java-db-act - REGISTRY: ghcr.io - -jobs: - sync-trivy-db: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Login to GitHub Packages Container registry - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Copy Trivy Java DB - run: | - oras cp ghcr.io/aquasecurity/trivy-java-db:1 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest diff --git a/.github/actions/trivy-action-0.28.0/.github/workflows/test.yaml b/.github/actions/trivy-action-0.28.0/.github/workflows/test.yaml deleted file mode 100644 index 04755f478..000000000 --- a/.github/actions/trivy-action-0.28.0/.github/workflows/test.yaml +++ /dev/null @@ -1,31 +0,0 @@ -name: Test - -on: - push: - pull_request: - workflow_dispatch: - -env: - TRIVY_VERSION: 0.56.1 - BATS_LIB_PATH: '/usr/lib/' - -jobs: - test: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Setup Bats and bats libs - uses: bats-core/bats-action@2.0.0 - - - name: Install Trivy - run: | - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }} - trivy --version - - - name: Test - run: bats --recursive --timing --verbose-run . - env: - TRIVY_CACHE_DIR: .cache - TRIVY_DISABLE_VEX_NOTICE: true - TRIVY_DEBUG: true \ No newline at end of file diff --git a/.github/actions/trivy-action-0.28.0/.gitignore b/.github/actions/trivy-action-0.28.0/.gitignore deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/actions/trivy-action-0.28.0/LICENSE b/.github/actions/trivy-action-0.28.0/LICENSE deleted file mode 100644 index f49a4e16e..000000000 --- a/.github/actions/trivy-action-0.28.0/LICENSE +++ /dev/null 
@@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. \ No newline at end of file diff --git a/.github/actions/trivy-action-0.28.0/Makefile b/.github/actions/trivy-action-0.28.0/Makefile deleted file mode 100644 index 27b68685b..000000000 --- a/.github/actions/trivy-action-0.28.0/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -OS := $(shell uname) -ifeq ($(OS), Darwin) -BATS_LIB_PATH=/opt/homebrew/lib -endif -ifeq ($(OS), Linux) -BATS_LIB_PATH=/usr/local/lib/ -endif - - -.PHONY: test -test: - mkdir -p .cache - BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\ - TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\ - bats --recursive --timing --verbose-run . \ No newline at end of file 
diff --git a/.github/actions/trivy-action-0.28.0/README.md b/.github/actions/trivy-action-0.28.0/README.md deleted file mode 100644 index 6e4b55145..000000000 --- a/.github/actions/trivy-action-0.28.0/README.md +++ /dev/null 
@@ -1,698 +0,0 @@ -# Trivy Action - -> [GitHub Action](https://github.com/features/actions) for [Trivy](https://github.com/aquasecurity/trivy) - -[![GitHub Release][release-img]][release] -[![GitHub Marketplace][marketplace-img]][marketplace] -[![License][license-img]][license] - -![](docs/images/trivy-action.png) - -## Table of Contents - -* [Usage](#usage) - * [Scan CI Pipeline](#scan-ci-pipeline) - * [Scan CI Pipeline (w/ Trivy Config)](#scan-ci-pipeline-w-trivy-config) - * [Cache](#cache) - * [Scanning a Tarball](#scanning-a-tarball) - * [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning) - * [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo) - * [Using Trivy to scan your rootfs directories](#using-trivy-to-scan-your-rootfs-directories) - * [Using Trivy to scan Infrastructure as Code](#using-trivy-to-scan-infrastructure-as-code) - * [Using Trivy to generate SBOM](#using-trivy-to-generate-sbom) - * [Using Trivy to scan your private registry](#using-trivy-to-scan-your-private-registry) - * [Using Trivy if you don't have code scanning enabled](#using-trivy-if-you-dont-have-code-scanning-enabled) -* [Customizing](#customizing) - * [inputs](#inputs) - * [Environment variables](#environment-variables) - * [Trivy config file](#trivy-config-file) - -## Usage - -### Scan CI Pipeline - -```yaml -name: build -on: - push: - branches: - - main - pull_request: -jobs: - build: - name: Build - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v3 - - name: Build an image from Dockerfile - run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} . 
- - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.20.0 - with: - image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' -``` - -### Scan CI Pipeline (w/ Trivy Config) - -```yaml -name: build -on: - push: - branches: - - main - pull_request: -jobs: - build: - name: Build - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner in fs mode - uses: aquasecurity/trivy-action@0.20.0 - with: - scan-type: 'fs' - scan-ref: '.' - trivy-config: trivy.yaml -``` - -In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows: -```yaml -format: json -exit-code: 1 -severity: CRITICAL -secret: - config: config/trivy/secret.yaml -``` - -It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file: -- `scan-ref`: If using `fs, repo` scans. -- `image-ref`: If using `image` scan. -- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc. - -#### Order of preference for options -Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows: -- GitHub Action flag -- Environment variable -- Config file -- Default - -### Cache -The action has a built-in functionality for caching and restoring [the vulnerability DB](https://github.com/aquasecurity/trivy-db), [the Java DB](https://github.com/aquasecurity/trivy-java-db) and [the checks bundle](https://github.com/aquasecurity/trivy-checks) if they are downloaded during the scan. -The cache is stored in the `$GITHUB_WORKSPACE/.cache/trivy` directory by default. 
-The cache is restored before the scan starts and saved after the scan finishes. - -It uses [actions/cache](https://github.com/actions/cache) under the hood but requires less configuration settings. -The cache input is optional, and caching is turned on by default. - -#### Disabling caching -If you want to disable caching, set the `cache` input to `false`, but we recommend keeping it enabled to avoid rate limiting issues. - -```yaml - - name: Run Trivy scanner without cache - uses: aquasecurity/trivy-action@0.20.0 - with: - scan-type: 'fs' - scan-ref: '.' - cache: 'false' -``` - -#### Updating caches in the default branch -Please note that there are [restrictions on cache access](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache) between branches in GitHub Actions. -By default, a workflow can access and restore a cache created in either the current branch or the default branch (usually `main` or `master`). -If you need to share caches across branches, you may need to create a cache in the default branch and restore it in the current branch. - -To optimize your workflow, you can set up a cron job to regularly update the cache in the default branch. -This allows subsequent scans to use the cached DB without downloading it again. - -```yaml -# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans. -# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true. 
-name: Update Trivy Cache - -on: - schedule: - - cron: '0 0 * * *' # Run daily at midnight UTC - workflow_dispatch: # Allow manual triggering - -jobs: - update-trivy-db: - runs-on: ubuntu-latest - steps: - - name: Get current date - id: date - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - - name: Download and extract the vulnerability DB - run: | - mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db - oras pull ghcr.io/aquasecurity/trivy-db:2 - tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db - rm db.tar.gz - - - name: Download and extract the Java DB - run: | - mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db - oras pull ghcr.io/aquasecurity/trivy-java-db:1 - tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db - rm javadb.tar.gz - - - name: Cache DBs - uses: actions/cache/save@v4 - with: - path: ${{ github.workspace }}/.cache/trivy - key: cache-trivy-${{ steps.date.outputs.date }} -``` - -When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `TRIVY_SKIP_JAVA_DB_UPDATE` to skip the download process. 
- -```yaml - - name: Run Trivy scanner without downloading DBs - uses: aquasecurity/trivy-action@0.20.0 - with: - scan-type: 'image' - scan-ref: 'myimage' - env: - TRIVY_SKIP_DB_UPDATE: true - TRIVY_SKIP_JAVA_DB_UPDATE: true -``` - -### Scanning a Tarball -```yaml -name: build -on: - push: - branches: - - main - pull_request: -jobs: - build: - name: Build - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Generate tarball from image - run: | - docker pull - docker save -o vuln-image.tar - - - name: Run Trivy vulnerability scanner in tarball mode - uses: aquasecurity/trivy-action@0.20.0 - with: - input: /github/workspace/vuln-image.tar - severity: 'CRITICAL,HIGH' -``` - -### Using Trivy with GitHub Code Scanning -If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: -```yaml -name: build -on: - push: - branches: - - main - pull_request: -jobs: - build: - name: Build - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Build an image from Dockerfile - run: | - docker build -t docker.io/my-organization/my-app:${{ github.sha }} . 
- - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.20.0 - with: - image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' - format: 'sarif' - output: 'trivy-results.sarif' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' -``` - -You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml - -If you would like to upload SARIF results to GitHub Code scanning even upon a non zero exit code from Trivy Scan, you can add the following to your upload step: -```yaml -name: build -on: - push: - branches: - - main - pull_request: -jobs: - build: - name: Build - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Build an image from Dockerfile - run: | - docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.20.0 - with: - image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' - format: 'sarif' - output: 'trivy-results.sarif' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: 'trivy-results.sarif' -``` - -See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always - -### Using Trivy to scan your Git repo -It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR. 
- -If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: -```yaml -name: build -on: - push: - branches: - - main - pull_request: -jobs: - build: - name: Build - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@0.20.0 - with: - scan-type: 'fs' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' -``` - -### Using Trivy to scan your rootfs directories -It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR. 
- -If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: -```yaml -name: build -on: - push: - branches: - - main - pull_request: -jobs: - build: - name: Build - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner with rootfs command - uses: aquasecurity/trivy-action@0.20.0 - with: - scan-type: 'rootfs' - scan-ref: 'rootfs-example-binary' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' -``` - -### Using Trivy to scan Infrastructure as Code -It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR. 
- -If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: -```yaml -name: build -on: - push: - branches: - - main - pull_request: -jobs: - build: - name: Build - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner in IaC mode - uses: aquasecurity/trivy-action@0.20.0 - with: - scan-type: 'config' - hide-progress: true - format: 'sarif' - output: 'trivy-results.sarif' - exit-code: '1' - ignore-unfixed: true - severity: 'CRITICAL,HIGH' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' -``` - -### Using Trivy to generate SBOM -It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). - -The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository). 
- -In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`): - -```yaml ---- -name: Pull Request -on: - push: - branches: - - main - -## GITHUB_TOKEN authentication, add only if you're not going to use a PAT -permissions: - contents: write - -jobs: - build: - name: Checks - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph - uses: aquasecurity/trivy-action@0.20.0 - with: - scan-type: 'fs' - format: 'github' - output: 'dependency-results.sbom.json' - image-ref: '.' - github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT -``` - -When scanning images you may want to parse the actual output JSON as Github Dependency doesn't show all details like the file path of each dependency for instance. 
- -You can upload the report as an artifact and download it, for instance using the [upload-artifact action](https://github.com/actions/upload-artifact): - -```yaml ---- -name: Pull Request -on: - push: - branches: - - main - -## GITHUB_TOKEN authentication, add only if you're not going to use a PAT -permissions: - contents: write - -jobs: - build: - name: Checks - runs-on: ubuntu-20.04 - steps: - - name: Scan image in a private registry - uses: aquasecurity/trivy-action@0.20.0 - with: - image-ref: "private_image_registry/image_name:image_tag" - scan-type: image - format: 'github' - output: 'dependency-results.sbom.json' - github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT - severity: "MEDIUM,HIGH,CRITICAL" - scanners: "vuln" - env: - TRIVY_USERNAME: "image_registry_admin_username" - TRIVY_PASSWORD: "image_registry_admin_password" - - - name: Upload trivy report as a Github artifact - uses: actions/upload-artifact@v4 - with: - name: trivy-sbom-report - path: '${{ github.workspace }}/dependency-results.sbom.json' - retention-days: 20 # 90 is the default -``` - -### Using Trivy to scan your private registry -It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars. - -#### Docker Hub registry -Docker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`. -You don't need to set ENV vars when downloading from a public repository. 
-```yaml -name: build -on: - push: - branches: - - main - pull_request: -jobs: - build: - name: Build - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.20.0 - with: - image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' - format: 'sarif' - output: 'trivy-results.sarif' - env: - TRIVY_USERNAME: Username - TRIVY_PASSWORD: Password - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' -``` - -#### AWS ECR (Elastic Container Registry) -Trivy uses AWS SDK. You don't need to install `aws` CLI tool. -You can use [AWS CLI's ENV Vars][env-var]. - -[env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html -```yaml -name: build -on: - push: - branches: - - main - pull_request: -jobs: - build: - name: Build - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.20.0 - with: - image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}' - format: 'sarif' - output: 'trivy-results.sarif' - env: - AWS_ACCESS_KEY_ID: key_id - AWS_SECRET_ACCESS_KEY: access_key - AWS_DEFAULT_REGION: us-west-2 - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' -``` - -#### GCR (Google Container Registry) -Trivy uses Google Cloud SDK. You don't need to install `gcloud` command. - -If you want to use target project's repository, you can set it via `GOOGLE_APPLICATION_CREDENTIAL`. 
-```yaml -name: build -on: - push: - branches: - - main - pull_request: -jobs: - build: - name: Build - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.20.0 - with: - image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' - format: 'sarif' - output: 'trivy-results.sarif' - env: - GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' -``` - -#### Self-Hosted -BasicAuth server needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`. -if you want to use 80 port, use NonSSL `TRIVY_NON_SSL=true` -```yaml -name: build -on: - push: - branches: - - main - pull_request: -jobs: - build: - name: Build - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.20.0 - with: - image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' - format: 'sarif' - output: 'trivy-results.sarif' - env: - TRIVY_USERNAME: Username - TRIVY_PASSWORD: Password - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' -``` - -### Using Trivy if you don't have code scanning enabled - -It's also possible to browse a scan result in a workflow summary. - -This step is especially useful for private repositories without [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) license. - -```yaml -- name: Run Trivy scanner - uses: aquasecurity/trivy-action@0.20.0 - with: - scan-type: config - hide-progress: true - output: trivy.txt - -- name: Publish Trivy Output to Summary - run: | - if [[ -s trivy.txt ]]; then - { - echo "### Security Output" - echo "
Click to expand" - echo "" - echo '```terraform' - cat trivy.txt - echo '```' - echo "
" - } >> $GITHUB_STEP_SUMMARY - fi -``` - -## Customizing - -Configuration priority: -- [Inputs](#inputs) -- [Environment variables](#environment-variables) -- [Trivy config file](#trivy-config-file) -- Default values - - -### inputs - -Following inputs can be used as `step.with` keys: - -| Name | Type | Default | Description | -|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` | -| `input` | String | | Tar reference, e.g. `alpine-latest.tar` | -| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` | -| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` | -| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) | -| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) | -| `tf-vars` | String | | path to Terraform variables file | -| `output` | String | | Save results to a file | -| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found | -| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities | -| `vuln-type` | String | `os,library` | Vulnerability types (os,library) | -| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed | -| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped | -| `skip-files` | String | | Comma separated list of files where traversal is skipped | -| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory. NOTE: This value cannot be configured by `trivy.yaml`. 
| -| `timeout` | String | `5m0s` | Scan timeout duration | -| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language | -| `hide-progress` | String | `false` | Suppress progress bar and log output | -| `list-all-pkgs` | String | | Output all packages regardless of vulnerability | -| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) | -| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files | -| `trivy-config` | String | | Path to trivy.yaml config | -| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | -| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** | -| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values | -| `version` | String | `v0.56.1` | Trivy version to use, e.g. `latest` or `v0.56.1` | - -### Environment variables -You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`). - -### Trivy config file -When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`). 
- -[release]: https://github.com/aquasecurity/trivy-action/releases/latest -[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github -[marketplace]: https://github.com/marketplace/actions/aqua-security-trivy -[marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github -[license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE -[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action -[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables -[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ diff --git a/.github/actions/trivy-action-0.28.0/action.yaml b/.github/actions/trivy-action-0.28.0/action.yaml deleted file mode 100644 index 21ab169c3..000000000 --- a/.github/actions/trivy-action-0.28.0/action.yaml +++ /dev/null 
@@ -1,189 +0,0 @@ -name: 'Aqua Security Trivy' -description: 'Scans container images for vulnerabilities with Trivy' -author: 'Aqua Security' - -inputs: - scan-type: - description: 'Scan type to use for scanning vulnerability' - required: false - default: 'image' - image-ref: - description: 'image reference(for backward compatibility)' - required: false - input: - description: 'reference of tar file to scan' - required: false - default: '' - scan-ref: - description: 'Scan reference' - required: false - default: '.' - exit-code: - description: 'exit code when vulnerabilities were found' - required: false - ignore-unfixed: - description: 'ignore unfixed vulnerabilities' - required: false - default: 'false' - vuln-type: # TODO: rename to pkg-types - description: 'comma-separated list of vulnerability types (os,library)' - required: false - default: 'os,library' - severity: - description: 'severities of vulnerabilities to be displayed' - required: false - default: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' - format: - description: 'output format (table, json, template)' - required: false - default: 'table' - template: - description: 'use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl)' - required: false - default: '' - output: - description: 'writes results to a file with the specified file name' - required: false - default: '' - skip-dirs: - description: 'comma separated list of directories where traversal is skipped' - required: false - default: '' - skip-files: - description: 'comma separated list of files to be skipped' - required: false - default: '' - cache-dir: - description: 'specify where the cache is stored' - required: false - default: '${{ github.workspace }}/.cache/trivy' - timeout: - description: 'timeout (default 5m0s)' - required: false - default: '' - ignore-policy: - description: 'filter vulnerabilities with OPA rego language' - required: false - default: '' - hide-progress: - description: 'suppress 
progress bar and log output' - required: false - list-all-pkgs: - description: 'output all packages regardless of vulnerability' - required: false - default: 'false' - scanners: - description: 'comma-separated list of what security issues to detect' - required: false - default: '' - trivyignores: - description: 'comma-separated list of relative paths in repository to one or more .trivyignore files' - required: false - default: '' - github-pat: - description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API' - required: false - trivy-config: - description: 'path to trivy.yaml config' - required: false - tf-vars: - description: "path to terraform tfvars file" - required: false - limit-severities-for-sarif: - description: 'limit severities for SARIF format' - required: false - docker-host: - description: 'unix domain socket path to use for docker scanning, ex. unix:///var/run/docker.sock' - required: false - version: - description: 'Trivy version to use' - required: false - default: 'v0.56.1' - cache: - description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.' 
- required: false - default: 'true' - -runs: - using: 'composite' - steps: - - name: Install Trivy - uses: aquasecurity/setup-trivy@v0.2.1 - with: - version: ${{ inputs.version }} - cache: ${{ inputs.cache }} - - - name: Get current date - id: date - shell: bash - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - - name: Restore DB from cache - if: ${{ inputs.cache == 'true' }} - uses: actions/cache@v4 - with: - path: ${{ inputs.cache-dir }} - key: cache-trivy-${{ steps.date.outputs.date }} - restore-keys: cache-trivy- - - - name: Set GitHub Path - run: echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH - shell: bash - env: - GITHUB_ACTION_PATH: ${{ github.action_path }} - - - name: Set Trivy environment variables - shell: bash - run: | - # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions. - # This limitation affects how we handle default values and empty inputs. - # For more information, see: https://github.com/actions/runner/issues/924 - - # Function to set environment variable only if the input is provided and different from default - set_env_var_if_provided() { - local var_name="$1" - local input_value="$2" - local default_value="$3" - - if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then - echo "$var_name=$input_value" >> $GITHUB_ENV - fi - } - - # Set environment variables, handling those with default values - # cf. 
https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables - set_env_var_if_provided "TRIVY_INPUT" "${{ inputs.input }}" "" - set_env_var_if_provided "TRIVY_EXIT_CODE" "${{ inputs.exit-code }}" "" - set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "${{ inputs.ignore-unfixed }}" "false" - set_env_var_if_provided "TRIVY_PKG_TYPES" "${{ inputs.vuln-type }}" "os,library" - set_env_var_if_provided "TRIVY_SEVERITY" "${{ inputs.severity }}" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - set_env_var_if_provided "TRIVY_FORMAT" "${{ inputs.format }}" "table" - set_env_var_if_provided "TRIVY_TEMPLATE" "${{ inputs.template }}" "" - set_env_var_if_provided "TRIVY_OUTPUT" "${{ inputs.output }}" "" - set_env_var_if_provided "TRIVY_SKIP_DIRS" "${{ inputs.skip-dirs }}" "" - set_env_var_if_provided "TRIVY_SKIP_FILES" "${{ inputs.skip-files }}" "" - set_env_var_if_provided "TRIVY_TIMEOUT" "${{ inputs.timeout }}" "" - set_env_var_if_provided "TRIVY_IGNORE_POLICY" "${{ inputs.ignore-policy }}" "" - set_env_var_if_provided "TRIVY_QUIET" "${{ inputs.hide-progress }}" "" - set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "${{ inputs.list-all-pkgs }}" "false" - set_env_var_if_provided "TRIVY_SCANNERS" "${{ inputs.scanners }}" "" - set_env_var_if_provided "TRIVY_CONFIG" "${{ inputs.trivy-config }}" "" - set_env_var_if_provided "TRIVY_TF_VARS" "${{ inputs.tf-vars }}" "" - set_env_var_if_provided "TRIVY_DOCKER_HOST" "${{ inputs.docker-host }}" "" - - - name: Run Trivy - shell: bash - run: entrypoint.sh - env: - # For shell script - # > If the action is written using a composite, then it will not automatically get INPUT_ - # cf. 
https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs - INPUT_SCAN_TYPE: ${{ inputs.scan-type }} - INPUT_IMAGE_REF: ${{ inputs.image-ref }} - INPUT_SCAN_REF: ${{ inputs.scan-ref }} - INPUT_TRIVYIGNORES: ${{ inputs.trivyignores }} - INPUT_GITHUB_PAT: ${{ inputs.github-pat }} - INPUT_LIMIT_SEVERITIES_FOR_SARIF: ${{ inputs.limit-severities-for-sarif }} - - # For Trivy - TRIVY_CACHE_DIR: ${{ inputs.cache-dir }} # Always set \ No newline at end of file diff --git a/.github/actions/trivy-action-0.28.0/docs/images/trivy-action.png b/.github/actions/trivy-action-0.28.0/docs/images/trivy-action.png deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/actions/trivy-action-0.28.0/entrypoint.sh b/.github/actions/trivy-action-0.28.0/entrypoint.sh deleted file mode 100755 index 1a8d4e376..000000000 --- a/.github/actions/trivy-action-0.28.0/entrypoint.sh +++ /dev/null 
@@ -1,63 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 2020, 2024, Oracle and/or its affiliates. -# Licensed under the Universal Permissive License v 1.0 as shown at -# http://oss.oracle.com/licenses/upl. -# - -set -euo pipefail - -# Set artifact reference -scanType="${INPUT_SCAN_TYPE:-image}" -scanRef="${INPUT_SCAN_REF:-.}" -if [ -n "${INPUT_IMAGE_REF:-}" ]; then - scanRef="${INPUT_IMAGE_REF}" # backwards compatibility -fi - -# Handle trivy ignores -if [ -n "${INPUT_TRIVYIGNORES:-}" ]; then - ignorefile="./trivyignores" - - # Clear the ignore file if it exists, or create a new empty file - : > "$ignorefile" - - for f in ${INPUT_TRIVYIGNORES//,/ }; do - if [ -f "$f" ]; then - echo "Found ignorefile '${f}':" - cat "${f}" - cat "${f}" >> "$ignorefile" - else - echo "ERROR: cannot find ignorefile '${f}'." >&2 - exit 1 - fi - done - export TRIVY_IGNOREFILE="$ignorefile" -fi - -# Handle SARIF -if [ "${TRIVY_FORMAT:-}" = "sarif" ]; then - if [ "${INPUT_LIMIT_SEVERITIES_FOR_SARIF:-false,,}" != "true" ]; then - echo "Building SARIF report with all severities" - unset TRIVY_SEVERITY - else - echo "Building SARIF report" - fi -fi - -# Run Trivy -cmd=(trivy "$scanType" "$scanRef") -echo "Running Trivy with options: ${cmd[*]}" -"${cmd[@]}" -returnCode=$? - -if [ "${TRIVY_FORMAT:-}" = "github" ]; then - if [ -n "${INPUT_GITHUB_PAT:-}" ]; then - printf "\n Uploading GitHub Dependency Snapshot" - curl -H 'Accept: application/vnd.github+json' -H "Authorization: token ${INPUT_GITHUB_PAT}" \ - "https://api.github.com/repos/$GITHUB_REPOSITORY/dependency-graph/snapshots" -d @"${TRIVY_OUTPUT:-}" - else - printf "\n Failing GitHub Dependency Snapshot. Missing github-pat" >&2 - fi -fi - -exit $returnCode \ No newline at end of file diff --git a/.github/actions/trivy-action-0.28.0/test/data/config-sarif-report/main.tf b/.github/actions/trivy-action-0.28.0/test/data/config-sarif-report/main.tf deleted file mode 100644 index e69de29bb..000000000 
diff --git a/.github/actions/trivy-action-0.28.0/test/data/config-sarif-report/report.sarif b/.github/actions/trivy-action-0.28.0/test/data/config-sarif-report/report.sarif deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/actions/trivy-action-0.28.0/test/data/config-scan/main.tf b/.github/actions/trivy-action-0.28.0/test/data/config-scan/main.tf deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/actions/trivy-action-0.28.0/test/data/config-scan/report.json b/.github/actions/trivy-action-0.28.0/test/data/config-scan/report.json deleted file mode 100644 index 9cea638d5..000000000 --- a/.github/actions/trivy-action-0.28.0/test/data/config-scan/report.json +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - "SchemaVersion": 2, - "ArtifactName": "test/data/config-scan", - "ArtifactType": "filesystem", - "Metadata": { - "ImageConfig": { - "architecture": "", - "created": "0001-01-01T00:00:00Z", - "os": "", - "rootfs": { - "type": "", - "diff_ids": null - }, - "config": {} - } - }, - "Results": [ - { - "Target": ".", - "Class": "config", - "Type": "terraform", - "MisconfSummary": { - "Successes": 2, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "main.tf", - "Class": "config", - "Type": "terraform", - "MisconfSummary": { - "Successes": 0, - "Failures": 1, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Terraform Security Check", - "ID": "AVD-AWS-0089", - "AVDID": "AVD-AWS-0089", - "Title": "S3 Bucket Logging", - "Description": "Ensures S3 bucket logging is enabled for S3 buckets", - "Message": "Bucket has logging disabled", - "Namespace": "builtin.aws.s3.aws0089", - "Query": "data.builtin.aws.s3.aws0089.deny", - "Resolution": "Add a logging block to the resource to enable access logging", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089", - "References": [ - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html", - "https://avd.aquasec.com/misconfig/avd-aws-0089" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Resource": "aws_s3_bucket.bucket", - "Provider": "AWS", - "Service": "s3", - "StartLine": 8, - "EndLine": 10, - "Code": { - "Lines": [ - { - "Number": 8, - "Content": "resource \"aws_s3_bucket\" \"bucket\" {", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 9, - "Content": " bucket = \"trivy-action-bucket\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = 
\u001b[38;5;37m\"trivy-action-bucket\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 10, - "Content": "}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m}", - "FirstCause": false, - "LastCause": true - } - ] - } - } - } - ] - } - ] -} diff --git a/.github/actions/trivy-action-0.28.0/test/data/fs-scan/report b/.github/actions/trivy-action-0.28.0/test/data/fs-scan/report deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/actions/trivy-action-0.28.0/test/data/github-dep-snapshot/report.gsbom b/.github/actions/trivy-action-0.28.0/test/data/github-dep-snapshot/report.gsbom deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/actions/trivy-action-0.28.0/test/data/image-scan/report b/.github/actions/trivy-action-0.28.0/test/data/image-scan/report deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/actions/trivy-action-0.28.0/test/data/rootfs-scan/report b/.github/actions/trivy-action-0.28.0/test/data/rootfs-scan/report deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/actions/trivy-action-0.28.0/test/data/secret-scan/report.json b/.github/actions/trivy-action-0.28.0/test/data/secret-scan/report.json deleted file mode 100644 index b7bc4dcad..000000000 --- a/.github/actions/trivy-action-0.28.0/test/data/secret-scan/report.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "SchemaVersion": 2, - "ArtifactName": "https://github.com/krol3/demo-trivy/", - "ArtifactType": "repository", - "Metadata": { - "ImageConfig": { - "architecture": "", - "created": "0001-01-01T00:00:00Z", - "os": "", - "rootfs": { - "type": "", - "diff_ids": null - }, - "config": {} - } - }, - "Results": [ - { - "Target": "env", - "Class": "secret", - "Secrets": [ - { - "RuleID": "github-pat", - "Category": "GitHub", - "Severity": "CRITICAL", - "Title": "GitHub Personal Access Token", - "StartLine": 5, - "EndLine": 5, - "Code": { - "Lines": [ - { - "Number": 3, - "Content": "export AWS_ACCESS_KEY_ID=1234567", - "IsCause": false, - "Annotation": "", - "Truncated": false, - "Highlighted": "export AWS_ACCESS_KEY_ID=1234567", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 4, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 5, - "Content": "export GITHUB_PAT=****************************************", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "export GITHUB_PAT=****************************************", - "FirstCause": true, - "LastCause": true - }, - { - "Number": 6, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - } - ] - }, - "Match": "export GITHUB_PAT=****************************************", - "Layer": {} - } - ] - } - ] -} diff --git a/.github/actions/trivy-action-0.28.0/test/data/with-ignore-files/.trivyignore1 b/.github/actions/trivy-action-0.28.0/test/data/with-ignore-files/.trivyignore1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/actions/trivy-action-0.28.0/test/data/with-ignore-files/.trivyignore2 b/.github/actions/trivy-action-0.28.0/test/data/with-ignore-files/.trivyignore2 deleted file mode 100644 index e69de29bb..000000000 
diff --git a/.github/actions/trivy-action-0.28.0/test/data/with-ignore-files/report b/.github/actions/trivy-action-0.28.0/test/data/with-ignore-files/report deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/actions/trivy-action-0.28.0/test/data/with-tf-vars/dev.tfvars b/.github/actions/trivy-action-0.28.0/test/data/with-tf-vars/dev.tfvars deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/actions/trivy-action-0.28.0/test/data/with-tf-vars/main.tf b/.github/actions/trivy-action-0.28.0/test/data/with-tf-vars/main.tf deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/actions/trivy-action-0.28.0/test/data/with-tf-vars/report.json b/.github/actions/trivy-action-0.28.0/test/data/with-tf-vars/report.json deleted file mode 100644 index 981200eb4..000000000 --- a/.github/actions/trivy-action-0.28.0/test/data/with-tf-vars/report.json +++ /dev/null @@ -1,34 +0,0 @@ -{ - "SchemaVersion": 2, - "ArtifactName": "test/data/with-tf-vars/main.tf", - "ArtifactType": "filesystem", - "Metadata": { - "ImageConfig": { - "architecture": "", - "created": "0001-01-01T00:00:00Z", - "os": "", - "rootfs": { - "type": "", - "diff_ids": null - }, - "config": {} - } - }, - "Results": [ - { - "Target": ".", - "Class": "config", - "Type": "terraform", - "MisconfSummary": { - "Successes": 2, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "main.tf", - "Class": "config", - "Type": "terraform" - } - ] -} diff --git a/.github/actions/trivy-action-0.28.0/test/data/with-trivy-yaml-cfg/report.json b/.github/actions/trivy-action-0.28.0/test/data/with-trivy-yaml-cfg/report.json deleted file mode 100644 index fb205384b..000000000 --- a/.github/actions/trivy-action-0.28.0/test/data/with-trivy-yaml-cfg/report.json +++ /dev/null 
@@ -1,122 +0,0 @@ -{ - "SchemaVersion": 2, - "ArtifactName": "alpine:3.10", - "ArtifactType": "container_image", - "Metadata": { - "OS": { - "Family": "alpine", - "Name": "3.10.9", - "EOSL": true - }, - "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a", - "DiffIDs": [ - "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635" - ], - "RepoTags": [ - "alpine:3.10" - ], - "RepoDigests": [ - "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98" - ], - "ImageConfig": { - "architecture": "amd64", - "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4", - "created": "2021-04-14T19:20:05.338397761Z", - "docker_version": "19.03.12", - "history": [ - { - "created": "2021-04-14T19:20:04.987219124Z", - "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / " - }, - { - "created": "2021-04-14T19:20:05.338397761Z", - "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]", - "empty_layer": true - } - ], - "os": "linux", - "rootfs": { - "type": "layers", - "diff_ids": [ - "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635" - ] - }, - "config": { - "Cmd": [ - "/bin/sh" - ], - "Env": [ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - ], - "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8" - } - } - }, - "Results": [ - { - "Target": "alpine:3.10 (alpine 3.10.9)", - "Class": "os-pkgs", - "Type": "alpine", - "Vulnerabilities": [ - { - "VulnerabilityID": "CVE-2021-36159", - "PkgID": "apk-tools@2.10.6-r0", - "PkgName": "apk-tools", - "PkgIdentifier": { - "PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9", - "UID": "99f6581ffed6b22" - }, - "InstalledVersion": "2.10.6-r0", - "FixedVersion": "2.10.7-r0", - "Status": "fixed", - "Layer": { - "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5", - "DiffID": 
"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635" - }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159", - "DataSource": { - "ID": "alpine", - "Name": "Alpine Secdb", - "URL": "https://secdb.alpinelinux.org/" - }, - "Title": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash", - "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", - "Severity": "CRITICAL", - "CweIDs": [ - "CWE-125" - ], - "VendorSeverity": { - "nvd": 4, - "redhat": 3 - }, - "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", - "V2Score": 6.4, - "V3Score": 9.1 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", - "V3Score": 9.1 - } - }, - "References": [ - "https://access.redhat.com/security/cve/CVE-2021-36159", - "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch", - "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749", - "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E", - 
"https://nvd.nist.gov/vuln/detail/CVE-2021-36159", - "https://www.cve.org/CVERecord?id=CVE-2021-36159" - ], - "PublishedDate": "2021-08-03T14:15:08.233Z", - "LastModifiedDate": "2023-11-07T03:36:43.337Z" - } - ] - } - ] -} diff --git a/.github/actions/trivy-action-0.28.0/test/data/with-trivy-yaml-cfg/trivy.yaml b/.github/actions/trivy-action-0.28.0/test/data/with-trivy-yaml-cfg/trivy.yaml deleted file mode 100644 index 33fdd4e6f..000000000 --- a/.github/actions/trivy-action-0.28.0/test/data/with-trivy-yaml-cfg/trivy.yaml +++ /dev/null @@ -1,5 +0,0 @@ -format: json -severity: CRITICAL -vulnerability: - type: os -output: yamlconfig.json \ No newline at end of file diff --git a/.github/actions/trivy-action-0.28.0/test/test.bats b/.github/actions/trivy-action-0.28.0/test/test.bats deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/actions/trivy-action-0.28.0/workflow.yml b/.github/actions/trivy-action-0.28.0/workflow.yml deleted file mode 100644 index ceae9d1db..000000000 --- a/.github/actions/trivy-action-0.28.0/workflow.yml +++ /dev/null @@ -1,34 +0,0 @@ -name: build -on: - push: - branches: - - master - pull_request: -jobs: - build: - name: Build - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Build an image from Dockerfile - run: | - docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' \ No newline at end of file 
diff --git a/.github/workflows/trivy-db-download.yaml b/.github/workflows/trivy-db-download.yaml deleted file mode 100644 index e2744f1da..000000000 --- a/.github/workflows/trivy-db-download.yaml +++ /dev/null @@ -1,48 +0,0 @@ -# Copyright 2024, Oracle Corporation and/or its affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at -# http://oss.oracle.com/licenses/upl. - -# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans. -# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true. -name: Update Trivy Cache - -on: - schedule: - - cron: '0 0 * * *' # Run daily at midnight UTC - workflow_dispatch: # Allow manual triggering - -jobs: - update-trivy-db: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Setup oras - uses: ./.github/actions/setup-oras-1.2.1 - - - name: Get current date - id: date - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - - name: Download and extract the vulnerability DB - run: | - mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db - oras pull ghcr.io/aquasecurity/trivy-db:2 - tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db - rm db.tar.gz - - - name: Download and extract the Java DB - run: | - mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db - oras pull ghcr.io/aquasecurity/trivy-java-db:1 - tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db - rm javadb.tar.gz - - - name: Cache DBs - uses: actions/cache/save@v4 - with: - path: ${{ github.workspace }}/.cache/trivy - key: cache-trivy-${{ steps.date.outputs.date }} diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 313bc1cae..fbf7b035e 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml 
@@ -56,25 +56,36 @@ jobs: key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} restore-keys: ${{ runner.os }}-m2 + - name: Setup oras + uses: ./.github/actions/setup-oras-1.2.1 + + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Download and extract the vulnerability DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db + oras pull ghcr.io/aquasecurity/trivy-db:2 + tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db + rm db.tar.gz + + - name: Download and extract the Java DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db + oras pull ghcr.io/aquasecurity/trivy-java-db:1 + tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db + rm javadb.tar.gz + - name: Edit DNS Resolve shell: bash run: | sudo chown -R runner:runner /run/systemd/resolve/stub-resolv.conf sudo echo nameserver 8.8.8.8 > /run/systemd/resolve/stub-resolv.conf - - name: Build Image + - name: Image Scan shell: bash run: | - export VERSION=${{ github.sha }} - make build-operator-images - - - name: Run Trivy scanner without downloading DBs - uses: ./.github/actions/trivy-action-0.28.0 - with: - image-ref: 'ghcr.io/oracle/coherence-operator:${{ github.sha }}' - format: 'table' - exit-code: '1' - ignore-unfixed: true - env: - TRIVY_SKIP_DB_UPDATE: true - TRIVY_SKIP_JAVA_DB_UPDATE: true + echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin + export TRIVY_CACHE=$GITHUB_WORKSPACE/.cache/trivy + make trivy-scan diff --git a/Makefile b/Makefile index 4cbb3ae30..fb605231f 100644 --- a/Makefile +++ b/Makefile 
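Review bot: The new Image Scan step logs in with `docker login ghcr.io -u $ --password-stdin`, which hands the registry the literal username `$` (a lone `$` is not a shell expansion); even if ghcr.io tolerates it, `${{ github.actor }}` was presumably intended. The token is also interpolated straight into the script via `echo "${{ secrets.GITHUB_TOKEN }}"`; supplying it through the step's `env:` (for example `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and running `echo "$GH_TOKEN" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin` keeps the secret out of the generated script. The step drops the `export VERSION=${{ github.sha }}` that the removed Build Image step set, so `make trivy-scan` now builds and scans whatever `OPERATOR_IMAGE` defaults to rather than the sha-tagged image that was scanned before — worth confirming that is intended. The two DB download steps pull the mutable `trivy-db:2` and `trivy-java-db:1` tags without recording what was resolved, so echoing the pulled digest from `oras pull` would make a given scan result traceable to the DB it used. The enclosing job definition starts above this hunk.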
@@ -1974,16 +1974,26 @@ tanzu-install: ## Install the Coherence Operator package into Tanzu
 # ======================================================================================================================
 ##@ Miscellaneous
-TRIVY_IMAGE=ghcr.io/aquasecurity/trivy:0.54.1
+TRIVY_CACHE ?=
+
 .PHONY: trivy-scan
-trivy-scan: $(BUILD_TARGETS)/build-operator ## Scan the Operator image using Trivy
- docker pull $(TRIVY_IMAGE)
+trivy-scan: build-operator-images $(TOOLS_BIN)/trivy ## Scan the Operator image using Trivy
 ifeq (Darwin, $(UNAME_S))
- docker run --rm -v $HOME/Library/Caches:/root/.cache/ -v /var/run/docker.sock:/var/run/docker.sock $(TRIVY_IMAGE) image $(OPERATOR_IMAGE)
+ $(TOOLS_BIN)/trivy --exit-code 1 --severity CRITICAL,HIGH --cache-dir $(HOME)/Library/Caches/trivy image $(OPERATOR_IMAGE)
+else
+ifdef TRIVY_CACHE
+ $(TOOLS_BIN)/trivy --exit-code 1 --severity CRITICAL,HIGH --cache-dir $(TRIVY_CACHE) image $(OPERATOR_IMAGE)
 else
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock $(TRIVY_IMAGE) image $(OPERATOR_IMAGE)
+ $(TOOLS_BIN)/trivy --exit-code 1 --severity CRITICAL,HIGH image $(OPERATOR_IMAGE)
+endif
 endif
+.PHONY: get-trivy
+get-trivy: $(TOOLS_BIN)/trivy
+
+$(TOOLS_BIN)/trivy:
+ test -s $(TOOLS_BIN)/trivy || curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b $(TOOLS_BIN) v0.56.2
+
 # ----------------------------------------------------------------------------------------------------------------------
 # find or download controller-gen
 # ----------------------------------------------------------------------------------------------------------------------
diff --git a/go.mod b/go.mod
index a4bb23182..ec1b84054 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module github.com/oracle/coherence-operator
 go 1.22.0
-toolchain go1.22.2
+toolchain go1.22.7
 require (
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
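Review bot: The `$(TOOLS_BIN)/trivy` rule pins the binary to `v0.56.2` but fetches the installer itself from the mutable `main` branch and pipes it straight into `sh`, so the script that runs on every fresh checkout is whatever that branch contains at that moment rather than something tied to the pinned release. Declaring `TRIVY_VERSION ?= v0.56.2` next to `TRIVY_CACHE` and fetching `https://raw.githubusercontent.com/aquasecurity/trivy/$(TRIVY_VERSION)/contrib/install.sh | sh -s -- -b $(TOOLS_BIN) $(TRIVY_VERSION)` removes the unpinned step and makes the version a single knob. Because the rule is a plain file target guarded by `test -s`, an already-installed binary is never replaced when that version is bumped; recording the version in the target name or a stamp file, or removing it in `clean`, would make a bump take effect. Replacing the old `$HOME/Library/Caches` mount (which Make expanded as `$(H)OME`) with `$(HOME)/Library/Caches/trivy` is a correct fix.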
