Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bug] sarif format doesn't support "tf-var" arg #310

Open
antigenius0910 opened this issue Feb 16, 2024 · 1 comment · May be fixed by #311
Open

[bug] sarif format doesn't support "tf-var" arg #310

antigenius0910 opened this issue Feb 16, 2024 · 1 comment · May be fixed by #311

Comments

@antigenius0910
Copy link

antigenius0910 commented Feb 16, 2024
edited
Loading

Hi team, thanks for the awesome project. we follow you from tf-sec to here and would love to contribute and make this codebase as awesome as possible.

We really want to use the sarif and codeql function so we can integrate all the GitHub code scan result to JIRA.

when we use below setting, everything works as expected.

      - name: Run Trivy vulnerability scanner in IaC mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: config
          hide-progress: false
          tf-vars: ${{ inputs.working-directory }}/terraform.tfvars.json
          format: table
          exit-code: 1
          ignore-unfixed: false
          severity: CRITICAL,HIGH,MEDIUM

result looks great vun misconfig has been found!

Running trivy with options: trivy config  --format table --exit-code  1 --severity  CRITICAL,HIGH,MEDIUM --tf-vars  ./terraform/terraform.tfvars.json .
Global options:  
2024-02-16T15:42:06.213Z	INFO	Misconfiguration scanning is enabled
2024-02-16T15:42:06.213Z	INFO	Need to update the built-in policies
2024-02-16T15:42:06.213Z	INFO	Downloading the built-in policies...
45.79 KiB / 45.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-02-16T15:42:07.417Z	INFO	Detected config files: 2

Then we switch to the format you suggested on README here https://github.com/aquasecurity/trivy-action/blob/master/README.md?plain=1#L286-L300

      - name: Run Trivy vulnerability scanner in IaC mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          hide-progress: false
          tf-vars: ${{ inputs.working-directory }}/terraform.tfvars.json
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: '1'
          ignore-unfixed: false
          severity: CRITICAL,HIGH,MEDIUM

seems like nothing has been scanned

Building SARIF report with options:  --exit-code  1 .

can you take a look on this discrepancy and point out what we might config wrongly? thanks.
@antigenius0910 antigenius0910 linked a pull request Feb 17, 2024 that will close this issue
Open
@antigenius0910 antigenius0910 changed the title [bug] sarif format doesn't support "scanners" arg [bug] sarif format doesn't support "tf-var" arg Feb 17, 2024
@antigenius0910
Copy link
Author

PR here #311 for fixing the bug. thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: Fix 'tf-var' arg not passing when using 'sarif' format antigenius0910/trivy-action
1 participant
@antigenius0910