
Not a latest image, code bug

Open huczas opened this issue 10 months ago • 5 comments

In the Azure DevOps task, using the Trivy binary with the tag "latest" downloads the hardcoded 0.38 version. It is not the latest anymore and should be fixed:

https://github.com/aquasecurity/trivy-azure-pipelines-task/blob/7516cf958f694c0e8a98a593ac41af218a0a71eb/trivy-task/index.ts#L7C1-L7C37

For now, I'm using a workaround in the task: writing the fixed version v0.44.1.

      - task: trivy@1
        displayName: Trivy Repository Scan
        inputs:
          version: "v0.44.1"
          docker: false
          path: ${{ variables.DIRECTORY }}
          severities: ${{ variables.SEVERITIES }}
          options: "--timeout 10m"
          exitCode: ${{ variables.EXITCODE }}

huczas avatar Aug 23 '23 09:08 huczas

In addition, when you use docker: true and a path like in this example, there is no way to add the path as a volume, so we can't scan local files using Docker. It would be convenient to have this, because then we could always use the latest Trivy version to scan our source code.

PawelHaracz avatar Aug 23 '23 09:08 PawelHaracz

Hi, we're facing the same issue. The Azure DevOps task downloads v0.38.2 when the tag is set to "latest".


riccardo-giuffre avatar Oct 25 '23 11:10 riccardo-giuffre

Hello, too late on the latest image, it's now v0.48.3. Is there another way to reference the latest version of the Trivy image? I don't understand why Aquasec is not providing a "latest" tag for the Trivy image.

julienLemarie avatar Jan 17 '24 18:01 julienLemarie

I just ran into the same issue, here is my workaround:

    # Store the latest version to the TRIVY_VERSION variable
    - bash: |
        version=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | jq -r .tag_name)
        echo "latest version of trivy is $version"
        echo "##vso[task.setvariable variable=TRIVY_VERSION;]$version"
        
    # Actual scan
    - task: trivy@1
      inputs:
        image: $(MY_IMAGE)
        docker: false
        version: $(TRIVY_VERSION)

corentinvds avatar Mar 16 '24 20:03 corentinvds
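An added example, not code from any comment in this thread: a shell step that does the same version lookup as the workaround above but only accepts a tag of the form vMAJOR.MINOR.PATCH, otherwise falling back to a pinned release (the v0.44.1 pin from the first post), so a failed or malformed API answer cannot steer the pipeline to an unexpected binary. The JSON bodies are constructed samples; in the pipeline the body comes from the curl call shown above.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the Trivy release tag from a GitHub
# "releases/latest" JSON body, accept it only if it looks like a release tag,
# otherwise fall back to a pinned version, then emit the Azure DevOps logging command.
set -eu

# Pinned fallback used when the API answer is missing or malformed
# (assumption: the v0.44.1 pin from the first post is a known-good release).
FALLBACK_VERSION="v0.44.1"

# Extract tag_name from the JSON body; print it only if it matches vMAJOR.MINOR.PATCH,
# print the fallback when the body is empty, lacks tag_name, or carries an odd value.
resolve_trivy_version() {
  body="$1"
  tag=$(printf '%s' "$body" | sed -n 's/.*"tag_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
  if printf '%s' "$tag" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
    printf '%s\n' "$tag"
  else
    printf '%s\n' "$FALLBACK_VERSION"
  fi
}

# Build the Azure DevOps logging command that sets TRIVY_VERSION for later steps.
vso_set_variable() {
  printf '##vso[task.setvariable variable=TRIVY_VERSION;]%s\n' "$1"
}

# Constructed sample bodies (trimmed copies of what api.github.com answers).
SAMPLE_OK='{"url":"https://api.github.com/repos/aquasecurity/trivy/releases/1","tag_name":"v0.48.3","name":"v0.48.3"}'
SAMPLE_BAD='{"message":"API rate limit exceeded","documentation_url":"https://docs.github.com/rest"}'
SAMPLE_ODD='{"tag_name":"latest"}'

main() {
  # In a pipeline step the body would come from:
  # curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest"
  version=$(resolve_trivy_version "$SAMPLE_OK")
  echo "latest version of trivy is $version"
  vso_set_variable "$version"
}

main "$@"
```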

I forked this (trivy-azure-pipelines-task) and enabled container image scanning from containerized trivy. It is thus easy to always use the latest version without workarounds. I also added some more improvements and updated trivy. Feel free to give it a try or create a PR if you need more features. See https://marketplace.visualstudio.com/items?itemName=georg-jung.trivy-contrib and https://github.com/georg-jung/trivy-azure-pipelines-task.

georg-jung avatar Mar 28 '24 07:03 georg-jung