Skip to content

Commit

Permalink
update tests
Browse files Browse the repository at this point in the history
  • Loading branch information
nikpivkin committed Apr 12, 2024
1 parent 207cd40 commit 469f957
Show file tree
Hide file tree
Showing 26 changed files with 2,009 additions and 1,556 deletions.
28 changes: 0 additions & 28 deletions .github/workflows/build.yaml

This file was deleted.

30 changes: 30 additions & 0 deletions .github/workflows/sync-trivy-checks.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: Sync Trivy Checks

on:
workflow_dispatch:
env:
IMAGE_NAME: ${{ github.repository_owner }}/trivy-checks
REGISTRY: ghcr.io

jobs:
sync-trivy-checks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Pull Trivy Checks
run: |
oras pull ghcr.io/aquasecurity/trivy-checks:0
- name: Login to GitHub Packages Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Push Trivy Checks
run: |
oras push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \
--config /dev/null:application/vnd.cncf.openpolicyagent.config.v1+json \
bundle.tar.gz:application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip
30 changes: 30 additions & 0 deletions .github/workflows/sync-trivy-db.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: Sync Trivy DB

on:
workflow_dispatch:
env:
IMAGE_NAME: ${{ github.repository_owner }}/trivy-db
REGISTRY: ghcr.io

jobs:
sync-trivy-db:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Pull Trivy DB
run: |
oras pull ghcr.io/aquasecurity/trivy-db:2
- name: Login to GitHub Packages Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Push Trivy DB
run: |
oras push --artifact-type application/vnd.aquasec.trivy.config.v1+json \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \
db.tar.gz:application/vnd.aquasec.trivy.db.layer.v1.tar+gzip
29 changes: 29 additions & 0 deletions .github/workflows/sync-trivy-java-db.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
name: Sync Trivy Java DB

on:
workflow_dispatch:
env:
IMAGE_NAME: ${{ github.repository_owner }}/trivy-java-db
REGISTRY: ghcr.io

jobs:
sync-trivy-db:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Pull Trivy DB
run: oras pull ghcr.io/aquasecurity/trivy-java-db:1

- name: Login to GitHub Packages Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Push Trivy DB
run: |
oras push --artifact-type application/vnd.aquasec.trivy.config.v1+json \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \
javadb.tar.gz:application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip
29 changes: 29 additions & 0 deletions .github/workflows/test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
name: Test

on:
push:
pull_request:
workflow_dispatch:

env:
TRIVY_VERSION: 0.50.1
BATS_LIB_PATH: '/usr/lib/'

jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Setup Bats and bats libs
uses: bats-core/bats-action@2.0.0

- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
trivy --version
- name: Test
run: |
chmod +x entrypoint.sh
bats -r -T .
File renamed without changes.
512 changes: 512 additions & 0 deletions test/data/config-sarif-report/report.sarif

Large diffs are not rendered by default.

620 changes: 0 additions & 620 deletions test/data/config-sarif.test

This file was deleted.

18 changes: 18 additions & 0 deletions test/data/config-scan/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# test data for trivy config with terraform variables

variable "bucket_versioning_enabled" {
type = string
default = "Disabled"
}

resource "aws_s3_bucket" "bucket" {
bucket = "trivy-action-bucket"
}

resource "aws_s3_bucket_versioning" "bucket_versioning" {
bucket = aws_s3_bucket.bucket.id

versioning_configuration {
status = var.bucket_versioning_enabled
}
}
76 changes: 6 additions & 70 deletions test/data/config.test → test/data/config-scan/report.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:12.036390742Z",
"ArtifactName": ".",
"CreatedAt": "2024-04-12T16:53:35.5567541+03:00",
"ArtifactName": "test/data/config-scan",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
Expand All @@ -17,71 +17,7 @@
},
"Results": [
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 24,
"Failures": 2,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
},
{
"Type": "Dockerfile Security Check",
"ID": "DS026",
"AVDID": "AVD-DS-0026",
"Title": "No HEALTHCHECK defined",
"Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
"Namespace": "builtin.dockerfile.DS026",
"Query": "data.builtin.dockerfile.DS026.deny",
"Resolution": "Add HEALTHCHECK instruction in Dockerfile",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
"References": [
"https://blog.aquasec.com/docker-security-best-practices",
"https://avd.aquasec.com/misconfig/ds026"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
},
{
"Target": "test/data",
"Target": ".",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
Expand All @@ -91,7 +27,7 @@
}
},
{
"Target": "test/data/main.tf",
"Target": "main.tf",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
Expand Down Expand Up @@ -436,15 +372,15 @@
"Occurrences": [
{
"Resource": "versioning_configuration",
"Filename": "test/data/main.tf",
"Filename": "main.tf",
"Location": {
"StartLine": 15,
"EndLine": 17
}
},
{
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Filename": "test/data/main.tf",
"Filename": "main.tf",
"Location": {
"StartLine": 12,
"EndLine": 18
Expand Down
File renamed without changes.
Loading

0 comments on commit 469f957

Please sign in to comment.