chore(deps): Update to use Trivy v0.30.2

Signed-off-by: Simar <simar@linux.com>

.github/workflows/build.yaml

@@ -1,7 +1,8 @@
 name: "build"
 on: [push, pull_request]
 env:
-  TRIVY_VERSION: 0.30.0
+  TRIVY_VERSION: 0.30.2
+  BATS_LIB_PATH: '/usr/lib/'
 jobs:
   build:
     name: build
@@ -11,7 +12,7 @@ jobs:
       - name: Setup BATS
         uses: mig4/setup-bats@v1
         with:
-          bats-version: 1.2.1
+          bats-version: 1.7.0
 
       - name: Setup Bats libs
         uses: brokenpip3/setup-bats-libs@0.1.0
@@ -24,10 +25,4 @@ jobs:
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
 
       - name: Test
-        run: bats --recursive --timing .
-
-      - name: Debug show artifacts
-        if: always()
-        run: |
-          cat ./config.test
-          cat ./fs-scheck.test
+        run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .

Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.30.0
+FROM ghcr.io/aquasecurity/trivy:0.30.2
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl
 RUN chmod +x /entrypoint.sh

README.md

@@ -19,6 +19,36 @@
 
 ## Usage
 
+### Scan CI Pipeline
+
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+```
+
 ### Scan CI Pipeline (w/ Trivy Config)
 
 ```yaml

test/data/config-sarif.test

@@ -37,7 +37,7 @@
               }
             }
           ],
-          "version": "0.30.0"
+          "version": "0.30.2"
         }
       },
       "results": [

test/data/repo.test

@@ -1,18 +1,76 @@
-
-env (secrets)
-=============
-Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
-
-CRITICAL: GitHub (github-pat)
-═══════════════════════════════════════════════════════════════════
-GitHub Personal Access Token
-───────────────────────────────────────────────────────────────────
- env:5
-───────────────────────────────────────────────────────────────────
-   3   export AWS_ACCESS_KEY_ID=1234567
-   4   
-   5 [ export GITHUB_PAT=****************************************
-   6   
-───────────────────────────────────────────────────────────────────
-
-
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "https://github.com/krol3/demo-trivy/",
+  "ArtifactType": "repository",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "env",
+      "Class": "secret",
+      "Secrets": [
+        {
+          "RuleID": "github-pat",
+          "Category": "GitHub",
+          "Severity": "CRITICAL",
+          "Title": "GitHub Personal Access Token",
+          "StartLine": 5,
+          "EndLine": 5,
+          "Code": {
+            "Lines": [
+              {
+                "Number": 3,
+                "Content": "export AWS_ACCESS_KEY_ID=1234567",
+                "IsCause": false,
+                "Annotation": "",
+                "Truncated": false,
+                "Highlighted": "export AWS_ACCESS_KEY_ID=1234567",
+                "FirstCause": false,
+                "LastCause": false
+              },
+              {
+                "Number": 4,
+                "Content": "",
+                "IsCause": false,
+                "Annotation": "",
+                "Truncated": false,
+                "FirstCause": false,
+                "LastCause": false
+              },
+              {
+                "Number": 5,
+                "Content": "export GITHUB_PAT=****************************************",
+                "IsCause": true,
+                "Annotation": "",
+                "Truncated": false,
+                "Highlighted": "export GITHUB_PAT=****************************************",
+                "FirstCause": true,
+                "LastCause": true
+              },
+              {
+                "Number": 6,
+                "Content": "",
+                "IsCause": false,
+                "Annotation": "",
+                "Truncated": false,
+                "FirstCause": false,
+                "LastCause": false
+              }
+            ]
+          },
+          "Match": "export GITHUB_PAT=****************************************"
+        }
+      ]
+    }
+  ]
+}

test/test.bats

@@ -1,61 +1,71 @@
 #!/usr/bin/env bats
-load '/usr/lib/bats-support/load.bash'
-load '/usr/lib/bats-assert/load.bash'
+bats_load_library bats-support
+bats_load_library bats-assert
+bats_load_library bats-file
+
+@test "trivy repo with securityCheck secret only" {
+  # trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
+  run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
+  run diff repo.test ./test/data/repo.test
+  echo "$output"
+  assert_files_equal repo.test ./test/data/repo.test
+}
 
 @test "trivy image" {
   # trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
-  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
-  result="$(diff ./test/data/image.test image.test)"
-  [ "$result" == '' ]
+  run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
+  run diff image.test ./test/data/image.test
+  echo "$output"
+  assert_files_equal image.test ./test/data/image.test
 }
 
 @test "trivy config sarif report" {
   # trivy config --format sarif --output  config-sarif.test .
-  ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.test' '-j .'
-  result="$(diff ./test/data/config-sarif.test config-sarif.test)"
-  [ "$result" == '' ]
+  run ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.test' '-j .'
+  run diff config-sarif.test ./test/data/config-sarif.test
+  echo "$output"
+  assert_files_equal config-sarif.test ./test/data/config-sarif.test
 }
 
 @test "trivy config" {
   # trivy config --format json --output config.test .
-  ./entrypoint.sh '-a config' '-b json' '-j .' '-h config.test'
-  result="$(diff ./test/data/config.test config.test)"
-  [ "$result" == '' ]
+  run ./entrypoint.sh '-a config' '-b json' '-j .' '-h config.test'
+  run diff config.test ./test/data/config.test
+  echo "$output"
+  assert_files_equal config.test ./test/data/config.test
 }
 
 @test "trivy rootfs" {
   # trivy rootfs --output rootfs.test .
-  ./entrypoint.sh '-a rootfs' '-j .' '-h rootfs.test'
-  result="$(diff ./test/data/rootfs.test rootfs.test)"
-  [ "$result" == '' ]
+  run ./entrypoint.sh '-a rootfs' '-j .' '-h rootfs.test'
+  run diff rootfs.test ./test/data/rootfs.test
+  echo "$output"
+  assert_files_equal rootfs.test ./test/data/rootfs.test
 }
 
 @test "trivy fs" {
   # trivy fs --output fs.test .
-  ./entrypoint.sh '-a fs' '-j .' '-h fs.test'
-  result="$(diff ./test/data/fs.test fs.test)"
-  [ "$result" == '' ]
+  run ./entrypoint.sh '-a fs' '-j .' '-h fs.test'
+  run diff fs.test ./test/data/fs.test
+  echo "$output"
+  assert_files_equal fs.test ./test/data/fs.test
 }
 
 @test "trivy fs with securityChecks option" {
   # trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
-  ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
-  result="$(diff ./test/data/fs-scheck.test fs-scheck.test)"
-  [ "$result" == '' ]
+  run ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
+  run diff fs-scheck.test ./test/data/fs-scheck.test
+  echo "$output"
+  assert_files_equal fs-scheck.test ./test/data/fs-scheck.test
 }
 
-@test "trivy repo with securityCheck secret only" {
-  # trivy repo --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
-  ./entrypoint.sh '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
-  result="$(diff ./test/data/repo.test repo.test)"
-  [ "$result" == '' ]
-}
 
 @test "trivy image with trivyIgnores option" {
   # cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL  --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
-  ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
-  result="$(diff ./test/data/image-trivyignores.test image-trivyignores.test)"
-  [ "$result" == '' ]
+  run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
+  run diff image-trivyignores.test ./test/data/image-trivyignores.test
+  echo "$output"
+  assert_files_equal image-trivyignores.test ./test/data/image-trivyignores.test
 }
 
 @test "trivy image with sbom output" {
@@ -67,6 +77,7 @@ load '/usr/lib/bats-assert/load.bash'
 @test "trivy repo with trivy.yaml config" {
   # trivy --config=./data/trivy.yaml fs --security-checks=config,secret --output=yamlconfig.test .
   run ./entrypoint.sh "-a fs" "-j ." "-s config,secret" "-v ./test/data/trivy.yaml" "-h yamlconfig.test"
-  result="$(diff ./test/data/yamlconfig.test yamlconfig.test)"
-  [ "$result" == '' ]
+  run diff yamlconfig.test ./test/data/yamlconfig.test
+  echo "$output"
+  assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
 }