Open huczas opened 1 year ago
In addition, when you use docker: true and use a path like this example, there is no way to add the path as a volume, and we can't scan local files using docker. It would be convenient to do so because we could always use the latest trivy version to scan our source code.
Hi, we're facing the same issue. Azure DevOps task downloads v0.38.2 when tag is set to "latest".
Hello, too late on the latest image, it's now v0.48.3. Is there another way to reference the last version of the trivy image? I don't understand why Aquasec is not providing a latest tag for the Trivy image.
I just ran into the same issue, here is my workaround:
```yaml
# Store the latest version to the TRIVY_VERSION variable
- bash: |
    version=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | jq -r .tag_name)
    echo "latest version of trivy is $version"
    echo "##vso[task.setvariable variable=TRIVY_VERSION;]$version"
# Actual scan
- task: trivy@1
  inputs:
    image: $(MY_IMAGE)
    docker: false
    version: $(TRIVY_VERSION)
```
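An added example, not part of the thread or of either task's code: the workaround above passes whatever the releases API returns straight into the `##vso[task.setvariable …]` logging command, so a rate-limited or error response sets the version to `null`. The hypothetical helpers `validate_trivy_tag` and `emit_trivy_version` below accept only a plain `vX.Y.Z` tag, assuming Trivy release tags keep that form.

```shell
#!/bin/sh
# Added example (not from the thread): check the resolved tag before it is
# written into the ##vso logging command.

# Succeeds only for a plain vMAJOR.MINOR.PATCH tag such as v0.48.3.
# Rejects "null" (what `jq -r .tag_name` prints when the API returns an error
# body, e.g. on rate limiting), empty output, and any value carrying extra
# characters or lines that would change the logging command.
validate_trivy_tag() {
  vt_tag=$1
  case $vt_tag in
    v[0-9]*) ;;
    *) return 1 ;;
  esac
  vt_rest=${vt_tag#v}
  # `case` matches the whole string, newlines included; a line-based
  # `grep -x` would accept a value whose first line merely looks valid.
  case $vt_rest in
    *[!0-9.]* | *..* | *.) return 1 ;;
  esac
  vt_ifs=$IFS; IFS=.
  set -- $vt_rest          # split on dots; only digits and dots remain here
  IFS=$vt_ifs
  [ "$#" -eq 3 ]
}

# Prints the setvariable command for a valid tag, fails otherwise.
# The rejected value is deliberately not echoed back into the log.
emit_trivy_version() {
  if validate_trivy_tag "$1"; then
    printf '##vso[task.setvariable variable=TRIVY_VERSION;]%s\n' "$1"
  else
    echo "resolved Trivy version is not a vX.Y.Z tag; failing the step" >&2
    return 1
  fi
}

# Pipeline usage (needs curl and jq, as in the workaround):
#   tag=$(curl --silent --fail "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | jq -r .tag_name)
#   emit_trivy_version "$tag" || exit 1

# Constructed sample values, checked offline:
for sample in "v0.48.3" "null" "" "v0.48.3;isOutput=true"; do
  if validate_trivy_tag "$sample"; then echo "accept: '$sample'"; else echo "reject: '$sample'"; fi
done
```

Failing the step on a rejected value keeps the scan from silently running with an unintended version.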
I forked this (trivy-azure-pipelines-task) and enabled container image scanning from containerized trivy. It is thus easy to always use the latest version without workarounds. I also added some more improvements and updated trivy. Feel free to give it a try or create a PR if you need more features. See https://marketplace.visualstudio.com/items?itemName=georg-jung.trivy-contrib and https://github.com/georg-jung/trivy-azure-pipelines-task.
In the Azure DevOps task, when using the Trivy binary and the tag "latest", it's downloading a hardcoded 0.38 version. It is not the latest anymore; this should be fixed:
https://github.com/aquasecurity/trivy-azure-pipelines-task/blob/7516cf958f694c0e8a98a593ac41af218a0a71eb/trivy-task/index.ts#L7C1-L7C37
For now, I'm using a workaround in the task, writing the fixed version v0.44.1.