Closed
Labels: bug, documentation
Description
I want to use a trivy.config file but it is not used. The default values from the action are currently used. I guess the best solution is to add a check if the configuration is given and then directly call trivy and ignore all other args. Or we must check if the arg is contained in the configuration and if not we add it as arg.
Trivy config:

format: json
exit-code: 1
severity:
  - CRITICAL
vulnerability:
  ignore-unfixed: true
GitHub Action:

- name: Checkout code
  uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@0.6.0
  with:
    input: image.tar
    trivy-config: ./trivy.yaml
Logs:
Run aquasecurity/trivy-action@0.6.0
with:
image-ref: reference to image
trivy-config: ./trivy.yaml
scan-type: image
scan-ref: .
ignore-unfixed: false
vuln-type: os,library
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
format: table
list-all-pkgs: false
env:
IMAGE_NAME: name
TRIVY_USERNAME: ***
TRIVY_PASSWORD: ***
/usr/bin/docker run --name cd98fa5378eef44fc0a01cc22f225e4_423352 --label 4cd8f --workdir /github/workspace --rm -e IMAGE_NAME -e TRIVY_USERNAME -e TRIVY_PASSWORD -e INPUT_IMAGE-REF -e INPUT_TRIVY-CONFIG -e INPUT_SCAN-TYPE -e INPUT_INPUT -e INPUT_SCAN-REF -e INPUT_EXIT-CODE -e INPUT_IGNORE-UNFIXED -e INPUT_VULN-TYPE -e INPUT_SEVERITY -e INPUT_FORMAT -e INPUT_TEMPLATE -e INPUT_OUTPUT -e INPUT_SKIP-DIRS -e INPUT_SKIP-FILES -e INPUT_CACHE-DIR -e INPUT_TIMEOUT -e INPUT_IGNORE-POLICY -e INPUT_HIDE-PROGRESS -e INPUT_LIST-ALL-PKGS -e INPUT_SECURITY-CHECKS -e INPUT_TRIVYIGNORES -e INPUT_ARTIFACT-TYPE -e INPUT_GITHUB-PAT -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_RUN_ATTEMPT -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_REF_NAME -e GITHUB_REF_PROTECTED -e GITHUB_REF_TYPE -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e GITHUB_STEP_SUMMARY -e RUNNER_OS -e RUNNER_ARCH -e RUNNER_NAME -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/backend/backend":"/github/workspace" 4cd98f:a3537458eef44fc0a016cc227f2258e4 "-a image" "-b table" "-c " "-d " "-e false" "-f os,library" "-g UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" "-h " "-i ***/private/backend:dev-2f6464e8" "-j ." "-k " "-l " "-m " "-n " "-o " "-p " "-q " "-r false" "-s " "-t " "-u " "-v ./trivy.yaml"
Running Trivy with trivy.yaml config from: ./trivy.yaml
2022-07-22T07:32:30.870Z INFO Need to update DB
2022-07-22T07:32:30.870Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-07-22T07:32:30.870Z INFO Downloading DB...
33.12 MiB / 33.12 MiB [-------------------------------------------------] 100.00% 28.92 MiB p/s 1.3s
2022-07-22T07:32:32.512Z INFO Vulnerability scanning is enabled
2022-07-22T07:32:32.513Z INFO Secret scanning is enabled
2022-07-22T07:32:32.513Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-22T07:32:32.513Z INFO Please see also https://aquasecurity.github.io/trivy/0.30.2/docs/secret/scanning/#recommendation for faster secret detection
2022-07-22T07:33:13.074Z INFO Detected OS: debian
2022-07-22T07:33:13.074Z INFO Detecting Debian vulnerabilities...
2022-07-22T07:33:13.085Z INFO Number of language-specific files: 1
2022-07-22T07:33:13.085Z INFO Detecting jar vulnerabilities...
image name
=================================================================
Total: 90 (UNKNOWN: 0, LOW: 64, MEDIUM: 2, HIGH: 16, CRITICAL: 8)
vulnerabilities
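The precedence problem the report describes, and both fixes it proposes, as an added shell example. This is not the trivy-action's own entrypoint.sh (which, as the docker command in the log shows, receives the inputs as positional flags); it assumes hypothetical INPUT_* environment variables for the action inputs, uses the action defaults visible in the log, and matches a config key by its leaf name anywhere in the file (so the nested vulnerability.ignore-unfixed key is found as ignore-unfixed). The sample trivy.yaml is constructed from the one in the report.

```shell
#!/bin/sh
# Added example, not the trivy-action's entrypoint. A key already set in
# trivy.yaml is never overridden by an action default; inputs the config
# does not set are still passed on the command line. Assumed input names:
# INPUT_FORMAT, INPUT_SEVERITY, INPUT_IGNORE_UNFIXED, INPUT_VULN_TYPE,
# INPUT_EXIT_CODE, INPUT_LIST_ALL_PKGS (hypothetical), TRIVY_CONFIG_ONLY.

# Constructed sample config, copied from the report (left in $TMPDIR).
SAMPLE_CONFIG="${TMPDIR:-/tmp}/trivy-example-$$.yaml"
cat > "$SAMPLE_CONFIG" <<'EOF'
format: json
exit-code: 1
severity:
  - CRITICAL
vulnerability:
  ignore-unfixed: true
EOF

# config_has KEY FILE: succeeds when KEY appears as a mapping key in FILE,
# at any nesting level (a simplification; a real fix should parse the YAML).
config_has() {
  [ -f "$2" ] && grep -Eq "^[[:space:]]*$1:" "$2"
}

# flag_unless_configured FLAG VALUE CONFIG: prints "--FLAG VALUE " unless
# VALUE is empty or CONFIG already sets FLAG (the config file wins).
flag_unless_configured() {
  [ -n "$2" ] || return 0
  if config_has "$1" "$3"; then
    return 0
  fi
  printf -- '--%s %s ' "$1" "$2"
}

# bool_flag_unless_configured FLAG VALUE CONFIG: boolean flags such as
# --ignore-unfixed take no value, so print "--FLAG " only when VALUE=true
# and the config does not already decide it.
bool_flag_unless_configured() {
  [ "$2" = "true" ] || return 0
  if config_has "$1" "$3"; then
    return 0
  fi
  printf -- '--%s ' "$1"
}

# build_trivy_args CONFIG: prints the argument string for `trivy image`.
# TRIVY_CONFIG_ONLY=true passes only --config (the report's first
# suggestion); otherwise inputs are merged with the config (the second).
# Defaults mirror the action defaults shown in the log.
build_trivy_args() {
  cfg="$1"
  args=""
  if [ -n "$cfg" ] && [ -f "$cfg" ]; then
    args="--config $cfg "
    if [ "${TRIVY_CONFIG_ONLY:-false}" = "true" ]; then
      printf '%s' "$args"
      return 0
    fi
  fi
  args="$args$(flag_unless_configured format "${INPUT_FORMAT:-table}" "$cfg")"
  args="$args$(flag_unless_configured severity "${INPUT_SEVERITY:-UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL}" "$cfg")"
  args="$args$(bool_flag_unless_configured ignore-unfixed "${INPUT_IGNORE_UNFIXED:-false}" "$cfg")"
  args="$args$(flag_unless_configured vuln-type "${INPUT_VULN_TYPE:-os,library}" "$cfg")"
  args="$args$(flag_unless_configured exit-code "${INPUT_EXIT_CODE:-}" "$cfg")"
  args="$args$(bool_flag_unless_configured list-all-pkgs "${INPUT_LIST_ALL_PKGS:-false}" "$cfg")"
  printf '%s' "$args"
}

# Stand-alone demonstration with the sample config and no inputs set.
build_trivy_args "$SAMPLE_CONFIG"
echo
```

Run as written, the demonstration prints only `--config <path> --vuln-type os,library`: format, severity and ignore-unfixed come from the file, while vuln-type, which the file does not set, keeps the action default. Without a config path every default is passed, which is the behaviour the log above shows. The leaf-name match is deliberately crude; since Trivy's config keys are nested, a production fix should read the YAML structure rather than grep for key names.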