From a7a829a4345428ddd92ca57b18257440f6a18c90 Mon Sep 17 00:00:00 2001
From: Oran Moshai <12291998+oranmoshai@users.noreply.github.com>
Date: Thu, 3 Feb 2022 01:19:51 +0200
Subject: [PATCH] chore: update trivy version Dockerfile (#96)

* chore: update trivy version Dockerfile
* Update readme for sarif deprecate https://github.com/aquasecurity/trivy/discussions/1571
* docs: revert template and remove sarif.tpl
* fix: update condition to use format variable

Co-authored-by: oranmoshai
Co-authored-by: knqyf263
---
 Dockerfile | 2 +-
 README.md | 28 ++++++++++------------------
 entrypoint.sh | 4 ++--
 3 files changed, 13 insertions(+), 21 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index ae68cd7..3662b60 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM aquasec/trivy:0.22.0
+FROM aquasec/trivy:0.23.0
 COPY entrypoint.sh /
 RUN apk --no-cache add bash
 RUN chmod +x /entrypoint.sh
diff --git a/README.md b/README.md
index 3452f92..28f7840 100644
--- a/README.md
+++ b/README.md
@@ -76,8 +76,7 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
- format: 'template'
- template: '@/contrib/sarif.tpl'
+ format: 'sarif'
 output: 'trivy-results.sarif'
 
 - name: Upload Trivy scan results to GitHub Security tab
@@ -112,8 +111,7 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
- format: 'template'
- template: '@/contrib/sarif.tpl'
+ format: 'sarif'
 output: 'trivy-results.sarif'
 
 - name: Upload Trivy scan results to GitHub Security tab
@@ -149,8 +147,7 @@ jobs:
 with:
 scan-type: 'fs'
 ignore-unfixed: true
- format: 'template'
- template: '@/contrib/sarif.tpl'
+ format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL'
 
@@ -185,8 +182,7 @@ jobs:
 scan-type: 'rootfs'
 scan-ref: 'rootfs-example-binary'
 ignore-unfixed: true
- format: 'template'
- template: '@/contrib/sarif.tpl'
+ format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL'
 
@@ -256,8 +252,7 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
- format: 'template'
- template: '@/contrib/sarif.tpl'
+ format: 'sarif'
 output: 'trivy-results.sarif'
 env:
 TRIVY_USERNAME: Username
@@ -293,8 +288,7 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
- format: 'template'
- template: '@/contrib/sarif.tpl'
+ format: 'sarif'
 output: 'trivy-results.sarif'
 env:
 AWS_ACCESS_KEY_ID: key_id
@@ -330,8 +324,7 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
- format: 'template'
- template: '@/contrib/sarif.tpl'
+ format: 'sarif'
 output: 'trivy-results.sarif'
 env:
 GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
@@ -364,8 +357,7 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
- format: 'template'
- template: '@/contrib/sarif.tpl'
+ format: 'sarif'
 output: 'trivy-results.sarif'
 env:
 TRIVY_USERNAME: Username
@@ -389,8 +381,8 @@ Following inputs can be used as `step.with` keys:
 | `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
 | `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
 | `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.`|
-| `format` | String | `table` | Output format (`table`, `json`, `template`) |
-| `template` | String | | Output template (`@/contrib/sarif.tpl`, `@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)|
+| `format` | String | `table` | Output format (`table`, `json`, `sarif`) |
+| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)|
 | `output` | String | | Save results to a file |
 | `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
 | `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
diff --git a/entrypoint.sh b/entrypoint.sh
index f551372..e718829 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -138,9 +138,9 @@ returnCode=$?
 # SARIF is special. We output all vulnerabilities,
 # regardless of severity level specified in this report.
 # This is a feature, not a bug :)
-if [[ ${template} == *"sarif"* ]]; then
+if [[ "${format}" == "sarif" ]]; then
 echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
- trivy --quiet ${scanType} --format template --template ${template} --output ${output} $SARIF_ARGS ${artifactRef}
+ trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
 fi
 
 exit $returnCode
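Review bot: The exit status of the rewritten `trivy --quiet ${scanType} --format sarif …` line is still discarded, so if this second run fails (a database download error, for example) `${output}` is left missing or stale while the step still exits with the earlier `returnCode`, and the problem only surfaces, if at all, in the later upload step. Consider `trivy --quiet ${scanType} --format sarif --output "${output}" $SARIF_ARGS "${artifactRef}" || { echo "SARIF report generation failed" >&2; exit 1; }`, which also quotes `${output}` and `${artifactRef}` against word splitting on the new line. The first trivy invocation that sets `returnCode` lies above the hunk; if it already honours `--format sarif` it presumably writes `${output}` once before this block overwrites it with the all-severity report, which is worth stating in the comment on the new `if` since the scan now runs twice whenever `format` is `sarif`.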