
Incorporate issue creation mode

Open simar7 opened this issue 2 years ago • 8 comments

@knqyf263 has created https://github.com/knqyf263/trivy-issue-action which can create issues by running trivy with GH Action. As we already have Trivy Action, we can incorporate that functionality here.

simar7 avatar May 06 '22 19:05 simar7

I find this action works better.

https://github.com/CemitDigital/trivy-report-issue-action

The downside is that if there is no 'Results' key found in the json file it will fail. I created an issue and a pull request on their repo but haven't seen any activity. I may just fork the repository and edit this myself :-).

james-luther avatar May 09 '22 15:05 james-luther

hi @b34rd-tek - is there something missing in https://github.com/knqyf263/trivy-issue-action that we can add?

simar7 avatar May 09 '22 20:05 simar7

When I attempted to use the action you linked it wouldn't authenticate to gh to create the issues.

@simar7 Here is the output of it running: [image attachment]

If I just run the trivy-action with 'table' format: [image attachment]

The action I suggested doesn't create issues for found secrets either. Perhaps that's why it isn't working as expected.

I used an e-mail action to send myself the raw json and it looks like the issue creation actions just don't parse this section of json.

{
  "SchemaVersion": 2,
  "ArtifactName": ".",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "MacOS/MacOS-Vanta-Agent-Install.sh",
      "Class": "secret",
      "Secrets": [
        {
          "RuleID": "aws-secret-access-key",
          "Category": "AWS",
          "Severity": "CRITICAL",
          "Title": "AWS Secret Access Key",
          "StartLine": 98,
          "EndLine": 98,
          "Match": "ser E-Mail\"\n        VANTA_KEY=*****h5m0czpmace0\" bash -"
        },
        {
          "RuleID": "aws-secret-access-key",
          "Category": "AWS",
          "Severity": "CRITICAL",
          "Title": "AWS Secret Access Key",
          "StartLine": 102,
          "EndLine": 102,
          "Match": "MAIL=$email\n        VANTA_KEY=*****h5m0czpmace0\" bash -"
        }
      ]
    }
  ]
}

The action https://github.com/knqyf263/trivy-issue-action only runs in 'fs' mode also. It would be nice to be able to specify which scan. The action https://github.com/CemitDigital/trivy-report-issue-action will take input from any scan and can generate issues for vulnerabilities. I have forked this repo and am going to add in the ability to create issues for Secrets. That action can be found here: https://github.com/chili-piper/trivy-report-issue-action/

james-luther avatar May 09 '22 20:05 james-luther
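Parsing a Trivy JSON report the way this thread asks for, as an added example that is not code from any of the actions mentioned: it tolerates a missing or null 'Results' key and emits one issue record per entry in both 'Vulnerabilities' and 'Secrets' arrays. The sample report is constructed from the one quoted above (secret match redacted, plus a hypothetical vulnerability result); the severity ordering and the issue dict shape are my assumptions.

```python
import json

# Constructed sample Trivy JSON (SchemaVersion 2), modelled on the report in
# this thread: one "secret" class result plus a hypothetical vulnerability
# result so the same parser exercises both shapes. Secret match is redacted.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": ".", "ArtifactType": "filesystem",
    "Results": [
        {"Target": "MacOS/MacOS-Vanta-Agent-Install.sh", "Class": "secret",
         "Secrets": [{"RuleID": "aws-secret-access-key", "Severity": "CRITICAL",
                      "Title": "AWS Secret Access Key", "StartLine": 98,
                      "EndLine": 98, "Match": "VANTA_KEY=*****REDACTED"}]},
        {"Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [{"VulnerabilityID": "CVE-PLACEHOLDER-0001",
                              "PkgName": "examplepkg", "InstalledVersion": "1.0",
                              "FixedVersion": "1.1", "Severity": "HIGH"}]},
    ],
})

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def severity_rank(sev):
    """Map a Trivy severity string to a sortable rank; unknown values rank 0."""
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0

def findings_from_report(raw, min_severity="HIGH"):
    """Return one issue dict per vulnerability or secret at/above min_severity."""
    floor = severity_rank(min_severity)
    issues = []
    # Trivy omits "Results" entirely (or sets it to null) when nothing was
    # found, so treat a missing key like an empty list instead of failing.
    for result in json.loads(raw).get("Results") or []:
        target = result.get("Target", "<unknown target>")
        for v in result.get("Vulnerabilities") or []:
            if severity_rank(v.get("Severity", "UNKNOWN")) >= floor:
                issues.append({"kind": "vulnerability", "target": target,
                               "severity": v.get("Severity"), "id": v.get("VulnerabilityID"),
                               "title": f"{v.get('PkgName')} {v.get('InstalledVersion')}"
                                        f" in {target}: {v.get('VulnerabilityID')}"})
        # "Secrets" is the array the thread notes existing actions skip; the
        # "Match" snippet is deliberately left out of the issue text because
        # even the masked form carries the context around a credential.
        for s in result.get("Secrets") or []:
            if severity_rank(s.get("Severity", "UNKNOWN")) >= floor:
                issues.append({"kind": "secret", "target": target,
                               "severity": s.get("Severity"), "id": s.get("RuleID"),
                               "title": f"{s.get('Title')} in {target}:{s.get('StartLine')}"})
    return issues
```

A real action would then deduplicate against existing issues by the `id` and `target` fields before calling the GitHub API.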

@simar7 @b34rd-tek

I think the features added by this PR (related issue) could partially (if not fully) replace the need for trivy-report-issue-action, with the added benefit of not needing to use an external Action/tool.

saerosV avatar Dec 07 '22 04:12 saerosV

I ended up re-writing the way Trivy was used after updating the action attached. The action from Aquasec is what I use now and I submit the reports to DefectDojo for tracking. I also have the action configured to generate SBOMs.

james-luther avatar Dec 07 '22 17:12 james-luther

Thanks for the follow-up, @b34rd-tek. DefectDojo seems to be one of the best ways of visualizing the reports.

> The action from Aquasec

Just to confirm, the action mentioned is Trivy Action, right?

saerosV avatar Dec 12 '22 16:12 saerosV

Correct. I use that action to generate everything and add a step to post the results to DefectDojo.

james-luther avatar Dec 12 '22 16:12 james-luther

Got it, thanks again!

saerosV avatar Dec 12 '22 16:12 saerosV