[BUG] Sarif format not working
pragmaticivan opened this issue · comments
vulnerability-scanning:
  runs-on: ubuntu-latest
  name: Vulnerability Scanning
  needs: [lint, test]
  timeout-minutes: 5
  permissions:
    id-token: write
    contents: write
    actions: read
    issues: write
    pull-requests: write
  steps:
    - name: Code checkout
      uses: actions/checkout@v3
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.14.0
      with:
        scan-type: 'config'
        scan-ref: ./
        exit-code: '0'
        ignore-unfixed: true
        severity: 'CRITICAL,HIGH'
        format: 'sarif'
        output: 'trivy-config-scan.sarif'
    - uses: actions/upload-artifact@v3
      with:
        name: trivy-config-scan.sarif
        path: trivy-config-scan.sarif
    - uses: reviewdog/action-setup@v1
      with:
        reviewdog_version: v0.15.0
    - name: Run reviewdog
      env:
        REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        echo -n "$(cat trivy-config-scan.sarif)" | reviewdog -reporter=github-pr-review -f=sarif -level=info -diff="git diff FETCH_HEAD"
The command `echo -n "$(cat trivy-config-scan.sarif)" | reviewdog -reporter=github-pr-review -f=sarif -level=info -diff="git diff FETCH_HEAD"` doesn't produce anything, not even a log.
{
  "id": "DS002",
  "name": "Misconfiguration",
  "shortDescription": {
    "text": "Image user should not be \u0026#39;root\u0026#39;"
  },
  "fullDescription": {
    "text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
  },
  "defaultConfiguration": {
    "level": "error"
  },
  "helpUri": "https://avd.aquasec.com/misconfig/ds002",
  "help": {
    "text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH\nCheck: Image user should not be 'root'\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
    "markdown": "**Misconfiguration DS002**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\n\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
  },
  "properties": {
    "precision": "very-high",
    "security-severity": "8.0",
    "tags": [
      "misconfiguration",
      "security",
      "HIGH"
    ]
  }
}
There seems to be a problem with the JSON decoder on `DS002\nType:`: the `\n` is not valid and it's breaking the decoder.
I've tested with a valid sarif file, still doesn't produce anything.
Command:
echo -n "$(cat ./trivy-config-terraform-module-scan.sarif)" | reviewdog -f=sarif -diff="git diff FETCH_HEAD"
No output produced.
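When a SARIF pipeline like the one above goes silent, the first thing to establish is whether the file itself decodes and carries results with locations, and whether those locations fall inside the diff being reported on (reviewdog's default filter mode only reports results on lines that appear in the diff, so a finding on an unchanged line yields no comment). The script below is an added example, not code from the issue or from the Trivy or reviewdog projects: it loads a constructed SARIF 2.1.0 log modelled on the DS002 rule shown above, resolves each result against the rule table, records the file and line, and applies a diff filter in the same spirit as reviewdog's. The `\n` escapes inside the rule's help text are decoded by the standard JSON parser into real newlines, which the example checks by reading the first line of the help text. The changed-line map passed to `in_diff` is a constructed stand-in for the output of `git diff`.

```python
import json
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed SARIF 2.1.0 log (not taken from the issue), modelled on the Trivy
# DS002 rule quoted above. The help text keeps its "\n" escapes so that the
# decoder's handling of them can be checked.
SAMPLE_SARIF = r'''
{
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Trivy",
          "rules": [
            {
              "id": "DS002",
              "shortDescription": {"text": "Image user should not be 'root'"},
              "defaultConfiguration": {"level": "error"},
              "help": {"text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH"},
              "properties": {"security-severity": "8.0", "tags": ["misconfiguration", "security", "HIGH"]}
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "DS002",
          "level": "error",
          "message": {"text": "Specify at least 1 USER command in Dockerfile with non-root user as argument"},
          "locations": [
            {"physicalLocation": {
              "artifactLocation": {"uri": "Dockerfile"},
              "region": {"startLine": 1, "endLine": 1}}}
          ]
        },
        {
          "ruleId": "DS002",
          "level": "error",
          "message": {"text": "Finding without a location"}
        }
      ]
    }
  ]
}
'''


def load_sarif(text: str) -> Dict[str, Any]:
    """Decode a SARIF log and check the two keys everything else relies on."""
    doc = json.loads(text)  # "\n" inside a JSON string decodes to a newline
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    if not isinstance(doc.get("runs"), list):
        raise ValueError("SARIF log has no 'runs' array")
    return doc


def rule_index(run: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Map rule id -> rule object from tool.driver.rules."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: r for r in rules if "id" in r}


def first_location(result: Dict[str, Any]) -> Tuple[Optional[str], Optional[int]]:
    """Return (uri, startLine) of the first physical location, or (None, None)."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri")
        if uri:
            return uri, phys.get("region", {}).get("startLine")
    return None, None


def summarize(doc: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten every result into one record, filling level from the rule default."""
    findings = []
    for run in doc["runs"]:
        rules = rule_index(run)
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            uri, line = first_location(res)
            findings.append({
                "rule": res.get("ruleId"),
                "title": rule.get("shortDescription", {}).get("text", ""),
                "level": level,
                "severity": rule.get("properties", {}).get("security-severity"),
                "file": uri,
                "line": line,
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def in_diff(findings: List[Dict[str, Any]], changed_lines: Dict[str, Set[int]]) -> List[Dict[str, Any]]:
    """Keep only findings whose file and line are in the diff; results without a
    location are dropped, as a line-based reporter cannot place them."""
    return [f for f in findings
            if f["file"] in changed_lines and f["line"] in changed_lines[f["file"]]]


def report(findings: List[Dict[str, Any]]) -> List[str]:
    """One human-readable line per finding."""
    out = []
    for f in findings:
        where = f"{f['file']}:{f['line']}" if f["file"] else "<no location>"
        out.append(f"[{f['level']}] {f['rule']} {where}: {f['message']}")
    return out


if __name__ == "__main__":
    doc = load_sarif(SAMPLE_SARIF)
    findings = summarize(doc)
    print("\n".join(report(findings)))
    help_text = rule_index(doc["runs"][0])["DS002"]["help"]["text"]
    print("help text decoded into", len(help_text.splitlines()), "lines")
    kept = in_diff(findings, {"Dockerfile": {1}})  # constructed stand-in for the diff
    print(f"{len(kept)} of {len(findings)} findings fall inside the diff")
```

Run it against a real Trivy output by replacing `SAMPLE_SARIF` with the file contents: if `summarize` returns an empty list the scanner found nothing, and if `in_diff` empties a non-empty list the findings are outside the lines the PR changed, which is a separate condition from a decoding failure.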