aquasecurity / trivy-azure-pipelines-task

An Azure Pipelines Task for trivy
https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-official
MIT License

Not a latest image, code bug #45

Open huczas opened 1 year ago

huczas commented 1 year ago

In the Azure DevOps task, using the Trivy binary and the tag "latest", it's downloading the hardcoded 0.38 version. It is not the latest anymore; this should be fixed:

https://github.com/aquasecurity/trivy-azure-pipelines-task/blob/7516cf958f694c0e8a98a593ac41af218a0a71eb/trivy-task/index.ts#L7C1-L7C37

For now, I'm using a workaround in the task by writing the fixed version v0.44.1.

    - task: trivy@1
      displayName: Trivy Repository Scan
      inputs:
        version: "v0.44.1"
        docker: false
        path: ${{ variables.DIRECTORY }}
        severities: ${{ variables.SEVERITIES }}
        options: "--timeout 10m"
        exitCode: ${{ variables.EXITCODE }}

PawelHaracz commented 1 year ago

In addition, when you use docker: true and a path like in this example, there is no way to add the path as a volume, so we can't scan local files using Docker. It would be convenient to have this, because we could always use the latest Trivy version to scan our source code.

riccardo-giuffre commented 11 months ago

Hi, we're facing the same issue. The Azure DevOps task downloads v0.38.2 when the tag is set to "latest".


julienLemarie commented 8 months ago

Hello. Too late on the latest image, it's now v0.48.3. Is there another way to reference the last version of the trivy image? I don't understand why Aquasec is not providing a latest tag for the Trivy image.

corentinvds commented 6 months ago

I just ran into the same issue, here is my workaround:

    # Store the latest version in the TRIVY_VERSION variable
    - bash: |
        # --fail makes curl exit non-zero on HTTP errors (e.g. API rate limiting)
        # instead of piping an error body into jq
        version=$(curl --silent --fail "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | jq -r .tag_name)
        # Stop here if no usable tag came back, so the task is not given a bogus version
        if [ -z "$version" ] || [ "$version" = "null" ]; then
          echo "##vso[task.logissue type=error]could not determine latest trivy version"
          exit 1
        fi
        echo "latest version of trivy is $version"
        echo "##vso[task.setvariable variable=TRIVY_VERSION;]$version"
      displayName: Resolve latest Trivy version

    # Actual scan
    - task: trivy@1
      inputs:
        image: $(MY_IMAGE)
        docker: false
        version: $(TRIVY_VERSION)

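A hardened variant of the "resolve the latest release" step above, added here as an example and not taken from the issue or the project: it validates the tag returned by the GitHub API against a strict `vX.Y.Z` pattern before it is written into the `##vso[task.setvariable]` logging command, and falls back to a pinned version when the API returns no usable tag (for example when rate limited). The function names, the sample JSON bodies and the pinned version are constructed for this example.

```shell
#!/usr/bin/env sh
# Resolve the Trivy version to hand to the trivy@1 task (hypothetical helper functions).

# Pull tag_name out of a GitHub "releases/latest" JSON body. sed is used instead of jq
# so the step also runs on agents without jq installed.
extract_tag() {
  printf '%s' "$1" | sed -n 's/.*"tag_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Accept only a plain release tag such as v0.48.3. Anything else (empty, "null",
# or arbitrary text from an unexpected API response) is rejected so it can never
# be interpolated into the Azure Pipelines logging command.
is_valid_tag() {
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
}

# resolve_trivy_version JSON_BODY PINNED_FALLBACK -> prints the tag to use
resolve_trivy_version() {
  tag=$(extract_tag "$1")
  if is_valid_tag "$tag"; then
    printf '%s\n' "$tag"
  else
    printf '%s\n' "$2"   # fall back to the pinned, known-good version
  fi
}

# Build the logging command that exports TRIVY_VERSION to later pipeline steps.
setvariable_cmd() {
  printf '##vso[task.setvariable variable=TRIVY_VERSION;]%s\n' "$1"
}

# Constructed sample responses (not real API output) and a constructed pinned version.
SAMPLE_OK='{"url":"https://api.github.com/repos/aquasecurity/trivy/releases/1","tag_name":"v0.48.3","name":"v0.48.3"}'
SAMPLE_RATE_LIMITED='{"message":"API rate limit exceeded","documentation_url":"https://docs.github.com/"}'
PINNED="v0.44.1"

# In a pipeline step the body would come from:
#   body=$(curl -fsSL "https://api.github.com/repos/aquasecurity/trivy/releases/latest")
setvariable_cmd "$(resolve_trivy_version "$SAMPLE_OK" "$PINNED")"
setvariable_cmd "$(resolve_trivy_version "$SAMPLE_RATE_LIMITED" "$PINNED")"
```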
georg-jung commented 6 months ago

I forked this (trivy-azure-pipelines-task) and enabled container image scanning from containerized trivy. It is thus easy to always use the latest version without workarounds. I also added some more improvements and updated trivy. Feel free to give it a try or create a PR if you need more features. See https://marketplace.visualstudio.com/items?itemName=georg-jung.trivy-contrib and https://github.com/georg-jung/trivy-azure-pipelines-task.