base repository: aquasecurity/trivy-action
base: 0.29.0
head repository: aquasecurity/trivy-action
compare: 0.30.0
  • 4 commits
  • 9 files changed
  • 4 contributors

Commits on Jan 7, 2025

  1. fix: Update default trivy version in README (#444)

    As part of PR #434 the default trivy version got bumped
    but the readme didn't reflect it.
    derrix060 authored Jan 7, 2025

    Verified: signed with the committer’s verified signature (the key has expired); signer levrik (Levin Rickert)
    a11da62

Commits on Mar 12, 2025

  1. fix: typo in description of an input for action.yaml (#452)

    yutatokoi authored Mar 12, 2025

    Verified: created on GitHub.com and signed with GitHub’s verified signature (the key has expired)
    ef1b561
  2. Improve README/SBOM (#439)

    * Improve README/SBOM
    
    * Use logical workflow name
    * Use modern ubuntu version
    
    * Update README.md
    AB-xdev authored Mar 12, 2025
    53e8848

Commits on Mar 14, 2025

  1. chore: bump trivy to v0.60.0 (#453)

    Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
    nikpivkin authored Mar 14, 2025
    6c175e9
2 changes: 1 addition & 1 deletion .github/workflows/test.yaml
@@ -6,7 +6,7 @@ on:
workflow_dispatch:

env:
TRIVY_VERSION: 0.57.1
TRIVY_VERSION: 0.60.0
BATS_LIB_PATH: '/usr/lib/'

jobs:
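Review bot: the `TRIVY_VERSION: 0.60.0` bump agrees with the new `default: 'v0.60.0'` in action.yaml, but the README setup-trivy example in this same compare moves to `v0.60.1`; unless the test suite is meant to exercise a different patch release than the docs advertise, use one version string everywhere so the fixtures regenerated here match what users actually get.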
18 changes: 8 additions & 10 deletions README.md
@@ -215,7 +215,7 @@ jobs:
uses: aquasecurity/setup-trivy@v0.2.0
with:
cache: true
version: v0.57.1
version: v0.60.1
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
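Review bot: `version: v0.60.1` in the setup-trivy example disagrees with the `v0.60.0` used as the action.yaml default and in the inputs table of this same bump; that looks like a typo and is exactly the drift #444 just fixed, so change it to v0.60.0. While this block is open: the example pins setup-trivy to a release tag but references `aquasecurity/trivy-action@master`, so a reader copying it runs whatever is on master; point it at a release tag or commit SHA for a reproducible, reviewable dependency.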
@@ -567,7 +567,7 @@ In order to send results to GitHub Dependency Graph, you will need to create a [

```yaml
---
name: Pull Request
name: Generate SBOM
on:
push:
branches:
@@ -578,9 +578,8 @@ permissions:
contents: write
jobs:
build:
name: Checks
runs-on: ubuntu-20.04
generate-sbom:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
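Review bot: `runs-on: ubuntu-latest` is a moving target, which is acceptable for a documentation example, but the `ubuntu-20.04` pin it replaces shows how a fixed image ages out; if reproducibility matters more than freshness for readers, pin an explicit current LTS and say why. The rename to `generate-sbom` and dropping the `name: Checks` label read fine.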
@@ -601,7 +600,7 @@ You can upload the report as an artifact and download it, for instance using the

```yaml
---
name: Pull Request
name: Generate SBOM
on:
push:
branches:
@@ -612,9 +611,8 @@ permissions:
contents: write
jobs:
build:
name: Checks
runs-on: ubuntu-20.04
generate-sbom:
runs-on: ubuntu-latest
steps:
- name: Scan image in a private registry
uses: aquasecurity/trivy-action@0.28.0
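Review bot: the context line `uses: aquasecurity/trivy-action@0.28.0` in this edited example still pins a release two versions behind the 0.30.0 head of this compare; since the block is being touched anyway, bump the example to the release being cut so the docs and the action stay in step.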
@@ -849,7 +847,7 @@ Following inputs can be used as `step.with` keys:
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
| `version` | String | `v0.56.2` | Trivy version to use, e.g. `latest` or `v0.56.2` |
| `version` | String | `v0.60.0` | Trivy version to use, e.g. `latest` or `v0.60.0` |
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
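Review bot: the old row listed `v0.56.2` while the old action.yaml default was `v0.57.1`, so the table had already drifted before this bump and is now being hand-corrected again; consider generating this row from action.yaml, or adding a test that asserts the README default equals the `version` input default, so the next bump cannot leave them apart.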

4 changes: 2 additions & 2 deletions action.yaml
@@ -8,7 +8,7 @@ inputs:
required: false
default: 'image'
image-ref:
description: 'image reference(for backward compatibility)'
description: 'image reference (for backward compatibility)'
required: false
input:
description: 'reference of tar file to scan'
@@ -98,7 +98,7 @@ inputs:
version:
description: 'Trivy version to use'
required: false
default: 'v0.57.1'
default: 'v0.60.0'
cache:
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
required: false
2 changes: 1 addition & 1 deletion test/data/config-sarif-report/report.sarif
@@ -205,7 +205,7 @@
"text": "S3 buckets should each define an aws_s3_bucket_public_access_block"
},
"fullDescription": {
"text": "The &#34;block public access&#34; settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.\n"
"text": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.\n"
},
"defaultConfiguration": {
"level": "note"
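Review bot: the fixture now expects `\"block public access\"` in place of `&#34;block public access&#34;`, which is the correct form for a string inside SARIF JSON (HTML entities were an artefact of the older output); confirm the bats comparison is exact so this fixture is actually exercised, and note that the surviving phrase `in one central types` is Trivy's own rule text, not something to fix in this repository.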
30 changes: 21 additions & 9 deletions test/data/config-scan/report.json
@@ -90,7 +90,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -150,7 +151,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -210,7 +212,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -271,7 +274,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -388,7 +392,11 @@
"EndLine": 18
}
}
]
],
"RenderedCause": {
"Raw": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {\n versioning_configuration {\n status = \"Disabled\"\n }\n}",
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {\n versioning_configuration {\n \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;37m\"Disabled\"\n\u001b[0m }\n}"
}
}
},
{
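Review bot: the `Highlighted` string embeds ANSI colour escapes (`\u001b[38;5;33m`, `\u001b[0m`), so this JSON fixture is only stable if the CI invocation produces colour deterministically rather than by TTY detection; if the bats test compares the file byte-for-byte, fix the trivy call's colour setting explicitly, otherwise this hunk will make the test flip between local and CI runs. The other eight hunks in this file, which add an empty `"RenderedCause": {}`, need no comment.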
@@ -448,7 +456,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -508,7 +517,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -568,7 +578,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -628,7 +639,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
}
]
12 changes: 12 additions & 0 deletions test/data/fs-scan/report
@@ -0,0 +1,12 @@

Report Summary

┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼──────┼─────────────────┼─────────┤
│ - │ - │ - │ - │
└────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

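Review bot: the new summary shows `-` (Not scanned) for both Vulnerabilities and Secrets with no target named, so this fixture records a run in which nothing was scanned at all; if that is intended (an empty or unsupported directory), say so beside the fixture, because a `-` summary is also exactly what a wrong scan type or path produces, and a test that accepts it will not catch that regression. The same applies to the identical rootfs-scan/report fixture.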
14 changes: 14 additions & 0 deletions test/data/image-scan/report
@@ -1,4 +1,18 @@

Report Summary

┌──────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ knqyf263/vuln-image:1.2.3 (alpine 3.7.1) │ alpine │ 19 │ - │
├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ rust-app/Cargo.lock │ cargo │ 4 │ - │
└──────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)
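Review bot: the Secrets column reads `-` for both targets, meaning secret scanning was not enabled for this invocation rather than that the image is clean; that is fine for a vulnerability fixture, but the test should not treat the summary table as evidence of a full scan. Also keep the table rows in the comparison: the `rust-app/Cargo.lock` count of 4 appears only there, since the fixture ends after the alpine `Total:` line.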
12 changes: 12 additions & 0 deletions test/data/rootfs-scan/report
@@ -0,0 +1,12 @@

Report Summary

┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼──────┼─────────────────┼─────────┤
│ - │ - │ - │ - │
└────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

14 changes: 14 additions & 0 deletions test/data/with-ignore-files/report
@@ -1,4 +1,18 @@

Report Summary

┌──────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ knqyf263/vuln-image:1.2.3 (alpine 3.7.1) │ alpine │ 19 │ - │
├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ rust-app/Cargo.lock │ cargo │ 1 │ - │
└──────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 19 (CRITICAL: 19)
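Review bot: compared with the image-scan fixture, the ignore file drops `rust-app/Cargo.lock` from 4 findings to 1 while the alpine target stays at 19; it is worth asserting the specific ignored IDs somewhere in the test, so that a future change to the ignore file that silently widens suppression shows up as a failure rather than as a smaller number in a fixture.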