chore: bump trivy to v0.60.0 (#453)

nikpivkin · web-flow · commit 6c175e9c4083 · 2025-03-13T20:58:00.000-06:00
Signed-off-by: Nikita Pivkin &lt;nikita.pivkin@smartforce.io&gt;
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  TRIVY_VERSION: 0.57.1
+  TRIVY_VERSION: 0.60.0
   BATS_LIB_PATH: '/usr/lib/'
 
 jobs:
diff --git a/README.md b/README.md
@@ -215,7 +215,7 @@ jobs:
       uses: aquasecurity/setup-trivy@v0.2.0
       with:
         cache: true
-        version: v0.57.1
+        version: v0.60.1
 
     - name: Run Trivy vulnerability scanner in repo mode
       uses: aquasecurity/trivy-action@master
@@ -847,7 +847,7 @@ Following inputs can be used as `step.with` keys:
 | `github-pat`                 | String  |                                    | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN        |
 | `limit-severities-for-sarif` | Boolean | false                              | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 | `docker-host`                | String  |                                    | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values                                      |
-| `version`                    | String  | `v0.57.1`                          | Trivy version to use, e.g. `latest` or `v0.57.1`                                                                                                               |
+| `version`                    | String  | `v0.60.0`                          | Trivy version to use, e.g. `latest` or `v0.60.0`                                                                                                               |
 | `skip-setup-trivy`           | Boolean | false                              | Skip calling the `setup-trivy` action to install `trivy`                                                                                                       |
 | `token-setup-trivy`          | Boolean |                                    | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository                                                                              |
 
diff --git a/action.yaml b/action.yaml
@@ -98,7 +98,7 @@ inputs:
   version:
     description: 'Trivy version to use'
     required: false
-    default: 'v0.57.1'
+    default: 'v0.60.0'
   cache:
     description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
     required: false
diff --git a/test/data/config-sarif-report/report.sarif b/test/data/config-sarif-report/report.sarif
@@ -205,7 +205,7 @@
                 "text": "S3 buckets should each define an aws_s3_bucket_public_access_block"
               },
               "fullDescription": {
-                "text": "The &#34;block public access&#34; settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.\n"
+                "text": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.\n"
               },
               "defaultConfiguration": {
                 "level": "note"
diff --git a/test/data/config-scan/report.json b/test/data/config-scan/report.json
@@ -90,7 +90,8 @@
                   "LastCause": true
                 }
               ]
-            }
+            },
+            "RenderedCause": {}
           }
         },
         {
@@ -150,7 +151,8 @@
                   "LastCause": true
                 }
               ]
-            }
+            },
+            "RenderedCause": {}
           }
         },
         {
@@ -210,7 +212,8 @@
                   "LastCause": true
                 }
               ]
-            }
+            },
+            "RenderedCause": {}
           }
         },
         {
@@ -271,7 +274,8 @@
                   "LastCause": true
                 }
               ]
-            }
+            },
+            "RenderedCause": {}
           }
         },
         {
@@ -388,7 +392,11 @@
                   "EndLine": 18
                 }
               }
-            ]
+            ],
+            "RenderedCause": {
+              "Raw": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {\n  versioning_configuration {\n    status = \"Disabled\"\n  }\n}",
+              "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {\n  versioning_configuration {\n    \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;37m\"Disabled\"\n\u001b[0m  }\n}"
+            }
           }
         },
         {
@@ -448,7 +456,8 @@
                   "LastCause": true
                 }
               ]
-            }
+            },
+            "RenderedCause": {}
           }
         },
         {
@@ -508,7 +517,8 @@
                   "LastCause": true
                 }
               ]
-            }
+            },
+            "RenderedCause": {}
           }
         },
         {
@@ -568,7 +578,8 @@
                   "LastCause": true
                 }
               ]
-            }
+            },
+            "RenderedCause": {}
           }
         },
         {
@@ -628,7 +639,8 @@
                   "LastCause": true
                 }
               ]
-            }
+            },
+            "RenderedCause": {}
           }
         }
       ]
diff --git a/test/data/fs-scan/report b/test/data/fs-scan/report
@@ -0,0 +1,12 @@
+
+Report Summary
+
+┌────────┬──────┬─────────────────┬─────────┐
+│ Target │ Type │ Vulnerabilities │ Secrets │
+├────────┼──────┼─────────────────┼─────────┤
+│   -    │  -   │        -        │    -    │
+└────────┴──────┴─────────────────┴─────────┘
+Legend:
+- '-': Not scanned
+- '0': Clean (no security findings detected)
+
diff --git a/test/data/image-scan/report b/test/data/image-scan/report
@@ -1,4 +1,18 @@
 
+Report Summary
+
+┌──────────────────────────────────────────┬────────┬─────────────────┬─────────┐
+│                  Target                  │  Type  │ Vulnerabilities │ Secrets │
+├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
+│ knqyf263/vuln-image:1.2.3 (alpine 3.7.1) │ alpine │       19        │    -    │
+├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
+│ rust-app/Cargo.lock                      │ cargo  │        4        │    -    │
+└──────────────────────────────────────────┴────────┴─────────────────┴─────────┘
+Legend:
+- '-': Not scanned
+- '0': Clean (no security findings detected)
+
+
 knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
 ========================================
 Total: 19 (CRITICAL: 19)
diff --git a/test/data/rootfs-scan/report b/test/data/rootfs-scan/report
@@ -0,0 +1,12 @@
+
+Report Summary
+
+┌────────┬──────┬─────────────────┬─────────┐
+│ Target │ Type │ Vulnerabilities │ Secrets │
+├────────┼──────┼─────────────────┼─────────┤
+│   -    │  -   │        -        │    -    │
+└────────┴──────┴─────────────────┴─────────┘
+Legend:
+- '-': Not scanned
+- '0': Clean (no security findings detected)
+
diff --git a/test/data/with-ignore-files/report b/test/data/with-ignore-files/report
@@ -1,4 +1,18 @@
 
+Report Summary
+
+┌──────────────────────────────────────────┬────────┬─────────────────┬─────────┐
+│                  Target                  │  Type  │ Vulnerabilities │ Secrets │
+├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
+│ knqyf263/vuln-image:1.2.3 (alpine 3.7.1) │ alpine │       19        │    -    │
+├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
+│ rust-app/Cargo.lock                      │ cargo  │        1        │    -    │
+└──────────────────────────────────────────┴────────┴─────────────────┴─────────┘
+Legend:
+- '-': Not scanned
+- '0': Clean (no security findings detected)
+
+
 knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
 ========================================
 Total: 19 (CRITICAL: 19)

Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,8 @@`
`90`	`90`	`"LastCause": true`
`91`	`91`	`}`
`92`	`92`	`]`
`93`		`- }`
	`93`	`+ },`
	`94`	`+ "RenderedCause": {}`
`94`	`95`	`}`
`95`	`96`	`},`
`96`	`97`	`{`
`@@ -150,7 +151,8 @@`
`150`	`151`	`"LastCause": true`
`151`	`152`	`}`
`152`	`153`	`]`
`153`		`- }`
	`154`	`+ },`
	`155`	`+ "RenderedCause": {}`
`154`	`156`	`}`
`155`	`157`	`},`
`156`	`158`	`{`
`@@ -210,7 +212,8 @@`
`210`	`212`	`"LastCause": true`
`211`	`213`	`}`
`212`	`214`	`]`
`213`		`- }`
	`215`	`+ },`
	`216`	`+ "RenderedCause": {}`
`214`	`217`	`}`
`215`	`218`	`},`
`216`	`219`	`{`
`@@ -271,7 +274,8 @@`
`271`	`274`	`"LastCause": true`
`272`	`275`	`}`
`273`	`276`	`]`
`274`		`- }`
	`277`	`+ },`
	`278`	`+ "RenderedCause": {}`
`275`	`279`	`}`
`276`	`280`	`},`
`277`	`281`	`{`
`@@ -388,7 +392,11 @@`
`388`	`392`	`"EndLine": 18`
`389`	`393`	`}`
`390`	`394`	`}`
`391`		`- ]`
	`395`	`+ ],`
	`396`	`+ "RenderedCause": {`
	`397`	`+ "Raw": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {\n versioning_configuration {\n status = \"Disabled\"\n }\n}",`
	`398`	`+ "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {\n versioning_configuration {\n \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;37m\"Disabled\"\n\u001b[0m }\n}"`
	`399`	`+ }`
`392`	`400`	`}`
`393`	`401`	`},`
`394`	`402`	`{`
`@@ -448,7 +456,8 @@`
`448`	`456`	`"LastCause": true`
`449`	`457`	`}`
`450`	`458`	`]`
`451`		`- }`
	`459`	`+ },`
	`460`	`+ "RenderedCause": {}`
`452`	`461`	`}`
`453`	`462`	`},`
`454`	`463`	`{`
`@@ -508,7 +517,8 @@`
`508`	`517`	`"LastCause": true`
`509`	`518`	`}`
`510`	`519`	`]`
`511`		`- }`
	`520`	`+ },`
	`521`	`+ "RenderedCause": {}`
`512`	`522`	`}`
`513`	`523`	`},`
`514`	`524`	`{`
`@@ -568,7 +578,8 @@`
`568`	`578`	`"LastCause": true`
`569`	`579`	`}`
`570`	`580`	`]`
`571`		`- }`
	`581`	`+ },`
	`582`	`+ "RenderedCause": {}`
`572`	`583`	`}`
`573`	`584`	`},`
`574`	`585`	`{`
`@@ -628,7 +639,8 @@`
`628`	`639`	`"LastCause": true`
`629`	`640`	`}`
`630`	`641`	`]`
`631`		`- }`
	`642`	`+ },`
	`643`	`+ "RenderedCause": {}`
`632`	`644`	`}`
`633`	`645`	`}`
`634`	`646`	`]`