Version 0.32.0 crashes on the `TRIVY_SECURITY_CHECKS` environment variable
Description
```
TRIVY_SECURITY_CHECKS=vuln,secret trivy --debug rootfs $PWD
2022-09-20T10:40:48.409-0400 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-20T10:40:48.409-0400 FATAL flag error:
github.com/aquasecurity/trivy/pkg/commands.NewRootfsCommand.func2
/home/runner/work/trivy/trivy/pkg/commands/app.go:372
- scan flag error:
github.com/aquasecurity/trivy/pkg/flag.(*Flags).ToOptions
/home/runner/work/trivy/trivy/pkg/flag/options.go:366
- unable to parse security checks:
github.com/aquasecurity/trivy/pkg/flag.(*ScanFlagGroup).ToOptions
/home/runner/work/trivy/trivy/pkg/flag/scan_flags.go:103
- unknown security check: vuln,secret:
github.com/aquasecurity/trivy/pkg/flag.parseSecurityCheck
/home/runner/work/trivy/trivy/pkg/flag/scan_flags.go:127
```
What did you expect to happen?
A scan should occur
What happened instead?
trivy crashed
Output of `trivy -v`:
```
trivy -v
Version: 0.32.0
Vulnerability DB:
Version: 2
UpdatedAt: 2022-09-20 12:08:53.045849991 +0000 UTC
NextUpdate: 2022-09-20 18:08:53.045849691 +0000 UTC
DownloadedAt: 2022-09-20 14:16:59.487552987 +0000 UTC
```
Hello @trevor-vaughan, thanks for your report!
We will solve your problem as soon as possible.
Until then, if you don't want to use the `--security-checks` flag, you can try using a Trivy config file.
Regards, Dmitriy
Hey @DmitriyLewen, when do you plan to release the fixed version?
Hello @naortalmor1, the next release is planned for October 15.
@trevor-vaughan Hey, I found a way you can use envs: you need to separate the args with a space, e.g.:
```
TRIVY_SECURITY_CHECKS="license secret" trivy fs .
```
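The error in the report (`unknown security check: vuln,secret`) and the space-separated workaround both turn on how a list value is split before each name is validated. The Go code below is an added example, not Trivy's code and not part of the thread: `parseUnsplit` and `parseSecurityChecks` are hypothetical names, and the allow-list is constructed from the check names quoted on this page only.

```go
package main

import (
	"fmt"
	"strings"
)

// knownChecks is a constructed allow-list using only names seen in this thread.
var knownChecks = map[string]bool{"vuln": true, "secret": true, "license": true}

// parseUnsplit mirrors the reported failure: the whole value is one name.
func parseUnsplit(raw string) ([]string, error) {
	if !knownChecks[raw] {
		return nil, fmt.Errorf("unknown security check: %s", raw)
	}
	return []string{raw}, nil
}

// parseSecurityChecks (hypothetical helper) splits on commas and whitespace,
// de-duplicates, and fails closed on any unknown or empty selection so a
// typo never silently disables a scanner.
func parseSecurityChecks(raw string) ([]string, error) {
	fields := strings.FieldsFunc(raw, func(r rune) bool {
		return r == ',' || r == ' ' || r == '\t'
	})
	if len(fields) == 0 {
		return nil, fmt.Errorf("no security checks given")
	}
	seen := map[string]bool{}
	var out []string
	for _, f := range fields {
		if !knownChecks[f] {
			return nil, fmt.Errorf("unknown security check: %s", f)
		}
		if !seen[f] {
			seen[f] = true
			out = append(out, f)
		}
	}
	return out, nil
}

func main() {
	raw := "vuln,secret" // constructed sample: the value from the report
	_, err := parseUnsplit(raw)
	fmt.Println("unsplit:", err)
	checks, err := parseSecurityChecks(raw)
	fmt.Println("split:", checks, err)
}
```

Failing on an unknown or empty selection, rather than skipping it, keeps a CI job from passing with fewer scanners than the pipeline author intended.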