diff --git a/README.md b/README.md
index 230e2d0..4b3a207 100644
--- a/README.md
+++ b/README.md
@@ -501,6 +501,7 @@ Following inputs can be used as `step.with` keys:
 | `security-checks` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
 | `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
 | `github-pat` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
+| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 
 [release]: https://github.com/aquasecurity/trivy-action/releases/latest
 [release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
diff --git a/action.yaml b/action.yaml
index b9b7d8c..f2dcc23 100644
--- a/action.yaml
+++ b/action.yaml
@@ -88,6 +88,9 @@ inputs:
 trivy-config:
 description: 'path to trivy.yaml config'
 required: false
+ limit-severities-for-sarif:
+ description: 'limit severities for SARIF format'
+ required: false
 
 runs:
 using: 'docker'
@@ -115,3 +118,4 @@ runs:
 - '-t ${{ inputs.trivyignores }}'
 - '-u ${{ inputs.github-pat }}'
 - '-v ${{ inputs.trivy-config }}'
+ - '-z ${{ inputs.limit-severities-for-sarif }}'
diff --git a/entrypoint.sh b/entrypoint.sh
index 2882612..f265929 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
 case "${o}" in
 a)
 export scanType=${OPTARG}
@@ -68,6 +68,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
 v)
 export trivyConfig=${OPTARG}
 ;;
+ z)
+ export limitSeveritiesForSARIF=${OPTARG}
+ ;;
 esac
 done
 
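Review bot: The new `limit-severities-for-sarif` input in action.yaml declares no `default:`, although the README row added in the same commit documents its default as `false`, so the value actually passed through `-z` is an empty string. Adding `default: 'false'` under the input keeps action.yaml consistent with the documented contract and makes the boolean explicit to anyone reading the action metadata. The description `'limit severities for SARIF format'` also does not say what the flag changes; `description: 'when true, apply the configured severities to the SARIF report instead of reporting all vulnerabilities'` would state the behavior the README describes.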
@@ -81,8 +84,10 @@ input=$(echo $input | tr -d '\r')
 if [ $input ]; then
 artifactRef="--input $input"
 fi
+#trim leading spaces for boolean params
 ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
 hideProgress=$(echo $hideProgress | tr -d '\r')
+limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')
 
 GLOBAL_ARGS=""
 if [ $cacheDir ];then
@@ -164,7 +169,13 @@ if [ "$skipFiles" ];then
 fi
 
 trivyConfig=$(echo $trivyConfig | tr -d '\r')
-if [ $trivyConfig ]; then
+if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
+ # SARIF is special. We output all vulnerabilities,
+ # regardless of severity level specified in this report.
+ # This is a feature, not a bug :)
+ echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
+ trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
+elif [ $trivyConfig ]; then
 echo "Running Trivy with trivy.yaml config from: " $trivyConfig
 trivy --config $trivyConfig ${scanType} ${artifactRef}
 returnCode=$?
@@ -175,14 +186,6 @@ else
 returnCode=$?
 fi
 
-# SARIF is special. We output all vulnerabilities,
-# regardless of severity level specified in this report.
-# This is a feature, not a bug :)
-if [[ "${format}" == "sarif" ]]; then
- echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
- trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
-fi
-
 if [[ "${format}" == "github" ]]; then
 if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
 printf "\n Uploading GitHub Dependency Snapshot"
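Review bot: The added comment `#trim leading spaces for boolean params` does not describe what the pipeline below it does: `tr -d '\r'` deletes carriage returns, and any whitespace trimming is only a side effect of the unquoted `$limitSeveritiesForSARIF` being word-split by `echo`. A comment such as `# strip stray CRs (e.g. from CRLF workflow files) from the boolean params` would match the code. Since the unquoted `echo $var` also glob-expands the value, the new line could avoid both the subshell and the globbing with `limitSeveritiesForSARIF=${limitSeveritiesForSARIF//$'\r'/}`, though the two existing lines above it use the same idiom and would want the same treatment.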
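Review bot: The new `if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]` branch takes precedence over `elif [ $trivyConfig ]`, so a `trivy.yaml` supplied through `trivy-config` is silently ignored whenever a SARIF report is built, whereas before this change the config-driven scan ran and the SARIF build followed it. If that is intended, the comment block should say so and the user should be told, e.g. `[ -n "$trivyConfig" ] && echo "trivy-config is ignored when building the SARIF report" >&2`; otherwise pass `--config $trivyConfig` to the SARIF `trivy` call as well. The SARIF branch is also the only one of the chain that does not assign `returnCode=$?`, so whatever reads `returnCode` after this hunk (outside my view) sees it unset on that path. The if/elif/else chain continues past the end of the hunk.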