reviewdog / reviewdog

🐶 Automated code review tool integrated with any code analysis tools regardless of programming language

Home Page:https://medium.com/@haya14busa/reviewdog-a-code-review-dog-who-keeps-your-codebase-healthy-d957c471938b#.8xctbaw5u

[BUG] Sarif format not working

pragmaticivan opened this issue · comments

vulnerability-scanning:
    runs-on: ubuntu-latest
    name: Vulnerability Scanning
    needs: [lint, test]
    timeout-minutes: 5
    permissions:
      id-token: write
      contents: write
      actions: read
      issues: write
      pull-requests: write
    steps:
      - name: Code checkout
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.14.0
        with:
          scan-type: 'config'
          scan-ref: ./
          exit-code: '0'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-config-scan.sarif'

      - uses: actions/upload-artifact@v3
        with:
          name: trivy-config-scan.sarif
          path: trivy-config-scan.sarif

      - uses: reviewdog/action-setup@v1
        with:
          reviewdog_version: v0.15.0

      - name: Run reviewdog
        env:
          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo -n "$(cat trivy-config-scan.sarif)" | reviewdog -reporter=github-pr-review -f=sarif -level=info -diff="git diff FETCH_HEAD"

The command echo -n "$(cat trivy-config-scan.sarif)" | reviewdog -reporter=github-pr-review -f=sarif -level=info -diff="git diff FETCH_HEAD"

doesn't produce anything, not even any log output.

{
  "id": "DS002",
  "name": "Misconfiguration",
  "shortDescription": {
    "text": "Image user should not be \u0026#39;root\u0026#39;"
  },
  "fullDescription": {
    "text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
  },
  "defaultConfiguration": {
    "level": "error"
  },
  "helpUri": "https://avd.aquasec.com/misconfig/ds002",
  "help": {
    "text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH\nCheck: Image user should not be 'root'\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
    "markdown": "**Misconfiguration DS002**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\n\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
  },
  "properties": {
    "precision": "very-high",
    "security-severity": "8.0",
    "tags": [
      "misconfiguration",
      "security",
      "HIGH"
    ]
  }
}

There seems to be a problem with the JSON decoder on "DS002\nType:": the \n is not valid and it's breaking the decoder.

I've tested with a valid SARIF file; it still doesn't produce anything.

Command:

echo -n "$(cat ./trivy-config-terraform-module-scan.sarif)" | reviewdog -f=sarif -diff="git diff FETCH_HEAD"

No output is produced.
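A quick way to separate the two candidate causes raised in this issue (the decoder choking on the rule text, versus results being dropped because they do not land on a changed line) is to decode a SARIF document with the same escapes and then apply the same line filter reviewdog applies by default. The Go program below is an added example, not code from the issue or from reviewdog itself: it parses a constructed SARIF 2.1.0 document (not real Trivy output) whose rule text reuses the \n and \u0026#39; escapes quoted above, flattens each result to a path/line pair, and keeps only findings that sit on an added line, which is what reviewdog's default -filter-mode=added does. The Dockerfile path, the result line numbers and the "touched" line set are all made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// sampleSARIF is a constructed SARIF 2.1.0 document (not real Trivy output).
// The rule reuses the escapes quoted in the issue: "\n" inside help.text and
// the doubly encoded quote "\u0026#39;". The first result has a region, the
// second is file-level (no region), which is common for config scanners.
const sampleSARIF = `{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "Trivy", "rules": [{
      "id": "DS002",
      "shortDescription": {"text": "Image user should not be \u0026#39;root\u0026#39;"},
      "help": {"text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH"}
    }]}},
    "results": [
      {"ruleId": "DS002", "level": "error",
       "message": {"text": "Specify at least 1 USER command in Dockerfile with non-root user as argument"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "Dockerfile"},
         "region": {"startLine": 1, "endLine": 1}}}]},
      {"ruleId": "DS002", "level": "error",
       "message": {"text": "file-level finding without a region"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}}}]}
    ]
  }]
}`

// Only the parts of SARIF this check needs.
type sarifRegion struct {
	StartLine int `json:"startLine"`
	EndLine   int `json:"endLine"`
}

type sarifLog struct {
	Runs []struct {
		Tool struct {
			Driver struct {
				Name  string `json:"name"`
				Rules []struct {
					ID               string                      `json:"id"`
					ShortDescription struct{ Text string `json:"text"` } `json:"shortDescription"`
					Help             struct{ Text string `json:"text"` } `json:"help"`
				} `json:"rules"`
			} `json:"driver"`
		} `json:"tool"`
		Results []struct {
			RuleID    string                      `json:"ruleId"`
			Level     string                      `json:"level"`
			Message   struct{ Text string `json:"text"` } `json:"message"`
			Locations []struct {
				PhysicalLocation struct {
					ArtifactLocation struct{ URI string `json:"uri"` } `json:"artifactLocation"`
					Region           *sarifRegion                      `json:"region"`
				} `json:"physicalLocation"`
			} `json:"locations"`
		} `json:"results"`
	} `json:"runs"`
}

// Finding is one reportable diagnostic. Line == 0 means the result carried
// no region, so it can never be attached to a diff line.
type Finding struct {
	Rule, Path, Message string
	Line                int
}

// ParseSARIF decodes a SARIF document with the standard library decoder.
// "\n" and "\uXXXX" inside JSON strings are ordinary escapes and decode cleanly.
func ParseSARIF(data []byte) (*sarifLog, error) {
	var doc sarifLog
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	return &doc, nil
}

// Findings flattens every result/location pair into a Finding.
func Findings(doc *sarifLog) []Finding {
	var out []Finding
	for _, run := range doc.Runs {
		for _, r := range run.Results {
			for _, loc := range r.Locations {
				f := Finding{Rule: r.RuleID, Path: loc.PhysicalLocation.ArtifactLocation.URI, Message: r.Message.Text}
				if reg := loc.PhysicalLocation.Region; reg != nil {
					f.Line = reg.StartLine
				}
				out = append(out, f)
			}
		}
	}
	return out
}

// FilterToAddedLines keeps only findings on an added/modified line, mirroring
// reviewdog's default filter mode ("added"). added maps a path to the set of
// line numbers the diff touched; a nil inner map simply matches nothing.
func FilterToAddedLines(findings []Finding, added map[string]map[int]bool) []Finding {
	var kept []Finding
	for _, f := range findings {
		if f.Line > 0 && added[f.Path][f.Line] {
			kept = append(kept, f)
		}
	}
	return kept
}

func main() {
	doc, err := ParseSARIF([]byte(sampleSARIF))
	if err != nil {
		fmt.Fprintln(os.Stderr, "decode failed:", err)
		os.Exit(1)
	}
	rule := doc.Runs[0].Tool.Driver.Rules[0]
	fmt.Printf("help text decoded to %d lines; short description: %q\n",
		strings.Count(rule.Help.Text, "\n")+1, rule.ShortDescription.Text)

	all := Findings(doc)
	// Constructed diff: the PR only touched Dockerfile line 7, not line 1.
	touched := map[string]map[int]bool{"Dockerfile": {7: true}}
	fmt.Printf("%d findings parsed, %d on added lines\n", len(all), len(FilterToAddedLines(all, touched)))
}
```

With the diff touching only line 7, both findings parse but zero survive the added-lines filter, which is silent by design; the same document reports one finding once line 1 is in the touched set. When reviewdog prints nothing, rerunning the same pipe with -reporter=local -filter-mode=nofilter shows whether the SARIF input was read at all before suspecting the decoder; the second result above, with no region, is dropped by any line-based filter no matter what the diff contains.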