Closed jplimack closed 2 years ago
@jplimack thanks for your report! We're working on a new sarif template right now, and will study your suggestion. thanks a lot!
@afdesk I should mention that I bumped the version to aquasec/trivy:0.21.3 within my github/action-trivy, and as I noted, needed to fix the output slightly:

```sh
jq '.runs[].results[].locations[].physicalLocation.artifactLocation.uri = "./"' trivy-results.sarif > trivy-results-fixed.sarif
```
@jplimack thanks again. we'll check it too.
@afdesk mind cutting a new release and I'll test it out and report back?
@jplimack I forgot to write you, that we released new versions.
Now the current Trivy v0.24.2 supports SARIF format:

```sh
$ trivy image --format sarif --output result.sarif alpine:latest
```
Please feel free to reopen it if you still have any issues.
Description

Severity level is set as a tag, but the `level` field is set to `error`. This causes the GitHub security dashboard to mark a repo as clear despite containing numerous CVEs at multiple levels.

What did you expect to happen?

The `problem.severity` element should be populated to say `HIGH` or whatever the actual severity is.

What happened instead?

No severities appear on the GitHub security dashboard, and it says the repo is clear, allowing pull requests to be merged and ignoring all severity of issues. This is what the Trivy GitHub action produces, though I did have to fix it a little.

Output of `trivy -v`:

Additional details (base image name, container registry info...):
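The report above describes two separate problems in the SARIF: every result carries `level: error` regardless of severity, and the severity itself lives only in a rule tag, which GitHub code scanning does not read. The following post-processor is an added example, not Trivy's own code or template: it derives a severity from each rule's tags, writes a matching SARIF `level` on every result, adds the `security-severity` rule property that GitHub code scanning uses to rank security alerts (the reporter's suggested `problem.severity` is the property GitHub uses for non-security findings), and optionally rewrites the artifact URI the way the jq one-liner earlier in the thread does. The tag-to-level mapping, the numeric scores, and the sample document with its placeholder CVE ids are all assumptions made for the example.

```python
"""Normalize a Trivy SARIF report so GitHub code scanning can rank each finding.

Added example, not Trivy's own code. Usage: python fix_sarif.py in.sarif out.sarif
"""
import copy
import json
import sys

# Assumed mapping from Trivy severity tags to SARIF result levels.
SEVERITY_TO_LEVEL = {
    "CRITICAL": "error",
    "HIGH": "error",
    "MEDIUM": "warning",
    "LOW": "note",
    "UNKNOWN": "note",
}

# Representative scores inside the bands GitHub documents for the
# `security-severity` rule property (>= 9.0 critical, 7.0-8.9 high,
# 4.0-6.9 medium, < 4.0 low). Chosen values are an assumption.
SEVERITY_TO_SCORE = {
    "CRITICAL": "9.5",
    "HIGH": "8.0",
    "MEDIUM": "5.5",
    "LOW": "2.0",
    "UNKNOWN": "0.0",
}


def severity_from_tags(tags):
    """Return the first tag that names a severity, else UNKNOWN."""
    for tag in tags:
        if tag.upper() in SEVERITY_TO_LEVEL:
            return tag.upper()
    return "UNKNOWN"


def fix_sarif(doc, uri=None):
    """Return a copy of `doc` with per-result levels, rule scores and
    (if `uri` is given) artifact URIs rewritten. The input is left untouched."""
    doc = copy.deepcopy(doc)
    for run in doc.get("runs", []):
        rule_severity = {}
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for rule in rules:
            props = rule.setdefault("properties", {})
            sev = severity_from_tags(props.get("tags", []))
            rule_severity[rule["id"]] = sev
            props["security-severity"] = SEVERITY_TO_SCORE[sev]
        for result in run.get("results", []):
            sev = rule_severity.get(result.get("ruleId"), "UNKNOWN")
            result["level"] = SEVERITY_TO_LEVEL[sev]
            if uri is not None:
                # Same effect as the jq one-liner from the thread: GitHub wants a
                # repository-relative path, which an image scan does not have.
                for loc in result.get("locations", []):
                    art = loc.get("physicalLocation", {}).get("artifactLocation")
                    if art is not None:
                        art["uri"] = uri
    return doc


def count_levels(doc):
    """Count results per SARIF level; an all-'error' histogram is the symptom."""
    counts = {}
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "none")
            counts[level] = counts.get(level, 0) + 1
    return counts


def _rule(rule_id, severity):
    return {"id": rule_id, "properties": {"tags": ["vulnerability", "security", severity]}}


def _result(rule_id):
    return {
        "ruleId": rule_id,
        "level": "error",  # what the reporter observed: every result is 'error'
        "message": {"text": "constructed finding"},
        "locations": [{"physicalLocation": {"artifactLocation": {"uri": "library/alpine"}}}],
    }


# Constructed sample in the shape of a Trivy SARIF report; the ids are placeholders.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            _rule("CVE-0000-0001", "HIGH"),
            _rule("CVE-0000-0002", "MEDIUM"),
            _rule("CVE-0000-0003", "LOW"),
        ]}},
        "results": [_result("CVE-0000-0001"), _result("CVE-0000-0002"), _result("CVE-0000-0003")],
    }],
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            src = json.load(f)
        with open(sys.argv[2], "w") as f:
            json.dump(fix_sarif(src, uri="./"), f, indent=2)
    else:
        print(count_levels(SAMPLE_SARIF), "->", count_levels(fix_sarif(SAMPLE_SARIF)))
```

Run it against the sample and the histogram moves from three `error` results to one `error`, one `warning` and one `note`, which is what the dashboard needs in order to show anything other than "clear". Check the result by uploading the rewritten file and confirming that each alert now carries a severity label rather than relying on the tag.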