fix(sarif): Add option to limit severities for sarif (aquasecurity#192) (#198)

1 year ago · 1e0bef4613
parent 9ab158e859
commit 1e0bef4613
3 changed files with 18 additions and 10 deletions
--- a/README.md
+++ b/README.md
@ -501,6 +501,7 @@ Following inputs can be used as `step.with` keys:
 | `security-checks` | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)               |
 | `trivyignores`    | String  |                                    | comma-separated list of relative paths in repository to one or more `.trivyignore` files        |
 | `github-pat`      | String  |                                    | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
+| `limit-severities-for-sarif`      | Boolean  | false                                   | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |

 [release]: https://github.com/aquasecurity/trivy-action/releases/latest
 [release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
--- a/action.yaml
+++ b/action.yaml
@ -88,6 +88,9 @@ inputs:
  trivy-config:
    description: 'path to trivy.yaml config'
    required: false
+  limit-severities-for-sarif:
+    description: 'limit severities for SARIF format'
+    required: false

 runs:
  using: 'docker'
@ -115,3 +118,4 @@ runs:
    - '-t ${{ inputs.trivyignores }}'
    - '-u ${{ inputs.github-pat }}'
    - '-v ${{ inputs.trivy-config }}'
+    - '-z ${{ inputs.limit-severities-for-sarif }}'
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
   case "${o}" in
       a)
         export scanType=${OPTARG}
@ -68,6 +68,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
       v)
         export trivyConfig=${OPTARG}
       ;;
+       z)
+         export limitSeveritiesForSARIF=${OPTARG}
+       ;;
  esac
 done

@ -81,8 +84,10 @@ input=$(echo $input | tr -d '\r')
 if [ $input ]; then
  artifactRef="--input $input"
 fi
+#trim leading spaces for boolean params
 ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
 hideProgress=$(echo $hideProgress | tr -d '\r')
+limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')

 GLOBAL_ARGS=""
 if [ $cacheDir ];then
@ -164,7 +169,13 @@ if [ "$skipFiles" ];then
 fi

 trivyConfig=$(echo $trivyConfig | tr -d '\r')
-if [ $trivyConfig ]; then
+if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
+  # SARIF is special. We output all vulnerabilities,
+  # regardless of severity level specified in this report.
+  # This is a feature, not a bug :)
+  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
+  trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
+elif [ $trivyConfig ]; then
   echo "Running Trivy with trivy.yaml config from: " $trivyConfig
   trivy --config $trivyConfig ${scanType} ${artifactRef}
   returnCode=$?
@ -175,14 +186,6 @@ else
   returnCode=$?
 fi

-# SARIF is special. We output all vulnerabilities,
-# regardless of severity level specified in this report.
-# This is a feature, not a bug :)
-if [[ "${format}" == "sarif" ]]; then
-  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
-  trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
-fi
-
 if [[ "${format}" == "github" ]]; then
  if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
    printf "\n Uploading GitHub Dependency Snapshot"