aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

trivy-action using config option and template sarif #65

Open krol3 opened 3 years ago

krol3 commented 3 years ago

Using the template sarif, I can't see the information about the misconfiguration details.

Github workflow: https://github.com/krol3/demo-trivy/blob/main/.github/workflows/trivy-missconfiguration.yaml

See the output of this workflow: https://github.com/krol3/demo-trivy/pull/2/checks?check_run_id=3705915823

In the trivy scanning, I see a total of 30 CVEs, and in the sarif report only 2. Can you help me understand the result in the sarif template?

detnon commented 2 years ago

I have a similar issue where a manual scan locally shows CVEs, but if I tell it to output as sarif I get no results; trivy fs --security-checks vuln,config --f template --template "@contrib/sarif.tpl" -o report.sarif --severity CRITICAL,HIGH,MEDIUM,LOW ~/path/to/repo

returns

{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Trivy",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "fullName": "Trivy Vulnerability Scanner",
          "version": "0.15.0",
          "rules": []
        }
      },
      "results": [],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///"
        }
      }
    }
  ]
}

Whereas trivy fs --security-checks vuln,config --severity CRITICAL,HIGH ~/path/to/repo will give a detailed analysis.
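When the table output and the SARIF file disagree, the quickest way to see what actually reached the report is to count what is in the SARIF itself: how many rules the driver declared, how many results exist, and how they split by rule and level. The script below is an added example for this thread, not code from trivy-action or Trivy. It parses the empty report quoted above plus a constructed non-empty report (the rule ids and file paths in it are made up) and flags a report whose every run has zero results, which is the case that silently passes an upload step in CI.

```python
import json
from collections import Counter

# The empty SARIF document quoted in the comment above (Trivy 0.15.0, sarif.tpl).
EMPTY_SARIF_TEXT = """{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [{"tool": {"driver": {"name": "Trivy",
      "informationUri": "https://github.com/aquasecurity/trivy",
      "fullName": "Trivy Vulnerability Scanner", "version": "0.15.0", "rules": []}},
    "results": [], "columnKind": "utf16CodeUnits",
    "originalUriBaseIds": {"ROOTPATH": {"uri": "file:///"}}}]
}"""

# Constructed sample of a non-empty report. Rule ids, levels and paths are invented
# purely to exercise the summary; they are not real findings from the thread.
SAMPLE_SARIF_TEXT = """{
  "version": "2.1.0",
  "runs": [{"tool": {"driver": {"name": "Trivy", "version": "0.0.0-constructed",
      "rules": [
        {"id": "CVE-0000-0001", "defaultConfiguration": {"level": "error"}},
        {"id": "CVE-0000-0002", "defaultConfiguration": {"level": "warning"}}
      ]}},
    "results": [
      {"ruleId": "CVE-0000-0001", "level": "error",
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/go.sum"}}}]},
      {"ruleId": "CVE-0000-0001", "level": "error",
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "svc/go.sum"}}}]},
      {"ruleId": "CVE-0000-0002",
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/go.sum"}}}]}
    ]}]
}"""


def parse_sarif(text):
    """Parse SARIF JSON text and reject anything that is not a SARIF 2.1.0 document."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0" or not isinstance(doc.get("runs"), list):
        raise ValueError("not a SARIF 2.1.0 document")
    return doc


def summarize_sarif(doc):
    """Return one summary dict per run: tool, rule count, result count, counts by level/rule."""
    summaries = []
    for run in doc["runs"]:
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        results = run.get("results", [])
        by_level, by_rule = Counter(), Counter()
        for res in results:
            rule_id = res.get("ruleId", "<no ruleId>")
            by_rule[rule_id] += 1
            level = res.get("level")
            if level is None:
                # SARIF lets a result omit "level"; it then comes from the rule's
                # defaultConfiguration, and "warning" is the spec default after that.
                level = (rules.get(rule_id, {})
                         .get("defaultConfiguration", {})
                         .get("level", "warning"))
            by_level[level] += 1
        summaries.append({
            "tool": driver.get("name"),
            "version": driver.get("version"),
            "rules": len(rules),
            "results": len(results),
            "by_level": dict(by_level),
            "by_rule": dict(by_rule),
        })
    return summaries


def is_silently_empty(doc):
    """True when no run carries a single result: uploading such a file passes the check."""
    return all(not run.get("results") for run in doc["runs"])


if __name__ == "__main__":
    for label, text in (("thread report", EMPTY_SARIF_TEXT), ("constructed", SAMPLE_SARIF_TEXT)):
        doc = parse_sarif(text)
        print(label, summarize_sarif(doc), "EMPTY" if is_silently_empty(doc) else "")
```

Run it against the report.sarif your workflow uploads; if `results` is 0 while the table output lists findings, the loss happened in the template/format step rather than in the scan, which is the distinction this thread is trying to make.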

krol3 commented 2 years ago

@detnon the trivy-action plugin was updated, I will try to test again.