Open Yuga05 opened 2 years ago
try using trivy_version: "0.22.0"
Solved the problem @jananathbanuka
@jananathbanuka Seeing a similar issue with the latest version of Trivy:
Run lazy-actions/gitrivy@v3
Download URL: https://github.com/aquasecurity/trivy/releases/download/v0.37.3/trivy_0.37.3_Linux-64bit.tar.gz
Trivy Command Path: /home/runner/work/app/app/trivy
Error: Failed to execute Trivy command.
exit code: 1
stdout:
stderr: Error: unknown flag: --severity
Usage:
trivy [global flags] command [flags] target
trivy [command]
Examples:
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Scan local filesystem
$ trivy fs .
# Run in server mode
$ trivy server
...etc...
Use "trivy [command] --help" for more information about a command.
2023-02-25T21:41:26.836Z FATAL unknown flag: --severity
What is causing this? Clearly the --severity flag exists in v0.37.3:
trivy image --severity HIGH,CRITICAL $image
@ventz Same as above. In my case, the Trivy version in use is v0.38.3, and the official repo mentions the --severity option in its references, but gitrivy got the error...
https://github.com/aquasecurity/trivy/blob/main/docs/docs/references/cli/trivy_image.md?plain=1#L85
Run lazy-actions/gitrivy@v3
Download URL: https://github.com/aquasecurity/trivy/releases/download/v0.38.3/trivy_0.38.3_Linux-64bit.tar.gz
Trivy Command Path: /home/runner/work/glocalist-backend/glocalist-backend/trivy
Error: Failed to execute Trivy command.
exit code: 1
stdout:
stderr: Error:
unknown flag: --severity
Downloaded and extracted the trivy binary from the link above; v0.38.3 does have the option for image scans:
$ wget https://github.com/aquasecurity/trivy/releases/download/v0.38.3/trivy_0.38.3_Linux-64bit.tar.gz
$ tar -xzvf ./trivy_0.38.3_Linux-64bit.tar.gz
$ ./trivy --version
Version: 0.38.3
$ ./trivy image --help
Scan a container image
Usage:
trivy image [flags] IMAGE_NAME
Aliases:
image, i
Examples:
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Filter by severities
$ trivy image --severity HIGH,CRITICAL alpine:3.15
# Ignore unfixed/unpatched vulnerabilities
$ trivy image --ignore-unfixed alpine:3.15
# Scan a container image in client mode
$ trivy image --server http://127.0.0.1:4954 alpine:latest
# Generate json result
$ trivy image --format json --output result.json alpine:3.15
# Generate a report in the CycloneDX format
$ trivy image --format cyclonedx --output result.cdx alpine:3.15
# (...)
Report Flags
--compliance string compliance report to generate (docker-cis)
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
-f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
--report string specify a format for the compliance report. (default "summary")
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
# (...)
Seems this PR will fix this issue, but it has not been merged yet...
@hwakabh Thank you for mentioning this!
Hi guys,
Getting an error while using this action.
Looks like there is a PR open for this issue - can you merge it? https://github.com/lazy-actions/gitrivy/pull/109