gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-10 14:50:50 -08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: gitea-mirror:release/v0.54
Branches Tags
gitea-mirror:main gitea-mirror:release-please--branches--main gitea-mirror:gh-pages gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:release-please--branches--release/v0.68 gitea-mirror:release/v0.68 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:dependabot/go_modules/github.com/quic-go/quic-go-0.54.1 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1
..
compare: gitea-mirror:v0.0.1
Branches Tags
gitea-mirror:release-please--branches--main gitea-mirror:main gitea-mirror:gh-pages gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:release-please--branches--release/v0.68 gitea-mirror:release/v0.68 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:dependabot/go_modules/github.com/quic-go/quic-go-0.54.1 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1

1 Commits
release/v0 ... v0.0.1

Author SHA1 Message Date
knqyf263
3b8aedad58 Update README 2019-05-07 15:48:22 +09:00
3155 changed files with 3902 additions and 534405 deletions
Expand all files Collapse all files

42
.circleci/config.yml Normal file
View File

@@ -0,0 +1,42 @@
defaults: &defaults
docker :
- image: knqyf263/ci-trivy:latest
environment:
CGO_ENABLED: "1"
jobs:
release:
<<: *defaults
steps:
- checkout
- run:
name: Release
command: goreleaser --rm-dist
- run:
name: Clone trivy repository
command: git clone git@github.com:knqyf263/trivy-repo.git
- run:
name: Setup git settings
command: |
git config --global user.email "knqyf263@gmail.com"
git config --global user.name "Teppei Fukuda"
- run:
name: Create rpm repository
command: ci/deploy-rpm.sh
- run:
name: Import GPG key
command: echo -e "$GPG_KEY" | gpg --import
- run:
name: Create deb repository
command: ci/deploy-deb.sh
workflows:
version: 2
release:
jobs:
- release:
filters:
branches:
ignore: /.*/
tags:
only: /.*/

5
.clang-format
View File

@@ -1,5 +0,0 @@
---
Language: Proto
BasedOnStyle: Google
AlignConsecutiveAssignments: true
AlignConsecutiveDeclarations: true

6
.dockerignore
View File

@@ -1,6 +0,0 @@
.git
.github
.cache
.circleci
integration
imgs

1
.gitattributes vendored
View File

@@ -1 +0,0 @@
* text=auto eol=lf

22
.github/CODEOWNERS vendored
View File

@@ -1,22 +0,0 @@
# Global
* @knqyf263
# SBOM/Vulnerability scanning
pkg/dependency/ @knqyf263 @DmitriyLewen
pkg/fanal/ @knqyf263 @DmitriyLewen
pkg/sbom/ @knqyf263 @DmitriyLewen
pkg/scanner/ @knqyf263 @DmitriyLewen
# Misconfiguration scanning
docs/docs/scanner/misconfiguration/ @simar7 @nikpivkin
docs/docs/target/aws.md @simar7 @nikpivkin
pkg/fanal/analyzer/config/ @simar7 @nikpivkin
pkg/cloud/ @simar7 @nikpivkin
pkg/iac/ @simar7 @nikpivkin
# Helm chart
helm/trivy/ @chen-keinan
# Kubernetes scanning
pkg/k8s/ @chen-keinan
docs/docs/target/kubernetes.md @chen-keinan

47
.github/DISCUSSION_TEMPLATE/adopters.yml vendored
View File

@@ -1,47 +0,0 @@
title: "<company name>"
labels: ["adopters"]
body:
- type: textarea
id: info
attributes:
label: "[Optional] How do you use Trivy?"
validations:
required: false
- type: textarea
id: info
attributes:
label: "[Optional] Can you provide us with a quote on your favourite part of Trivy? This may be used on the trivy.dev website, posted on Twitter (@AquaTrivy) or similar marketing material."
validations:
required: false
- type: checkboxes
attributes:
label: "[Optional] Which targets are you scanning with Trivy?"
options:
- label: "Container Image"
- label: "Filesystem"
- label: "Git Repository"
- label: "Virtual Machine Image"
- label: "Kubernetes"
- label: "AWS"
- label: "SBOM"
validations:
required: false
- type: checkboxes
attributes:
label: "[Optional] What kind of issues are scanning with Trivy?"
options:
- label: "Software Bill of Materials (SBOM)"
- label: "Known vulnerabilities (CVEs)"
- label: "IaC issues and misconfigurations"
- label: "Sensitive information and secrets"
- label: "Software licenses"
- type: markdown
attributes:
value: |
## Get in touch
We are always looking for
* User feedback
* Collaboration with other companies and organisations
* Or just to have a chat with you about trivy.
If any of this interests you or your marketing team, please reach out at: oss@aquasec.com
We would love to hear from you!

124
.github/DISCUSSION_TEMPLATE/bugs.yml vendored
View File

@@ -1,124 +0,0 @@
labels: ["kind/bug"]
body:
- type: markdown
attributes:
value: |
#### Note
Feel free to raise a bug report if something doesn't work as expected.
Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
If you see any false positives or false negatives, please file a ticket [here](https://github.com/aquasecurity/trivy/discussions/new?category=false-detection).
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Description
description: Briefly describe the problem you are having in a few paragraphs.
validations:
required: true
- type: textarea
attributes:
label: Desired Behavior
description: What did you expect to happen?
validations:
required: true
- type: textarea
attributes:
label: Actual Behavior
description: What happened instead?
validations:
required: true
- type: textarea
attributes:
label: Reproduction Steps
description: How do you trigger this bug? Please walk us through it step by step.
value: |
1.
2.
3.
...
render: bash
validations:
required: true
- type: dropdown
attributes:
label: Target
description: Which target are you scanning? It is equal to which subcommand you are using.
options:
- Container Image
- Filesystem
- Git Repository
- Virtual Machine Image
- Kubernetes
- AWS
- SBOM
validations:
required: false
- type: dropdown
attributes:
label: Scanner
description: Which scanner are you using?
options:
- Vulnerability
- Misconfiguration
- Secret
- License
validations:
required: false
- type: dropdown
attributes:
label: Output Format
description: Which output format are you using?
options:
- Table
- JSON
- Template
- SARIF
- CycloneDX
- SPDX
validations:
required: false
- type: dropdown
attributes:
label: Mode
description: Which mode are you using? Specify "Standalone" if you are not using `trivy server`.
options:
- Standalone
- Client/Server
validations:
required: false
- type: textarea
attributes:
label: Debug Output
description: Output of run with `--debug`
placeholder: "$ trivy <target> <subject> --debug"
render: bash
validations:
required: true
- type: input
attributes:
label: Operating System
description: On what operating system are you running Trivy?
placeholder: "e.g. macOS Big Sur"
validations:
required: true
- type: textarea
attributes:
label: Version
description: Output of `trivy --version`
placeholder: "$ trivy --version"
render: bash
validations:
required: true
- type: checkboxes
attributes:
label: Checklist
description: Have you tried the following?
options:
- label: Run `trivy clean --all`
- label: Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
- type: markdown
attributes:
value: |
We would be happy if you could share how you are using Trivy [here](https://github.com/aquasecurity/trivy/discussions/new?category=adopters).

28
.github/DISCUSSION_TEMPLATE/documentation.yml vendored
View File

@@ -1,28 +0,0 @@
labels: ["kind/documentation"]
body:
- type: markdown
attributes:
value: |
#### Note
Feel free to create a docs report if something doesn't work as expected or is unclear in the documentation.
Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Description
description: Briefly describe the what has been unclear in the existing documentation
validations:
required: true
- type: textarea
attributes:
label: Link
description: Please provide a link to the current documentation or where you thought to find the information you were looking for
validations:
required: false
- type: textarea
attributes:
label: Suggestions
description: What would you like to have added or changed in the documentation?
validations:
required: true

96
.github/DISCUSSION_TEMPLATE/false-detection.yml vendored
View File

@@ -1,96 +0,0 @@
body:
- type: markdown
attributes:
value: |
#### Note
Feel free to raise a bug report if something doesn't work as expected.
Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: input
attributes:
label: IDs
description: List the IDs of vulnerabilities, misconfigurations, secrets, or licenses that are either not detected or mistakenly detected.
placeholder: "e.g. CVE-2021-44228, CVE-2022-22965"
validations:
required: true
- type: textarea
attributes:
label: Description
description: Describe the false detection.
validations:
required: true
- type: textarea
attributes:
label: Reproduction Steps
description: How do you trigger this bug? Please walk us through it step by step.
value: |
1.
2.
3.
...
render: bash
validations:
required: true
- type: dropdown
attributes:
label: Target
description: Which target are you scanning? It is equal to which subcommand you are using.
options:
- Container Image
- Filesystem
- Git Repository
- Virtual Machine Image
- Kubernetes
- AWS
- SBOM
validations:
required: true
- type: dropdown
attributes:
label: Scanner
description: Which scanner are you using?
options:
- Vulnerability
- Misconfiguration
- Secret
- License
validations:
required: true
- type: input
attributes:
label: Target OS
description: What operating system are you scanning? Fill in this field if the scanning target is an operating system.
placeholder: "Example: Ubuntu 22.04"
validations:
required: false
- type: textarea
attributes:
label: Debug Output
description: Output of run with `--debug`
placeholder: "$ trivy <target> <subject> --debug"
render: bash
validations:
required: true
- type: textarea
attributes:
label: Version
description: Output of `trivy --version`
placeholder: "$ trivy --version"
render: bash
validations:
required: true
- type: checkboxes
attributes:
label: Checklist
options:
- label: Read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection)
- label: Ran Trivy with `-f json` that shows data sources and confirmed that the security advisory in data sources was correct
validations:
required: true
- type: markdown
attributes:
value: |
We would be happy if you could share how you are using Trivy [here](https://github.com/aquasecurity/trivy/discussions/new?category=adopters).

47
.github/DISCUSSION_TEMPLATE/ideas.yml vendored
View File

@@ -1,47 +0,0 @@
labels: ["kind/feature"]
body:
- type: markdown
attributes:
value: |
#### Note
Feel free to share your idea.
Please ensure that you're not creating a duplicate ticket by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Description
description: Describe your idea.
validations:
required: true
- type: dropdown
attributes:
label: Target
description: Which target is your idea related to?
options:
- Container Image
- Filesystem
- Git Repository
- Virtual Machine Image
- Kubernetes
- AWS
- SBOM
validations:
required: false
- type: dropdown
attributes:
label: Scanner
description: Which scanner is your idea related to?
options:
- Vulnerability
- Misconfiguration
- Secret
- License
validations:
required: false
- type: markdown
attributes:
value: |
We would be happy if you could share how you are using Trivy [here](https://github.com/aquasecurity/trivy/discussions/new?category=adopters).

84
.github/DISCUSSION_TEMPLATE/q-a.yml vendored
View File

@@ -1,84 +0,0 @@
labels: ["triage/support"]
body:
- type: markdown
attributes:
value: |
#### Note
If you have any troubles/questions, feel free to ask.
Please ensure that you're not asking a duplicate question by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Question
description: What kind of problem are you facing? Or, what questions do you have?
validations:
required: true
- type: dropdown
attributes:
label: Target
description: Which target are you scanning? It is equal to which subcommand you are using.
options:
- Container Image
- Filesystem
- Git Repository
- Virtual Machine Image
- Kubernetes
- AWS
- SBOM
validations:
required: false
- type: dropdown
attributes:
label: Scanner
description: Which scanner are you using?
options:
- Vulnerability
- Misconfiguration
- Secret
- License
validations:
required: false
- type: dropdown
attributes:
label: Output Format
description: Which output format are you using?
options:
- Table
- JSON
- Template
- SARIF
- CycloneDX
- SPDX
validations:
required: false
- type: dropdown
attributes:
label: Mode
description: Which mode are you using? Specify "Standalone" if you are not using `trivy server`.
options:
- Standalone
- Client/Server
validations:
required: false
- type: input
attributes:
label: Operating System
description: What operating system are you using?
placeholder: "Example: macOS Big Sur"
validations:
required: false
- type: textarea
attributes:
label: Version
description: Output of `trivy --version`
placeholder: "$ trivy --version"
render: bash
validations:
required: false
- type: markdown
attributes:
value: |
We would be happy if you could share how you are using Trivy [here](https://github.com/aquasecurity/trivy/discussions/new?category=adopters.

17
.github/ISSUE_TEMPLATE/config.yml vendored
View File

@@ -1,17 +0,0 @@
blank_issues_enabled: false
contact_links:
- name: Report a false detection
url: https://github.com/aquasecurity/trivy/discussions/new?category=false-detection
about: Report false positives/negatives
- name: Report a bug
url: https://github.com/aquasecurity/trivy/discussions/new?category=bugs
about: Report bugs
- name: Enhance documentation
url: https://github.com/aquasecurity/trivy/discussions/new?category=documentation
about: Make suggestions to the documentation
- name: Request a feature enhancement
url: https://github.com/aquasecurity/trivy/discussions/new?category=ideas
about: Share ideas for new features
- name: Ask the community for help
url: https://github.com/aquasecurity/trivy/discussions/new?category=q-a
about: Ask questions and discuss with other community members

3
.github/actions/trivy-triage/Makefile vendored
View File

@@ -1,3 +0,0 @@
.PHONEY: test
test: helpers.js helpers.test.js
node --test helpers.test.js

29
.github/actions/trivy-triage/action.yaml vendored
View File

@@ -1,29 +0,0 @@
name: 'trivy-discussion-triage'
description: 'automatic triage of Trivy discussions'
inputs:
discussion_num:
description: 'Discussion number to triage'
required: false
runs:
using: "composite"
steps:
- name: Conditionally label discussions based on category and content
env:
GH_TOKEN: ${{ github.token }}
uses: actions/github-script@v6
with:
script: |
const {detectDiscussionLabels, fetchDiscussion, labelDiscussion } = require('${{ github.action_path }}/helpers.js');
const config = require('${{ github.action_path }}/config.json');
discussionNum = parseInt(${{ inputs.discussion_num }});
let discussion;
if (discussionNum > 0) {
discussion = (await fetchDiscussion(github, context.repo.owner, context.repo.repo, discussionNum)).repository.discussion;
} else {
discussion = context.payload.discussion;
}
const labels = detectDiscussionLabels(discussion, config.discussionLabels);
if (labels.length > 0) {
console.log(`Adding labels ${labels} to discussion ${discussion.node_id}`);
labelDiscussion(github, discussion.node_id, labels);
}

14
.github/actions/trivy-triage/config.json vendored
View File

@@ -1,14 +0,0 @@
{
"discussionLabels": {
"Container Image":"LA_kwDOCsUTCM75TTQU",
"Filesystem":"LA_kwDOCsUTCM75TTQX",
"Git Repository":"LA_kwDOCsUTCM75TTQk",
"Virtual Machine Image":"LA_kwDOCsUTCM8AAAABMpz1bw",
"Kubernetes":"LA_kwDOCsUTCM75TTQv",
"AWS":"LA_kwDOCsUTCM8AAAABMpz1aA",
"Vulnerability":"LA_kwDOCsUTCM75TTPa",
"Misconfiguration":"LA_kwDOCsUTCM75TTP8",
"License":"LA_kwDOCsUTCM77ztRR",
"Secret":"LA_kwDOCsUTCM75TTQL"
}
}

70
.github/actions/trivy-triage/helpers.js vendored
View File

@@ -1,70 +0,0 @@
module.exports = {
detectDiscussionLabels: (discussion, configDiscussionLabels) => {
res = [];
const discussionId = discussion.id;
const category = discussion.category.name;
const body = discussion.body;
if (category !== "Ideas") {
console.log(`skipping discussion with category ${category} and body ${body}`);
return [];
}
const scannerPattern = /### Scanner\n\n(.+)/;
const scannerFound = body.match(scannerPattern);
if (scannerFound && scannerFound.length > 1) {
res.push(configDiscussionLabels[scannerFound[1]]);
}
const targetPattern = /### Target\n\n(.+)/;
const targetFound = body.match(targetPattern);
if (targetFound && targetFound.length > 1) {
res.push(configDiscussionLabels[targetFound[1]]);
}
return res;
},
fetchDiscussion: async (github, owner, repo, discussionNum) => {
const query = `query Discussion ($owner: String!, $repo: String!, $discussion_num: Int!){
repository(name: $repo, owner: $owner) {
discussion(number: $discussion_num) {
number,
id,
body,
category {
id,
name
},
labels(first: 100) {
edges {
node {
id,
name
}
}
}
}
}
}`;
const vars = {
owner: owner,
repo: repo,
discussion_num: discussionNum
};
return github.graphql(query, vars);
},
labelDiscussion: async (github, discussionId, labelIds) => {
const query = `mutation AddLabels($labelId: ID!, $labelableId:ID!) {
addLabelsToLabelable(
input: {labelIds: [$labelId], labelableId: $labelableId}
) {
clientMutationId
}
}`;
// TODO: add all labels in one call
labelIds.forEach((labelId) => {
const vars = {
labelId: labelId,
labelableId: discussionId
};
github.graphql(query, vars);
});
}
};

87
.github/actions/trivy-triage/helpers.test.js vendored
View File

@@ -1,87 +0,0 @@
const assert = require('node:assert/strict');
const { describe, it } = require('node:test');
const {detectDiscussionLabels} = require('./helpers.js');
const configDiscussionLabels = {
"Container Image":"ContainerImageLabel",
"Filesystem":"FilesystemLabel",
"Vulnerability":"VulnerabilityLabel",
"Misconfiguration":"MisconfigurationLabel",
};
describe('trivy-triage', async function() {
describe('detectDiscussionLabels', async function() {
it('detect scanner label', async function() {
const discussion = {
body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.',
category: {
name: 'Ideas'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(labels.includes('VulnerabilityLabel'));
});
it('detect target label', async function() {
const discussion = {
body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.',
category: {
name: 'Ideas'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(labels.includes('ContainerImageLabel'));
});
it('detect label when it is first', async function() {
const discussion = {
body: '### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.',
category: {
name: 'Ideas'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(labels.includes('ContainerImageLabel'));
});
it('detect label when it is last', async function() {
const discussion = {
body: '### Scanner\n\nVulnerability\n### Target\n\nContainer Image',
category: {
name: 'Ideas'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(labels.includes('ContainerImageLabel'));
});
it('detect scanner and target labels', async function() {
const discussion = {
body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.',
category: {
name: 'Ideas'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(labels.includes('ContainerImageLabel'));
assert(labels.includes('VulnerabilityLabel'));
});
it('not detect other labels', async function() {
const discussion = {
body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.',
category: {
name: 'Ideas'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(!labels.includes('FilesystemLabel'));
assert(!labels.includes('MisconfigurationLabel'));
});
it('process only relevant categories', async function() {
const discussion = {
body: 'hello world',
category: {
name: 'Announcements'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(labels.length === 0);
});
});
});

65
.github/actions/trivy-triage/testutils/discussion-payload-sample.json vendored
View File

@@ -1,65 +0,0 @@
{
"active_lock_reason": null,
"answer_chosen_at": null,
"answer_chosen_by": null,
"answer_html_url": null,
"author_association": "OWNER",
"body": "### Description\n\nlfdjs lfkdj dflsakjfd ';djk \r\nfadfd \r\nasdlkf \r\na;df \r\ndfsal;kfd ;akjl\n\n### Target\n\nContainer Image\n\n### Scanner\n\nMisconfiguration",
"category": {
"created_at": "2023-07-02T10:14:46.000+03:00",
"description": "Share ideas for new features",
"emoji": ":bulb:",
"id": 39743708,
"is_answerable": false,
"name": "Ideas",
"node_id": "DIC_kwDOE0GiPM4CXnDc",
"repository_id": 323068476,
"slug": "ideas",
"updated_at": "2023-07-02T10:14:46.000+03:00"
},
"comments": 0,
"created_at": "2023-09-11T08:40:11Z",
"html_url": "https://github.com/itaysk/testactions/discussions/9",
"id": 5614504,
"locked": false,
"node_id": "D_kwDOE0GiPM4AVauo",
"number": 9,
"reactions": {
"+1": 0,
"-1": 0,
"confused": 0,
"eyes": 0,
"heart": 0,
"hooray": 0,
"laugh": 0,
"rocket": 0,
"total_count": 0,
"url": "https://api.github.com/repos/itaysk/testactions/discussions/9/reactions"
},
"repository_url": "https://api.github.com/repos/itaysk/testactions",
"state": "open",
"state_reason": null,
"timeline_url": "https://api.github.com/repos/itaysk/testactions/discussions/9/timeline",
"title": "Title title",
"updated_at": "2023-09-11T08:40:11Z",
"user": {
"avatar_url": "https://avatars.githubusercontent.com/u/1161307?v=4",
"events_url": "https://api.github.com/users/itaysk/events{/privacy}",
"followers_url": "https://api.github.com/users/itaysk/followers",
"following_url": "https://api.github.com/users/itaysk/following{/other_user}",
"gists_url": "https://api.github.com/users/itaysk/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/itaysk",
"id": 1161307,
"login": "itaysk",
"node_id": "MDQ6VXNlcjExNjEzMDc=",
"organizations_url": "https://api.github.com/users/itaysk/orgs",
"received_events_url": "https://api.github.com/users/itaysk/received_events",
"repos_url": "https://api.github.com/users/itaysk/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/itaysk/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/itaysk/subscriptions",
"type": "User",
"url": "https://api.github.com/users/itaysk"
}
}

29
.github/actions/trivy-triage/testutils/fetchDiscussion.sh vendored
View File

@@ -1,29 +0,0 @@
#! /bin/bash
# fetch discussion by discussion number
# requires authenticated gh cli, assumes repo but current git repository
# args:
# $1: discussion number, e.g 123, required
discussion_num="$1"
gh api graphql -F discussion_num="$discussion_num" -F repo="{repo}" -F owner="{owner}" -f query='
query Discussion ($owner: String!, $repo: String!, $discussion_num: Int!){
repository(name: $repo, owner: $owner) {
discussion(number: $discussion_num) {
number,
id,
body,
category {
id,
name
},
labels(first: 100) {
edges {
node {
id,
name
}
}
}
}
}
}'

16
.github/actions/trivy-triage/testutils/fetchLabels.sh vendored
View File

@@ -1,16 +0,0 @@
#! /bin/bash
# fetch labels and their IDs
# requires authenticated gh cli, assumes repo but current git repository
gh api graphql -F repo="{repo}" -F owner="{owner}" -f query='
query GetLabelIds($owner: String!, $repo: String!) {
repository(name: $repo, owner: $owner) {
id
labels(first: 100) {
nodes {
id
name
}
}
}
}'

16
.github/actions/trivy-triage/testutils/labelDiscussion.sh vendored
View File

@@ -1,16 +0,0 @@
#! /bin/bash
# add a label to a discussion
# requires authenticated gh cli, assumes repo but current git repository
# args:
# $1: discussion ID (not number!), e.g DIC_kwDOE0GiPM4CXnDc, required
# $2: label ID, e.g. MDU6TGFiZWwzNjIzNjY0MjQ=, required
discussion_id="$1"
label_id="$2"
gh api graphql -F labelableId="$discussion_id" -F labelId="$label_id" -F repo="{repo}" -F owner="{owner}" -f query='
mutation AddLabels($labelId: ID!, $labelableId:ID!) {
addLabelsToLabelable(
input: {labelIds: [$labelId], labelableId: $labelableId}
) {
clientMutationId
}
}'

41
.github/dependabot.yml vendored
View File

@@ -1,41 +0,0 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: monthly
groups:
github-actions:
patterns:
- "*"
- package-ecosystem: docker
directory: /
schedule:
interval: monthly
groups:
docker:
patterns:
- "*"
- package-ecosystem: gomod
open-pull-requests-limit: 10
directory: /
schedule:
interval: weekly
ignore:
- dependency-name: "github.com/aquasecurity/trivy-*" ## `trivy-*` dependencies are updated manually
groups:
aws:
patterns:
- "github.com/aws/*"
docker:
patterns:
- "github.com/docker/*"
- "github.com/moby/*"
testcontainers:
patterns:
- "github.com/testcontainers/*"
common:
exclude-patterns:
- "github.com/aquasecurity/trivy-*"
patterns:
- "*"

18
.github/pull_request_template.md vendored
View File

@@ -1,18 +0,0 @@
## Description
## Related issues
- Close #XXX
## Related PRs
- [ ] #XXX
- [ ] #YYY
Remove this section if you don't have related PRs.
## Checklist
- [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
- [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
- [ ] I've added tests that prove my fix is effective or that my feature works.
- [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)
- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

46
.github/workflows/auto-close-issue.yaml vendored
View File

@@ -1,46 +0,0 @@
name: Auto-close issues
on:
issues:
types: [opened]
jobs:
close_issue:
runs-on: ubuntu-latest
steps:
- name: Close issue if user does not have write or admin permissions
uses: actions/github-script@v7
with:
script: |
// Get the issue creator's username
const issueCreator = context.payload.issue.user.login;
// Check the user's permissions for the repository
const repoPermissions = await github.rest.repos.getCollaboratorPermissionLevel({
owner: context.repo.owner,
repo: context.repo.repo,
username: issueCreator
});
const permission = repoPermissions.data.permission;
// If the user does not have write or admin permissions, leave a comment and close the issue
if (permission !== 'write' && permission !== 'admin') {
const commentBody = "Please see https://aquasecurity.github.io/trivy/latest/community/contribute/issue/";
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.issue.number,
body: commentBody
});
await github.rest.issues.update({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.issue.number,
state: 'closed',
state_reason: 'not_planned'
});
console.log(`Issue #${context.payload.issue.number} closed because ${issueCreator} does not have sufficient permissions.`);
}

32
.github/workflows/auto-update-labels.yaml vendored
View File

@@ -1,32 +0,0 @@
name: Auto-update labels
on:
push:
paths:
- 'misc/triage/labels.yaml'
branches:
- main
env:
GO_VERSION: '1.22'
jobs:
deploy:
name: Auto-update labels
runs-on: ubuntu-latest
steps:
- name: Checkout main
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@v5
with:
# cf. https://github.com/aquasecurity/trivy/pull/6711
go-version: ${{ env.GO_VERSION }}
- name: Install aqua tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: update labels
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: mage label

58
.github/workflows/backport.yaml vendored
View File

@@ -1,58 +0,0 @@
name: Automatic Backporting
on:
issue_comment:
types: [created]
jobs:
check_permission:
name: Check comment author permissions
runs-on: ubuntu-latest
outputs:
is_maintainer: ${{ steps.check_permission.outputs.is_maintainer }}
steps:
- name: Check permission
id: check_permission
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission')
if [ "$PERMISSION" == "admin" ] || [ "$PERMISSION" == "write" ]; then
echo "is_maintainer=true" >> $GITHUB_OUTPUT
else
echo "is_maintainer=false" >> $GITHUB_OUTPUT
fi
backport:
name: Backport PR
needs: check_permission # run this job after checking permissions
if: |
needs.check_permission.outputs.is_maintainer == 'true' &&
github.event.issue.pull_request &&
github.event.issue.pull_request.merged_at != null &&
startsWith(github.event.comment.body, '@aqua-bot backport release/')
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Extract branch name
run: |
BRANCH_NAME=$(echo ${{ github.event.comment.body }} | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
- name: Set up Git user
run: |
git config --global user.email "actions@github.com"
git config --global user.name "GitHub Actions"
- name: Run backport script
run: ./misc/backport/backport.sh ${{ env.BRANCH_NAME }} ${{ github.event.issue.number }}
env:
# Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
# This allows the created PR to trigger tests and other workflows
GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}

12
.github/workflows/bypass-cla.yaml vendored
View File

@@ -1,12 +0,0 @@
# This workflow is used to bypass the required status checks in merge queue.
# cf. https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/troubleshooting-required-status-checks
name: CLA
on:
merge_group:
jobs:
cla:
name: license/cla
runs-on: ubuntu-latest
steps:
- run: 'echo "No test required"'

33
.github/workflows/bypass-test.yaml vendored
View File

@@ -1,33 +0,0 @@
# This workflow is used to bypass the required status checks.
# cf. https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/troubleshooting-required-status-checks
name: Test
on:
push:
paths:
- '**.md'
- 'docs/**'
- 'mkdocs.yml'
- 'LICENSE'
- '.release-please-manifest.json'
pull_request:
paths:
- '**.md'
- 'docs/**'
- 'mkdocs.yml'
- 'LICENSE'
- '.release-please-manifest.json'
jobs:
test:
name: Test
runs-on: ${{ matrix.operating-system }}
strategy:
matrix:
operating-system: [ubuntu-latest, windows-latest, macos-latest]
steps:
- run: 'echo "No test required"'
integration:
name: Integration Test
runs-on: ubuntu-latest
steps:
- run: 'echo "No test required"'

60
.github/workflows/canary.yaml vendored
View File

@@ -1,60 +0,0 @@
name: Canary build
on:
push:
branches:
- 'main'
paths:
- '**.go'
- 'go.mod'
- 'Dockerfile.canary'
- '.github/workflows/canary.yaml'
workflow_dispatch:
jobs:
build-binaries:
name: Build binaries
uses: ./.github/workflows/reusable-release.yaml
with:
goreleaser_config: goreleaser-canary.yml
goreleaser_options: '--snapshot --clean --timeout 60m' # will not release
secrets: inherit
upload-binaries:
name: Upload binaries
needs: build-binaries # run this job after 'build-binaries' job completes
runs-on: ubuntu-latest
steps:
- name: Restore Trivy binaries from cache
uses: actions/cache@v4.0.2
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
# Upload artifacts
- name: Upload artifacts (trivy_Linux-64bit)
uses: actions/upload-artifact@v4
with:
name: trivy_Linux-64bit
path: dist/trivy_*_Linux-64bit.tar.gz
if-no-files-found: error
- name: Upload artifacts (trivy_Linux-ARM64)
uses: actions/upload-artifact@v4
with:
name: trivy_Linux-ARM64
path: dist/trivy_*_Linux-ARM64.tar.gz
if-no-files-found: error
- name: Upload artifacts (trivy_macOS-64bit)
uses: actions/upload-artifact@v4
with:
name: trivy_macOS-64bit
path: dist/trivy_*_macOS-64bit.tar.gz
if-no-files-found: error
- name: Upload artifacts (trivy_macOS-ARM64)
uses: actions/upload-artifact@v4
with:
name: trivy_macOS-ARM64
path: dist/trivy_*_macOS-ARM64.tar.gz
if-no-files-found: error

34
.github/workflows/mkdocs-dev.yaml vendored
View File

@@ -1,34 +0,0 @@
name: Deploy the dev documentation
on:
push:
paths:
- 'docs/**'
- mkdocs.yml
branches:
- main
jobs:
deploy:
name: Deploy the dev documentation
runs-on: ubuntu-22.04
steps:
- name: Checkout main
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
persist-credentials: true
- uses: actions/setup-python@v5
with:
python-version: 3.x
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
pip install -r docs/build/requirements.txt
env:
GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
- name: Configure the git user
run: |
git config user.name "knqyf263"
git config user.email "knqyf263@gmail.com"
- name: Deploy the dev documents
run: mike deploy --push dev

42
.github/workflows/mkdocs-latest.yaml vendored
View File

@@ -1,42 +0,0 @@
name: Deploy the latest documentation
on:
workflow_dispatch:
inputs:
version:
description: Version to be deployed
required: true
push:
tags:
- "v*"
jobs:
deploy:
name: Deploy the latest documentation
runs-on: ubuntu-22.04
steps:
- name: Checkout main
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
persist-credentials: true
- uses: actions/setup-python@v5
with:
python-version: 3.x
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
pip install -r docs/build/requirements.txt
env:
GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
- name: Configure the git user
run: |
git config user.name "knqyf263"
git config user.email "knqyf263@gmail.com"
- name: Deploy the latest documents from new tag push
if: ${{ github.event.inputs.version == '' }}
run: |
VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
mike deploy --push --update-aliases ${VERSION%.*} latest
- name: Deploy the latest documents from manual trigger
if: ${{ github.event.inputs.version != '' }}
run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest

87
.github/workflows/publish-chart.yaml vendored
View File

@@ -1,87 +0,0 @@
name: Publish Helm chart
on:
workflow_dispatch:
pull_request:
branches:
- main
paths:
- 'helm/trivy/**'
push:
tags:
- "v*"
env:
HELM_REP: helm-charts
GH_OWNER: aquasecurity
CHART_DIR: helm/trivy
KIND_VERSION: "v0.14.0"
KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
jobs:
test-chart:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
- name: Install Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
with:
version: v3.5.0
- name: Set up python
uses: actions/setup-python@v5
with:
python-version: 3.7
- name: Setup Chart Linting
id: lint
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992
- name: Setup Kubernetes cluster (KIND)
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde
with:
version: ${{ env.KIND_VERSION }}
image: ${{ env.KIND_IMAGE }}
- name: Run chart-testing
run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
- name: Run chart-testing (Ingress enabled)
run: |
sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
ct lint-and-install --validate-maintainers=false --charts helm/trivy
publish-chart:
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
needs:
- test-chart
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
- name: Install chart-releaser
run: |
wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37 chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
- name: Package helm chart
run: |
./cr package ${{ env.CHART_DIR }}
- name: Upload helm chart
# Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
continue-on-error: true
run: |
./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }} -p .cr-release-packages
- name: Index helm chart
run: |
./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
- name: Push index file
uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 #v1.1.1
env:
API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
with:
source_file: 'index.yaml'
destination_repo: '${{ env.GH_OWNER }}/${{ env.HELM_REP }}'
destination_folder: '.'
destination_branch: 'gh-pages'
user_email: aqua-bot@users.noreply.github.com
user_name: 'aqua-bot'

109
.github/workflows/release-please.yaml vendored
View File

@@ -1,109 +0,0 @@
name: Release Please
on:
push:
branches:
- main
- 'release/v*'
workflow_dispatch:
inputs:
version:
required: true
description: 'Release version without the "v" prefix (e.g., 0.51.0)'
type: string
jobs:
release-please:
runs-on: ubuntu-latest
if: ${{ !startsWith(github.event.head_commit.message, 'release:') && !github.event.inputs.version }}
steps:
- name: Release Please
id: release
uses: googleapis/release-please-action@v4
with:
token: ${{ secrets.ORG_REPO_TOKEN }}
target-branch: ${{ github.ref_name }}
manual-release-please:
runs-on: ubuntu-latest
if: ${{ github.event.inputs.version }}
steps:
- name: Install Release Please CLI
run: npm install release-please -g
- name: Release Please
run: |
release-please release-pr --repo-url=${{ github.server_url }}/${{ github.repository }} \
--token=${{ secrets.ORG_REPO_TOKEN }} \
--release-as=${{ github.event.inputs.version }} \
--target-branch=${{ github.ref_name }}
release-tag:
runs-on: ubuntu-latest
if: ${{ startsWith(github.event.head_commit.message, 'release:') }}
steps:
# Since skip-github-release is specified, the outputs of googleapis/release-please-action cannot be used.
# Therefore, we need to parse the version ourselves.
- name: Extract version and PR number from commit message
id: extract_info
shell: bash
run: |
echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
- name: Tag release
if: ${{ steps.extract_info.outputs.version }}
uses: actions/github-script@v7
with:
github-token: ${{ secrets.ORG_REPO_TOKEN }} # To trigger another workflow
script: |
await github.rest.git.createRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: `refs/tags/v${{ steps.extract_info.outputs.version }}`,
sha: context.sha
});
# When v0.50.0 is released, a release branch "release/v0.50" is created.
- name: Create release branch for patch versions
if: ${{ endsWith(steps.extract_info.outputs.version, '.0') }}
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }} # Should not trigger the workflow again
script: |
const releaseBranch = '${{ steps.extract_info.outputs.release_branch }}';
await github.rest.git.createRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: `refs/heads/${releaseBranch}`,
sha: context.sha
});
# Add release branch to rulesets to enable merge queue
- name: Add release branch to rulesets
if: ${{ endsWith(steps.extract_info.outputs.version, '.0') }}
env:
GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
shell: bash
run: |
RULESET_ID=$(gh api /repos/${{ github.repository }}/rulesets --jq '.[] | select(.name=="release") | .id')
gh api /repos/${{ github.repository }}/rulesets/$RULESET_ID | jq '{conditions}' | jq '.conditions.ref_name.include += ["refs/heads/${{ steps.extract_info.outputs.release_branch }}"]' | gh api --method put --input - /repos/${{ github.repository }}/rulesets/$RULESET_ID
# Since skip-github-release is specified, googleapis/release-please-action doesn't delete the label from PR.
# This label prevents the subsequent PRs from being created. Therefore, we need to delete it ourselves.
# cf. https://github.com/googleapis/release-please?tab=readme-ov-file#release-please-bot-does-not-create-a-release-pr-why
- name: Remove the label from PR
if: ${{ steps.extract_info.outputs.pr_number }}
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const prNumber = parseInt('${{ steps.extract_info.outputs.pr_number }}', 10);
github.rest.issues.removeLabel({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
name: 'autorelease: pending'
});

57
.github/workflows/release.yaml vendored
View File

@@ -1,57 +0,0 @@
name: Release
on:
push:
tags:
- "v*"
jobs:
release:
name: Release
uses: ./.github/workflows/reusable-release.yaml
with:
goreleaser_config: goreleaser.yml
goreleaser_options: '--clean --timeout 90m'
secrets: inherit
deploy-packages:
name: Deploy rpm/dep packages
needs: release # run this job after 'release' job completes
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
- name: Restore Trivy binaries from cache
uses: actions/cache@v4.0.2
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
- name: Install dependencies
run: |
sudo apt-get -y update
sudo apt-get -y install rpm reprepro createrepo-c distro-info
- name: Checkout trivy-repo
uses: actions/checkout@v4.1.6
with:
repository: ${{ github.repository_owner }}/trivy-repo
path: trivy-repo
fetch-depth: 0
token: ${{ secrets.ORG_REPO_TOKEN }}
- name: Setup git settings
run: |
git config --global user.email "knqyf263@gmail.com"
git config --global user.name "Teppei Fukuda"
- name: Create rpm repository
run: ci/deploy-rpm.sh
- name: Import GPG key
run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import
- name: Create deb repository
run: ci/deploy-deb.sh

129
.github/workflows/reusable-release.yaml vendored
View File

@@ -1,129 +0,0 @@
name: Reusable release
on:
workflow_call:
inputs:
goreleaser_config:
description: 'file path to GoReleaser config'
required: true
type: string
goreleaser_options:
description: 'GoReleaser options separated by spaces'
default: ''
required: false
type: string
env:
GH_USER: "aqua-bot"
GO_VERSION: '1.22'
jobs:
release:
name: Release
runs-on: ubuntu-latest-m
env:
DOCKER_CLI_EXPERIMENTAL: "enabled"
permissions:
id-token: write # For cosign
packages: write # For GHCR
contents: read # Not required for public repositories, but for clarity
steps:
- name: Cosign install
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
- name: Show available Docker Buildx platforms
run: echo ${{ steps.buildx.outputs.platforms }}
- name: Login to docker.io registry
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to ghcr.io registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ env.GH_USER }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to ECR
uses: docker/login-action@v3
with:
registry: public.ecr.aws
username: ${{ secrets.ECR_ACCESS_KEY_ID }}
password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
- name: Checkout code
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.
- name: Generate SBOM
uses: CycloneDX/gh-gomod-generate-sbom@v2
with:
args: mod -licenses -json -output bom.json
version: ^v1
- name: "save gpg key"
env:
GPG_KEY: ${{ secrets.GPG_KEY }}
run: |
echo "$GPG_KEY" > gpg.key
# Create tmp dir for GoReleaser
- name: "create tmp dir"
run: |
mkdir tmp
- name: GoReleaser
uses: goreleaser/goreleaser-action@v6
with:
version: v2.1.0
args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
env:
GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
GPG_FILE: "gpg.key"
TMPDIR: "tmp"
- name: "remove gpg key"
run: |
rm gpg.key
# Push images to registries (only for canary build)
# The custom Dockerfile.canary is necessary
# because GoReleaser Free doesn't support pushing images with the `--snapshot` flag.
- name: Build and push
if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
uses: docker/build-push-action@v6
with:
platforms: linux/amd64, linux/arm64
file: ./Dockerfile.canary # path to Dockerfile
context: .
push: true
tags: |
aquasec/trivy:canary
ghcr.io/aquasecurity/trivy:canary
public.ecr.aws/aquasecurity/trivy:canary
- name: Cache Trivy binaries
uses: actions/cache@v4.0.2
with:
path: dist/
# use 'github.sha' to create a unique cache folder for each run.
# use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
# e.g. build and release runs
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

79
.github/workflows/roadmap.yaml vendored
View File

@@ -1,79 +0,0 @@
name: Add issues to the roadmap project
on:
issues:
types:
- labeled
jobs:
add-issue-to-roadmap-project:
name: Add issue to the roadmap project
runs-on: ubuntu-latest
steps:
# 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
- uses: actions/add-to-project@v1.0.2 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
labeled: kind/feature, priority/backlog
label-operator: AND
id: add-backlog-issue
- uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
if: ${{ steps.add-backlog-issue.outputs.itemId }}
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
item-id: ${{ steps.add-backlog-issue.outputs.itemId }} # Use the item-id output of the previous step
field-keys: Priority
field-values: Backlog
# 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
- uses: actions/add-to-project@v1.0.2 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
labeled: kind/feature, priority/important-longterm
label-operator: AND
id: add-longterm-issue
- uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
if: ${{ steps.add-longterm-issue.outputs.itemId }}
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
item-id: ${{ steps.add-longterm-issue.outputs.itemId }} # Use the item-id output of the previous step
field-keys: Priority
field-values: Important (long-term)
# 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
- uses: actions/add-to-project@v1.0.2 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
labeled: kind/feature, priority/important-soon
label-operator: AND
id: add-soon-issue
- uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
if: ${{ steps.add-soon-issue.outputs.itemId }}
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
item-id: ${{ steps.add-soon-issue.outputs.itemId }} # Use the item-id output of the previous step
field-keys: Priority
field-values: Important (soon)
# 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
- uses: actions/add-to-project@v1.0.2 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
labeled: kind/feature, priority/critical-urgent
label-operator: AND
id: add-urgent-issue
- uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
if: ${{ steps.add-urgent-issue.outputs.itemId }}
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
item-id: ${{ steps.add-urgent-issue.outputs.itemId }} # Use the item-id output of the previous step
field-keys: Priority
field-values: Urgent

23
.github/workflows/scan.yaml vendored
View File

@@ -1,23 +0,0 @@
name: Scan vulnerabilities
on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
jobs:
build:
name: Scan Go vulnerabilities
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4.1.6
- name: Run Trivy vulnerability scanner and create GitHub issues
uses: knqyf263/trivy-issue-action@v0.0.6
with:
assignee: knqyf263
severity: CRITICAL
skip-dirs: integration,examples,pkg
label: kind/security
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

107
.github/workflows/semantic-pr.yaml vendored
View File

@@ -1,107 +0,0 @@
name: "Lint PR title"
on:
pull_request_target:
types:
- opened
- edited
- synchronize
jobs:
main:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@v5
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
types: |
feat
fix
docs
style
refactor
perf
test
build
ci
chore
revert
release
scopes: |
vuln
misconf
secret
license
image
fs
repo
sbom
server
k8s
aws
vm
plugin
alpine
wolfi
chainguard
redhat
alma
rocky
mariner
oracle
debian
ubuntu
amazon
suse
photon
distroless
windows
ruby
php
python
nodejs
rust
dotnet
java
go
c
c\+\+
elixir
dart
swift
bitnami
conda
julia
os
lang
kubernetes
dockerfile
terraform
cloudformation
docker
podman
containerd
oci
cli
flag
cyclonedx
spdx
purl
vex
helm
report
db
parser
deps

19
.github/workflows/stale-issues.yaml vendored
View File

@@ -1,19 +0,0 @@
name: "Stale PR's"
on:
schedule:
- cron: '0 0 * * *'
jobs:
stale:
timeout-minutes: 1
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-pr-message: 'This PR is stale because it has been labeled with inactivity.'
exempt-pr-labels: 'lifecycle/active'
stale-pr-label: 'lifecycle/stale'
days-before-stale: 60
days-before-issue-stale: '-1'
days-before-close: 20
days-before-issue-close: '-1'

29
.github/workflows/test-docs.yaml vendored
View File

@@ -1,29 +0,0 @@
name: Test docs
on:
pull_request:
paths:
- 'docs/**'
- 'mkdocs.yml'
jobs:
build-documents:
name: Documentation Test
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
persist-credentials: true
- uses: actions/setup-python@v5
with:
python-version: 3.x
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
pip install -r docs/build/requirements.txt
- name: Configure the git user
run: |
git config user.name "knqyf263"
git config user.email "knqyf263@gmail.com"
- name: Deploy the dev documents
run: mike deploy test

182
.github/workflows/test.yaml vendored
View File

@@ -1,182 +0,0 @@
name: Test
on:
pull_request:
paths-ignore:
- '**.md'
- 'docs/**'
- 'mkdocs.yml'
- 'LICENSE'
- '.release-please-manifest.json' ## don't run tests for release-please PRs
merge_group:
env:
GO_VERSION: '1.22'
jobs:
test:
name: Test
runs-on: ${{ matrix.operating-system }}
strategy:
matrix:
operating-system: [ubuntu-latest, windows-latest, macos-latest]
steps:
- uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: go mod tidy
run: |
go mod tidy
if [ -n "$(git status --porcelain)" ]; then
echo "Run 'go mod tidy' and push it"
exit 1
fi
if: matrix.operating-system == 'ubuntu-latest'
- name: Lint
id: lint
uses: golangci/golangci-lint-action@v6.0.1
with:
version: v1.59
args: --verbose --out-format=line-number
if: matrix.operating-system == 'ubuntu-latest'
- name: Check if linter failed
run: |
echo "Linter failed, running 'mage lint:fix' might help to correct some errors"
exit 1
if: ${{ failure() && steps.lint.conclusion == 'failure' }}
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
aqua_opts: ""
- name: Check if CLI references are up-to-date
run: |
mage docs:generate
if [ -n "$(git status --porcelain)" ]; then
echo "Run 'mage docs:generate' and push it"
exit 1
fi
if: matrix.operating-system == 'ubuntu-latest'
- name: Run unit tests
run: mage test:unit
integration:
name: Integration Test
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Run integration tests
run: mage test:integration
k8s-integration:
name: K8s Integration Test
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Run k8s integration tests
run: mage test:k8s
module-test:
name: Module Integration Test
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Run module integration tests
shell: bash
run: |
mage test:module
vm-test:
name: VM Integration Test
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Run vm integration tests
run: |
mage test:vm
build-test:
name: Build Test
runs-on: ${{ matrix.operating-system }}
strategy:
matrix:
operating-system: [ubuntu-latest, windows-latest, macos-latest]
env:
DOCKER_CLI_EXPERIMENTAL: "enabled"
steps:
- name: Checkout
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Determine GoReleaser ID
id: goreleaser_id
shell: bash
run: |
if [ "${{ matrix.operating-system }}" == "windows-latest" ]; then
echo "id=--id build-windows" >> $GITHUB_OUTPUT
elif [ "${{ matrix.operating-system }}" == "macos-latest" ]; then
echo "id=--id build-macos --id build-bsd" >> $GITHUB_OUTPUT
else
echo "id=--id build-linux" >> $GITHUB_OUTPUT
fi
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6
with:
version: v2.1.0
args: build --snapshot --clean --timeout 90m ${{ steps.goreleaser_id.outputs.id }}

16
.github/workflows/triage.yaml vendored
View File

@@ -1,16 +0,0 @@
name: Triage Discussion
on:
discussion:
types: [created]
workflow_dispatch:
inputs:
discussion_num:
required: true
jobs:
label:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/trivy-triage
with:
discussion_num: ${{ github.event.inputs.discussion_num }}

27
.gitignore vendored
View File

@@ -4,10 +4,6 @@
*.dll
*.so
*.dylib
/trivy
## chart release
.cr-release-packages
# Test binary, build with `go test -c`
*.test
@@ -16,26 +12,3 @@
*.out
.idea
.vscode
# Directory Cache Files
.DS_Store
thumbs.db
# test fixtures
coverage.txt
integration/testdata/fixtures/images
integration/testdata/fixtures/vm-images
# SBOMs generated during CI
/bom.json
# goreleaser output
dist
# WebAssembly
*.wasm
# Signing
gpg.key
cmd/trivy/trivy

142
.golangci.yaml
View File

@@ -1,142 +0,0 @@
linters-settings:
depguard:
rules:
main:
list-mode: lax
deny:
# Cannot use gomodguard, which examines go.mod, as "golang.org/x/exp/slices" is not a module and doesn't appear in go.mod.
- pkg: "golang.org/x/exp/slices"
desc: "Use 'slices' instead"
- pkg: "golang.org/x/exp/maps"
desc: "Use 'maps' or 'github.com/samber/lo' instead"
dupl:
threshold: 100
errcheck:
check-type-assertions: true
check-blank: true
gci:
sections:
- standard
- default
- prefix(github.com/aquasecurity/)
- blank
- dot
goconst:
min-len: 3
min-occurrences: 3
gocritic:
disabled-checks:
- appendAssign
- unnamedResult
- whyNoLint
- indexAlloc
- octalLiteral
- hugeParam
- rangeValCopy
- regexpSimplify
- sloppyReassign
- commentedOutCode
enabled-tags:
- diagnostic
- style
- performance
- experimental
- opinionated
settings:
ruleguard:
failOn: all
rules: '${configDir}/misc/lint/rules.go'
gocyclo:
min-complexity: 20
gofmt:
simplify: false
rewrite-rules:
- pattern: 'interface{}'
replacement: 'any'
gomodguard:
blocked:
modules:
- github.com/hashicorp/go-version:
recommendations:
- github.com/aquasecurity/go-version
reason: "`aquasecurity/go-version` is designed for our use-cases"
- github.com/Masterminds/semver:
recommendations:
- github.com/aquasecurity/go-version
reason: "`aquasecurity/go-version` is designed for our use-cases"
gosec:
excludes:
- G101
- G114
- G204
- G304
- G402
govet:
check-shadowing: false
misspell:
locale: US
ignore-words:
- behaviour
- licence
- optimise
- simmilar
revive:
ignore-generated-header: true
testifylint:
enable-all: true
linters:
disable-all: true
enable:
- bodyclose
- depguard
- gci
- goconst
- gocritic
- gocyclo
- gofmt
- gomodguard
- gosec
- govet
- ineffassign
- misspell
- revive
- tenv
- testifylint
- typecheck
- unconvert
- unused
run:
go: '1.22'
timeout: 30m
issues:
exclude-files:
- "mock_*.go$"
- "examples/*"
exclude-dirs:
- "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
exclude-rules:
- path: ".*_test.go$"
linters:
- goconst
- gosec
- unused
- path: ".*_test.go$"
linters:
- govet
text: "copylocks:"
- path: ".*_test.go$"
linters:
- gocritic
text: "commentFormatting:"
- path: ".*_test.go$"
linters:
- gocritic
text: "exitAfterDefer:"
- path: ".*_test.go$"
linters:
- gocritic
text: "importShadow:"
exclude-use-default: false
max-same-issues: 0

1
.release-please-manifest.json
View File

@@ -1 +0,0 @@
{".":"0.54.1"}

145
.vex/oci.openvex.json
View File

@@ -1,145 +0,0 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-8e30ed756ae8e4196af93bf43edf68360f396a98c0268787453a3443b26e7d6c",
"author": "Aqua Security",
"timestamp": "2024-07-10T12:17:44.60495+04:00",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2023-42363"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "awk is not used"
},
{
"vulnerability": {
"name": "CVE-2023-42364"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "awk is not used"
},
{
"vulnerability": {
"name": "CVE-2023-42365"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "awk is not used"
},
{
"vulnerability": {
"name": "CVE-2023-42366"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "awk is not used"
}
]
}

458
.vex/trivy.openvex.json
View File

@@ -1,458 +0,0 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "aquasecurity/trivy:613fd55abbc2857b5ca28b07a26f3cd4c8b0ddc4c8a97c57497a2d4c4880d7fc",
"author": "Aqua Security",
"timestamp": "2024-07-09T11:38:00.115697+04:00",
"version": 1,
"tooling": "https://github.com/aquasecurity/trivy/tree/main/magefiles/vex.go",
"statements": [
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2575",
"name": "GO-2024-2575",
"description": "Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3",
"aliases": [
"CVE-2024-26147",
"GHSA-r53h-jv2g-vpx6"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/helm.sh/helm/v3",
"identifiers": {
"purl": "pkg:golang/helm.sh/helm/v3"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2023-1765",
"name": "GO-2023-1765",
"description": "Leaked shared secret and weak blinding in github.com/cloudflare/circl",
"aliases": [
"CVE-2023-1732",
"GHSA-2q89-485c-9j2x"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/cloudflare/circl",
"identifiers": {
"purl": "pkg:golang/github.com/cloudflare/circl"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2512",
"name": "GO-2024-2512",
"description": "Classic builder cache poisoning in github.com/docker/docker",
"aliases": [
"CVE-2024-24557",
"GHSA-xw73-rw38-6vjc"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/docker/docker",
"identifiers": {
"purl": "pkg:golang/github.com/docker/docker"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2453",
"name": "GO-2024-2453",
"description": "Timing side channel in github.com/cloudflare/circl",
"aliases": [
"GHSA-9763-4f94-gfch"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/cloudflare/circl",
"identifiers": {
"purl": "pkg:golang/github.com/cloudflare/circl"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2023-2048",
"name": "GO-2023-2048",
"description": "Paths outside of the rootfs could be produced on Windows in github.com/cyphar/filepath-securejoin",
"aliases": [
"GHSA-6xv5-86q9-7xr8"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/cyphar/filepath-securejoin",
"identifiers": {
"purl": "pkg:golang/github.com/cyphar/filepath-securejoin"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2497",
"name": "GO-2024-2497",
"description": "Privilege escalation in github.com/moby/buildkit",
"aliases": [
"CVE-2024-23653",
"GHSA-wr6v-9f75-vh2g"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/moby/buildkit",
"identifiers": {
"purl": "pkg:golang/github.com/moby/buildkit"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2023-2102",
"name": "GO-2023-2102",
"description": "HTTP/2 rapid reset can cause excessive work in net/http",
"aliases": [
"CVE-2023-39325",
"GHSA-4374-p667-p6c8"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/golang.org/x/net",
"identifiers": {
"purl": "pkg:golang/golang.org/x/net"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2493",
"name": "GO-2024-2493",
"description": "Host system file access in github.com/moby/buildkit",
"aliases": [
"CVE-2024-23651",
"GHSA-m3r6-h7wv-7xxv"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/moby/buildkit",
"identifiers": {
"purl": "pkg:golang/github.com/moby/buildkit"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2491",
"name": "GO-2024-2491",
"description": "Container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc",
"aliases": [
"CVE-2024-21626",
"GHSA-xr7r-f8xq-vfvv"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/opencontainers/runc",
"identifiers": {
"purl": "pkg:golang/github.com/opencontainers/runc"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2494",
"name": "GO-2024-2494",
"description": "Host system modification in github.com/moby/buildkit",
"aliases": [
"CVE-2024-23652",
"GHSA-4v98-7qmw-rqr8"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/moby/buildkit",
"identifiers": {
"purl": "pkg:golang/github.com/moby/buildkit"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2023-2412",
"name": "GO-2023-2412",
"description": "RAPL accessibility in github.com/containerd/containerd",
"aliases": [
"GHSA-7ww5-4wqc-m92c"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/containerd/containerd",
"identifiers": {
"purl": "pkg:golang/github.com/containerd/containerd"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2023-1988",
"name": "GO-2023-1988",
"description": "Improper rendering of text nodes in golang.org/x/net/html",
"aliases": [
"CVE-2023-3978",
"GHSA-2wrh-6pvc-2jm9"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/golang.org/x/net",
"identifiers": {
"purl": "pkg:golang/golang.org/x/net"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2492",
"name": "GO-2024-2492",
"description": "Panic in github.com/moby/buildkit",
"aliases": [
"CVE-2024-23650",
"GHSA-9p26-698r-w4hx"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/moby/buildkit",
"identifiers": {
"purl": "pkg:golang/github.com/moby/buildkit"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2022-0646",
"name": "GO-2022-0646",
"description": "Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go",
"aliases": [
"CVE-2020-8911",
"CVE-2020-8912",
"GHSA-7f33-f4f5-xwgw",
"GHSA-f5pg-7wfw-84q9"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/aws/aws-sdk-go",
"identifiers": {
"purl": "pkg:golang/github.com/aws/aws-sdk-go"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2023-2153",
"name": "GO-2023-2153",
"description": "Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc",
"aliases": [
"GHSA-m425-mq94-257g"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/google.golang.org/grpc",
"identifiers": {
"purl": "pkg:golang/google.golang.org/grpc"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
}
]
}

158
CHANGELOG.md
View File

@@ -1,158 +0,0 @@
# Changelog
## [0.54.1](https://github.com/aquasecurity/trivy/compare/v0.54.0...v0.54.1) (2024-07-31)
### Bug Fixes
* **flag:** incorrect behavior for deprected flag `--clear-cache` [backport: release/v0.54] ([#7285](https://github.com/aquasecurity/trivy/issues/7285)) ([334a1c2](https://github.com/aquasecurity/trivy/commit/334a1c293bb3d490af2a6d80732f399efaac22f7))
* **java:** Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] ([#7283](https://github.com/aquasecurity/trivy/issues/7283)) ([f61725c](https://github.com/aquasecurity/trivy/commit/f61725c28b56d80fb46395479842a2ab0c517c5f))
* **plugin:** do not call GitHub content API for releases and tags [backport: release/v0.54] ([#7279](https://github.com/aquasecurity/trivy/issues/7279)) ([a7b7117](https://github.com/aquasecurity/trivy/commit/a7b7117fe2c9608e990b42e702cc83675c48f888))
## [0.54.0](https://github.com/aquasecurity/trivy/compare/v0.53.0...v0.54.0) (2024-07-30)
### Features
* add `log.FilePath()` function for logger ([#7080](https://github.com/aquasecurity/trivy/issues/7080)) ([1f5f348](https://github.com/aquasecurity/trivy/commit/1f5f34895823fae81bf521fc939bee743a50e304))
* add openSUSE tumbleweed detection and scanning ([#6965](https://github.com/aquasecurity/trivy/issues/6965)) ([17b5dbf](https://github.com/aquasecurity/trivy/commit/17b5dbfa12180414b87859c6c46bfe6cc5ecf7ba))
* **cli:** rename `--vuln-type` flag to `--pkg-types` flag ([#7104](https://github.com/aquasecurity/trivy/issues/7104)) ([7cbdb0a](https://github.com/aquasecurity/trivy/commit/7cbdb0a0b5dff33e506e1c1f3119951fa241b432))
* **mariner:** Add support for Azure Linux ([#7186](https://github.com/aquasecurity/trivy/issues/7186)) ([5cbc452](https://github.com/aquasecurity/trivy/commit/5cbc452a09822d1bf300ead88f0d613d4cf0349a))
* **misconf:** enabled China configuration for ACRs ([#7156](https://github.com/aquasecurity/trivy/issues/7156)) ([d1ec89d](https://github.com/aquasecurity/trivy/commit/d1ec89d1db4b039f0e31076ccd1ca969fb15628e))
* **nodejs:** add license parser to pnpm analyser ([#7036](https://github.com/aquasecurity/trivy/issues/7036)) ([03ac93d](https://github.com/aquasecurity/trivy/commit/03ac93dc208f1b40896f3fa11fa1d45293176dca))
* **sbom:** add image labels into `SPDX` and `CycloneDX` reports ([#7257](https://github.com/aquasecurity/trivy/issues/7257)) ([4a2f492](https://github.com/aquasecurity/trivy/commit/4a2f492c6e685ff577fb96a7006cd0c43755baf4))
* **sbom:** add vulnerability support for SPDX formats ([#7213](https://github.com/aquasecurity/trivy/issues/7213)) ([efb1f69](https://github.com/aquasecurity/trivy/commit/efb1f6938321eec3529ef4fea6608261f6771ae0))
* share build-in rules ([#7207](https://github.com/aquasecurity/trivy/issues/7207)) ([bff317c](https://github.com/aquasecurity/trivy/commit/bff317c77bf4a5f615a80d9875d129213bd52f6d))
* **vex:** retrieve VEX attestations from OCI registries ([#7249](https://github.com/aquasecurity/trivy/issues/7249)) ([c2fd2e0](https://github.com/aquasecurity/trivy/commit/c2fd2e0d89567a0ccd996dda8790f3c3305ea6f7))
* **vex:** VEX Repository support ([#7206](https://github.com/aquasecurity/trivy/issues/7206)) ([88ba460](https://github.com/aquasecurity/trivy/commit/88ba46047c93e6046292523ae701de774dfdc4dc))
* **vuln:** add `--pkg-relationships` ([#7237](https://github.com/aquasecurity/trivy/issues/7237)) ([5c37361](https://github.com/aquasecurity/trivy/commit/5c37361600d922db27dd594b2a80c010a19b3a6e))
### Bug Fixes
* Add dependencyManagement exclusions to the child exclusions ([#6969](https://github.com/aquasecurity/trivy/issues/6969)) ([dc68a66](https://github.com/aquasecurity/trivy/commit/dc68a662a701980d6529f61a65006f1e4728a3e5))
* add missing platform and type to spec ([#7149](https://github.com/aquasecurity/trivy/issues/7149)) ([c8a7abd](https://github.com/aquasecurity/trivy/commit/c8a7abd3b508975fcf10c254d13d1a2cd42da657))
* **cli:** error on missing config file ([#7154](https://github.com/aquasecurity/trivy/issues/7154)) ([7fa5e7d](https://github.com/aquasecurity/trivy/commit/7fa5e7d0ab67f20d434b2922725988695e32e6af))
* close file when failed to open gzip ([#7164](https://github.com/aquasecurity/trivy/issues/7164)) ([2a577a7](https://github.com/aquasecurity/trivy/commit/2a577a7bae37e5731dceaea8740683573b6b70a5))
* **dotnet:** don't include non-runtime libraries into report for `*.deps.json` files ([#7039](https://github.com/aquasecurity/trivy/issues/7039)) ([5bc662b](https://github.com/aquasecurity/trivy/commit/5bc662be9a8f072599f90abfd3b400c8ab055ed6))
* **dotnet:** show `nuget package dir not found` log only when checking `nuget` packages ([#7194](https://github.com/aquasecurity/trivy/issues/7194)) ([d76feba](https://github.com/aquasecurity/trivy/commit/d76febaee107c645e864da0f4d74a8f6ae4ad232))
* ignore nodes when listing permission is not allowed ([#7107](https://github.com/aquasecurity/trivy/issues/7107)) ([25f8143](https://github.com/aquasecurity/trivy/commit/25f8143f120965c636c5ea8386398b211b082398))
* **java:** avoid panic if deps from `pom` in `it` dir are not found ([#7245](https://github.com/aquasecurity/trivy/issues/7245)) ([4e54a7e](https://github.com/aquasecurity/trivy/commit/4e54a7e84c33c1be80c52c6db78c634bc3911715))
* **java:** use `go-mvn-version` to remove `Package` duplicates ([#7088](https://github.com/aquasecurity/trivy/issues/7088)) ([a7a304d](https://github.com/aquasecurity/trivy/commit/a7a304d53e1ce230f881c28c4f35885774cf3b9a))
* **misconf:** do not evaluate TF when a load error occurs ([#7109](https://github.com/aquasecurity/trivy/issues/7109)) ([f27c236](https://github.com/aquasecurity/trivy/commit/f27c236d6e155cb366aeef619b6ea96d20fb93da))
* **nodejs:** detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` ([#7110](https://github.com/aquasecurity/trivy/issues/7110)) ([54bb8bd](https://github.com/aquasecurity/trivy/commit/54bb8bdfb934d114b5570005853bf4bc0d40c609))
* **report:** hide empty table when all secrets/license/misconfigs are ignored ([#7171](https://github.com/aquasecurity/trivy/issues/7171)) ([c3036de](https://github.com/aquasecurity/trivy/commit/c3036de6d7719323d306a9666ccc8d928d936f9a))
* **secret:** skip regular strings contain secret patterns ([#7182](https://github.com/aquasecurity/trivy/issues/7182)) ([174b1e3](https://github.com/aquasecurity/trivy/commit/174b1e3515a6394cf8d523216d6267c1aefb820a))
* **secret:** trim excessively long lines ([#7192](https://github.com/aquasecurity/trivy/issues/7192)) ([92b13be](https://github.com/aquasecurity/trivy/commit/92b13be668bd20f8e9dac2f0cb8e5a2708b9b3b5))
* **secret:** update length of `hugging-face-access-token` ([#7216](https://github.com/aquasecurity/trivy/issues/7216)) ([8c87194](https://github.com/aquasecurity/trivy/commit/8c87194f0a6b194bc5d340c8a65bd99a3132d973))
* **server:** pass license categories to options ([#7203](https://github.com/aquasecurity/trivy/issues/7203)) ([9d52018](https://github.com/aquasecurity/trivy/commit/9d5201808da89607ae43570bdf1f335b482a6b79))
### Performance Improvements
* **debian:** use `bytes.Index` in `emptyLineSplit` to cut allocation ([#7065](https://github.com/aquasecurity/trivy/issues/7065)) ([acbec05](https://github.com/aquasecurity/trivy/commit/acbec053c985388a26d899e73b4b7f5a6d1fa210))
## [0.53.0](https://github.com/aquasecurity/trivy/compare/v0.52.0...v0.53.0) (2024-07-01)
### ⚠ BREAKING CHANGES
* **k8s:** node-collector dynamic commands support ([#6861](https://github.com/aquasecurity/trivy/issues/6861))
* add clean subcommand ([#6993](https://github.com/aquasecurity/trivy/issues/6993))
* **aws:** Remove aws subcommand ([#6995](https://github.com/aquasecurity/trivy/issues/6995))
### Features
* add clean subcommand ([#6993](https://github.com/aquasecurity/trivy/issues/6993)) ([8d0ae1f](https://github.com/aquasecurity/trivy/commit/8d0ae1f5de72d92a043dcd6b7c164d30e51b6047))
* Add local ImageID to SARIF metadata ([#6522](https://github.com/aquasecurity/trivy/issues/6522)) ([f144e91](https://github.com/aquasecurity/trivy/commit/f144e912d34234f00b5a13b7a11a0019fa978b27))
* add memory cache backend ([#7048](https://github.com/aquasecurity/trivy/issues/7048)) ([55ccd06](https://github.com/aquasecurity/trivy/commit/55ccd06df43f6ff28685f46d215ccb70f55916d2))
* **aws:** Remove aws subcommand ([#6995](https://github.com/aquasecurity/trivy/issues/6995)) ([979e118](https://github.com/aquasecurity/trivy/commit/979e118a9e0ca8943bef9143f492d7eb1fd4d863))
* **conda:** add licenses support for `environment.yml` files ([#6953](https://github.com/aquasecurity/trivy/issues/6953)) ([654217a](https://github.com/aquasecurity/trivy/commit/654217a65485ca0a07771ea61071977894eb4920))
* **dart:** use first version of constraint for dependencies using SDK version ([#6239](https://github.com/aquasecurity/trivy/issues/6239)) ([042d6b0](https://github.com/aquasecurity/trivy/commit/042d6b08c283105c258a3dda98983b345a5305c3))
* **image:** Set User-Agent header for Trivy container registry requests ([#6868](https://github.com/aquasecurity/trivy/issues/6868)) ([9b31697](https://github.com/aquasecurity/trivy/commit/9b31697274c8743d6e5a8f7a1a05daf60cd15910))
* **java:** add support for `maven-metadata.xml` files for remote snapshot repositories. ([#6950](https://github.com/aquasecurity/trivy/issues/6950)) ([1f8fca1](https://github.com/aquasecurity/trivy/commit/1f8fca1fc77b989bb4e3ba820b297464dbdd825f))
* **java:** add support for sbt projects using sbt-dependency-lock ([#6882](https://github.com/aquasecurity/trivy/issues/6882)) ([f18d035](https://github.com/aquasecurity/trivy/commit/f18d035ae13b281c96aa4ed69ca32e507d336e66))
* **k8s:** node-collector dynamic commands support ([#6861](https://github.com/aquasecurity/trivy/issues/6861)) ([8d618e4](https://github.com/aquasecurity/trivy/commit/8d618e48a2f1b60c2e4c49cdd9deb8eb45c972b0))
* **misconf:** add metadata to Cloud schema ([#6831](https://github.com/aquasecurity/trivy/issues/6831)) ([02d5404](https://github.com/aquasecurity/trivy/commit/02d540478d495416b50d7e8b187ff9f5bba41f45))
* **misconf:** add support for AWS::EC2::SecurityGroupIngress/Egress ([#6755](https://github.com/aquasecurity/trivy/issues/6755)) ([55fa610](https://github.com/aquasecurity/trivy/commit/55fa6109cd0463fd3221aae41ca7b1d8c44ad430))
* **misconf:** API Gateway V1 support for CloudFormation ([#6874](https://github.com/aquasecurity/trivy/issues/6874)) ([8491469](https://github.com/aquasecurity/trivy/commit/8491469f0b35bd9df706a433669f5b62239d4ef3))
* **misconf:** support of selectors for all providers for Rego ([#6905](https://github.com/aquasecurity/trivy/issues/6905)) ([bc3741a](https://github.com/aquasecurity/trivy/commit/bc3741ae2c68cdd00fc0aef7e51985568b2eb78a))
* **php:** add installed.json file support ([#4865](https://github.com/aquasecurity/trivy/issues/4865)) ([edc556b](https://github.com/aquasecurity/trivy/commit/edc556b85e3554c31e19b1ece189effb9ba2be12))
* **plugin:** add support for nested archives ([#6845](https://github.com/aquasecurity/trivy/issues/6845)) ([622c67b](https://github.com/aquasecurity/trivy/commit/622c67b7647f94d0a0ca3acf711d8f847cdd8d98))
* **sbom:** migrate to `CycloneDX v1.6` ([#6903](https://github.com/aquasecurity/trivy/issues/6903)) ([09e50ce](https://github.com/aquasecurity/trivy/commit/09e50ce6a82073ba62f1732d5aa0cd2701578693))
### Bug Fixes
* **c:** don't skip conan files from `file-patterns` and scan `.conan2` cache dir ([#6949](https://github.com/aquasecurity/trivy/issues/6949)) ([38b35dd](https://github.com/aquasecurity/trivy/commit/38b35dd3c804027e7a6e6a9d3c87b7ac333896c5))
* **cli:** show info message only when --scanners is available ([#7032](https://github.com/aquasecurity/trivy/issues/7032)) ([e9fc3e3](https://github.com/aquasecurity/trivy/commit/e9fc3e3397564512038ddeca2adce0efcb3f93c5))
* **cyclonedx:** trim non-URL info for `advisory.url` ([#6952](https://github.com/aquasecurity/trivy/issues/6952)) ([417212e](https://github.com/aquasecurity/trivy/commit/417212e0930aa52a27ebdc1b9370d2943ce0f8fa))
* **debian:** take installed files from the origin layer ([#6849](https://github.com/aquasecurity/trivy/issues/6849)) ([089b953](https://github.com/aquasecurity/trivy/commit/089b953462260f01c40bdf588b2568ae0ef658bc))
* **image:** parse `image.inspect.Created` field only for non-empty values ([#6948](https://github.com/aquasecurity/trivy/issues/6948)) ([0af5730](https://github.com/aquasecurity/trivy/commit/0af5730cbe56686417389c2fad643c1bdbb33999))
* **license:** return license separation using separators `,`, `or`, etc. ([#6916](https://github.com/aquasecurity/trivy/issues/6916)) ([52f7aa5](https://github.com/aquasecurity/trivy/commit/52f7aa54b520a90a19736703f8ea63cc20fab104))
* **misconf:** fix caching of modules in subdirectories ([#6814](https://github.com/aquasecurity/trivy/issues/6814)) ([0bcfedb](https://github.com/aquasecurity/trivy/commit/0bcfedbcaa9bbe30ee5ecade5b98e9ce3cc54c9b))
* **misconf:** fix parsing of engine links and frameworks ([#6937](https://github.com/aquasecurity/trivy/issues/6937)) ([ec68c9a](https://github.com/aquasecurity/trivy/commit/ec68c9ab4580d057720179173d58734402c92af4))
* **misconf:** handle source prefix to ignore ([#6945](https://github.com/aquasecurity/trivy/issues/6945)) ([c3192f0](https://github.com/aquasecurity/trivy/commit/c3192f061d7e84eaf38df8df7c879dc00b4ca137))
* **misconf:** parsing numbers without fraction as int ([#6834](https://github.com/aquasecurity/trivy/issues/6834)) ([8141a13](https://github.com/aquasecurity/trivy/commit/8141a137ba50b553a9da877d95c7ccb491d041c6))
* **nodejs:** fix infinite loop when package link from `package-lock.json` file is broken ([#6858](https://github.com/aquasecurity/trivy/issues/6858)) ([cf5aa33](https://github.com/aquasecurity/trivy/commit/cf5aa336e660e4c98481ebf8d15dd4e54c38581e))
* **nodejs:** fix infinity loops for `pnpm` with cyclic imports ([#6857](https://github.com/aquasecurity/trivy/issues/6857)) ([7d083bc](https://github.com/aquasecurity/trivy/commit/7d083bc890eccc3bf32765c6d7e922cab2e2ef94))
* **plugin:** respect `--insecure` ([#7022](https://github.com/aquasecurity/trivy/issues/7022)) ([3d02a31](https://github.com/aquasecurity/trivy/commit/3d02a31b44924f9e2495aae087f7ca9de3314db4))
* **purl:** add missed os types ([#6955](https://github.com/aquasecurity/trivy/issues/6955)) ([2d85a00](https://github.com/aquasecurity/trivy/commit/2d85a003b22298d1101f84559f7c6b470f2b3909))
* **python:** compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase ([#6852](https://github.com/aquasecurity/trivy/issues/6852)) ([faa9d92](https://github.com/aquasecurity/trivy/commit/faa9d92cfeb8d924deda2dac583b6c97099c08d9))
* **sbom:** don't overwrite `srcEpoch` when decoding SBOM files ([#6866](https://github.com/aquasecurity/trivy/issues/6866)) ([04af59c](https://github.com/aquasecurity/trivy/commit/04af59c2906bcfc7f7970b4e8f45a90f04313170))
* **sbom:** fix panic when scanning SBOM file without root component into SBOM format ([#7051](https://github.com/aquasecurity/trivy/issues/7051)) ([3d4ae8b](https://github.com/aquasecurity/trivy/commit/3d4ae8b5be94cd9b00badeece8d86c2258b2cd90))
* **sbom:** take pkg name from `purl` for maven pkgs ([#7008](https://github.com/aquasecurity/trivy/issues/7008)) ([a76e328](https://github.com/aquasecurity/trivy/commit/a76e3286c413de3dec55394fb41dd627dfee37ae))
* **sbom:** use `purl` for `bitnami` pkg names ([#6982](https://github.com/aquasecurity/trivy/issues/6982)) ([7eabb92](https://github.com/aquasecurity/trivy/commit/7eabb92ec2e617300433445718be07ac74956454))
* **sbom:** use package UIDs for uniqueness ([#7042](https://github.com/aquasecurity/trivy/issues/7042)) ([14d71ba](https://github.com/aquasecurity/trivy/commit/14d71ba63c39e51dd4179ba2d6002b46e1816e90))
* **secret:** `Asymmetric Private Key` shouldn't start with space ([#6867](https://github.com/aquasecurity/trivy/issues/6867)) ([bb26445](https://github.com/aquasecurity/trivy/commit/bb26445e3df198df77930329f532ac5ab7a67af2))
* **suse:** Add SLES 15.6 and Leap 15.6 ([#6964](https://github.com/aquasecurity/trivy/issues/6964)) ([5ee4e9d](https://github.com/aquasecurity/trivy/commit/5ee4e9d30ea814f60fd5705361cabf2e83a47a78))
* use embedded when command path not found ([#7037](https://github.com/aquasecurity/trivy/issues/7037)) ([137c916](https://github.com/aquasecurity/trivy/commit/137c9164238ffd989a0c5ed24f23a55bbf341f6e))
## [0.52.0](https://github.com/aquasecurity/trivy/compare/v0.51.1...v0.52.0) (2024-06-03)
### Features
* Add Julia language analyzer support ([#5635](https://github.com/aquasecurity/trivy/issues/5635)) ([fecafb1](https://github.com/aquasecurity/trivy/commit/fecafb1fc5bb129c7485342a0775f0dd8bedd28e))
* add support for plugin index ([#6674](https://github.com/aquasecurity/trivy/issues/6674)) ([26faf8f](https://github.com/aquasecurity/trivy/commit/26faf8f3f04b1c5f9f81c03ffc6b2008732207e2))
* **misconf:** Add support for deprecating a check ([#6664](https://github.com/aquasecurity/trivy/issues/6664)) ([88702cf](https://github.com/aquasecurity/trivy/commit/88702cfd5918b093defc5b5580f7cbf16f5f2417))
* **misconf:** add Terraform 'removed' block to schema ([#6640](https://github.com/aquasecurity/trivy/issues/6640)) ([b7a0a13](https://github.com/aquasecurity/trivy/commit/b7a0a131a03ed49c08d3b0d481bc9284934fd6e1))
* **misconf:** register builtin Rego funcs from trivy-checks ([#6616](https://github.com/aquasecurity/trivy/issues/6616)) ([7c22ee3](https://github.com/aquasecurity/trivy/commit/7c22ee3df5ee51beb90e44428a99541b3d19ab98))
* **misconf:** resolve tf module from OpenTofu compatible registry ([#6743](https://github.com/aquasecurity/trivy/issues/6743)) ([ac74520](https://github.com/aquasecurity/trivy/commit/ac7452009bf7ca0fa8ee1de8807c792eabad405a))
* **misconf:** support for VPC resources for inbound/outbound rules ([#6779](https://github.com/aquasecurity/trivy/issues/6779)) ([349caf9](https://github.com/aquasecurity/trivy/commit/349caf96bc3dd81551d488044f1adfdb947f39fb))
* **misconf:** support symlinks inside of Helm archives ([#6621](https://github.com/aquasecurity/trivy/issues/6621)) ([4eae37c](https://github.com/aquasecurity/trivy/commit/4eae37c52b035b3576361c12f70d3d9517d0a73c))
* **nodejs:** add v9 pnpm lock file support ([#6617](https://github.com/aquasecurity/trivy/issues/6617)) ([1e08648](https://github.com/aquasecurity/trivy/commit/1e0864842e32a709941d4b4e8f521602bcee684d))
* **plugin:** specify plugin version ([#6683](https://github.com/aquasecurity/trivy/issues/6683)) ([d6dc567](https://github.com/aquasecurity/trivy/commit/d6dc56732babbc9d7f788c280a768d8648aa093d))
* **python:** add license support for `requirement.txt` files ([#6782](https://github.com/aquasecurity/trivy/issues/6782)) ([29615be](https://github.com/aquasecurity/trivy/commit/29615be85e8bfeaf5a0cd51829b1898c55fa4274))
* **python:** add line number support for `requirement.txt` files ([#6729](https://github.com/aquasecurity/trivy/issues/6729)) ([2bc54ad](https://github.com/aquasecurity/trivy/commit/2bc54ad2752aba5de4380cb92c13b09c0abefd73))
* **report:** Include licenses and secrets filtered by rego to ModifiedFindings ([#6483](https://github.com/aquasecurity/trivy/issues/6483)) ([fa3cf99](https://github.com/aquasecurity/trivy/commit/fa3cf993eace4be793f85907b42365269c597b91))
* **vex:** improve relationship support in CSAF VEX ([#6735](https://github.com/aquasecurity/trivy/issues/6735)) ([a447f6b](https://github.com/aquasecurity/trivy/commit/a447f6ba94b6f8b14177dc5e4369a788e2020d90))
* **vex:** support non-root components for products in OpenVEX ([#6728](https://github.com/aquasecurity/trivy/issues/6728)) ([9515695](https://github.com/aquasecurity/trivy/commit/9515695d45e9b5c20890e27e21e3ab45bfd4ce5f))
### Bug Fixes
* clean up golangci lint configuration ([#6797](https://github.com/aquasecurity/trivy/issues/6797)) ([62de6f3](https://github.com/aquasecurity/trivy/commit/62de6f3feba6e4c56ad3922441d5b0f150c3d6b7))
* **cli:** always output fatal errors to stderr ([#6827](https://github.com/aquasecurity/trivy/issues/6827)) ([c2b9132](https://github.com/aquasecurity/trivy/commit/c2b9132a7e933a68df4cc0eb86aab23719ded1b5))
* close APKINDEX archive file ([#6672](https://github.com/aquasecurity/trivy/issues/6672)) ([5caf437](https://github.com/aquasecurity/trivy/commit/5caf4377f3a7fcb1f6e1a84c67136ae62d100be3))
* close settings.xml ([#6768](https://github.com/aquasecurity/trivy/issues/6768)) ([9c3e895](https://github.com/aquasecurity/trivy/commit/9c3e895fcb0852c00ac03ed21338768f76b5273b))
* close testfile ([#6830](https://github.com/aquasecurity/trivy/issues/6830)) ([aa0c413](https://github.com/aquasecurity/trivy/commit/aa0c413814e8915b38d2285c6a8ba5bc3f0705b4))
* **conda:** add support `pip` deps for `environment.yml` files ([#6675](https://github.com/aquasecurity/trivy/issues/6675)) ([150a773](https://github.com/aquasecurity/trivy/commit/150a77313e980cd63797a89a03afcbc97b285f38))
* **go:** add only non-empty root modules for `gobinaries` ([#6710](https://github.com/aquasecurity/trivy/issues/6710)) ([c96f2a5](https://github.com/aquasecurity/trivy/commit/c96f2a5b3de820da37e14594dd537c3b0949ae9c))
* **go:** include only `.version`|`.ver` (no prefixes) ldflags for `gobinaries` ([#6705](https://github.com/aquasecurity/trivy/issues/6705)) ([afb4f9d](https://github.com/aquasecurity/trivy/commit/afb4f9dc4730671ba004e1734fa66422c4c86dad))
* Golang version parsing from binaries w/GOEXPERIMENT ([#6696](https://github.com/aquasecurity/trivy/issues/6696)) ([696f2ae](https://github.com/aquasecurity/trivy/commit/696f2ae0ecdd4f90303f41249924a09ace70dd78))
* include packages unless it is not needed ([#6765](https://github.com/aquasecurity/trivy/issues/6765)) ([56dbe1f](https://github.com/aquasecurity/trivy/commit/56dbe1f6768fe67fbc1153b74fde0f83eaa1b281))
* **misconf:** don't shift ignore rule related to code ([#6708](https://github.com/aquasecurity/trivy/issues/6708)) ([39a746c](https://github.com/aquasecurity/trivy/commit/39a746c77837f873e87b81be40676818030f44c5))
* **misconf:** skip Rego errors with a nil location ([#6638](https://github.com/aquasecurity/trivy/issues/6638)) ([a2c522d](https://github.com/aquasecurity/trivy/commit/a2c522ddb229f049999c4ce74ef75a0e0f9fdc62))
* **misconf:** skip Rego errors with a nil location ([#6666](https://github.com/aquasecurity/trivy/issues/6666)) ([a126e10](https://github.com/aquasecurity/trivy/commit/a126e1075a44ef0e40c0dc1e214d1c5955f80242))
* node-collector high and critical cves ([#6707](https://github.com/aquasecurity/trivy/issues/6707)) ([ff32deb](https://github.com/aquasecurity/trivy/commit/ff32deb7bf9163c06963f557228260b3b8c161ed))
* **plugin:** initialize logger ([#6836](https://github.com/aquasecurity/trivy/issues/6836)) ([728e77a](https://github.com/aquasecurity/trivy/commit/728e77a7261dc3fcda1e61e79be066c789bbba0c))
* **python:** add package name and version validation for `requirements.txt` files. ([#6804](https://github.com/aquasecurity/trivy/issues/6804)) ([ea3a124](https://github.com/aquasecurity/trivy/commit/ea3a124fc7162c30c7f1a59bdb28db0b3c8bb86d))
* **report:** hide empty tables if all vulns has been filtered ([#6352](https://github.com/aquasecurity/trivy/issues/6352)) ([3d388d8](https://github.com/aquasecurity/trivy/commit/3d388d8552ef42d4d54176309a38c1879008527b))
* **sbom:** fix panic for `convert` mode when scanning json file derived from sbom file ([#6808](https://github.com/aquasecurity/trivy/issues/6808)) ([f92ea09](https://github.com/aquasecurity/trivy/commit/f92ea096856c7c262b05bd4d31c62689ebafac82))
* use of specified context to obtain cluster name ([#6645](https://github.com/aquasecurity/trivy/issues/6645)) ([39ebed4](https://github.com/aquasecurity/trivy/commit/39ebed45f8c218509d264bd3f3ca548fc33d2b3a))
### Performance Improvements
* **misconf:** parse rego input once ([#6615](https://github.com/aquasecurity/trivy/issues/6615)) ([67c6b1d](https://github.com/aquasecurity/trivy/commit/67c6b1d473999003d682bdb42657bbf3a4a69a9c))

1
CONTRIBUTING.md
View File

@@ -1 +0,0 @@
See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)

5
Dockerfile
View File

@@ -1,5 +0,0 @@
FROM alpine:3.20.0
RUN apk --no-cache add ca-certificates git
COPY trivy /usr/local/bin/trivy
COPY contrib/*.tpl contrib/
ENTRYPOINT ["trivy"]

11
Dockerfile.canary
View File

@@ -1,11 +0,0 @@
FROM alpine:3.20.0
RUN apk --no-cache add ca-certificates git
# binaries were created with GoReleaser
# need to copy binaries from folder with correct architecture
# example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
# GoReleaser adds _v* to the folder name, but only when GOARCH is amd64
ARG TARGETARCH
COPY "dist/trivy_canary_build_linux_${TARGETARCH}*/trivy" /usr/local/bin/trivy
COPY contrib/*.tpl contrib/
ENTRYPOINT ["trivy"]

20
Dockerfile.protoc
View File

@@ -1,20 +0,0 @@
FROM --platform=linux/amd64 golang:1.22
# Set environment variable for protoc
ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
# Install unzip for protoc installation and clean up cache
RUN apt-get update && apt-get install -y unzip && rm -rf /var/lib/apt/lists/*
# Download and install protoc
RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/$PROTOC_ZIP \
&& unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \
&& unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \
&& rm -f $PROTOC_ZIP
# Install Go tools
RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.34.0
RUN go install github.com/magefile/mage@v1.15.0
ENV TRIVY_PROTOC_CONTAINER=true

214
LICENSE
View File

@@ -1,201 +1,21 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
MIT License
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
Copyright (c) 2019 Teppei Fukuda
1. Definitions.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

4
NOTICE
View File

@@ -1,4 +0,0 @@
Trivy
Copyright 2019-2020 Aqua Security Software Ltd.
This product includes software developed by Aqua Security (https://aquasec.com).

230
README.md
View File

@@ -1,150 +1,144 @@
<div align="center">
<img src="docs/imgs/logo.png" width="200">
# trivy
[![GitHub Release][release-img]][release]
[![Test][test-img]][test]
[![Go Report Card][go-report-img]][go-report]
[![License: Apache-2.0][license-img]][license]
[![GitHub Downloads][github-downloads-img]][release]
![Docker Pulls][docker-pulls]
[![GitHub release](https://img.shields.io/github/release/knqyf263/trivy.svg)](https://github.com/knqyf263/trivy/releases/latest)
[![CircleCI](https://circleci.com/gh/knqyf263/trivy.svg?style=svg)](https://circleci.com/gh/knqyf263/trivy)
[![Go Report Card](https://goreportcard.com/badge/github.com/knqyf263/trivy)](https://goreportcard.com/report/github.com/knqyf263/trivy)
[![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](https://github.com/knqyf263/trivy/blob/master/LICENSE)
[📖 Documentation][docs]
</div>
# Abstract
Scan containers
Trivy ([pronunciation][pronunciation]) is a comprehensive and versatile security scanner.
Trivy has *scanners* that look for security issues, and *targets* where it can find those issues.
# Features
Targets (what Trivy can scan):
# Installation
- Container Image
- Filesystem
- Git Repository (remote)
- Virtual Machine Image
- Kubernetes
- AWS
## RHEL/CentOS
Scanners (what Trivy can find there):
Add repository setting to `/etc/yum.repos.d`.
- OS packages and software dependencies in use (SBOM)
- Known vulnerabilities (CVEs)
- IaC issues and misconfigurations
- Sensitive information and secrets
- Software licenses
Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the [Scanning Coverage] page.
To learn more, go to the [Trivy homepage][homepage] for feature highlights, or to the [Documentation site][docs] for detailed information.
## Quick Start
### Get Trivy
Trivy is available in most common distribution channels. The full list of installation options is available in the [Installation] page. Here are a few popular examples:
- `brew install trivy`
- `docker run aquasec/trivy`
- Download binary from <https://github.com/aquasecurity/trivy/releases/latest/>
- See [Installation] for more
Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem] page. Here are a few popular examples:
- [GitHub Actions](https://github.com/aquasecurity/trivy-action)
- [Kubernetes operator](https://github.com/aquasecurity/trivy-operator)
- [VS Code plugin](https://github.com/aquasecurity/trivy-vscode-extension)
- See [Ecosystem] for more
### Canary builds
There are canary builds ([Docker Hub](https://hub.docker.com/r/aquasec/trivy/tags?page=1&name=canary), [GitHub](https://github.com/aquasecurity/trivy/pkgs/container/trivy/75776514?tag=canary), [ECR](https://gallery.ecr.aws/aquasecurity/trivy#canary) images and [binaries](https://github.com/aquasecurity/trivy/actions/workflows/canary.yaml)) as generated every push to main branch.
Please be aware: canary builds might have critical bugs, it's not recommended for use in production.
### General usage
```bash
trivy <target> [--scanners <scanner1,scanner2>] <subject>
```
$ sudo vim /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://knqyf263.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
$ sudo yum -y update
$ sudo yum -y install trivy
```
Examples:
## Debian/Ubuntu
```bash
trivy image python:3.4-alpine
Replace `[CODE_NAME]` with your code name
CODE_NAME: wheezy, jessie, stretch, buster, trusty, xenial, bionic
```
$ sudo apt-get install apt-transport-https gnupg
$ wget -qO - https://knqyf263.github.io/trivy-repo/deb/public.key | sudo apt-key add -
$ echo deb https://knqyf263.github.io/trivy-repo/deb [CODE_NAME] main | sudo tee -a /etc/apt/sources.list
$ sudo apt-get update
$ sudo apt-get install trivy
```
<details>
<summary>Result</summary>
https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov
</details>
```bash
trivy fs --scanners vuln,secret,misconfig myproject/
## Mac OS X / Homebrew
You can use homebrew on OS X.
```
$ brew tap knqyf263/trivy
$ brew install knqyf263/trivy/trivy
```
<details>
<summary>Result</summary>
## Binary (Including Windows)
Go to [the releases page](https://github.com/knqyf263/trivy/releases), find the version you want, and download the zip file. Unpack the zip file, and put the binary to somewhere you want (on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on.
https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b01a-22de036bd9b3.mov
## From source
</details>
```bash
trivy k8s --report summary cluster
```sh
$ go get -u github.com/knqyf263/trivy
```
<details>
<summary>Result</summary>
# Examples
![k8s summary](docs/imgs/trivy-k8s.png)
# Usage
</details>
```
$ trivy -h
NAME:
trivy - A simple and comprehensive vulnerability scanner for containers
USAGE:
main [options] image_name
VERSION:
0.0.1
OPTIONS:
--format value, -f value format (table, json) (default: "table")
--input value, -i value input file path instead of image name
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN")
--output value, -o value output file name
--skip-update skip db update
--clean, -c clean all cache
--debug, -d debug mode
--help, -h show help
--version, -v print the version
```
## FAQ
# Q&A
## Homebrew
### Error: Your macOS keychain GitHub credentials do not have sufficient scope!
### How to pronounce the name "Trivy"?
```
$ brew tap knqyf263/trivy
Error: Your macOS keychain GitHub credentials do not have sufficient scope!
Scopes they need: none
Scopes they have:
Create a personal access token:
https://github.com/settings/tokens/new?scopes=gist,public_repo&description=Homebrew
echo 'export HOMEBREW_GITHUB_API_TOKEN=your_token_here' >> ~/.zshrc
```
`tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy**.
Try:
```
$ printf "protocol=https\nhost=github.com\n" | git credential-osxkeychain erase
```
## Want more? Check out Aqua
### Error: knqyf263/trivy/trivy 64 already installed
If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
You can find a high level comparison table specific to Trivy users [here](https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md).
In addition check out the <https://aquasec.com> website for more information about our products and services.
If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>
```
$ brew upgrade
...
Error: knqyf263/trivy/trivy 64 already installed
```
## Community
Try:
Trivy is an [Aqua Security][aquasec] open source project.
Learn about our open source work and portfolio [here][oss].
Contact us about any matter by opening a GitHub Discussion [here][discussions]
Join our [Slack community][slack] to stay up to date with community efforts.
```
$ brew unlink trivy && brew uninstall trivy
($ rm -rf /usr/local/Cellar/trivy/64)
$ brew install knqyf263/trivy/trivy
```
Please ensure to abide by our [Code of Conduct][code-of-conduct] during all interactions.
## Others
### Unknown error
Try again with `--clean` option
[test]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml
[test-img]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml/badge.svg
[go-report]: https://goreportcard.com/report/github.com/aquasecurity/trivy
[go-report-img]: https://goreportcard.com/badge/github.com/aquasecurity/trivy
[release]: https://github.com/aquasecurity/trivy/releases
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy.svg?logo=github
[github-downloads-img]: https://img.shields.io/github/downloads/aquasecurity/trivy/total?logo=github
[docker-pulls]: https://img.shields.io/docker/pulls/aquasec/trivy?logo=docker&label=docker%20pulls%20%2F%20trivy
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
[license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
[homepage]: https://trivy.dev
[docs]: https://aquasecurity.github.io/trivy
[pronunciation]: #how-to-pronounce-the-name-trivy
[slack]: https://slack.aquasec.com
[code-of-conduct]: https://github.com/aquasecurity/community/blob/main/CODE_OF_CONDUCT.md
```
$ trivy --clean alpine:3.8
```
[Installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
[Ecosystem]: https://aquasecurity.github.io/trivy/latest/ecosystem/
[Scanning Coverage]: https://aquasecurity.github.io/trivy/latest/docs/coverage/
# Contribute
[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
[rego]: https://www.openpolicyagent.org/docs/latest/#rego
[sigstore]: https://www.sigstore.dev/
1. fork a repository: github.com/knqyf263/trivy to github.com/you/repo
2. get original code: `go get github.com/knqyf263/trivy`
3. work on original code
4. add remote to your repo: git remote add myfork https://github.com/you/repo.git
5. push your changes: git push myfork
6. create a new Pull Request
[aquasec]: https://aquasec.com
[oss]: https://www.aquasec.com/products/open-source-projects/
[discussions]: https://github.com/aquasecurity/trivy/discussions
- see [GitHub and Go: forking, pull requests, and go-getting](http://blog.campoy.cat/2014/03/github-and-go-forking-pull-requests-and.html)
----
# License
MIT
# Author
Teppei Fukuda (knqyf263)

10
SECURITY.md
View File

@@ -1,10 +0,0 @@
# Security Policy
## Supported Versions
This is an open source project that is provided as-is without warrenty or liability.
As such no supportability commitment. The maintainers will do the best they can to address any report promptly and responsibly.
## Reporting a Vulnerability
Please use the "Private vulnerability reporting" feature in the GitHub repository (under the "Security" tab).

10
aqua.yaml
View File

@@ -1,10 +0,0 @@
---
# aqua - Declarative CLI Version Manager
# https://aquaproj.github.io/
registries:
- type: standard
ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
packages:
- name: tinygo-org/tinygo@v0.31.1
- name: WebAssembly/binaryen@version_112
- name: magefile/mage@v1.14.0

BIN
brand/Trivy-OSS-Logo-Color-Horizontal-RGB.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 44 KiB

85
brand/Trivy-OSS-Logo-Color-Horizontal-RGB.svg
View File

@@ -1,85 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 28.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
viewBox="0 0 1920 891" style="enable-background:new 0 0 1920 891;" xml:space="preserve">
<style type="text/css">
.st0{fill:#031730;}
.st1{fill:#08B1D5;}
.st2{fill:#1904DA;}
.st3{fill:#FFC900;}
.st4{fill:#FF0036;}
</style>
<g>
<g>
<g>
<g>
<g>
<path class="st0" d="M1437.8,277.53h-46.05c-25.39,0-46.05-20.66-46.05-46.05c0-25.39,20.66-46.05,46.05-46.05
c25.39,0,46.05,20.66,46.05,46.05V277.53z M1391.75,204.13c-15.08,0-27.35,12.27-27.35,27.35c0,15.08,12.27,27.35,27.35,27.35
h27.35v-27.35C1419.1,216.4,1406.84,204.13,1391.75,204.13z"/>
</g>
</g>
<g>
<g>
<path class="st0" d="M1746.82,277.53h-46.05c-25.39,0-46.05-20.66-46.05-46.05c0-25.39,20.66-46.05,46.05-46.05
c25.39,0,46.05,20.66,46.05,46.05V277.53z M1700.77,204.13c-15.08,0-27.35,12.27-27.35,27.35c0,15.08,12.27,27.35,27.35,27.35
h27.35v-27.35C1728.12,216.4,1715.85,204.13,1700.77,204.13z"/>
</g>
</g>
<g>
<path class="st0" d="M1597.76,277.55c-25.4,0-46.07-20.66-46.07-46.07v-43.22h18.71v43.22c0,15.09,12.28,27.36,27.36,27.36
s27.36-12.28,27.36-27.36v-43.22h18.71v43.22C1643.83,256.88,1623.16,277.55,1597.76,277.55z"/>
</g>
<g>
<path class="st0" d="M1494.75,185.43c-25.39,0-46.05,20.66-46.05,46.05c0,25.39,20.66,46.05,46.05,46.05l18.7-18.7h-18.7
c-15.08,0-27.35-12.27-27.35-27.35c0-15.08,12.27-27.35,27.35-27.35s27.35,12.27,27.35,27.35v90h18.7v-90
C1540.8,206.09,1520.14,185.43,1494.75,185.43z"/>
</g>
</g>
</g>
<g>
<g>
<path class="st0" d="M968.09,578.05v45.38c-30.92,0-58.76-11.12-80.72-29.55c-27.59-23.17-45.14-57.93-45.14-96.78V269.82h45.14
v103.14h80.72v45.68h-80.72v79.6C887.98,542.42,923.77,578.05,968.09,578.05z"/>
<path class="st0" d="M1128.93,372.97v45.08c-42.79,0.09-77.63,34.03-79.2,76.45v128.94h-45.21V372.96h45.21v28.59
C1071.24,383.73,1098.84,373.01,1128.93,372.97z"/>
<path class="st0" d="M1157.94,347.93v-39.5h45.14v39.5H1157.94z M1157.94,623.44V372.96h45.14v250.48H1157.94z"/>
<path class="st0" d="M1479.86,372.96l-125.14,250.48l-125.3-250.48h51.3l73.99,147.93l73.84-147.93H1479.86z"/>
<path class="st0" d="M1750.5,372.96c0,0,0,273.85,0,291.97c0,69.91-57.37,125.75-125.32,125.69
c-31.84,0.03-61.33-12.05-83.7-32.11l32.45-32.45c13.85,11.74,31.73,18.85,51.25,18.82c43.98,0,79.58-35.97,79.58-79.95v-69.99
c-21.82,18.06-49.68,28.52-79.58,28.49c-68.1,0.06-125.44-54.9-125.44-125.35c0-1.49,0-125.13,0-125.13h45.73
c0,0,0.02,121.79,0.02,125.13c0,43.8,35.68,80,79.69,79.96c43.98,0,79.58-35.97,79.58-79.96V372.96H1750.5z"/>
</g>
</g>
<g>
<g>
<g>
<path class="st1" d="M463.95,358.89c0.04,0,0.08,0,0.12,0c6.43,0.01,11.75-4.93,11.75-11.36V134.47l-11.99-6.7l-11.94,6.67
v213.1c0,6.43,5.32,11.38,11.75,11.35C463.73,358.89,463.84,358.89,463.95,358.89z"/>
<path class="st2" d="M392.02,455.6L194.35,588.27v15.11l11.26,6.17L405.34,475.5c5.13-3.44,6.41-10.31,3.09-15.52
c-0.14-0.22-0.28-0.44-0.42-0.67C404.58,453.78,397.42,451.98,392.02,455.6z"/>
<path class="st3" d="M522.51,475.6l199.56,133.93l11.23-6.15v-15.14L535.83,455.71c-5.4-3.62-12.56-1.83-16,3.69
c-0.13,0.21-0.26,0.42-0.4,0.63C516.09,465.26,517.36,472.15,522.51,475.6z"/>
<path class="st0" d="M757.23,277.9V264.2l-12.26-6.85l-0.91-0.48L475.5,106.89l-11.68-6.51l-11.63,6.51L183.58,256.88
l-0.91,0.48l-12.25,6.85v13.69l-0.91,0.53l0.91,0.48v13.64v325.01l12.45,6.8l261.62,143.33l3.3,1.82l16.08,8.81l16.04-8.81
l3.3-1.82l261.62-143.33l12.4-6.8V292.55v-13.6l0.96-0.53L757.23,277.9z M476.11,744.33V502.51c0-6.59-5.39-11.98-11.98-11.97
l-0.18,0l-0.12,0c-6.59-0.01-11.98,5.38-11.98,11.97v241.81L205.61,609.55l-11.26-6.17v-15.11V290.06l196.06,107.42
c5.66,3.1,12.84,1.02,15.97-4.63l0.14-0.25c3.16-5.71,1.06-12.96-4.67-16.1L208.33,270.47l243.55-136.03l11.94-6.67l11.99,6.7
l243.5,136.01L525.64,376.58c-5.7,3.12-7.48,10.25-4.32,15.92c0.05,0.1,0.11,0.19,0.16,0.29c3.1,5.62,10.02,7.85,15.65,4.77
l196.16-107.5v298.19v15.14l-11.23,6.15L476.11,744.33z"/>
</g>
<circle class="st4" cx="463.95" cy="424.72" r="34.73"/>
</g>
<path class="st1" d="M649.35,258.97L461.77,153.83c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59
l187.58,105.15c5.77,3.23,7.82,10.53,4.59,16.29v0C662.41,260.15,655.12,262.2,649.35,258.97z"/>
<path class="st1" d="M567.15,267.09l-105.38-59.07c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59
l105.38,59.07c5.77,3.23,7.82,10.53,4.59,16.29l0,0C580.21,268.26,572.92,270.32,567.15,267.09z"/>
<path class="st1" d="M601.67,286.44L601.67,286.44c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59l0,0
c5.77,3.23,7.82,10.53,4.59,16.29v0C614.73,287.61,607.44,289.67,601.67,286.44z"/>
<path class="st1" d="M497.04,283.82l-35-19.62c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59l35,19.62
c5.77,3.23,7.82,10.53,4.59,16.29l0,0C510.1,284.99,502.8,287.05,497.04,283.82z"/>
<path class="st1" d="M549.85,316.05l-20.26-11.36c-5.77-3.23-7.82-10.53-4.59-16.29h0c3.23-5.77,10.53-7.82,16.29-4.59
l20.26,11.36c5.77,3.23,7.82,10.53,4.59,16.29v0C562.91,317.23,555.61,319.28,549.85,316.05z"/>
</g>
</g>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 5.3 KiB

BIN
brand/Trivy-OSS-Logo-Color-Stacked-RGB.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 29 KiB

3206
brand/Trivy-OSS-Logo-Color-Stacked-RGB.svg
View File

File diff suppressed because it is too large Load Diff
Side by Side

Before

Width:  |  Height:  |  Size: 233 KiB

BIN
brand/Trivy-OSS-Logo-White-Horizontal-RGB.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 44 KiB

69
brand/Trivy-OSS-Logo-White-Horizontal-RGB.svg
View File

@@ -1,69 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 28.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
viewBox="0 0 1920 891" style="enable-background:new 0 0 1920 891;" xml:space="preserve">
<style type="text/css">
.st0{fill:#FFFFFF;}
.st1{fill:#50F0FF;}
.st2{fill:#0744DD;}
.st3{fill:#FFC900;}
.st4{fill:#FF0036;}
</style>
<g>
<g>
<path class="st0" d="M1421.86,281.92h-46.97c-25.9,0-46.97-21.07-46.97-46.97c0-25.9,21.07-46.97,46.97-46.97
c25.9,0,46.97,21.07,46.97,46.97V281.92z M1374.89,207.05c-15.38,0-27.9,12.52-27.9,27.9c0,15.38,12.52,27.9,27.9,27.9h27.9v-27.9
C1402.79,219.57,1390.28,207.05,1374.89,207.05z"/>
<path class="st0" d="M1737.06,281.92h-46.97c-25.9,0-46.97-21.07-46.97-46.97c0-25.9,21.07-46.97,46.97-46.97
c25.9,0,46.97,21.07,46.97,46.97V281.92z M1690.09,207.05c-15.38,0-27.9,12.52-27.9,27.9c0,15.38,12.52,27.9,27.9,27.9h27.9v-27.9
C1717.98,219.57,1705.47,207.05,1690.09,207.05z"/>
<path class="st0" d="M1585.02,281.94c-25.91,0-46.99-21.08-46.99-46.99v-44.08h19.08v44.08c0,15.39,12.52,27.91,27.91,27.91
c15.39,0,27.91-12.52,27.91-27.91v-44.08h19.09v44.08C1632.01,260.86,1610.92,281.94,1585.02,281.94z"/>
<path class="st0" d="M1479.94,187.98c-25.9,0-46.97,21.07-46.97,46.97c0,25.9,21.07,46.97,46.97,46.97l19.07-19.07h-19.07
c-15.38,0-27.9-12.52-27.9-27.9c0-15.38,12.52-27.9,27.9-27.9c15.38,0,27.9,12.52,27.9,27.9v91.8h19.07v-91.8
C1526.91,209.05,1505.84,187.98,1479.94,187.98z"/>
</g>
<g>
<path class="st0" d="M942.76,588.45v46.29c-31.53,0-59.94-11.34-82.34-30.14c-28.15-23.63-46.04-59.08-46.04-98.71V274.06h46.04
v105.2h82.34v46.59h-82.34v81.19C861.05,552.1,897.55,588.45,942.76,588.45z"/>
<path class="st0" d="M1106.82,379.26v45.98c-43.65,0.1-79.18,34.71-80.78,77.98v131.52h-46.12V379.26h46.12v29.16
C1047.97,390.24,1076.12,379.3,1106.82,379.26z"/>
<path class="st0" d="M1136.4,353.72v-40.29h46.05v40.29H1136.4z M1136.4,634.74V379.26h46.05v255.48H1136.4z"/>
<path class="st0" d="M1464.76,379.26l-127.64,255.48l-127.8-255.48h52.33l75.47,150.88l75.31-150.88H1464.76z"/>
<path class="st0" d="M1740.81,379.26c0,0,0,279.32,0,297.8c0,71.31-58.52,128.26-127.83,128.2
c-32.47,0.03-62.55-12.29-85.37-32.76l33.1-33.09c14.13,11.97,32.36,19.22,52.28,19.2c44.86,0,81.17-36.69,81.17-81.55v-71.39
c-22.26,18.42-50.67,29.09-81.17,29.06c-69.46,0.06-127.95-56-127.95-127.85c0-1.51,0-127.64,0-127.64h46.64
c0,0,0.02,124.23,0.02,127.64c0,44.67,36.39,81.6,81.28,81.55c44.86,0,81.17-36.69,81.17-81.55V379.26H1740.81z"/>
</g>
<g>
<g>
<g>
<path class="st1" d="M428.54,364.9c0.04,0,0.08,0,0.12,0c6.56,0.01,11.98-5.03,11.98-11.58V135.99l-12.23-6.83l-12.18,6.8
v217.36c0,6.56,5.43,11.61,11.98,11.58C428.32,364.9,428.43,364.9,428.54,364.9z"/>
<path class="st2" d="M355.18,463.55L153.55,598.87v15.41l11.49,6.29l203.73-136.73c5.23-3.51,6.53-10.52,3.15-15.84
c-0.14-0.23-0.29-0.45-0.43-0.68C367.99,461.7,360.68,459.86,355.18,463.55z"/>
<path class="st3" d="M488.27,483.95l203.55,136.61l11.45-6.28v-15.44L501.86,463.66c-5.51-3.7-12.82-1.87-16.32,3.76
c-0.13,0.21-0.27,0.43-0.4,0.64C481.73,473.4,483.02,480.43,488.27,483.95z"/>
<path class="st0" d="M727.69,282.29v-13.96l-12.5-6.98l-0.93-0.49L440.33,107.87l-11.92-6.64l-11.87,6.64L142.56,260.86
l-0.93,0.49l-12.5,6.98v13.96l-0.93,0.54l0.93,0.49v13.92v331.5l12.69,6.94l266.85,146.2l3.37,1.85l16.41,8.98l16.36-8.98
l3.37-1.85l266.85-146.2l12.65-6.94v-331.5v-13.87l0.98-0.54L727.69,282.29z M440.95,758.05V511.4c0-6.72-5.5-12.22-12.22-12.21
l-0.19,0l-0.13,0c-6.72-0.01-12.22,5.49-12.22,12.21v246.64L165.04,620.57l-11.49-6.29v-15.41V294.7l199.98,109.56
c5.77,3.16,13.1,1.04,16.28-4.72l0.14-0.26c3.22-5.83,1.08-13.22-4.76-16.42L167.81,274.72l248.42-138.75l12.18-6.8l12.23,6.83
l248.37,138.73L491.47,382.95c-5.81,3.18-7.63,10.45-4.41,16.24c0.05,0.1,0.11,0.2,0.16,0.29c3.16,5.73,10.22,8.01,15.96,4.86
L703.27,294.7v304.15v15.44l-11.45,6.28L440.95,758.05z"/>
</g>
<circle class="st4" cx="428.54" cy="432.05" r="35.42"/>
</g>
<path class="st1" d="M617.65,262.99L426.32,155.74c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68
l191.33,107.25c5.88,3.3,7.98,10.74,4.68,16.62l0,0C630.97,264.19,623.53,266.29,617.65,262.99z"/>
<path class="st1" d="M533.81,271.27l-107.48-60.25c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68
l107.48,60.25c5.88,3.3,7.98,10.74,4.68,16.62v0C547.13,272.47,539.69,274.56,533.81,271.27z"/>
<path class="st1" d="M569.02,291L569.02,291c-5.88-3.3-7.98-10.74-4.68-16.62l0,0c3.3-5.88,10.74-7.98,16.62-4.68v0
c5.88,3.3,7.98,10.74,4.68,16.62v0C582.34,292.2,574.9,294.3,569.02,291z"/>
<path class="st1" d="M462.29,288.33l-35.7-20.01c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68l35.7,20.01
c5.88,3.3,7.98,10.74,4.68,16.62v0C475.61,289.53,468.17,291.63,462.29,288.33z"/>
<path class="st1" d="M516.16,321.21l-20.67-11.58c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68l20.67,11.58
c5.88,3.3,7.98,10.74,4.68,16.62v0C529.48,322.41,522.04,324.51,516.16,321.21z"/>
</g>
</g>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 5.1 KiB

BIN
brand/Trivy-OSS-Logo-White-Stacked-RGB.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 28 KiB

3179
brand/Trivy-OSS-Logo-White-Stacked-RGB.svg
View File

File diff suppressed because it is too large Load Diff
Side by Side

Before

Width:  |  Height:  |  Size: 232 KiB

2
brand/readme.md
View File

@@ -1,2 +0,0 @@
This directory contains media assets, such as the Trivy logo.
Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>

20
ci/Dockerfile Normal file
View File

@@ -0,0 +1,20 @@
FROM bepsays/ci-goreleaser:1.12-2
RUN apt-get -y update \
&& apt-get -y install vim rpm reprepro createrepo \
&& wget https://dl.bintray.com/homebrew/mirror/berkeley-db-18.1.32.tar.gz \
# Berkeley DB
&& tar zxvf berkeley-db-18.1.32.tar.gz \
&& cd db-18.1.32/build_unix \
# Linux
&& ../dist/configure --prefix=/usr/local --host=x86_64-linux \
&& make \
&& make install \
# Darwin
&& make clean \
&& ../dist/configure --prefix=/usr/local --host=x86_64-apple-darwin15 \
&& make \
&& make install

17
ci/deploy-deb.sh
View File

@@ -1,24 +1,17 @@
#!/bin/bash
DEBIAN_RELEASES=$(debian-distro-info --supported)
UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-info --supported))
RELEASES=(wheezy jessie stretch buster trusty xenial bionic)
cd trivy-repo/deb
for release in generic ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
echo "Removing deb package of $release"
for release in ${RELEASES[@]}; do
echo "Adding deb package to $release"
reprepro -A i386 remove $release trivy
reprepro -A amd64 remove $release trivy
reprepro -A arm64 remove $release trivy
done
for release in generic ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
echo "Adding deb package to $release"
reprepro includedeb $release ../../dist/*Linux-32bit.deb
reprepro includedeb $release ../../dist/*Linux-64bit.deb
reprepro includedeb $release ../../dist/*Linux-ARM64.deb
reprepro includedeb $release ../../dist/*Linux-32bit.deb
done
git add .
git commit -m "Update deb packages"
git push origin main
git push origin master

57
ci/deploy-rpm.sh
View File

@@ -1,51 +1,20 @@
#!/bin/bash
#!/bin/sh
TRIVY_VERSION=$(find dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -nre 's/^[^0-9]*(([0-9]+\.)*[0-9]+).*/\1/p')
function create_common_rpm_repo () {
rpm_path=$1
ARCHES=("x86_64" "aarch64")
for arch in ${ARCHES[@]}; do
prefix=$arch
if [ "$arch" == "x86_64" ]; then
prefix="64bit"
elif [ "$arch" == "aarch64" ]; then
prefix="ARM64"
fi
mkdir -p $rpm_path/$arch
cp ../dist/*${prefix}.rpm ${rpm_path}/$arch/
createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path/$arch
rm ${rpm_path}/$arch/*${prefix}.rpm
done
}
function create_rpm_repo () {
version=$1
rpm_path=rpm/releases/${version}/x86_64
mkdir -p $rpm_path
cp ../dist/*64bit.rpm ${rpm_path}/
createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path
rm ${rpm_path}/*64bit.rpm
}
echo "Create RPM releases for Trivy v$TRIVY_VERSION"
RPM_EL6=$(find dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -e 's/_/-/g' -e 's/-Linux/.el6/' -e 's/-64bit/.x86_64/')
RPM_EL7=$(find dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -e 's/_/-/g' -e 's/-Linux/.el7/' -e 's/-64bit/.x86_64/')
cd trivy-repo
mkdir -p rpm/releases/6/x86_64
mkdir -p rpm/releases/7/x86_64
echo "Processing common repository for RHEL/CentOS..."
create_common_rpm_repo rpm/releases
cd rpm
cp ../../dist/*64bit.rpm releases/6/x86_64/${RPM_EL6}
cp ../../dist/*64bit.rpm releases/7/x86_64/${RPM_EL7}
VERSIONS=(5 6 7 8 9)
for version in ${VERSIONS[@]}; do
echo "Processing RHEL/CentOS $version..."
create_rpm_repo $version
done
createrepo --update releases/6/x86_64/
createrepo --update releases/7/x86_64/
git add .
git commit -m "Update rpm packages for Trivy v$TRIVY_VERSION"
git push origin main
git commit -m "Update rpm packages"
git push origin master

67
cmd/remic/main.go Normal file
View File

@@ -0,0 +1,67 @@
package main
import (
"os"
"strings"
"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
"github.com/knqyf263/trivy/pkg/remic"
"github.com/urfave/cli"
"github.com/knqyf263/trivy/pkg/log"
)
func main() {
cli.AppHelpTemplate = `NAME:
{{.Name}}{{if .Usage}} - {{.Usage}}{{end}}
USAGE:
{{if .UsageText}}{{.UsageText}}{{else}}{{.HelpName}} {{if .VisibleFlags}}[options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments...]{{end}}{{end}}{{if .Version}}{{if not .HideVersion}}
VERSION:
{{.Version}}{{end}}{{end}}{{if .Description}}
DESCRIPTION:
{{.Description}}{{end}}{{if len .Authors}}
AUTHOR{{with $length := len .Authors}}{{if ne 1 $length}}S{{end}}{{end}}:
{{range $index, $author := .Authors}}{{if $index}}
{{end}}{{$author}}{{end}}{{end}}{{if .VisibleCommands}}
OPTIONS:
{{range $index, $option := .VisibleFlags}}{{if $index}}
{{end}}{{$option}}{{end}}{{end}}
`
app := cli.NewApp()
app.Name = "remic"
app.Version = "0.0.1"
app.ArgsUsage = "file"
app.Usage = "A simple and fast tool for detecting vulnerabilities in application dependencies"
app.Flags = []cli.Flag{
cli.StringFlag{
Name: "format, f",
Value: "table",
Usage: "format (table, json)",
},
cli.StringFlag{
Name: "severity, s",
Value: strings.Join(vulnerability.SeverityNames, ","),
Usage: "severity of vulnerabilities to be displayed",
},
cli.StringFlag{
Name: "output, o",
Usage: "output file name",
},
cli.BoolFlag{
Name: "debug, d",
Usage: "debug mode",
},
}
app.Action = func(c *cli.Context) error {
return remic.Run(c)
}
err := app.Run(os.Args)
if err != nil {
log.Logger.Fatal(err)
}
}

97
cmd/trivy/main.go
View File

@@ -1,43 +1,84 @@
package main
import (
"context"
"errors"
"os"
"strings"
"golang.org/x/xerrors"
"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/commands"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/plugin"
"github.com/aquasecurity/trivy/pkg/types"
"github.com/urfave/cli"
_ "modernc.org/sqlite" // sqlite driver for RPM DB and Java DB
"github.com/knqyf263/trivy/pkg"
"github.com/knqyf263/trivy/pkg/log"
)
var (
version = "dev"
)
func main() {
if err := run(); err != nil {
var exitError *types.ExitError
if errors.As(err, &exitError) {
os.Exit(exitError.Code)
}
log.Fatal("Fatal error", log.Err(err))
}
}
cli.AppHelpTemplate = `NAME:
{{.Name}}{{if .Usage}} - {{.Usage}}{{end}}
USAGE:
{{if .UsageText}}{{.UsageText}}{{else}}{{.HelpName}} {{if .VisibleFlags}}[options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments...]{{end}}{{end}}{{if .Version}}{{if not .HideVersion}}
VERSION:
{{.Version}}{{end}}{{end}}{{if .Description}}
DESCRIPTION:
{{.Description}}{{end}}{{if len .Authors}}
AUTHOR{{with $length := len .Authors}}{{if ne 1 $length}}S{{end}}{{end}}:
{{range $index, $author := .Authors}}{{if $index}}
{{end}}{{$author}}{{end}}{{end}}{{if .VisibleCommands}}
OPTIONS:
{{range $index, $option := .VisibleFlags}}{{if $index}}
{{end}}{{$option}}{{end}}{{end}}
`
app := cli.NewApp()
app.Name = "trivy"
app.Version = version
app.ArgsUsage = "image_name"
func run() error {
// Trivy behaves as the specified plugin.
if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
log.InitLogger(false, false)
if err := plugin.Run(context.Background(), runAsPlugin, plugin.Options{Args: os.Args[1:]}); err != nil {
return xerrors.Errorf("plugin error: %w", err)
}
return nil
app.Usage = "A simple and comprehensive vulnerability scanner for containers"
app.Flags = []cli.Flag{
cli.StringFlag{
Name: "format, f",
Value: "table",
Usage: "format (table, json)",
},
cli.StringFlag{
Name: "input, i",
Value: "",
Usage: "input file path instead of image name",
},
cli.StringFlag{
Name: "severity, s",
Value: strings.Join(vulnerability.SeverityNames, ","),
Usage: "severities of vulnerabilities to be displayed (comma separated)",
},
cli.StringFlag{
Name: "output, o",
Usage: "output file name",
},
cli.BoolFlag{
Name: "skip-update",
Usage: "skip db update",
},
cli.BoolFlag{
Name: "clean, c",
Usage: "clean all cache",
},
cli.BoolFlag{
Name: "debug, d",
Usage: "debug mode",
},
}
app := commands.NewApp()
if err := app.Execute(); err != nil {
return err
app.Action = func(c *cli.Context) error {
return pkg.Run(c)
}
err := app.Run(os.Args)
if err != nil {
log.Logger.Fatal(err)
}
return nil
}

29
contrib/Trivy.gitlab-ci.yml
View File

@@ -1,29 +0,0 @@
Trivy_container_scanning:
stage: test
image:
name: alpine:3.11
variables:
# Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
# file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
# for details
GIT_STRATEGY: none
IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
allow_failure: true
before_script:
- export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
- apk add --no-cache curl docker-cli
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
- curl -sSL -o /tmp/trivy-gitlab.tpl https://github.com/aquasecurity/trivy/raw/${TRIVY_VERSION}/contrib/gitlab.tpl
script:
- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
cache:
paths:
- .trivycache/
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
dependencies: []
only:
refs:
- branches

161
contrib/asff.tpl
View File

@@ -1,161 +0,0 @@
{
"Findings": [
{{- $t_first := true -}}
{{- range . -}}
{{- $target := .Target -}}
{{- $image := .Target -}}
{{- if gt (len $image) 127 -}}
{{- $image = $image | regexFind ".{124}$" | printf "...%v" -}}
{{- end}}
{{- range .Vulnerabilities -}}
{{- if $t_first -}}
{{- $t_first = false -}}
{{- else -}}
,
{{- end -}}
{{- $severity := .Severity -}}
{{- if eq $severity "UNKNOWN" -}}
{{- $severity = "INFORMATIONAL" -}}
{{- end -}}
{{- $description := .Description -}}
{{- if gt (len $description ) 512 -}}
{{- $description = (substr 0 512 $description) | printf "%v .." -}}
{{- end}}
{
"SchemaVersion": "2018-10-08",
"Id": "{{ $target }}/{{ .VulnerabilityID }}",
"ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy/{{ .VulnerabilityID }}",
"AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
"UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
"Severity": {
"Label": "{{ $severity }}"
},
"Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}, related to {{ .PkgName }}",
"Description": {{ escapeString $description | printf "%q" }},
{{ if not (empty .PrimaryURL) -}}
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
"Url": "{{ .PrimaryURL }}"
}
},
{{ end -}}
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Container",
"Id": "{{ $target }}",
"Partition": "aws",
"Region": "{{ env "AWS_REGION" }}",
"Details": {
"Container": { "ImageName": "{{ $image }}" },
"Other": {
"CVE ID": "{{ .VulnerabilityID }}",
"CVE Title": {{ .Title | printf "%q" }},
"PkgName": "{{ .PkgName }}",
"Installed Package": "{{ .InstalledVersion }}",
"Patched Package": "{{ .FixedVersion }}",
"NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
"NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
"NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
"NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
}
}
}
],
"RecordState": "ACTIVE"
}
{{- end -}}
{{- range .Misconfigurations -}}
{{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
{{- $severity := .Severity -}}
{{- if eq $severity "UNKNOWN" -}}
{{- $severity = "INFORMATIONAL" -}}
{{- end -}}
{{- $description := .Description -}}
{{- if gt (len $description ) 512 -}}
{{- $description = (substr 0 512 $description) | printf "%v .." -}}
{{- end}}
{
"SchemaVersion": "2018-10-08",
"Id": "{{ $target }}/{{ .ID }}",
"ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy/{{ .ID }}",
"AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
"Types": [ "Software and Configuration Checks" ],
"CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
"UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
"Severity": {
"Label": "{{ $severity }}"
},
"Title": "Trivy found a misconfiguration in {{ $target }}: {{ escapeString .Title }}",
"Description": {{ escapeString $description | printf "%q" }},
"Remediation": {
"Recommendation": {
"Text": "{{ .Resolution }}",
"Url": "{{ .PrimaryURL }}"
}
},
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Other",
"Id": "{{ $target }}",
"Partition": "aws",
"Region": "{{ env "AWS_REGION" }}",
"Details": {
"Other": {
"Message": "{{ .Message }}",
"Filename": "{{ $target }}",
"StartLine": "{{ .CauseMetadata.StartLine }}",
"EndLine": "{{ .CauseMetadata.EndLine }}"
}
}
}
],
"RecordState": "ACTIVE"
}
{{- end -}}
{{- range .Secrets -}}
{{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
{{- $severity := .Severity -}}
{{- if eq $severity "UNKNOWN" -}}
{{- $severity = "INFORMATIONAL" -}}
{{- end -}}
{
"SchemaVersion": "2018-10-08",
"Id": "{{ $target }}",
"ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
"Types": [ "Sensitive Data Identifications" ],
"CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
"UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
"Severity": {
"Label": "{{ $severity }}"
},
"Title": "Trivy found a secret in {{ $target }}: {{ .Title }}",
"Description": "Trivy found a secret in {{ $target }}: {{ .Title }}",
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Other",
"Id": "{{ $target }}",
"Partition": "aws",
"Region": "{{ env "AWS_REGION" }}",
"Details": {
"Other": {
"Filename": "{{ $target }}"
}
}
}
],
"RecordState": "ACTIVE"
}
{{- end -}}
{{- end }}
]
}

106
contrib/example_policy/advanced.rego
View File

@@ -1,106 +0,0 @@
package trivy
import data.lib.trivy
default ignore = false
nvd_v3_vector = v {
v := input.CVSS.nvd.V3Vector
}
redhat_v3_vector = v {
v := input.CVSS.redhat.V3Vector
}
# Ignore a vulnerability which requires high privilege
ignore {
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector.PrivilegesRequired == "High"
# Check against RedHat scores as well as NVD
redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
redhat_cvss_vector.PrivilegesRequired == "High"
}
# Ignore a vulnerability which requires user interaction
ignore {
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector.UserInteraction == "Required"
# Check against RedHat scores as well as NVD
redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
redhat_cvss_vector.UserInteraction == "Required"
}
ignore {
input.PkgName == "openssl"
# Split CVSSv3 vector
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# Evaluate Attack Vector
ignore_attack_vectors := {"Physical", "Local"}
nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
}
ignore {
input.PkgName == "openssl"
# Evaluate severity
input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
# Evaluate CWE-ID
deny_cwe_ids := {
"CWE-119", # Improper Restriction of Operations within the Bounds of a Memory Buffer
"CWE-200", # Exposure of Sensitive Information to an Unauthorized Actor
}
count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0
}
ignore {
input.PkgName == "bash"
# Split CVSSv3 vector
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# Evaluate Attack Vector
ignore_attack_vectors := {"Physical", "Local", "Adjacent"}
nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
# Evaluate severity
input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
}
ignore {
input.PkgName == "django"
# Split CVSSv3 vector
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# Evaluate Attack Vector
ignore_attack_vectors := {"Physical", "Local"}
nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
# Evaluate severity
input.Severity == {"LOW", "MEDIUM"}[_]
# Evaluate CWE-ID
deny_cwe_ids := {
"CWE-89", # SQL Injection
"CWE-78", # OS Command Injection
}
count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0
}
ignore {
input.PkgName == "jquery"
# Split CVSSv3 vector
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# Evaluate CWE-ID
deny_cwe_ids := {"CWE-79"} # XSS
count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0
}

76
contrib/example_policy/basic.rego
View File

@@ -1,76 +0,0 @@
package trivy
import data.lib.trivy
default ignore = false
ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"}
ignore_severities := {"LOW", "MEDIUM"}
nvd_v3_vector = v {
v := input.CVSS.nvd.V3Vector
}
redhat_v3_vector = v {
v := input.CVSS.redhat.V3Vector
}
ignore {
input.PkgName == ignore_pkgs[_]
}
ignore {
input.Severity == ignore_severities[_]
}
# Ignore a vulnerability which is not remotely exploitable
ignore {
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector.AttackVector != "Network"
redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
redhat_cvss_vector.AttackVector != "Network"
}
# Ignore a vulnerability which requires high privilege
ignore {
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector.PrivilegesRequired == "High"
redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
redhat_cvss_vector.PrivilegesRequired == "High"
}
# Ignore a vulnerability which requires user interaction
ignore {
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector.UserInteraction == "Required"
redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
redhat_cvss_vector.UserInteraction == "Required"
}
# Ignore CSRF
ignore {
# https://cwe.mitre.org/data/definitions/352.html
input.CweIDs[_] == "CWE-352"
}
# Ignore a license
ignore {
input.PkgName == "alpine-baselayout"
input.Name == "GPL-2.0"
}
# Ignore loose file license
ignore {
input.Name == "AGPL-3.0"
input.FilePath == "/usr/share/grafana/LICENSE"
}
# Ignore secret
ignore {
input.RuleID == "aws-access-key-id"
input.Match == "AWS_ACCESS_KEY_ID=\"********************\""
}

103
contrib/gitlab-codequality.tpl
View File

@@ -1,103 +0,0 @@
{{- /* Template based on https://github.com/codeclimate/platform/blob/master/spec/analyzers/SPEC.md#data-types */ -}}
[
{{- $t_first := true }}
{{- range . }}
{{- $target := .Target }}
{{- range .Vulnerabilities -}}
{{- if $t_first -}}
{{- $t_first = false -}}
{{ else -}}
,
{{- end }}
{
"type": "issue",
"check_name": "container_scanning",
"categories": [ "Security" ],
"description": {{ list .VulnerabilityID .PkgName .InstalledVersion .Title | join " - " | printf "%q" }},
"fingerprint": "{{ list .VulnerabilityID .PkgName .InstalledVersion $target | join "" | sha1sum }}",
"content": {{ .Description | printf "%q" }},
"severity": {{ if eq .Severity "LOW" -}}
"info"
{{- else if eq .Severity "MEDIUM" -}}
"minor"
{{- else if eq .Severity "HIGH" -}}
"major"
{{- else if eq .Severity "CRITICAL" -}}
"critical"
{{- else -}}
"info"
{{- end }},
"location": {
"path": "{{ $target }}",
"lines": {
"begin": 0
}
}
}
{{- end -}}
{{- range .Misconfigurations -}}
{{- if $t_first -}}
{{- $t_first = false -}}
{{ else -}}
,
{{- end }}
{
"type": "issue",
"check_name": "container_scanning",
"categories": [ "Security" ],
"description": {{ list "Misconfig" .ID .Title | join " - " | printf "%q" }},
"fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
"content": {{ .Description | printf "%q" }},
"severity": {{ if eq .Severity "LOW" -}}
"info"
{{- else if eq .Severity "MEDIUM" -}}
"minor"
{{- else if eq .Severity "HIGH" -}}
"major"
{{- else if eq .Severity "CRITICAL" -}}
"critical"
{{- else -}}
"info"
{{- end }},
"location": {
"path": "{{ $target }}",
"lines": {
"begin": {{ .CauseMetadata.StartLine }}
}
}
}
{{- end -}}
{{- range .Secrets -}}
{{- if $t_first -}}
{{- $t_first = false -}}
{{ else -}}
,
{{- end }}
{
"type": "issue",
"check_name": "container_scanning",
"categories": [ "Security" ],
"description": {{ list "Secret" .RuleID .Title | join " - " | printf "%q" }},
"fingerprint": "{{ list .RuleID .Title $target | join "" | sha1sum }}",
"content": {{ .Title | printf "%q" }},
"severity": {{ if eq .Severity "LOW" -}}
"info"
{{- else if eq .Severity "MEDIUM" -}}
"minor"
{{- else if eq .Severity "HIGH" -}}
"major"
{{- else if eq .Severity "CRITICAL" -}}
"critical"
{{- else -}}
"info"
{{- end }},
"location": {
"path": "{{ $target }}",
"lines": {
"begin": {{ .StartLine }}
}
}
}
{{- end -}}
{{- end }}
]

105
contrib/gitlab.tpl
View File

@@ -1,105 +0,0 @@
{{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
{
"version": "15.0.7",
"scan": {
"analyzer": {
"id": "trivy",
"name": "Trivy",
"vendor": {
"name": "Aqua Security"
},
"version": "{{ appVersion }}"
},
"end_time": "{{ now | date "2006-01-02T15:04:05" }}",
"scanner": {
"id": "trivy",
"name": "Trivy",
"url": "https://github.com/aquasecurity/trivy/",
"vendor": {
"name": "Aqua Security"
},
"version": "{{ appVersion }}"
},
"start_time": "{{ now | date "2006-01-02T15:04:05" }}",
"status": "success",
"type": "container_scanning"
},
"vulnerabilities": [
{{- $t_first := true }}
{{- range . }}
{{- $target := .Target }}
{{- $image := $target | regexFind "[^\\s]+" }}
{{- range .Vulnerabilities -}}
{{- if $t_first -}}
{{- $t_first = false -}}
{{ else -}}
,
{{- end }}
{
"id": "{{ .VulnerabilityID }}",
"name": {{ .Title | printf "%q" }},
"description": {{ .Description | printf "%q" }},
"severity": {{ if eq .Severity "UNKNOWN" -}}
"Unknown"
{{- else if eq .Severity "LOW" -}}
"Low"
{{- else if eq .Severity "MEDIUM" -}}
"Medium"
{{- else if eq .Severity "HIGH" -}}
"High"
{{- else if eq .Severity "CRITICAL" -}}
"Critical"
{{- else -}}
"{{ .Severity }}"
{{- end }},
"solution": {{ if .FixedVersion -}}
"Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
{{- else -}}
"No solution provided"
{{- end }},
"location": {
"dependency": {
"package": {
"name": "{{ .PkgName }}"
},
"version": "{{ .InstalledVersion }}"
},
{{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
"operating_system": "Unknown",
"image": "{{ $image }}"
},
"identifiers": [
{
{{- /* TODO: Type not extractable - https://github.com/aquasecurity/trivy-db/pull/24 */}}
"type": "cve",
"name": "{{ .VulnerabilityID }}",
"value": "{{ .VulnerabilityID }}"
{{- /* cf. https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/e3d280d7f0862ca66a1555ea8b24016a004bb914/dist/container-scanning-report-format.json#L157-179 */}}
{{- if .PrimaryURL | regexMatch "^(https?|ftp)://.+" -}},
"url": "{{ .PrimaryURL }}"
{{- end }}
}
],
"links": [
{{- $l_first := true -}}
{{- range .References -}}
{{- if $l_first -}}
{{- $l_first = false }}
{{- else -}}
,
{{- end -}}
{{- if . | regexMatch "^(https?|ftp)://.+" -}}
{
"url": "{{ . }}"
}
{{- else -}}
{{- $l_first = true }}
{{- end -}}
{{- end }}
]
}
{{- end -}}
{{- end }}
],
"remediations": []
}

148
contrib/html.tpl
View File

@@ -1,148 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
{{- if . }}
<style>
* {
font-family: Arial, Helvetica, sans-serif;
}
h1 {
text-align: center;
}
.group-header th {
font-size: 200%;
}
.sub-header th {
font-size: 150%;
}
table, th, td {
border: 1px solid black;
border-collapse: collapse;
white-space: nowrap;
padding: .3em;
}
table {
margin: 0 auto;
}
.severity {
text-align: center;
font-weight: bold;
color: #fafafa;
}
.severity-LOW .severity { background-color: #5fbb31; }
.severity-MEDIUM .severity { background-color: #e9c600; }
.severity-HIGH .severity { background-color: #ff8800; }
.severity-CRITICAL .severity { background-color: #e40000; }
.severity-UNKNOWN .severity { background-color: #747474; }
.severity-LOW { background-color: #5fbb3160; }
.severity-MEDIUM { background-color: #e9c60060; }
.severity-HIGH { background-color: #ff880060; }
.severity-CRITICAL { background-color: #e4000060; }
.severity-UNKNOWN { background-color: #74747460; }
table tr td:first-of-type {
font-weight: bold;
}
.links a,
.links[data-more-links=on] a {
display: block;
}
.links[data-more-links=off] a:nth-of-type(1n+5) {
display: none;
}
a.toggle-more-links { cursor: pointer; }
</style>
<title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }} </title>
<script>
window.onload = function() {
document.querySelectorAll('td.links').forEach(function(linkCell) {
var links = [].concat.apply([], linkCell.querySelectorAll('a'));
[].sort.apply(links, function(a, b) {
return a.href > b.href ? 1 : -1;
});
links.forEach(function(link, idx) {
if (links.length > 3 && 3 === idx) {
var toggleLink = document.createElement('a');
toggleLink.innerText = "Toggle more links";
toggleLink.href = "#toggleMore";
toggleLink.setAttribute("class", "toggle-more-links");
linkCell.appendChild(toggleLink);
}
linkCell.appendChild(link);
});
});
document.querySelectorAll('a.toggle-more-links').forEach(function(toggleLink) {
toggleLink.onclick = function() {
var expanded = toggleLink.parentElement.getAttribute("data-more-links");
toggleLink.parentElement.setAttribute("data-more-links", "on" === expanded ? "off" : "on");
return false;
};
});
};
</script>
</head>
<body>
<h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>
<table>
{{- range . }}
<tr class="group-header"><th colspan="6">{{ .Type | toString | escapeXML }}</th></tr>
{{- if (eq (len .Vulnerabilities) 0) }}
<tr><th colspan="6">No Vulnerabilities found</th></tr>
{{- else }}
<tr class="sub-header">
<th>Package</th>
<th>Vulnerability ID</th>
<th>Severity</th>
<th>Installed Version</th>
<th>Fixed Version</th>
<th>Links</th>
</tr>
{{- range .Vulnerabilities }}
<tr class="severity-{{ escapeXML .Vulnerability.Severity }}">
<td class="pkg-name">{{ escapeXML .PkgName }}</td>
<td>{{ escapeXML .VulnerabilityID }}</td>
<td class="severity">{{ escapeXML .Vulnerability.Severity }}</td>
<td class="pkg-version">{{ escapeXML .InstalledVersion }}</td>
<td>{{ escapeXML .FixedVersion }}</td>
<td class="links" data-more-links="off">
{{- range .Vulnerability.References }}
<a href={{ escapeXML . | printf "%q" }}>{{ escapeXML . }}</a>
{{- end }}
</td>
</tr>
{{- end }}
{{- end }}
{{- if (eq (len .Misconfigurations ) 0) }}
<tr><th colspan="6">No Misconfigurations found</th></tr>
{{- else }}
<tr class="sub-header">
<th>Type</th>
<th>Misconf ID</th>
<th>Check</th>
<th>Severity</th>
<th>Message</th>
</tr>
{{- range .Misconfigurations }}
<tr class="severity-{{ escapeXML .Severity }}">
<td class="misconf-type">{{ escapeXML .Type }}</td>
<td>{{ escapeXML .ID }}</td>
<td class="misconf-check">{{ escapeXML .Title }}</td>
<td class="severity">{{ escapeXML .Severity }}</td>
<td class="link" data-more-links="off" style="white-space:normal;">
{{ escapeXML .Message }}
<br>
<a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>
</br>
</td>
</tr>
{{- end }}
{{- end }}
{{- end }}
</table>
{{- else }}
</head>
<body>
<h1>Trivy Returned Empty Report</h1>
{{- end }}
</body>
</html>

422
contrib/install.sh
View File

@@ -1,422 +0,0 @@
#!/bin/sh
set -e
# Code generated by godownloader on 2020-01-14T10:03:29Z. DO NOT EDIT.
#
usage() {
this=$1
cat <<EOF
$this: download go binaries for aquasecurity/trivy
Usage: $this [-b] bindir [-d] [tag]
-b sets bindir or installation directory, Defaults to ./bin
-d turns on debug logging
[tag] is a tag from
https://github.com/aquasecurity/trivy/releases
If tag is missing, then the latest will be used.
Generated by godownloader
https://github.com/goreleaser/godownloader
EOF
exit 2
}
parse_args() {
#BINDIR is ./bin unless set be ENV
# over-ridden by flag below
BINDIR=${BINDIR:-./bin}
while getopts "b:dh?x" arg; do
case "$arg" in
b) BINDIR="$OPTARG" ;;
d) log_set_priority 10 ;;
h | \?) usage "$0" ;;
x) set -x ;;
esac
done
shift $((OPTIND - 1))
TAG=$1
}
# this function wraps all the destructive operations
# if a curl|bash cuts off the end of the script due to
# network, either nothing will happen or will syntax error
# out preventing half-done work
execute() {
tmpdir=$(mktemp -d)
log_debug "downloading files into ${tmpdir}"
http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}"
hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}"
srcdir="${tmpdir}"
(cd "${tmpdir}" && untar "${TARBALL}")
test ! -d "${BINDIR}" && install -d "${BINDIR}"
for binexe in $BINARIES; do
if [ "$OS" = "windows" ]; then
binexe="${binexe}.exe"
fi
install "${srcdir}/${binexe}" "${BINDIR}/"
log_info "installed ${BINDIR}/${binexe}"
done
rm -rf "${tmpdir}"
}
get_binaries() {
case "$PLATFORM" in
darwin/386) BINARIES="trivy" ;;
darwin/amd64) BINARIES="trivy" ;;
darwin/arm64) BINARIES="trivy" ;;
darwin/armv7) BINARIES="trivy" ;;
freebsd/386) BINARIES="trivy" ;;
freebsd/amd64) BINARIES="trivy" ;;
freebsd/arm64) BINARIES="trivy" ;;
freebsd/armv7) BINARIES="trivy" ;;
linux/386) BINARIES="trivy" ;;
linux/amd64) BINARIES="trivy" ;;
linux/ppc64le) BINARIES="trivy" ;;
linux/arm64) BINARIES="trivy" ;;
linux/armv7) BINARIES="trivy" ;;
linux/s390x) BINARIES="trivy" ;;
openbsd/386) BINARIES="trivy" ;;
openbsd/amd64) BINARIES="trivy" ;;
openbsd/arm64) BINARIES="trivy" ;;
openbsd/armv7) BINARIES="trivy" ;;
windows/amd64) BINARIES="trivy" ;;
*)
log_crit "platform $PLATFORM is not supported. Make sure this script is up-to-date and file request at https://github.com/${PREFIX}/issues/new"
exit 1
;;
esac
}
tag_to_version() {
if [ -z "${TAG}" ]; then
log_info "checking GitHub for latest tag"
else
log_info "checking GitHub for tag '${TAG}'"
fi
REALTAG=$(github_release "$OWNER/$REPO" "${TAG}") && true
if test -z "$REALTAG"; then
log_crit "unable to find '${TAG}' - use 'latest' or see https://github.com/${PREFIX}/releases for details"
exit 1
fi
# if version starts with 'v', remove it
TAG="$REALTAG"
VERSION=${TAG#v}
}
adjust_format() {
# change format (tar.gz or zip) based on OS
case ${OS} in
windows) FORMAT=zip ;;
esac
true
}
adjust_os() {
# adjust archive name based on OS
case ${OS} in
386) OS=32bit ;;
amd64) OS=64bit ;;
arm) OS=ARM ;;
arm64) OS=ARM64 ;;
ppc64le) OS=Linux ;;
s390x) OS=Linux ;;
darwin) OS=macOS ;;
dragonfly) OS=DragonFlyBSD ;;
freebsd) OS=FreeBSD ;;
linux) OS=Linux ;;
netbsd) OS=NetBSD ;;
openbsd) OS=OpenBSD ;;
esac
true
}
adjust_arch() {
# adjust archive name based on ARCH
case ${ARCH} in
386) ARCH=32bit ;;
amd64) ARCH=64bit ;;
arm) ARCH=ARM ;;
armv7) ARCH=ARM ;;
arm64) ARCH=ARM64 ;;
ppc64le) ARCH=PPC64LE ;;
s390x) ARCH=s390x ;;
darwin) ARCH=macOS ;;
dragonfly) ARCH=DragonFlyBSD ;;
freebsd) ARCH=FreeBSD ;;
linux) ARCH=Linux ;;
netbsd) ARCH=NetBSD ;;
openbsd) ARCH=OpenBSD ;;
esac
true
}
cat /dev/null <<EOF
------------------------------------------------------------------------
https://github.com/client9/shlib - portable posix shell functions
Public domain - http://unlicense.org
https://github.com/client9/shlib/blob/master/LICENSE.md
but credit (and pull requests) appreciated.
------------------------------------------------------------------------
EOF
is_command() {
command -v "$1" >/dev/null
}
echoerr() {
echo "$@" 1>&2
}
log_prefix() {
echo "$0"
}
_logp=6
log_set_priority() {
_logp="$1"
}
log_priority() {
if test -z "$1"; then
echo "$_logp"
return
fi
[ "$1" -le "$_logp" ]
}
log_tag() {
case $1 in
0) echo "emerg" ;;
1) echo "alert" ;;
2) echo "crit" ;;
3) echo "err" ;;
4) echo "warning" ;;
5) echo "notice" ;;
6) echo "info" ;;
7) echo "debug" ;;
*) echo "$1" ;;
esac
}
log_debug() {
log_priority 7 || return 0
echo "$(log_prefix)" "$(log_tag 7)" "$@"
}
log_info() {
log_priority 6 || return 0
echo "$(log_prefix)" "$(log_tag 6)" "$@"
}
log_err() {
log_priority 3 || return 0
echoerr "$(log_prefix)" "$(log_tag 3)" "$@"
}
log_crit() {
log_priority 2 || return 0
echoerr "$(log_prefix)" "$(log_tag 2)" "$@"
}
uname_os() {
os=$(uname -s | tr '[:upper:]' '[:lower:]')
case "$os" in
cygwin_nt*) os="windows" ;;
mingw*) os="windows" ;;
msys_nt*) os="windows" ;;
esac
echo "$os"
}
uname_arch() {
arch=$(uname -m)
case $arch in
x86_64) arch="amd64" ;;
x86) arch="386" ;;
i686) arch="386" ;;
i386) arch="386" ;;
ppc64le) arch="ppc64le" ;;
aarch64) arch="arm64" ;;
armv5*) arch="armv5" ;;
armv6*) arch="armv6" ;;
armv7*) arch="armv7" ;;
s390*) arch="s390x" ;;
esac
echo ${arch}
}
uname_os_check() {
os=$(uname_os)
case "$os" in
darwin) return 0 ;;
dragonfly) return 0 ;;
freebsd) return 0 ;;
linux) return 0 ;;
android) return 0 ;;
nacl) return 0 ;;
netbsd) return 0 ;;
openbsd) return 0 ;;
plan9) return 0 ;;
solaris) return 0 ;;
windows) return 0 ;;
esac
log_crit "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. Please file bug at https://github.com/client9/shlib"
return 1
}
uname_arch_check() {
arch=$(uname_arch)
case "$arch" in
386) return 0 ;;
amd64) return 0 ;;
arm64) return 0 ;;
armv5) return 0 ;;
armv6) return 0 ;;
armv7) return 0 ;;
ppc64) return 0 ;;
ppc64le) return 0 ;;
mips) return 0 ;;
mipsle) return 0 ;;
mips64) return 0 ;;
mips64le) return 0 ;;
s390x) return 0 ;;
amd64p32) return 0 ;;
esac
log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value. Please file bug report at https://github.com/client9/shlib"
return 1
}
untar() {
tarball=$1
case "${tarball}" in
*.tar.gz | *.tgz) tar --no-same-owner -xzf "${tarball}" ;;
*.tar) tar --no-same-owner -xf "${tarball}" ;;
*.zip) unzip "${tarball}" ;;
*)
log_err "untar unknown archive format for ${tarball}"
return 1
;;
esac
}
http_download_curl() {
local_file=$1
source_url=$2
header=$3
if [ -z "$header" ]; then
code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url")
else
code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url")
fi
if [ "$code" != "200" ]; then
log_debug "http_download_curl received HTTP status $code"
return 1
fi
return 0
}
http_download_wget() {
local_file=$1
source_url=$2
header=$3
if [ -z "$header" ]; then
wget -q -O "$local_file" "$source_url"
else
wget -q --header "$header" -O "$local_file" "$source_url"
fi
}
http_download() {
log_debug "http_download $2"
if is_command curl; then
http_download_curl "$@"
return
elif is_command wget; then
http_download_wget "$@"
return
fi
log_crit "http_download unable to find wget or curl"
return 1
}
http_copy() {
tmp=$(mktemp)
http_download "${tmp}" "$1" "$2" || return 1
body=$(cat "$tmp")
rm -f "${tmp}"
echo "$body"
}
github_release() {
owner_repo=$1
version=$2
test -z "$version" && version="latest"
giturl="https://github.com/${owner_repo}/releases/${version}"
json=$(http_copy "$giturl" "Accept:application/json")
test -z "$json" && return 1
version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//')
test -z "$version" && return 1
echo "$version"
}
hash_sha256() {
TARGET=${1:-/dev/stdin}
if is_command gsha256sum; then
hash=$(gsha256sum "$TARGET") || return 1
echo "$hash" | cut -d ' ' -f 1
elif is_command sha256sum; then
hash=$(sha256sum "$TARGET") || return 1
echo "$hash" | cut -d ' ' -f 1
elif is_command shasum; then
hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1
echo "$hash" | cut -d ' ' -f 1
elif is_command openssl; then
hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1
echo "$hash" | cut -d ' ' -f a
else
log_crit "hash_sha256 unable to find command to compute sha-256 hash"
return 1
fi
}
hash_sha256_verify() {
TARGET=$1
checksums=$2
if [ -z "$checksums" ]; then
log_err "hash_sha256_verify checksum file not specified in arg2"
return 1
fi
BASENAME=${TARGET##*/}
want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1)
if [ -z "$want" ]; then
log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'"
return 1
fi
got=$(hash_sha256 "$TARGET")
if [ "$want" != "$got" ]; then
log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got"
return 1
fi
}
cat /dev/null <<EOF
------------------------------------------------------------------------
End of functions from https://github.com/client9/shlib
------------------------------------------------------------------------
EOF
PROJECT_NAME="trivy"
OWNER=aquasecurity
REPO="trivy"
BINARY=trivy
FORMAT=tar.gz
OS=$(uname_os)
ARCH=$(uname_arch)
PREFIX="$OWNER/$REPO"
# use in logging routines
log_prefix() {
echo "$PREFIX"
}
PLATFORM="${OS}/${ARCH}"
GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download
uname_os_check "$OS"
uname_arch_check "$ARCH"
parse_args "$@"
get_binaries
tag_to_version
adjust_format
adjust_os
adjust_arch
log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}"
NAME=${PROJECT_NAME}_${VERSION}_${OS}-${ARCH}
TARBALL=${NAME}.${FORMAT}
TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL}
CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt
CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}
execute

37
contrib/junit.tpl
View File

@@ -1,37 +0,0 @@
<?xml version="1.0" ?>
<testsuites name="trivy">
{{- range . -}}
{{- $failures := len .Vulnerabilities }}
<testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
{{- if not (eq .Type "") }}
<properties>
<property name="type" value="{{ .Type }}"></property>
</properties>
{{- end -}}
{{ range .Vulnerabilities }}
<testcase classname="{{ .PkgName }}-{{ .InstalledVersion }}" name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
<failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
</testcase>
{{- end }}
</testsuite>
{{- if .MisconfSummary }}
<testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{ .Target }}" errors="0" skipped="{{ .MisconfSummary.Exceptions }}" time="">
{{- else }}
<testsuite tests="0" failures="0" name="{{ .Target }}" errors="0" skipped="0" time="">
{{- end }}
{{- if not (eq .Type "") }}
<properties>
<property name="type" value="{{ .Type }}"></property>
</properties>
{{- end -}}
{{ range .Misconfigurations }}
<testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
{{- if (eq .Status "FAIL") }}
<failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
{{- end }}
</testcase>
{{- end }}
</testsuite>
{{- end }}
</testsuites>

10
docs/build/Dockerfile vendored
View File

@@ -1,10 +0,0 @@
FROM squidfunk/mkdocs-material:9.4.6
## If you want to see exactly the same version as is published to GitHub pages
## use a private image for insiders, which requires authentication.
# docker login -u ${GITHUB_USERNAME} -p ${GITHUB_TOKEN} ghcr.io
# FROM ghcr.io/squidfunk/mkdocs-material-insiders
COPY requirements.txt .
RUN pip install -r requirements.txt

30
docs/build/requirements.txt vendored
View File

@@ -1,30 +0,0 @@
click==8.1.2
csscompressor==0.9.5
ghp-import==2.0.2
htmlmin==0.1.12
importlib-metadata==4.11.3
Jinja2==3.1.1
jsmin==3.0.1
Markdown==3.3.6
MarkupSafe==2.1.1
mergedeep==1.3.4
mike==1.1.2
mkdocs==1.3.0
mkdocs-macros-plugin==0.7.0
mkdocs-material==8.3.9
mkdocs-material-extensions==1.0.3
mkdocs-minify-plugin==0.5.0
mkdocs-redirects==1.0.4
packaging==21.3
Pygments==2.12.0
pymdown-extensions==9.5
pyparsing==3.0.8
python-dateutil==2.8.2
PyYAML==6.0.1
pyyaml-env-tag==0.1
six==1.16.0
termcolor==1.1.0
verspec==0.1.0
watchdog==2.1.7
zipp==3.8.0

130
docs/community/contribute/checks/overview.md
View File

@@ -1,130 +0,0 @@
# Contribute Rego Checks
The following guide provides an overview of contributing checks to the default checks in Trivy.
All of the checks in Trivy can be found in the [trivy-checks](https://github.com/aquasecurity/trivy-checks/tree/main) repository on GitHub. Before you begin writing a check, ensure:
1. The check does not already exist as part of the default checks in the [trivy-checks](https://github.com/aquasecurity/trivy-checks/tree/main) repository.
2. The pull requests in the [trivy-checks](https://github.com/aquasecurity/trivy-checks/pulls) repository to see whether someone else is already contributing the check that you wanted to add.
3. The [issues in Trivy](https://github.com/aquasecurity/trivy/issues) to see whether any specific checks are missing in Trivy that you can contribute.
If anything is unclear, please [start a discussion](https://github.com/aquasecurity/trivy/discussions/new) and we will do our best to help.
## Check structure
Checks are written in Rego and follow a particular structure in Trivy. Below is an example check for AWS:
```rego
# METADATA
# title: "RDS IAM Database Authentication Disabled"
# description: "Ensure IAM Database Authentication is enabled for RDS database instances to manage database access"
# scope: package
# schemas:
# - input: schema["aws"]
# related_resources:
# - https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html
# custom:
# id: AVD-AWS-0176
# avd_id: AVD-AWS-0176
# provider: aws
# service: rds
# severity: MEDIUM
# short_code: enable-iam-auth
# recommended_action: "Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication."
# input:
# selector:
# - type: cloud
# subtypes:
# - service: rds
# provider: aws
package builtin.aws.rds.aws0176
deny[res] {
instance := input.aws.rds.instances[_]
instance.engine.value == ["postgres", "mysql"][_]
not instance.iamauthenabled.value
res := result.new("Instance does not have IAM Authentication enabled", instance.iamauthenabled)
}
```
## Verify the provider and service exists
Every check for a cloud service references a cloud provider. The list of providers are found in the [Trivy](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/providers) repository.
Before writing a new check for a cloud provider, you need to verify if the cloud provider or resource type that your check targets is supported by Trivy. If it's not, you'll need to add support for it. Additionally, if the provider that you want to target exists, you need to check whether the service your policy will target is supported. As a reference you can take a look at the AWS provider [here](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/providers/aws/aws.go).
???+ note
New Kubernetes and Dockerfile checks do not require any additional provider definitions. You can find an example of a Dockerfile check [here](https://github.com/aquasecurity/trivy-checks/blob/main/checks/docker/add_instead_of_copy.rego) and a Kubernetes check [here](https://github.com/aquasecurity/trivy-checks/blob/main/checks/kubernetes/general/CPU_not_limited.rego).
### Add Support for a New Service in an existing Provider
[Please reference the documentation on adding Support for a New Service](./service-support.md).
This guide also showcases how to add new properties for an existing Service.
## Create a new .rego file
The following directory in the trivy-checks repository contains all of our custom checks. Depending on what type of check you want to create, you will need to nest a new `.rego` file in either of the [subdirectories](https://github.com/aquasecurity/trivy-checks/tree/main/checks):
* cloud: All checks related to cloud providers and their services
* docker: Docker specific checks
* kubernetes: Kubernetes specific checks
## Check Package name
Have a look at the existing package names in the [built in checks](https://github.com/aquasecurity/trivy-checks/tree/main/checks).
The package name should be in the format `builtin.PROVIDER.SERVICE.ID`, e.g. `builtin.aws.rds.aws0176`.
## Generating an ID
Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribue your check back into the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository, it will require a valid ID.
Running `make id` in the root of the trivy-checks repository will provide you with the next available _ID_ for your rule.
## Check Schemas
Rego Checks for Trivy can utilise Schemas to map the input to specific objects. The schemas available are listed [here.](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas).
More information on using the builtin schemas is provided in the [main documentation.](../../../docs/scanner/misconfiguration/custom/schema.md)
## Check Metadata
The metadata is the top section that starts with `# METADATA`, and has to be placed on top of the check. You can copy and paste from another check as a starting point. This format is effectively _yaml_ within a Rego comment, and is [defined as part of Rego itself](https://www.openpolicyagent.org/docs/latest/policy-language/#metadata).
For detailed information on each component of the Check Metadata, please refer to the [main documentation.](../../../docs/scanner/misconfiguration/custom/index.md)
Note that while the Metadata is optional in your own custom checks for Trivy, if you are contributing your check to the Trivy builtin checks, the Metadata section will be required.
## Writing Rego Rules
Rules are defined using _OPA Rego_. You can find a number of examples in the `checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). The [OPA documentation](https://www.openpolicyagent.org/docs/latest/policy-language/) is a great place to start learning Rego. You can also check out the [Rego Playground](https://play.openpolicyagent.org/) to experiment with Rego, and [join the OPA Slack](https://slack.openpolicyagent.org/).
```rego
deny[res] {
instance := input.aws.rds.instances[_]
instance.engine.value == ["postgres", "mysql"][_]
not instance.iamauthenabled.value
res := result.new("Instance does not have IAM Authentication enabled", instance.iamauthenabled)
}
```
The rule should return a result, which can be created using `result.new`. This function does not need to be imported, it is defined internally and provided at runtime. The first argument is the message to display and the second argument is the resource that the issue was detected on.
It is possible to pass any rego variable that references a field of the input document.
## Generate docs
Finally, you'll want to generate documentation for your newly added rule. Please run `make docs` in the [trivy-checks](https://github.com/aquasecurity/trivy-checks) directory to generate the documentation for your new policy and submit a PR for us to take a look at.
## Adding Tests
All Rego checks need to have tests. There are many examples of these in the `checks` directory for each check ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). More information on how to write tests for Rego checks is provided in the [custom misconfiguration](../../../docs/scanner/misconfiguration/custom/testing.md) section of the docs.
## Example PR
You can see a full example PR for a new rule being added here: [https://github.com/aquasecurity/defsec/pull/1000](https://github.com/aquasecurity/defsec/pull/1000).

69
docs/community/contribute/checks/service-support.md
View File

@@ -1,69 +0,0 @@
# Add Service Support
A service refers to a service by a cloud provider. This section details how to add a new service to an existing provider. All contributions need to be made to the [trivy repository](https://github.com/aquasecurity/trivy/).
## Prerequisites
Before you begin, verify that the [provider](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/providers) does not already have the service that you plan to add.
## Adding a new service to an existing provider
Adding a new service involves two steps. The service will need a data structure to store information about the required resources that will be scanned. Additionally, the service will require one or more adapters to convert the scan targetes as input(s) into the aforementioned data structure.
### Create a new file in the provider directory
In this example, we are adding the CodeBuild service to the AWS provider.
First, create a new directory and file for your new service under the provider directory: e.g. [aws/codebuild/codebuild.go](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/providers/aws/codebuild/codebuild.go)
The CodeBuild service will require a structure `struct` to hold the information on the input that is scanned. The input is the CodeBuild resource that a user configured and wants to scan for misconfiguration.
```
type CodeBuild struct {
Projects []Project
}
```
The CodeBuild service manages `Project` resources. The `Project` struct has been added to hold information about each Project resources; `Project` Resources in turn manage `ArtifactSettings`:
```
type Project struct {
Metadata iacTypes.Metadata
ArtifactSettings ArtifactSettings
SecondaryArtifactSettings []ArtifactSettings
}
type ArtifactSettings struct {
Metadata iacTypes.Metadata
EncryptionEnabled iacTypes.BoolValue
}
```
The `iacTypes.Metadata` struct is embedded in all of the Trivy types and provides a common set of metadata for all resources. This includes the file and line number where the resource was defined and the name of the resource.
A resource in this example `Project` can have a name and can optionally be encrypted. Instead of using raw string and bool types respectively, we use the trivy types `iacTypes.Metadata` and `iacTypes.BoolValue`. These types wrap the raw values and provide additional metadata about the value. For instance, whether it was set by the user and the file and line number where the resource was defined.
Have a look at the other providers and services in the [`iac/providers`](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/providers) directory in Trivy.
Next you'll need to add a reference to your new service struct in the [provider struct](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/providers/aws/aws.go) at `pkg/iac/providers/aws/aws.go`:
```
type AWS struct {
...
CodeBuild codebuild.CodeBuild
...
}
```
### Update Adapters
Now you'll need to update all of the [adapters](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/adapters) which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adatper as shown here: [`trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go`](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/adapters/terraform/aws/codebuild/adapt.go).
Another example for updating the adapters is provided in the [following PR.](https://github.com/aquasecurity/defsec/pull/1000/files) Additionally, please refer to the respective Terraform documentation on the provider to which you are adding the service. For instance, the Terraform documentation for AWS CodeBuild is provided [here.](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project)
## Create a new Schema for your provider
Once the new service has been added to the provider, you need to create the schema for the service as part of the provider schema.
This process has been automated with mage commands. In the Trivy root directory run `mage schema:generate` to generate the schema for your new service and `mage schema:verify`.

49
docs/community/contribute/discussion.md
View File

@@ -1,49 +0,0 @@
# Discussions
Thank you for taking interest in contributing to Trivy!
Trivy uses [GitHub Discussion](https://github.com/aquasecurity/trivy/discussions) for bug reports, feature requests, and questions.
If maintainers decide to accept a new feature or confirm that it is a bug, they will close the discussion and create a [GitHub Issue](https://github.com/aquasecurity/trivy/issues) associated with that discussion.
- Feel free to open discussions for any reason. When you open a new discussion, you'll have to select a discussion category as described below.
- Please spend a small amount of time giving due diligence to the issue/discussion tracker. Your discussion might be a duplicate. If it is, please add your comment to the existing issue/discussion.
- Remember that users might search for your issue/discussion in the future, so please give it a meaningful title to help others.
- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
There are 4 categories:
- 💡 [Ideas](https://github.com/aquasecurity/trivy/discussions/categories/ideas)
- Share ideas for new features
- 🔎 [False Detection](https://github.com/aquasecurity/trivy/discussions/categories/false-detection)
- Report false positives/negatives
- 🐛 [Bugs](https://github.com/aquasecurity/trivy/discussions/categories/bugs)
- Report something that is not working as expected
- 🙏 [Q&A](https://github.com/aquasecurity/trivy/discussions/categories/q-a)
- Ask the community for help
!!! note
If you find any false positives or false negatives, please make sure to report them under the "False Detection" category, not "Bugs".
## False detection
Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#data-sources).
Sometime these databases contain mistakes.
If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
1. Run Trivy with `-f json` that shows data sources.
2. According to the shown data source, make sure that the security advisory in the data source is correct.
If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
### GitHub Advisory Database
Visit [here](https://github.com/advisories) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
### GitLab Advisory Database
Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
### Red Hat CVE Database
Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.

7
docs/community/contribute/issue.md
View File

@@ -1,7 +0,0 @@
# Issues
Thank you for taking interest in contributing to Trivy!
Trivy uses [GitHub Discussion](./discussion.md) for bug reports, feature requests, and questions.
!!! warning
Issues created by non-maintainers will be immediately closed.

227
docs/community/contribute/pr.md
View File

@@ -1,227 +0,0 @@
Thank you for taking interest in contributing to Trivy!
1. Every Pull Request should have an associated GitHub issue link in the PR description. Note that issues are created by Trivy maintainers based on feedback provided in a GitHub discussion. Please refer to the [issue](./issue.md) and [discussion](./discussion.md) pages for explanation about this process. If you think your change is trivial enough, you can skip the issue and instead add justification and explanation in the PR description.
1. Your PR is more likely to be accepted if it focuses on just one change.
1. There's no need to add or tag reviewers.
1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
1. Please include a comment with the results before and after your change.
1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
## Development
Install the necessary tools for development by following their respective installation instructions.
- [Go](https://go.dev/doc/install)
- [Mage](https://magefile.org/)
### Build
After making changes to the Go source code, build the project with the following command:
```shell
$ mage build
$ ./trivy -h
```
### Lint
You must pass the linter checks:
```shell
$ mage lint:run
```
Additionally, you need to have run `go mod tidy`, so execute the following command as well:
```shell
$ mage tidy
```
To autofix linters use the following command:
```shell
$ mage lint:fix
```
### Unit tests
Your PR must pass all the unit tests. You can test it as below.
```
$ mage test:unit
```
### Integration tests
Your PR must pass all the integration tests. You can test it as below.
```
$ mage test:integration
```
### Documentation
If you update CLI flags, you need to generate the CLI references.
The test will fail if they are not up-to-date.
```shell
$ mage docs:generate
```
You can build the documents as below and view it at http://localhost:8000.
```
$ mage docs:serve
```
## Title
It is not that strict, but we use the title conventions in this repository.
Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
### Format of the title
```
<type>(<scope>): <subject>
```
The `type` and `scope` should always be lowercase as shown below.
**Allowed `<type>` values:**
- **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
- **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
- **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
- **docs** for changes to the documentation.
- **style** for formatting changes, missing semicolons, etc.
- **refactor** for refactoring production code, e.g. renaming a variable.
- **test** for adding missing tests, refactoring tests; no production code change.
- **build** for updating build configuration, development tools or other changes irrelevant to the user.
- **chore** for updates that do not apply to the above, such as dependency updates.
- **ci** for changes to CI configuration files and scripts
- **revert** for revert to a previous commit
**Allowed `<scope>` values:**
checks:
- vuln
- misconf
- secret
- license
mode:
- image
- fs
- repo
- sbom
- k8s
- server
- aws
- vm
- plugin
os:
- alpine
- redhat
- alma
- rocky
- azure
- oracle
- debian
- ubuntu
- amazon
- suse
- photon
- distroless
language:
- ruby
- php
- python
- nodejs
- rust
- dotnet
- java
- go
- elixir
- dart
- julia
vuln:
- os
- lang
config:
- kubernetes
- dockerfile
- terraform
- cloudformation
container
- docker
- podman
- containerd
- oci
cli:
- cli
- flag
SBOM:
- cyclonedx
- spdx
- purl
others:
- helm
- report
- db
- parser
- deps
The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
**Breaking changes**
A PR, introducing a breaking API change, needs to append a `!` after the type/scope.
### Example titles
```
feat(alma): add support for AlmaLinux
```
```
feat(vuln)!: delete the existing CLI flag
```
```
fix(oracle): handle advisories with ksplice versions
```
```
docs(misconf): add comparison with Conftest and TFsec
```
```
chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
```
**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
## Commits
## Understand where your pull request belongs
Trivy is composed of several repositories that work together:
- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerability database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
- [go-dep-parser](https://github.com/aquasecurity/go-dep-parser) is a library for parsing lock files such as package-lock.json and Gemfile.lock.

59
docs/community/maintainer/backporting.md
View File

@@ -1,59 +0,0 @@
# Backporting Process
This document outlines the backporting process for Trivy, including when to create patch releases and how to perform the backporting.
## When to Create Patch Releases
In general, small changes should not be backported and should be included in the next minor release.
However, patch releases should be made in the following cases:
* Fixes for HIGH or CRITICAL vulnerabilities in Trivy itself or Trivy's dependencies
* Fixes for bugs that cause panic during Trivy execution or otherwise interfere with normal usage
In these cases, the fixes should be backported using the procedure [described below](#backporting-procedure).
At the maintainer's discretion, other bug fixes may be included in the patch release containing these hotfixes.
## Versioning
Trivy follows [Semantic Versioning](https://semver.org/), using version numbers in the format MAJOR.MINOR.PATCH.
When creating a patch release, the PATCH part of the version number is incremented.
For example, if a fix is being distributed for v0.50.0, the patch release would be v0.50.1.
## Backporting Procedure
1. A release branch (e.g., `release/v0.50`) is automatically created when a new minor version is released.
1. Create a pull request (PR) against the main branch with the necessary fixes. If the fixes are already merged into the main branch, skip this step.
1. Once the PR with the fixes is merged, comment `@aqua-bot backport <release-branch>` on the PR (e.g., `@aqua-bot backport release/v0.50`). This will trigger the automated backporting process using GitHub Actions.
1. The automated process will create a new PR with the backported changes. Ensure that all tests pass for this PR.
1. Once the tests pass, merge the automatically created PR into the release branch.
1. Merge [a release PR](release-flow.md) on the release branch and release the patch version.
!!! note
Even if a conflict occurs, a PR is created by forceful commit, in which case the conflict should be resolved manually.
If you want to re-run a backport of the same PR, close the existing PR, delete the branch and re-run it.
### Example
To better understand the backporting procedure, let's walk through an example using the releases of v0.50.
```mermaid
gitGraph:
commit id:"Feature 1"
commit id:"v0.50.0 release" tag:"v0.50.0"
branch "release/v0.50"
checkout main
commit id:"Bugfix 1"
checkout "release/v0.50"
cherry-pick id:"Bugfix 1"
checkout main
commit id:"Feature 2"
commit id:"Bugfix 2"
commit id:"Feature 3"
checkout "release/v0.50"
cherry-pick id:"Bugfix 2"
commit id:"v0.50.1 release" tag:"v0.50.1"
```

78
docs/community/maintainer/help-wanted.md
View File

@@ -1,78 +0,0 @@
# Overview
We use two labels [help wanted](#help-wanted) and [good first
issue](#good-first-issue) to identify issues that have been specially groomed
for new contributors. The `good first issue` label is a subset of `help wanted`
label, indicating that members have committed to providing extra assistance for
new contributors. All `good first issue` items also have the `help wanted`
label.
## Help Wanted
Items marked with the `help wanted` label need to ensure that they are:
- **Low Barrier to Entry**
It should be tractable for new contributors. Documentation on how that type of
change should be made should already exist.
- **Clear Task**
The task is agreed upon and does not require further discussions in the
community. Call out if that area of code is untested and requires new
fixtures.
API / CLI behavior is decided and included in the OP issue, for example: "The
new command syntax is `trivy --format yaml IMAGE_NAME`"_ with
expected validations called out.
- **Goldilocks priority**
Not too high that a core contributor should do it, but not too low that it
isn't useful enough for a core contributor to spend time to review it, answer
questions, help get it into a release, etc.
- **Up-To-Date**
Often these issues become obsolete and have already been done, are no longer
desired, no longer make sense, have changed priority or difficulty , etc.
## Good First Issue
Items marked with the `good first issue` label are intended for _first-time
contributors_. It indicates that members will keep an eye out for these pull
requests and shepherd it through our processes.
These items need to ensure that they follow the guidelines for `help wanted`
labels (above) in addition to meeting the following criteria:
- **No Barrier to Entry**
The task is something that a new contributor can tackle without advanced
setup, or domain knowledge.
- **Solution Explained**
The recommended solution is clearly described in the issue.
- **Provides Context**
If background knowledge is required, this should be explicitly mentioned and a
list of suggested readings included.
- **Gives Examples**
Link to examples of similar implementations so new contributors have a
reference guide for their changes.
- **Identifies Relevant Code**
The relevant code and tests to be changed should be linked in the issue.
- **Ready to Test**
There should be existing tests that can be modified, or existing test cases
fit to be copied. If the area of code doesn't have tests, before labeling the
issue, add a test fixture. This prep often makes a great `help wanted` task!

83
docs/community/maintainer/release-flow.md
View File

@@ -1,83 +0,0 @@
# Release Flow
## Overview
Trivy adopts [conventional commit messages][conventional-commits], and [Release Please][release-please] automatically creates a [release PR](https://github.com/googleapis/release-please?tab=readme-ov-file#whats-a-release-pr) based on the messages of the merged commits.
This release PR is automatically updated every time a new commit is added to the release branch.
If a commit has the prefix `feat:`, a PR is automatically created to increment the minor version, and if a commit has the prefix `fix:`, a PR is created to increment the patch version.
When the PR is merged, GitHub Actions automatically creates a version tag and the release is performed.
For detailed behavior, please refer to [the GitHub Actions configuration][workflows].
!!! note
Commits with prefixes like `chore` or `build` are not considered releasable, and no release PR is created.
To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release).
## Flow
The release flow consists of the following main steps:
1. Creating the release PR (automatically or manually)
1. Drafting the release notes in GitHub Discussions
1. Merging the release PR
1. Updating the release notes in GitHub Discussions
1. Navigating to the release notes in GitHub Releases page
### Automatic Release PR Creation
When a releasable commit (a commit with `feat` or `fix` prefix) is merged, a release PR is automatically created.
These Release PRs are kept up-to-date as additional work is merged.
When it's ready to tag a release, simply merge the release PR.
See the [Release Please documentation][release-please] for more information.
The title of the PR will be in the format `release: v${version} [${branch}]` (e.g., `release: v0.51.0 [main]`).
The format of the PR title is important for identifying the release commit, so it should not be changed.
The `release/vX.Y` release branches are also subject to automatic release PR creation for patch releases.
The PR title will be like `release: v0.51.1 [release/v0.51]`.
### Manual Release PR Creation
If you want to release commits like `chore`, a release PR is not automatically created, so you need to manually trigger the creation of a release PR.
The [Release Please workflow](https://github.com/aquasecurity/trivy/actions/workflows/release-please.yaml) supports `workflow_dispatch` and can be triggered manually.
Click "Run workflow" in the top right corner and specify the release branch.
In Trivy, the following branches are the release branches.
- `main`
- `release/vX.Y` (e.g. `release/v0.51`)
Specify the release version (without the `v` prefix) and click "Run workflow" to create a release PR for the specified version.
### Drafting the Release Notes
Next, create release notes for this version.
Draft a new post in GitHub Discussions, and maintainers edit these release notes (e.g., https://github.com/aquasecurity/trivy/discussions/6605).
Currently, the creation of this draft is done manually.
For patch version updates, this step can be skipped since they only involve bug fixes.
### Merging the Release PR
Once the draft of the release notes is complete, merge the release PR.
When the PR is merged, a tag is automatically created, and [GoReleaser][goreleaser] releases binaries, container images, etc.
### Updating the Release Notes
If the release completes without errors, a page for the release notes is created in GitHub Discussions (e.g., https://github.com/aquasecurity/trivy/discussions/6622).
Copy the draft release notes, adjust the formatting, and finalize the release notes.
### Navigating to the Release Notes
To navigate to the release highlights and summary in GitHub Discussions, place a link in the GitHub Releases page as below:
```
## ⚡Release highlights and summary⚡
👉 https://github.com/aquasecurity/trivy/discussions/6838
## Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0520-2024-06-03
```
Replace URLs with appropriate ones.
Example: https://github.com/aquasecurity/trivy/releases/tag/v0.52.0
The release is now complete.
[conventional-commits]: https://www.conventionalcommits.org/en/v1.0.0/
[release-please]: https://github.com/googleapis/release-please
[goreleaser]: https://goreleaser.com/
[workflows]: https://github.com/aquasecurity/trivy/tree/main/.github/workflows

198
docs/community/maintainer/triage.md
View File

@@ -1,198 +0,0 @@
# Triage
Triage is an important part of maintaining the health of the trivy repo.
A well organized repo allows maintainers to prioritize feature requests, fix bugs, and respond to users facing difficulty with the tool as quickly as possible.
Triage includes:
- Labeling issues
- Responding to issues
- Closing issues
# Daily Triage
Daily triage has two goals:
1. Responsiveness for new issues
1. Responsiveness when explicitly requested information was provided
It covers:
1. Issues without a `kind/` or `triage/` label
1. Issues without a `priority/` label
1. `triage/needs-information` issues which the user has followed up on, and now require a response.
## Categorization
The most important level of categorizing the issue is defining what type it is.
We typically want at least one of the following labels on every issue, and some issues may fall into multiple categories:
- `triage/support` - The default for most incoming issues
- `kind/bug` - When its a bug or we arent delivering the best user experience
Other possibilities:
- `kind/feature`- Identify new feature requests
- `kind/testing` - Update or fix unit/integration tests
- `kind/cleanup` - Cleaning up/refactoring the codebase
- `kind/documentation` - Updates or additions to trivy documentation
If the issue is specific to a driver for OS packages or libraries:
**co/[driver for OS packages]**
- `co/alpine`
- `co/amazon`
- `co/debian`
- `co/oracle`
- `co/photon`
- `co/redhat`
- `co/suse`
- `co/ubuntu`
**co/[driver for libraries of programming languages]**
- `co/bundler`
- `co/cargo`
- `co/composer`
- `co/npm`
- `co/yarn`
- `co/pipenv`
- `co/poetry`
**Help wanted?**
`Good First Issue` - bug has a proposed solution, can be implemented w/o further discussion.
`Help wanted` - if the bug could use help from a contributor
## Prioritization
If the issue is not `triage/support`, it needs a priority label.
`priority/critical-urgent` - someones top priority ASAP, such as security issue, user-visible bug, or build breakage. Rarely used.
`priority/important-soon`: in time for the next two releases. It should be attached to a milestone.
`priority/important-longterm`: 2-4 releases from now
`priority/backlog`: agreed that this would be good to have, but no one is available at the moment. Consider tagging as `help wanted`
`priority/awaiting-more-evidence`: may be useful, but there is not yet enough support.
# Weekly Triage
Weekly triage has three goals:
1. Catching up on unresponded issues
1. Reviewing and closing PRs
1. Closing stale issues
## Post-Release Triage
Post-release triage occurs after a major release (around every 4-6 weeks).
It focuses on:
1. Closing bugs that have been resolved by the release
1. Reprioritizing bugs that have not been resolved by the release
1. Letting users know if we believe that there is still an issue
This includes reviewing:
1. Every issue that hasnt been touched in the last 2 days
1. Re-evaluation of long-term issues
1. Re-evaluation of short-term issues
## Responding to Issues
### Needs More Information
A sample response to ask for more info:
> I dont yet have a clear way to replicate this issue. Do you mind adding some additional details. Here is additional information that would be helpful:
>
> \* The exact `trivy` command line used
>
> \* The exact image you want to scan
>
> \* The full output of the `trivy` command, preferably with `--debug` for extra logging.
>
>
> Thank you for sharing your experience!
Then: Label with `triage/needs-information`.
### Issue might be resolved
If you think a release may have resolved an issue, ask the author to see if their issue has been resolved:
> Could you please check to see if trivy <x> addresses this issue? We've made some changes with how this is handled, and improved the trivy logs output to help us debug tricky cases like this.
Then: Label with `triage/needs-information`.
## Closing with Care
Issues typically need to be closed for the following reasons:
- The issue has been addressed
- The issue is a duplicate of an existing issue
- There has been a lack of information over a long period of time
In any of these situations, we aim to be kind when closing the issue, and offer the author action items should they need to reopen their issue or still require a solution.
Samples responses for these situations include:
### Issue has been addressed
>@author: I believe this issue is now addressed by trivy v1.0.0, as it <reason>. If you still see this issue with trivy v1.0 or higher, please reopen this issue.
>
>Thank you for reporting this issue!
Then: Close the issue
### Duplicate Issue
>This issue appears to be a duplicate of #X, do you mind if we move the conversation there?
>
>This way we can centralize the content relating to the issue. If you feel that this issue is not in fact a duplicate, please re-open it. If you have additional information to share, please add it to the new issue.
>
>Thank you for reporting this!
Then: Label with `triage/duplicate` and close the issue.
### Lack of Information
If an issue hasn't been active for more than four weeks, and the author has been pinged at least once, then the issue can be closed.
>Hey @author -- hopefully it's OK if I close this - there wasn't enough information to make it actionable, and some time has already passed. If you are able to provide additional details, you may reopen it at any point.
>
>Here is additional information that may be helpful to us:
>
>\* Whether the issue occurs with the latest trivy release
>
>\* The exact `trivy` command line used
>
>\* The exact image you want to scan
>
>\* The full output of the `trivy` command, preferably with `--debug` for extra logging.
>
>
>Thank you for sharing your experience!
Then: Close the issue.
## Help Wanted issues
We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22)
and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
to identify issues that have been specially groomed for new contributors.
We have specific [guidelines](/docs/community/maintainer/help-wanted.md)
for how to use these labels. If you see an issue that satisfies these
guidelines, you can add the `help wanted` label and the `good first issue` label.
Please note that adding the `good first issue` label must also
add the `help wanted` label.
If an issue has these labels but does not satisfy the guidelines, please
ask for more details to be added to the issue or remove the labels.

53
docs/community/principles.md
View File

@@ -1,53 +0,0 @@
# Trivy Project Principles
This document outlines the guiding principles and governance framework for the Trivy project.
## Core Principles
Trivy is a security scanner focused on static analysis and designed with simplicity and security at its core.
All new proposals to the project must adhere to the following principles.
### Static Analysis (No Runtime Required)
Trivy operates without requiring container or VM image startups, eliminating the need for Docker or similar runtimes, except for scanning images stored within a container runtime.
This approach enhances security and efficiency by minimizing dependencies.
### External Dependency Free (Single Binary)
Operating as a single binary, Trivy is independent of external environments and avoids executing external OS commands or processes.
If specific functionality, like Maven's, is needed, Trivy opts for internal reimplementations or processing outputs of the tool without direct execution of external tools.
This approach obviously requires more effort but significantly reduces security risks associated with executing OS commands and dependency errors due to external environment versions.
Simplifying the scanner's use by making it operational immediately upon binary download facilitates easier initiation of scans.
### No Setup Required
Trivy must be ready to use immediately after installation.
It's unacceptable for Trivy not to function without setting up a database or writing configuration files by default.
Such setups should only be necessary for users requiring specific customizations.
Security often isn't a top priority for many organizations and can be easily deferred.
Trivy aims to lower the barrier to entry by simplifying the setup process, making it easier for users to start securing their projects.
### Security Focus
Trivy prioritizes the identification of security issues, excluding features unrelated to security, such as performance metrics or content listings of container images.
It can, however, produce and output intermediate representations like SBOMs for comprehensive security assessments.
Trivy serves as a tool with opinions on security, used to warn users about potential issues.
### Detecting Unintended States
Trivy is designed to detect unintended vulnerable states in projects, such as the use of vulnerable versions of dependencies or misconfigurations in Infrastructure as Code (IaC) that may unintentionally expose servers to the internet.
The focus is on identifying developer mistakes or undesirable states, not on detecting intentional attacks, such as malicious images and malware.
## Out of Scope Features
Aqua Security offers a premium version with several features not available in the open-source Trivy project.
While detailed information can be found [here][trivy-aqua], it's beneficial to highlight specific functionalities frequently inquired about:
### Runtime Security
As mentioned in [the Core Principles](#static-analysis-no-runtime-required), Trivy is a static analysis security scanner, making runtime security outside its scope.
Runtime security needs are addressed by [Tracee][tracee] or [the commercial version of Aqua Security]().
### Intentional Attacks
As mentioned in [the Core Principles](#detecting-unintended-states), detection of intentional attacks, such as malware or malicious container images, is not covered by Trivy and is supported in [the commercial version][aqua].
### User Interface
Trivy primarily operates via CLI for displaying results, with a richer UI available in [the commercial version][aqua].
[trivy-aqua]: https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md
[tracee]: https://github.com/aquasecurity/tracee
[aqua]: https://www.aquasec.com/

142
docs/docs/advanced/air-gap.md
View File

@@ -1,142 +0,0 @@
# Air-Gapped Environment
Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].
## Air-Gapped Environment for vulnerabilities
### Download the vulnerability database
At first, you need to download the vulnerability database for use in air-gapped environments.
=== "Trivy"
```
TRIVY_TEMP_DIR=$(mktemp -d)
trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
rm -rf $TRIVY_TEMP_DIR
```
=== "oras >= v0.13.0"
Please follow [oras installation instruction][oras].
Download `db.tar.gz`:
```
$ oras pull ghcr.io/aquasecurity/trivy-db:2
```
=== "oras < v0.13.0"
Please follow [oras installation instruction][oras].
Download `db.tar.gz`:
```
$ oras pull -a ghcr.io/aquasecurity/trivy-db:2
```
### Download the Java index database[^1]
Java users also need to download the Java index database for use in air-gapped environments.
!!! note
You container image may contain JAR files even though you don't use Java directly.
In that case, you also need to download the Java index database.
=== "Trivy"
```
TRIVY_TEMP_DIR=$(mktemp -d)
trivy --cache-dir $TRIVY_TEMP_DIR image --download-java-db-only
tar -cf ./javadb.tar.gz -C $TRIVY_TEMP_DIR/java-db metadata.json trivy-java.db
rm -rf $TRIVY_TEMP_DIR
```
=== "oras >= v0.13.0"
Please follow [oras installation instruction][oras].
Download `javadb.tar.gz`:
```
$ oras pull ghcr.io/aquasecurity/trivy-java-db:1
```
=== "oras < v0.13.0"
Please follow [oras installation instruction][oras].
Download `javadb.tar.gz`:
```
$ oras pull -a ghcr.io/aquasecurity/trivy-java-db:1
```
### Transfer the DB files into the air-gapped environment
The way of transfer depends on the environment.
=== "Vulnerability db"
```
$ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
```
=== "Java index db[^1]"
```
$ rsync -av -e ssh /path/to/javadb.tar.gz [user]@[host]:dst
```
### Put the DB files in Trivy's cache directory
You have to know where to put the DB files. The following command shows the default cache directory.
```
$ ssh user@host
$ trivy -h | grep cache
--cache-dir value cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
```
=== "Vulnerability db"
Put the DB file in the cache directory + `/db`.
```
$ mkdir -p /home/myuser/.cache/trivy/db
$ cd /home/myuser/.cache/trivy/db
$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
x trivy.db
x metadata.json
$ rm /path/to/db.tar.gz
```
=== "Java index db[^1]"
Put the DB file in the cache directory + `/java-db`.
```
$ mkdir -p /home/myuser/.cache/trivy/java-db
$ cd /home/myuser/.cache/trivy/java-db
$ tar xvf /path/to/javadb.tar.gz -C /home/myuser/.cache/trivy/java-db
x trivy-java.db
x metadata.json
$ rm /path/to/javadb.tar.gz
```
In an air-gapped environment it is your responsibility to update the Trivy databases on a regular basis, so that the scanner can detect recently-identified vulnerabilities.
### Run Trivy with the specific flags.
In an air-gapped environment, you have to specify `--skip-db-update` and `--skip-java-db-update`[^1] so that Trivy doesn't attempt to download the latest database files.
In addition, if you want to scan `pom.xml` dependencies, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
```
$ trivy image --skip-db-update --skip-java-db-update --offline-scan alpine:3.12
```
## Air-Gapped Environment for misconfigurations
No special measures are required to detect misconfigurations in an air-gapped environment.
### Run Trivy with `--skip-check-update` option
In an air-gapped environment, specify `--skip-check-update` so that Trivy doesn't attempt to download the latest misconfiguration checks.
```
$ trivy conf --skip-policy-update /path/to/conf
```
[allowlist]: ../references/troubleshooting.md
[oras]: https://oras.land/docs/installation
[^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../coverage/language/java.md)

28
docs/docs/advanced/container/embed-in-dockerfile.md
View File

@@ -1,28 +0,0 @@
# Embed in Dockerfile
Scan your image as part of the build process by embedding Trivy in the
Dockerfile. This approach can be used to update Dockerfiles currently using
Aquas [Microscanner][microscanner].
```bash
$ cat Dockerfile
FROM alpine:3.7
RUN apk add curl \
&& curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
&& trivy rootfs --exit-code 1 --no-progress /
$ docker build -t vulnerable-image .
```
Alternatively you can use Trivy in a multistage build. Thus avoiding the
insecure `curl | sh`. Also the image is not changed.
```bash
[...]
# Run vulnerability scan on build image
FROM build AS vulnscan
COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
RUN trivy rootfs --exit-code 1 --no-progress /
[...]
```
[microscanner]: https://github.com/aquasecurity/microscanner

116
docs/docs/advanced/container/unpacked-filesystem.md
View File

@@ -1,116 +0,0 @@
# Unpacked Filesystem
Scan an unpacked container image filesystem.
In this case, Trivy works the same way when scanning containers
```bash
$ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
$ trivy rootfs /tmp/rootfs
```
<details>
<summary>Result</summary>
```bash
2021-03-08T05:22:26.378Z INFO Need to update DB
2021-03-08T05:22:26.380Z INFO Downloading DB...
20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s
2021-03-08T05:22:30.134Z INFO Detecting Alpine vulnerabilities...
/tmp/rootfs (alpine 3.10.2)
===========================
Total: 20 (UNKNOWN: 0, LOW: 2, MEDIUM: 10, HIGH: 8, CRITICAL: 0)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2020-1967 | HIGH | 1.1.1c-r0 | 1.1.1g-r0 | openssl: Segmentation |
| | | | | | fault in SSL_check_chain |
| | | | | | causes denial of service |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-1967 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2021-23839 | | | 1.1.1j-r0 | openssl: incorrect SSLv2 |
| | | | | | rollback protection |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-23840 | | | | openssl: integer |
| | | | | | overflow in CipherUpdate |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-23841 | | | | openssl: NULL pointer dereference |
| | | | | | in X509_issuer_and_serial_hash() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |
+ +------------------+----------+ +---------------+---------------------------------------+
| | CVE-2019-1547 | MEDIUM | | 1.1.1d-r0 | openssl: side-channel weak |
| | | | | | encryption vulnerability |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1547 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2019-1549 | | | | openssl: information |
| | | | | | disclosure in fork() |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1549 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2019-1551 | | | 1.1.1d-r2 | openssl: Integer overflow in RSAZ |
| | | | | | modular exponentiation on x86_64 |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1551 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2020-1971 | | | 1.1.1i-r0 | openssl: EDIPARTYNAME |
| | | | | | NULL pointer de-reference |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-1971 |
+ +------------------+----------+ +---------------+---------------------------------------+
| | CVE-2019-1563 | LOW | | 1.1.1d-r0 | openssl: information |
| | | | | | disclosure in PKCS7_dataDecode |
| | | | | | and CMS_decrypt_set1_pkey |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1563 |
+--------------+------------------+----------+ +---------------+---------------------------------------+
| libssl1.1 | CVE-2020-1967 | HIGH | | 1.1.1g-r0 | openssl: Segmentation |
| | | | | | fault in SSL_check_chain |
| | | | | | causes denial of service |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-1967 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2021-23839 | | | 1.1.1j-r0 | openssl: incorrect SSLv2 |
| | | | | | rollback protection |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-23840 | | | | openssl: integer |
| | | | | | overflow in CipherUpdate |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-23841 | | | | openssl: NULL pointer dereference |
| | | | | | in X509_issuer_and_serial_hash() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |
+ +------------------+----------+ +---------------+---------------------------------------+
| | CVE-2019-1547 | MEDIUM | | 1.1.1d-r0 | openssl: side-channel weak |
| | | | | | encryption vulnerability |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1547 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2019-1549 | | | | openssl: information |
| | | | | | disclosure in fork() |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1549 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2019-1551 | | | 1.1.1d-r2 | openssl: Integer overflow in RSAZ |
| | | | | | modular exponentiation on x86_64 |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1551 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2020-1971 | | | 1.1.1i-r0 | openssl: EDIPARTYNAME |
| | | | | | NULL pointer de-reference |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-1971 |
+ +------------------+----------+ +---------------+---------------------------------------+
| | CVE-2019-1563 | LOW | | 1.1.1d-r0 | openssl: information |
| | | | | | disclosure in PKCS7_dataDecode |
| | | | | | and CMS_decrypt_set1_pkey |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1563 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| musl | CVE-2020-28928 | MEDIUM | 1.1.22-r3 | 1.1.22-r4 | In musl libc through 1.2.1, |
| | | | | | wcsnrtombs mishandles particular |
| | | | | | combinations of destination buffer... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-28928 |
+--------------+ + + + + +
| musl-utils | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
```
</details>

358
docs/docs/advanced/modules.md
View File

@@ -1,358 +0,0 @@
# Modules
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Trivy provides a module feature to allow others to extend the Trivy CLI without the need to change the Trivy code base.
It changes the behavior during scanning by WebAssembly.
## Overview
Trivy modules are add-on tools that integrate seamlessly with Trivy.
They provide a way to extend the core feature set of Trivy, but without updating the Trivy binary.
- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
- They can be written in any programming language supporting WebAssembly.
- It supports only [TinyGo][tinygo] at the moment.
You can write your own detection logic.
- Evaluate complex vulnerability conditions like [Spring4Shell][spring4shell]
- Detect a shell script communicating with malicious domains
- Detect malicious python install script (setup.py)
- Even detect misconfigurations in WordPress setting
- etc.
Then, you can update the scan result however you want.
- Change a severity
- Remove a vulnerability
- Add a new vulnerability
- etc.
Modules should be distributed in OCI registries like GitHub Container Registry.
!!! warning
WebAssembly doesn't allow file access and network access by default.
Modules can read required files only, but cannot overwrite them.
WebAssembly is sandboxed and secure by design, but Trivy modules available in public are not audited for security.
You should install and run third-party modules at your own risk even though
Under the hood Trivy leverages [wazero][wazero] to run WebAssembly modules without CGO.
## Installing a Module
A module can be installed using the `trivy module install` command.
This command takes an url. It will download the module and install it in the module cache.
Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set.
Trivy will now search XDG_DATA_HOME for the location of the Trivy modules cache.
The preference order is as follows:
- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
- $HOME/.trivy/plugins
For example, to download the WebAssembly module, you can execute the following command:
```bash
$ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell
```
## Using Modules
Once the module is installed, Trivy will load all available modules in the cache on the start of the next Trivy execution.
The modules may inject custom logic into scanning and change the result.
You can run Trivy as usual and modules are loaded automatically.
You will see the log messages about WASM modules.
```shell
$ trivy image ghcr.io/aquasecurity/trivy-test-images:spring4shell-jre8
2022-06-12T12:57:13.210+0300 INFO Loading ghcr.io/aquasecurity/trivy-module-spring4shell/spring4shell.wasm...
2022-06-12T12:57:13.596+0300 INFO Registering WASM module: spring4shell@v1
...
2022-06-12T12:57:14.865+0300 INFO Module spring4shell: Java Version: 8, Tomcat Version: 8.5.77
2022-06-12T12:57:14.865+0300 INFO Module spring4shell: change CVE-2022-22965 severity from CRITICAL to LOW
Java (jar)
Total: 9 (UNKNOWN: 1, LOW: 3, MEDIUM: 2, HIGH: 3, CRITICAL: 0)
┌──────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot (helloworld.war) │ CVE-2022-22965 │ LOW │ 2.6.3 │ 2.5.12, 2.6.6 │ spring-framework: RCE via Data Binding on JDK 9+ │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22965 │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
...(snip)...
```
In the above example, the Spring4Shell module changed the severity from CRITICAL to LOW because the application doesn't satisfy one of conditions.
## Uninstalling Modules
Specify a module repository with `trivy module uninstall` command.
```bash
$ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell
```
## Building Modules
It supports TinyGo only at the moment.
### TinyGo
Trivy provides Go SDK including three interfaces.
Your own module needs to implement either or both `Analyzer` and `PostScanner` in addition to `Module`.
```go
type Module interface {
Version() int
Name() string
}
type Analyzer interface {
RequiredFiles() []string
Analyze(filePath string) (*serialize.AnalysisResult, error)
}
type PostScanner interface {
PostScanSpec() serialize.PostScanSpec
PostScan(serialize.Results) (serialize.Results, error)
}
```
In the following tutorial, it creates a WordPress module that detects a WordPress version and a critical vulnerability accordingly.
!!! tips
You can use logging functions such as `Debug` and `Info` for debugging.
See [examples](#examples) for the detail.
#### Initialize your module
Replace the repository name with yours.
```
$ go mod init github.com/aquasecurity/trivy-module-wordpress
```
#### Module interface
`Version()` returns your module version and should be incremented after updates.
`Name()` returns your module name.
```go
package main
const (
version = 1
name = "wordpress-module"
)
type WordpressModule struct{
// Cannot define fields as modules can't keep state.
}
func (WordpressModule) Version() int {
return version
}
func (WordpressModule) Name() string {
return name
}
```
!!! info
A struct cannot have any fields. Each method invocation is performed in different states.
#### Analyzer interface
If you implement the `Analyzer` interface, `Analyze` method is called when the file path is matched to file patterns returned by `RequiredFiles()`.
A file pattern must be a regular expression. The syntax detail is [here][regexp].
`Analyze` takes the matched file path, then the file can be opened by `os.Open()`.
```go
const typeWPVersion = "wordpress-version"
func (WordpressModule) RequiredFiles() []string {
return []string{
`wp-includes\/version.php`,
}
}
func (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, error) {
f, err := os.Open(filePath) // e.g. filePath: /usr/src/wordpress/wp-includes/version.php
if err != nil {
return nil, err
}
defer f.Close()
var wpVersion string
scanner := bufio.NewScanner(f)
for scanner.Scan() {
line := scanner.Text()
if !strings.HasPrefix(line, "$wp_version=") {
continue
}
ss := strings.Split(line, "=")
if len(ss) != 2 {
return nil, fmt.Errorf("invalid wordpress version: %s", line)
}
// NOTE: it is an example; you actually need to handle comments, etc
ss[1] = strings.TrimSpace(ss[1])
wpVersion = strings.Trim(ss[1], `";`)
}
if err = scanner.Err(); err != nil {
return nil, err
}
return &serialize.AnalysisResult{
CustomResources: []serialize.CustomResource{
{
Type: typeWPVersion,
FilePath: filePath,
Data: wpVersion,
},
},
}, nil
}
```
!!! tips
Trivy caches analysis results according to the module version.
We'd recommend cleaning the cache or changing the module version every time you update `Analyzer`.
#### PostScanner interface
`PostScan` is called after scanning and takes the scan result as an argument from Trivy.
In post scanning, your module can perform one of three actions:
- Insert
- Add a new security finding
- e.g. Add a new vulnerability and misconfiguration
- Update
- Update the detected vulnerability and misconfiguration
- e.g. Change a severity
- Delete
- Delete the detected vulnerability and misconfiguration
- e.g. Remove Spring4Shell because it is not actually affected.
`PostScanSpec()` returns which action the module does.
If it is `Update` or `Delete`, it also needs to return IDs such as CVE-ID and misconfiguration ID, which your module wants to update or delete.
`serialize.Results` contains the filtered results matching IDs you specified.
Also, it includes `CustomResources` with the values your `Analyze` returns, so you can modify the scan result according to the custom resources.
```go
func (WordpressModule) PostScanSpec() serialize.PostScanSpec {
return serialize.PostScanSpec{
Action: api.ActionInsert, // Add new vulnerabilities
}
}
func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, error) {
// e.g. results
// [
// {
// "Target": "",
// "Class": "custom",
// "CustomResources": [
// {
// "Type": "wordpress-version",
// "FilePath": "/usr/src/wordpress/wp-includes/version.php",
// "Layer": {
// "DiffID": "sha256:057649e61046e02c975b84557c03c6cca095b8c9accd3bd20eb4e432f7aec887"
// },
// "Data": "5.7.1"
// }
// ]
// }
// ]
var wpVersion int
for _, result := range results {
if result.Class != types.ClassCustom {
continue
}
for _, c := range result.CustomResources {
if c.Type != typeWPVersion {
continue
}
wpVersion = c.Data.(string)
wasm.Info(fmt.Sprintf("WordPress Version: %s", wpVersion))
...snip...
if affectedVersion.Check(ver) {
vulnerable = true
}
break
}
}
if vulnerable {
// Add CVE-2020-36326
results = append(results, serialize.Result{
Target: wpPath,
Class: types.ClassLangPkg,
Type: "wordpress",
Vulnerabilities: []types.DetectedVulnerability {
{
VulnerabilityID: "CVE-2020-36326",
PkgName: "wordpress",
InstalledVersion: wpVersion,
FixedVersion: "5.7.2",
Vulnerability: dbTypes.Vulnerability{
Title: "PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname.",
Severity: "CRITICAL",
},
},
},
})
}
return results, nil
}
```
The new vulnerability will be added to the scan results.
This example shows how the module inserts a new finding.
If you are interested in `Update`, you can see an example of [Spring4Shell][trivy-module-spring4shell].
In the `Delete` action, `PostScan` needs to return results you want to delete.
If `PostScan` returns an empty, Trivy will not delete anything.
#### Build
Follow [the install guide][tinygo-installation] and install TinyGo.
```bash
$ tinygo build -o wordpress.wasm -scheduler=none -target=wasi --no-debug wordpress.go
```
Put the built binary to the module directory that is under the home directory by default.
```bash
$ mkdir -p ~/.trivy/modules
$ cp wordpress.wasm ~/.trivy/modules
```
## Distribute Your Module
You can distribute your own module in OCI registries. Please follow [the oras installation instruction][oras].
```bash
oras push ghcr.io/aquasecurity/trivy-module-wordpress:latest wordpress.wasm:application/vnd.module.wasm.content.layer.v1+wasm
Uploading 3daa3dac086b wordpress.wasm
Pushed ghcr.io/aquasecurity/trivy-module-wordpress:latest
Digest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f
```
## Examples
- [Spring4Shell][trivy-module-spring4shell]
- [WordPress][trivy-module-wordpress]
[regexp]: https://github.com/google/re2/wiki/Syntax
[tinygo]: https://tinygo.org/
[spring4shell]: https://blog.aquasec.com/zero-day-rce-vulnerability-spring4shell
[wazero]: https://github.com/tetratelabs/wazero
[trivy-module-spring4shell]: https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell
[trivy-module-wordpress]: https://github.com/aquasecurity/trivy-module-wordpress
[tinygo-installation]: https://tinygo.org/getting-started/install/
[oras]: https://oras.land/cli/

27
docs/docs/advanced/private-registries/acr.md
View File

@@ -1,27 +0,0 @@
# Requirements
None, Trivy uses Azure SDK for Go. You don't need to install `az` command.
# Privileges
Service principal must have the `AcrPull` permissions.
## Creation of a service principal
```bash
export SP_DATA=$(az ad sp create-for-rbac --name TrivyTest --role AcrPull --scope "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ContainerRegistry/registries/<registry_name>")
```
# Usage
```bash
# must set TRIVY_USERNAME empty char
export AZURE_CLIENT_ID=$(echo $SP_DATA | jq -r '.appId')
export AZURE_CLIENT_SECRET=$(echo $SP_DATA | jq -r '.password')
export AZURE_TENANT_ID=$(echo $SP_DATA | jq -r '.tenant')
```
# Testing
You can test credentials in the following manner.
```bash
docker run -it --rm -v /tmp:/tmp \
-e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_TENANT_ID \
aquasec/trivy image your_special_project.azurecr.io/your_special_image:your_special_tag
```

2
docs/docs/advanced/private-registries/docker-hub.md
View File

@@ -1,2 +0,0 @@
See [here](./index.md) for the detail.
You don't need to provide a credential when download from public repository.

35
docs/docs/advanced/private-registries/ecr.md
View File

@@ -1,35 +0,0 @@
Trivy uses AWS SDK. You don't need to install `aws` CLI tool.
You can use [AWS CLI's ENV Vars][env-var].
[env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
### AWS private registry permissions
You may need to grant permissions to allow Trivy to pull images from private ECR.
It depends on how you want to provide AWS Role to trivy.
- [IAM Role Service account](https://github.com/aws/amazon-eks-pod-identity-webhook)
- [Kube2iam](https://github.com/jtblin/kube2iam) or [Kiam](https://github.com/uswitch/kiam)
#### IAM Role Service account
Add the AWS role in trivy's service account annotations:
```yaml
trivy:
serviceAccount:
annotations: {}
# eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
```
#### Kube2iam or Kiam
Add the AWS role to pod's annotations:
```yaml
podAnnotations: {}
## kube2iam/kiam annotation
# iam.amazonaws.com/role: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
```

40
docs/docs/advanced/private-registries/gcr.md
View File

@@ -1,40 +0,0 @@
# Requirements
None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
# Privileges
Credential file must have the `roles/storage.objectViewer` permissions.
More information can be found in [Google's documentation](https://cloud.google.com/container-registry/docs/access-control)
## JSON File Format
The JSON file specified should have the following format provided by google's service account mechanisms:
```json
{
"type": "service_account",
"project_id": "your_special_project",
"private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
"private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
"client_email": "somedude@your_special_project.iam.gserviceaccount.com",
"client_id": "1234567890",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com"
}
```
# Usage
If you want to use target project's repository, you can set them via `GOOGLE_APPLICATION_CREDENTIALS`.
```bash
# must set TRIVY_USERNAME empty char
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
```
# Testing
You can test credentials in the following manner (assuming they are in `/tmp` on host machine).
```bash
docker run -it --rm -v /tmp:/tmp\
-e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\
aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag
```

Some files were not shown because too many files have changed in this diff Show More