trivy usage

[GurayCetin]

Question

I could not figure out to use trivy with tfaction.
It's enabled in tfaction-root.yaml. added to aqua import as trivy.yaml.

Is there any way to specify config path for trivy.yaml? it's expecting it in running terraform folder.

Other one is when i changed timeout to 10m, it's giving me the outputs but not seeing them as comment. i have enabled reviewdog and added yaml to aqua imports.

Background of the question

No response

Example Code

GitHub Actions

tfaction-root.yaml

tfaction.yaml

Note

No response

[suzuki-shunsuke]

I'd really appreciate it if you separate discussions per question from the next time.

As of From tfaction v1, trivy is run by the test action by default.

tfaction/test/action.yaml

Lines 29 to 34 in 15be319

	- uses: suzuki-shunsuke/trivy-config-action@9cb8a8558fb82684e7f66b0cdfaecef033b264ac # v0.2.1
	if: fromJSON(steps.target-config.outputs.enable_trivy) && steps.target-config.outputs.destroy != 'true'
	with:
	github_token: ${{ inputs.github_token }}
	working_directory: ${{ steps.target-config.outputs.working_directory }}
	github_comment: "true"

Trivy is run on each working directory, so please add the file trivy.yaml on each working directory.

https://aquasecurity.github.io/trivy/v0.49/docs/configuration/

Is there any way to specify config path for trivy.yaml?

According to the document of Trivy, I think you can specify the path by the environment variable TRIVY_CONFIG.

https://aquasecurity.github.io/trivy/v0.49/docs/configuration/#environment-variables

[suzuki-shunsuke]

I am not sure how to specify TRIVY_CONFIG in which file?

You can set the environment variable in the GitHub Actions workflow.

e.g.

      - uses: suzuki-shunsuke/tfaction/[email protected]
        with:
          github_token: ${{steps.generate_token.outputs.token}}
          secrets: ${{steps.setup.outputs.secrets}}
        env:
          TRIVY_CONFIG: ${{ github.workspace }}/trivy.yaml

[GurayCetin]

It does not accept the TRIVY_CONFIG because it's set to --config trivy.yaml in trivy cli command as precedence.
So cli flags would be removed to assign environment variable to trivy command.
https://aquasecurity.github.io/trivy/v0.49/docs/configuration/

[suzuki-shunsuke]

Oh, I see. At trivy-config-action v0.2.1, the input config_path was added and the default value is trivy.yaml.
This setting overrides TRIVY_CONFIG.

tfaction/test/action.yaml

Lines 29 to 34 in 15be319

	- uses: suzuki-shunsuke/trivy-config-action@9cb8a8558fb82684e7f66b0cdfaecef033b264ac # v0.2.1
	if: fromJSON(steps.target-config.outputs.enable_trivy) && steps.target-config.outputs.destroy != 'true'
	with:
	github_token: ${{ inputs.github_token }}
	working_directory: ${{ steps.target-config.outputs.working_directory }}
	github_comment: "true"

https://github.com/suzuki-shunsuke/trivy-config-action?tab=readme-ov-file#optional-inputs

I didn't notice that.

I think we should change the behaviour of trivy-config-action so that we can pass TRIVY_CONFIG.

[suzuki-shunsuke]

I fixed trivy-config-action.

• fix: fix the issue that the environment variable TRIVY_CONFIG doesn't work trivy-config-action#135

[GurayCetin]

Thanks for quick fixing, will it refer to new version of trivy-config-action?

[suzuki-shunsuke]

Yes, I'll release the new version of trivy-config-action, update trivy-config-action of tfaction, and relese the new version of tfaction in near future.

[suzuki-shunsuke]

trivy-config-action v0.2.2 is out.
https://github.com/suzuki-shunsuke/trivy-config-action/releases/tag/v0.2.2

Updated trivy-config-action.

• chore(deps): update suzuki-shunsuke/trivy-config-action action to v0.2.2 #1538

[suzuki-shunsuke]

tfaction v1.1.1 is out 🎉
trivy-config-action is updated to v0.2.2, so you can specify the configuration file path by the environment variable TRIVY_CONFIG.
https://github.com/suzuki-shunsuke/tfaction/releases/tag/v1.1.1

[suzuki-shunsuke]

Other one is when i changed timeout to 10m, it's giving me the outputs but not seeing them as comment. i have enabled reviewdog and added yaml to aqua imports.

It looks strange. tfaction uses this action.
https://github.com/suzuki-shunsuke/trivy-config-action

This action should post a comment by github-comment and create a review by reviewdog if Terraform code violates any trivy policies.

Did the workflow exit by timeout? Was a comment posted by github-comment?

[suzuki-shunsuke]

I really appreciate it if you copy and paste the output as text from the next time so that we can copy and paste the text and can search with it.

Parsing trivy config result
Unexpected end of JSON input

Maybe this error means the stdout of trivy command was empty.

https://github.com/suzuki-shunsuke/trivy-config-action/blob/09d00e1065773ae386e99e68b53e06210a97f0ce/src/run.ts#L91-L92

We should improve the error handling of this action.

[GurayCetin]

Raw Output:
message:"Database instance does not require TLS for all connections."  location:{path:".terraform/modules/sql-db_postgresql-cdm-mailing-exporter/modules/mysql/main.tf"  range:{start:{line:52}  end:{line:204}}}  severity:ERROR  source:{name:"trivy"  url:"https://github.com/aquasecurity/trivy"}  code:{value:"AVD-GCP-0015"  url:"https://avd.aquasec.com/misconfig/avd-gcp-0015"}
Error: [trivy] reported by reviewdog 🐶
Database instance is granted a public internet address.

Raw Output:
message:"Database instance is granted a public internet address."  location:{path:".terraform/modules/sql-db_postgresql-cdm-mailing-exporter/modules/mysql/main.tf"  range:{start:{line:52}  end:{line:204}}}  severity:ERROR  source:{name:"trivy"  url:"https://github.com/aquasecurity/trivy"}  code:{value:"AVD-GCP-0017"  url:"https://avd.aquasec.com/misconfig/avd-gcp-0017"}
Error: [trivy] reported by reviewdog 🐶
Database instance does not require TLS for all connections.

Raw Output:
message:"Database instance does not require TLS for all connections."  location:{path:".terraform/modules/sql-db_postgresql-cdm-mailing-exporter/modules/postgresql/main.tf"  range:{start:{line:53}  end:{line:201}}}  severity:ERROR  source:{name:"trivy"  url:"https://github.com/aquasecurity/trivy"}  code:{value:"AVD-GCP-0015"  url:"https://avd.aquasec.com/misconfig/avd-gcp-0015"}
Error: [trivy] reported by reviewdog 🐶
Database instance is granted a public internet address.

Raw Output:
message:"Database instance is granted a public internet address."  location:{path:".terraform/modules/sql-db_postgresql-cdm-mailing-exporter/modules/postgresql/main.tf"  range:{start:{line:53}  end:{line:201}}}  severity:ERROR  source:{name:"trivy"  url:"https://github.com/aquasecurity/trivy"}  code:{value:"AVD-GCP-0017"  url:"https://avd.aquasec.com/misconfig/avd-gcp-0017"}
Warning: [trivy] reported by reviewdog 🐶
Database instance does not have backups enabled.

Raw Output:
message:"Database instance does not have backups enabled."  location:{path:".terraform/modules/sql-db_postgresql-cdm-mailing-exporter/modules/postgresql/main.tf"  range:{start:{line:53}  end:{line:201}}}  severity:WARNING  source:{name:"trivy"  url:"https://github.com/aquasecurity/trivy"}  code:{value:"AVD-GCP-0024"  url:"https://avd.aquasec.com/misconfig/avd-gcp-0024"}
Warning: [trivy] reported by reviewdog 🐶
Bucket has uniform bucket level access disabled.

Raw Output:
message:"Bucket has uniform bucket level access disabled."  location:{path:".terraform/modules/sql-db_postgresql-cdm-mailing-exporter/test/fixtures/mssql-public/main.tf"  range:{start:{line:30}  end:{line:35}}}  severity:WARNING  source:{name:"trivy"  url:"https://github.com/aquasecurity/trivy"}  code:{value:"AV
This step has been truncated due to its large size. Download the full logs from the  menu once the workflow run has completed.

When it finds the correct path of trivy.yaml, giving output but it's same that there is no any comment for errors or warnings.

[GurayCetin]

any comment for this? @suzuki-shunsuke

[suzuki-shunsuke]

#1537 (reply in thread)

reviewdog: GitHubActionLogWriter: reported too many annotation (N=2106)

https://github.com/reviewdog/reviewdog/blob/fad3e9d76ed7ed625b76b19146c25d04846b50f7/service/github/githubutils/comment_writer.go#L43

Maybe reviewdog can't create reviews because there are too many annotation.
And github-comment post may post an empty comment if the comment is too long.

[suzuki-shunsuke]

I think we should improve the error handling of trivy-config-action, but if your codes have a lot of trivy violation you need to resolve them.
You can install trivy by aqua and run trivy on your laptop.

trivy config .