From d6443d4e5555d2dd1f6189a0cec5daed0b46208f Mon Sep 17 00:00:00 2001 From: guilherme_marz Date: Sat, 18 Feb 2023 18:37:50 -0300 Subject: [PATCH 1/9] feat: rename token input --- action.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/action.yaml b/action.yaml index f2dcc23..228c243 100644 --- a/action.yaml +++ b/action.yaml @@ -82,8 +82,8 @@ inputs: artifact-type: description: 'input artifact type (image, fs, repo, archive) for SBOM generation' required: false - github-pat: - description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API' + github-token: + description: 'Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN' required: false trivy-config: description: 'path to trivy.yaml config' @@ -116,6 +116,6 @@ runs: - '-r ${{ inputs.list-all-pkgs }}' - '-s ${{ inputs.security-checks }}' - '-t ${{ inputs.trivyignores }}' - - '-u ${{ inputs.github-pat }}' + - '-u ${{ inputs.github-token }}' - '-v ${{ inputs.trivy-config }}' - '-z ${{ inputs.limit-severities-for-sarif }}' From 914a0e310b674a24557fabd7878e31ba6aa8f2fd Mon Sep 17 00:00:00 2001 From: guilherme_marz Date: Sat, 18 Feb 2023 18:39:29 -0300 Subject: [PATCH 2/9] feat: renamed token input --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2c9d2b9..cfaca8b 100644 --- a/README.md +++ b/README.md @@ -327,7 +327,7 @@ jobs: format: 'github' output: 'dependency-results.sbom.json' image-ref: '.' - github-pat: '' + github-token: '' ``` ### Using Trivy to scan your private registry From 8fa0922c7215d646d27c44ff76642b987548df1e Mon Sep 17 00:00:00 2001 From: guilherme_marz Date: Sat, 18 Feb 2023 18:39:50 -0300 Subject: [PATCH 3/9] feat: renamed token input --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cfaca8b..a932863 100644 
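Review bot: The new `github-token` description says `GITHUB_TOKEN` is accepted, but it does not say what the token must be allowed to do, and the `-u` argument is the only place the value is consumed, so a caller has no other cue; as far as I recall the dependency-graph snapshots endpoint needs write access to repository contents, so a job whose `GITHUB_TOKEN` runs with the default read-only permissions gets a 403 from the upload and the README example (`github-token: ''`) gives no hint either. I would make the requirement explicit in the input, e.g. `description: 'Token used to submit the SBOM to the GitHub Dependency Graph: a Personal Access Token (PAT) or GITHUB_TOKEN; the workflow job needs write permission on repository contents (permissions: contents: write) for the upload to succeed'`. The `inputs:` mapping this hunk edits starts before the hunk, so other inputs may carry a convention for such notes that the text should follow.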
--- a/README.md +++ b/README.md @@ -501,7 +501,7 @@ Following inputs can be used as `step.with` keys: | `security-checks` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) | | `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files | | `trivy-config` | String | | Path to trivy.yaml config | -| `github-pat` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots | +| `github-token` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots | | `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** | [release]: https://github.com/aquasecurity/trivy-action/releases/latest From bd9284cb591e855b7e90884aac04e5d519b4f174 Mon Sep 17 00:00:00 2001 From: guilherme_marz Date: Sat, 18 Feb 2023 18:41:42 -0300 Subject: [PATCH 4/9] feat: renamed token input --- test/data/repo.test | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/data/repo.test b/test/data/repo.test index b7bc4dc..59a448c 100644 --- a/test/data/repo.test +++ b/test/data/repo.test @@ -20,10 +20,10 @@ "Class": "secret", "Secrets": [ { - "RuleID": "github-pat", + "RuleID": "github-token", "Category": "GitHub", "Severity": "CRITICAL", - "Title": "GitHub Personal Access Token", + "Title": "GitHub Token (PAT or install acess token)", "StartLine": 5, "EndLine": 5, "Code": { From a55f6e902c7edabe674e229a3efa752367742df1 Mon Sep 17 00:00:00 2001 From: guilherme_marz Date: Sat, 18 Feb 2023 18:42:23 -0300 Subject: [PATCH 5/9] feat: update script --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index f265929..3c1ce49 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -191,7 +191,7 @@ if [[ "${format}" == "github" ]]; then printf "\n Uploading GitHub Dependency Snapshot" curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubPAT" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs) else - printf "\n Failing GitHub Dependency Snapshot. Missing github-pat" + printf "\n Failing GitHub Dependency Snapshot. Missing github-token" fi fi From 3475d3fc2efe38219b7daaebcc2c8cd073e26e6f Mon Sep 17 00:00:00 2001 From: guilherme_marz Date: Sat, 18 Feb 2023 18:44:20 -0300 Subject: [PATCH 6/9] feat: update script --- entrypoint.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 3c1ce49..f83ed6e 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -63,7 +63,7 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do export trivyIgnores=${OPTARG} ;; u) - export githubPAT=${OPTARG} + export githubToken=${OPTARG} ;; v) export trivyConfig=${OPTARG} @@ -187,9 +187,9 @@ else fi if [[ "${format}" == "github" ]]; then - if [[ "$(echo $githubPAT | xargs)" != "" ]]; then + if [[ "$(echo $githubToken | xargs)" != "" ]]; then printf "\n Uploading GitHub Dependency Snapshot" - curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubPAT" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs) + curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubToken" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs) else printf "\n Failing GitHub Dependency Snapshot. Missing github-token" fi From 93f1a94dae186610ec73391b1739f81ad212d902 Mon Sep 17 00:00:00 2001 From: guilherme_marz Date: Sat, 18 Feb 2023 18:59:30 -0300 Subject: [PATCH 7/9] feat: renamed token input in test file --- test/data/repo.test | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
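Review bot: In the renamed upload line the token still travels on curl's argv (`-H "Authorization: token $githubToken"`), so for the duration of the request it is readable in the process list by anything else running on the runner; feeding the header through stdin keeps it off argv, e.g. `printf 'Authorization: token %s\n' "$githubToken" | curl -sS --fail -H 'Accept: application/vnd.github+json' -H @- "https://api.github.com/repos/${GITHUB_REPOSITORY}/dependency-graph/snapshots" -d @./$(echo $output | xargs)` (`-H @-` needs curl 7.55 or newer, which the action's image presumably has — worth confirming). The call also has no `--fail` or status check, so a 401/403/422 from the snapshots endpoint only prints the API body and nothing in the hunk sets a non-zero status, matching the `else` branch that prints "Failing" and carries on. In the getopts hunk above, `export githubToken=${OPTARG}` hands the secret to every child process of the script, including trivy itself; a plain assignment `githubToken=${OPTARG}` is enough since only this script reads it. The enclosing `if [[ "${format}" == "github" ]]` block begins before this hunk.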
diff --git a/test/data/repo.test b/test/data/repo.test index 59a448c..5935708 100644 --- a/test/data/repo.test +++ b/test/data/repo.test @@ -49,11 +49,11 @@ }, { "Number": 5, - "Content": "export GITHUB_PAT=****************************************", + "Content": "export GITHUB_TOKEN=****************************************", "IsCause": true, "Annotation": "", "Truncated": false, - "Highlighted": "export GITHUB_PAT=****************************************", + "Highlighted": "export GITHUB_TOKEN=****************************************", "FirstCause": true, "LastCause": true }, @@ -68,7 +68,7 @@ } ] }, - "Match": "export GITHUB_PAT=****************************************", + "Match": "export GITHUB_TOKEN=****************************************", "Layer": {} } ] From 5b16700f7613a3840b76f8072e68d15687b2eda3 Mon Sep 17 00:00:00 2001 From: Guilherme Marz Vazzolla <53506039+saerosV@users.noreply.github.com> Date: Mon, 20 Feb 2023 22:14:18 -0300 Subject: [PATCH 8/9] fix: typo Co-authored-by: Duncan Casteleyn <10881109+DuncanCasteleyn@users.noreply.github.com> --- test/data/repo.test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/data/repo.test b/test/data/repo.test index 5935708..c794a18 100644 --- a/test/data/repo.test +++ b/test/data/repo.test @@ -23,7 +23,7 @@ "RuleID": "github-token", "Category": "GitHub", "Severity": "CRITICAL", - "Title": "GitHub Token (PAT or install acess token)", + "Title": "GitHub Token (PAT or install access token)", "StartLine": 5, "EndLine": 5, "Code": { From 91b73c981f1075d3d85e8fc06f112c0fa027de7d Mon Sep 17 00:00:00 2001 From: Guilherme Marz Vazzolla <53506039+saerosV@users.noreply.github.com> Date: Mon, 20 Feb 2023 22:19:06 -0300 Subject: [PATCH 9/9] feat: update input description in table --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a932863..62cf9b9 100644 --- a/README.md +++ b/README.md 
@@ -501,7 +501,7 @@ Following inputs can be used as `step.with` keys: | `security-checks` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) | | `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files | | `trivy-config` | String | | Path to trivy.yaml config | -| `github-token` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots | +| `github-token` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | | `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** | [release]: https://github.com/aquasecurity/trivy-action/releases/latest