Open krol3 opened 3 years ago
I have a similar issue where a manual scan locally will show CVEs, but if I tell it to output as SARIF I get no results;
trivy fs --security-checks vuln,config --f template --template "@contrib/sarif.tpl" -o report.sarif --severity CRITICAL,HIGH,MEDIUM,LOW ~/path/to/repo
returns
{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Trivy",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "fullName": "Trivy Vulnerability Scanner",
          "version": "0.15.0",
          "rules": []
        }
      },
      "results": [],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///"
        }
      }
    }
  ]
}
Whereas trivy fs --security-checks vuln,config --severity CRITICAL,HIGH ~/path/to/repo
will give a detailed analysis.
@detnon, the trivy-action plugin was updated; I will try to test again.
Using the SARIF template, I can't see the information about the misconfiguration details.
Github workflow: https://github.com/krol3/demo-trivy/blob/main/.github/workflows/trivy-missconfiguration.yaml
See the output of this workflow: https://github.com/krol3/demo-trivy/pull/2/checks?check_run_id=3705915823
In the Trivy scan, I see a total of 30 CVEs, and in the SARIF report only 2. Can you help me understand the result in the SARIF template?
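Both comments above describe the same symptom (a Trivy scan that reports findings, and a SARIF file rendered from the same scan that carries far fewer or none), so the first thing worth checking is exactly which vulnerability IDs made it into the SARIF `results` array. The script below is an added example, not code from this thread or from the Trivy project: it parses a Trivy JSON report and a SARIF log and prints the IDs that appear in one but not the other. The two inputs are constructed samples; the Trivy JSON shape assumed here is `Results[].Vulnerabilities[].VulnerabilityID` (with the older bare-list form also accepted), and the SARIF shape follows the empty run quoted in the issue (`runs[].results[].ruleId` and `runs[].tool.driver.rules[].id`).

```python
"""Diff the vulnerability IDs in a Trivy JSON report against the ruleIds in
a SARIF log rendered from the same scan.

Added example, not part of the issue thread or of Trivy. Both inputs below
are constructed to reproduce the "many findings in the scan, few in SARIF"
symptom; the JSON field names are assumptions about Trivy's report shape.
"""
import json

# Constructed Trivy JSON report: four finding rows, three unique CVEs
# (CVE-2021-0001 is reported once per affected package).
TRIVY_JSON = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {"Target": "package-lock.json",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-0001", "PkgName": "a", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2021-0002", "PkgName": "b", "Severity": "CRITICAL"},
         ]},
        {"Target": "Dockerfile",          # misconfiguration-only target: no Vulnerabilities key
         "Misconfigurations": [{"ID": "DS002", "Severity": "HIGH"}]},
        {"Target": "go.sum",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-0001", "PkgName": "c", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2021-0003", "PkgName": "d", "Severity": "MEDIUM"},
         ]},
    ],
})

# Constructed SARIF log in which only one of the three CVEs was emitted.
SARIF_JSON = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [{"id": "CVE-2021-0002"}]}},
        "results": [{"ruleId": "CVE-2021-0002", "level": "error",
                     "message": {"text": "CRITICAL"}}],
    }],
})


def _trivy_results(report_text):
    """Yield the Results entries, accepting the SchemaVersion 2 object form
    ({"Results": [...]}) and the older bare list of results."""
    doc = json.loads(report_text)
    results = doc.get("Results") if isinstance(doc, dict) else doc
    return results or []


def trivy_finding_count(report_text):
    """Number of vulnerability rows (one per package/CVE pair) in the report.
    This is the figure a scan's terminal table adds up to."""
    return sum(len(r.get("Vulnerabilities") or []) for r in _trivy_results(report_text))


def trivy_vuln_ids(report_text):
    """Set of unique VulnerabilityIDs; targets without a Vulnerabilities key
    (misconfiguration-only targets) are skipped."""
    ids = set()
    for result in _trivy_results(report_text):
        for vuln in result.get("Vulnerabilities") or []:
            ids.add(vuln["VulnerabilityID"])
    return ids


def sarif_rule_ids(sarif_text):
    """Return (ruleIds referenced by results, rule ids declared in the driver).
    A rule that is declared but never referenced by a result is invisible in
    most SARIF viewers, so the two sets are kept apart."""
    doc = json.loads(sarif_text)
    referenced, declared = set(), set()
    for run in doc.get("runs", []):
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            declared.add(rule["id"])
        for result in run.get("results", []):
            rule_id = result.get("ruleId")
            if rule_id:
                referenced.add(rule_id)
    return referenced, declared


def compare(report_text, sarif_text):
    """Return (CVE ids present in Trivy JSON but absent from SARIF results,
    ruleIds present in SARIF results with no Trivy counterpart)."""
    trivy_ids = trivy_vuln_ids(report_text)
    sarif_ids, _declared = sarif_rule_ids(sarif_text)
    return sorted(trivy_ids - sarif_ids), sorted(sarif_ids - trivy_ids)


if __name__ == "__main__":
    print(f"Trivy finding rows: {trivy_finding_count(TRIVY_JSON)}, "
          f"unique CVEs: {len(trivy_vuln_ids(TRIVY_JSON))}")
    missing, extra = compare(TRIVY_JSON, SARIF_JSON)
    print(f"in Trivy JSON but not in SARIF results: {missing}")
    print(f"in SARIF results but not in Trivy JSON: {extra}")
```

Run it against real files by swapping the constructed strings for `open(path).read()` of a `trivy ... -f json -o report.json` run and the SARIF rendered from the same scan. Reporting both the raw row count and the unique-ID count separates two very different explanations for a gap like "30 versus 2": a SARIF file that collapses repeated CVEs to one rule and one result per ID will match on unique IDs while the row counts differ, whereas a template or filter that dropped findings shows up as IDs listed in the first set returned by `compare`.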