diff --git a/action.yaml b/action.yaml index 02bcd34..9b49414 100644 --- a/action.yaml +++ b/action.yaml @@ -94,6 +94,9 @@ inputs: limit-severities-for-sarif: description: 'limit severities for SARIF format' required: false + docker-host: + description: 'unix domain socket path to use for docker scanning' + required: false runs: using: 'docker' @@ -123,3 +126,4 @@ runs: - '-v ${{ inputs.trivy-config }}' - '-x ${{ inputs.tf-vars }}' - '-z ${{ inputs.limit-severities-for-sarif }}' + - '-y ${{ inputs.docker-host }}' \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index 0b6f46c..6e8f71f 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash set -e -while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:z:" o; do +while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:y:z:" o; do case "${o}" in a) export scanType=${OPTARG} @@ -71,6 +71,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:z:" o; do x) export tfVars=${OPTARG} ;; + y) + export dockerHost=${OPTARG} + ;; z) export limitSeveritiesForSARIF=${OPTARG} ;; @@ -165,6 +168,9 @@ if [ "$hideProgress" == "true" ];then ARGS="$ARGS --quiet" SARIF_ARGS="$SARIF_ARGS --quiet" fi +if [ "$dockerHost" == "true" ];then + ARGS="$ARGS --docker-host $dockerHost" +fi listAllPkgs=$(echo $listAllPkgs | tr -d '\r') if [ "$listAllPkgs" == "true" ];then diff --git a/test/test.bats b/test/test.bats index 5301eab..0d10781 100644 --- a/test/test.bats +++ b/test/test.bats 
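Review bot: The new `docker-host` input is described as a 'unix domain socket path', but its value is passed straight through to trivy's `--docker-host`, and the test added in this same change supplies it in URL form (`unix:///var/run/docker.sock`), not as a bare filesystem path; a user following the description literally would pass `/var/run/docker.sock`, which may not be what the flag expects. Suggest stating the expected form in the description: `description: 'docker daemon host to use for image scanning, in URL form, e.g. unix:///var/run/docker.sock'`. Whether trivy also accepts a bare path (or `tcp://` hosts) is not visible here and should be confirmed before widening the description.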
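Review bot: The guard `if [ "$dockerHost" == "true" ];then` compares the socket value with the literal string `true`, so for any real value such as `unix:///var/run/docker.sock` the flag is never appended and the input is silently ignored, while a value of exactly `true` would be forwarded as the nonsensical `--docker-host true`. The condition should test for a non-empty value, and because action.yaml always passes `-y ` (with a trailing space and empty input) when the user does not set `docker-host`, and other inputs in this script are already normalised with `tr -d '\r'`, the value should be trimmed first: `dockerHost=$(echo $dockerHost | tr -d '\r')` followed by `if [ -n "$dockerHost" ];then`. The option-parsing loop that sets `dockerHost` and the later use of `$ARGS` lie outside this hunk.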
@@ -82,6 +82,14 @@ bats_load_library bats-file assert_files_equal yamlconfig.test ./test/data/yamlconfig.test } +@test "trivy image with custom docker-host" { + # trivy image --docker-host unix:///var/run/docker.sock --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3 + run ./entrypoint.sh '-y unix:///var/run/docker.sock' '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL' + run diff image.test ./test/data/image.test + echo "$output" + assert_files_equal image.test ./test/data/image.test +} + @test "trivy config with terraform variables" { # trivy config --format json --severity MEDIUM --output tfvars.test --tf-vars ./test/data/dev.tfvars ./test/data run ./entrypoint.sh "-a config" "-j ./test/data" "-h tfvars.test" "-g MEDIUM" "-x dev.tfvars" "-b json"
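Review bot: The new "trivy image with custom docker-host" test cannot tell whether `--docker-host` was actually forwarded: it scans the same image through what is presumably the default socket path and compares against the same `image.test` fixture, so it passes even when the entrypoint drops the flag, which is what the `== "true"` guard in this change does. A discriminating check would either point `-y` at a host that cannot be the default or have the entrypoint expose the assembled trivy command (for example under a debug variable) so the test can assert that `--docker-host unix:///var/run/docker.sock` appears in it. A bogus socket alone may not make the scan fail outright if trivy falls back to pulling the image from the registry, so asserting on the assembled command line is likely the more reliable option; confirm against trivy's behaviour before relying on a failure-based test.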