test

aquasecurity/trivy-action#399 (comment) Signed-off-by: knqyf263 <knqyf263@gmail.com>
knqyf263 · Oct 11, 2024 · e8dbe61 · e8dbe61
1 parent ce321d9
commit e8dbe61
Show file tree

Hide file tree

Showing 2 changed files with 103 additions and 0 deletions.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -0,0 +1,26 @@
+name: Scan image
+on:
+  workflow_dispatch:
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Vulnerability scan (fixed and non-fixed)
+        uses: aquasecurity/trivy-action@0.25.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+        with:
+          image-ref: 'alpine:3.20.0'
+          format: 'template'
+          # Manually downloaded the template from the Trivy GitHub repo since it is somehow not found by default
+          template: '@/github/workspace/.github/workflows/trivy_html_template.tpl'
+          output: 'report.html'
+          severity: 'HIGH,CRITICAL'
+          timeout: '12m'
diff --git a/.github/workflows/trivy_markdown_template.tpl b/.github/workflows/trivy_markdown_template.tpl
@@ -0,0 +1,77 @@
+{{- if . }}
+{{- range . }}
+<h3>Target <code>{{ escapeXML .Target }}</code></h3>
+{{- if (and (eq (len .Vulnerabilities) 0) (eq (len .Misconfigurations) 0) (eq (len .Secrets) 0)) }}
+<h4>Nothing found</h4>
+{{- else }} 
+{{- if (gt (len .Vulnerabilities) 0) }}
+<h4>Vulnerabilities ({{ len .Vulnerabilities }})</h4>
+<table>
+    <tr>
+        <th>Package</th>
+        <th>ID</th>
+        <th>Severity</th>
+        <th>Installed Version</th>
+        <th>Fixed Version</th>
+    </tr>
+    {{- range .Vulnerabilities }}
+    <tr>
+        <td><code>{{ escapeXML .PkgName }}</code></td>
+        <td>{{ escapeXML .VulnerabilityID }}</td>
+        <td>{{ escapeXML .Severity }}</td>
+        <td>{{ escapeXML .InstalledVersion }}</td>
+        <td>{{ escapeXML .FixedVersion }}</td>
+    </tr>
+    {{- end }}
+</table>
+{{- end }}
+{{- if (gt (len .Misconfigurations ) 0) }}
+<h4>Misconfigurations ({{ len .Misconfigurations }})</h4>
+<table>
+    <tr>
+        <th>Type</th>
+        <th>ID</th>
+        <th>Check</th>
+        <th>Severity</th>
+        <th>Message</th>
+    </tr>
+    {{- range .Misconfigurations }}
+    <tr>
+        <td>{{ escapeXML .Type }}</td>
+        <td>{{ escapeXML .ID }}</td>
+        <td>{{ escapeXML .Title }}</td>
+        <td>{{ escapeXML .Severity }}</td>
+        <td>
+          {{ escapeXML .Message }}
+          <br><a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a></br>
+        </td>
+    </tr>
+    {{- end }}
+</table>
+{{- end }}
+{{- if (gt (len .Secrets ) 0) }}
+<h4>Secrets ({{ len .Secrets }})</h4>
+<table>
+    <tr>
+        <th>Type</th>
+        <th>ID</th>
+        <th>Severity</th>
+        <th>Lines</th>
+        <th>Match</th>
+    </tr>
+    {{- range .Secrets }}
+    <tr>
+        <td>{{ escapeXML (toString .Category) }}</td>
+        <td>{{ escapeXML .RuleID }}</td>
+        <td>{{ escapeXML .Severity }}</td>
+        <td>{{ escapeXML (toString .StartLine) }}-{{ escapeXML (toString .EndLine) }}</td>
+        <td>{{ escapeXML .Match }}</td>
+    </tr>
+    {{- end }}
+</table>
+{{- end }}
+{{- end }}
+{{- end }}
+{{- else }}
+<h3>Trivy Returned Empty Report</h3>
+{{- end }}