Use fsargs for helm scans, add debug, deprecate security checks and add scanners

README.md

@@ -25,7 +25,7 @@ step with the default plugin configuration parameters:
 steps:
   - command: ls
     plugins:
-      - equinixmetal-buildkite/trivy#v1.18.3:
+      - equinixmetal-buildkite/trivy#v1.18.4:
 ```
 
 ## Additional examples
@@ -36,7 +36,7 @@ Specify the `--exit-code` option as a plugin parameter in `pipeline.yml` to fail
 steps:
   - command: ls
     plugins:
-      - equinixmetal-buildkite/trivy#v1.18.3:
+      - equinixmetal-buildkite/trivy#v1.18.4:
           exit-code: 1
 ```
 
@@ -46,7 +46,7 @@ Specify the `--severity` option as a plugin parameter in `pipeline.yml` to scan
 steps:
   - command: ls
     plugins:
-      - equinixmetal-buildkite/trivy#v1.18.3:
+      - equinixmetal-buildkite/trivy#v1.18.4:
           severity: "CRITICAL"
 ```
 
@@ -69,9 +69,13 @@ Controls the severity of the vulnerabilities to be scanned. (Defaults to "UNKNOW
 
 Controls whether to display only fixed vulnerabilities. (Defaults to false)
 
-### `security-checks` (Optional, string)
+### `security-checks` (Optional, string) (DEPRECATED) 
 
-Controls the security checks to be performed. (Defaults to "vuln,config")
+Controls the security checks to be performed. This option is deprecated and may be removed in the future. Use `scanners` instead. (Defaults to "vuln,misconfig")
+
+### `scanners` (Optional, string)
+
+Controls the security scanners to be used. This replaced security-checks (Defaults to "vuln,misconfig")
 
 ### `skip-files` (Optional, string)
 
@@ -95,6 +99,9 @@ Controls the version of trivy to be used.
 
 To pass helm override values to trivy config scan
 
+### `debug` (Optional, boolean)
+
+Enable debug flag for trivy.
 
 ## Developing
 

hooks/post-command

@@ -72,6 +72,11 @@ final_exit_code="${BUILDKITE_PLUGIN_TRIVY_EXIT_CODE:-1}"
 args+=("--exit-code" "$final_exit_code")
 echo "using exit-code=$final_exit_code option while scanning"
 
+if [[ "${BUILDKITE_PLUGIN_TRIVY_DEBUG:-false}" == true ]] ; then
+  args+=("--debug")
+  echo "enabling debug output for trivy"
+fi
+
 if [[ -n "${BUILDKITE_PLUGIN_TRIVY_TIMEOUT:-}" ]] ; then
   args+=("--timeout" "${BUILDKITE_PLUGIN_TRIVY_TIMEOUT}")
   echo "using non-default timeout: '${BUILDKITE_PLUGIN_TRIVY_TIMEOUT}'"
@@ -93,21 +98,24 @@ if [[ -n "${BUILDKITE_PLUGIN_TRIVY_SKIP_DIRS:-}" ]] ; then
 fi
 
 if [[ -n "${BUILDKITE_PLUGIN_TRIVY_HELM_OVERRIDES_FILE:-}" ]]; then
+	fsargs+=("--helm-values" "${BUILDKITE_PLUGIN_TRIVY_HELM_OVERRIDES_FILE}")
 	echo "scanning with helm overrides"
-	trivy conf --helm-values "${BUILDKITE_PLUGIN_TRIVY_HELM_OVERRIDES_FILE}" "${args[@]}" "${fsargs[@]}" .
 fi
 
 if [[ "${BUILDKITE_PLUGIN_TRIVY_IGNORE_UNFIXED:-false}" == true ]] ; then
   args+=("--ignore-unfixed")
   echo "ignore-unfixed is set. Will ignore unfixed vulnerabilities"
 fi
 
-if [[ -n "${BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS:-}" ]] ; then
-  fsargs+=("--security-checks" "${BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS}")
-  echo "using $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS security checks"
+if [[ -n "${BUILDKITE_PLUGIN_TRIVY_SCANNERS:-}" ]] ; then
+  fsargs+=("--scanners" "${BUILDKITE_PLUGIN_TRIVY_SCANNERS}")
+  echo "using $BUILDKITE_PLUGIN_TRIVY_SCANNERS scanners"
+elif [[ -n "${BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS:-}" ]] ; then
+  fsargs+=("--scanners" "${BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS}")
+  echo "using $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS security checks - DEPRECATED, use scanners instead!"
 else
-  echo "using default security checks"
-  fsargs+=("--security-checks" "vuln,config")
+  echo "using default scanners"
+  fsargs+=("--scanners" "vuln,misconfig")
 fi
 
 echo "+++ scanning filesystem"

plugin.yml

@@ -18,6 +18,8 @@ configuration:
       type: boolean
     trivy-version:      
       type: string
+    scanners:
+      type: string
     security-checks:
       type: string
     image-ref:
@@ -28,4 +30,6 @@ configuration:
       type: string
     helm-overrides-file:
       type: string 
+    debug:
+      type: boolean
   additionalProperties: false

tests/post-command.bats

@@ -11,7 +11,7 @@ default_exit_code="--exit-code 1"
 
 @test "fs scan of a test app" {
   # TODO(jaosorior): Change the exit code if we change the default
-  stub trivy "fs $default_exit_code --security-checks vuln,config . : echo fs scan success"
+  stub trivy "fs $default_exit_code --scanners vuln,misconfig . : echo fs scan success"
   stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
     "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -29,7 +29,7 @@ default_exit_code="--exit-code 1"
 @test "fs scan of a test app with exit-code=1" {
   export BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=1
 
-  stub trivy "fs --exit-code 1 --security-checks vuln,config . : echo fs scan success"
+  stub trivy "fs --exit-code 1 --scanners vuln,misconfig . : echo fs scan success"
   stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
     "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -47,7 +47,7 @@ default_exit_code="--exit-code 1"
 @test "fs scan of a test app with exit-code=0" {
   export BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=0
 
-  stub trivy "fs --exit-code 0 --security-checks vuln,config . : echo fs scan success"
+  stub trivy "fs --exit-code 0 --scanners vuln,misconfig . : echo fs scan success"
   stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
     "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -65,7 +65,7 @@ default_exit_code="--exit-code 1"
 @test "fs scan of a test app with exit-code=1 with actual failure" {
   export BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=1
 
-  stub trivy "fs --exit-code 1 --security-checks vuln,config . : exit 1"
+  stub trivy "fs --exit-code 1 --scanners vuln,misconfig . : exit 1"
   stub buildkite-agent "annotate --style error \"trivy found vulnerabilities in repository. See the job output for details.<br />\" --context trivy-fs-scan : echo fs scan failure" \
     "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -83,7 +83,7 @@ default_exit_code="--exit-code 1"
 @test "fs scan of test app with ignore-unfixed flag set" {
   export BUILDKITE_PLUGIN_TRIVY_IGNORE_UNFIXED=true
 
-  stub trivy "fs $default_exit_code --ignore-unfixed --security-checks vuln,config . : echo fs scan success with --ignore-unfixed"
+  stub trivy "fs $default_exit_code --ignore-unfixed --scanners vuln,misconfig . : echo fs scan success with --ignore-unfixed"
   stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo output success" \
     "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -103,7 +103,7 @@ default_exit_code="--exit-code 1"
   export BUILDKITE_PLUGIN_TRIVY_TIMEOUT="6h6m6s"
   export BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=1
 
-  stub trivy "fs --exit-code 1 --timeout $BUILDKITE_PLUGIN_TRIVY_TIMEOUT --security-checks vuln,config . : echo fs scan success"
+  stub trivy "fs --exit-code 1 --timeout $BUILDKITE_PLUGIN_TRIVY_TIMEOUT --scanners vuln,misconfig . : echo fs scan success"
   stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
     "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -121,7 +121,7 @@ default_exit_code="--exit-code 1"
   export BUILDKITE_PLUGIN_TRIVY_SEVERITY="CRITICAL"
   export BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=1
 
-  stub trivy "fs --exit-code 1 --severity $BUILDKITE_PLUGIN_TRIVY_SEVERITY --security-checks vuln,config . : echo fs scan success"
+  stub trivy "fs --exit-code 1 --severity $BUILDKITE_PLUGIN_TRIVY_SEVERITY --scanners vuln,misconfig . : echo fs scan success"
   stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
     "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -139,7 +139,7 @@ default_exit_code="--exit-code 1"
   export BUILDKITE_PLUGIN_TRIVY_SEVERITY="CRITICAL,HIGH"
   export BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=1
 
-  stub trivy "fs --exit-code 1 --severity $BUILDKITE_PLUGIN_TRIVY_SEVERITY --security-checks vuln,config . : echo fs scan success"
+  stub trivy "fs --exit-code 1 --severity $BUILDKITE_PLUGIN_TRIVY_SEVERITY --scanners vuln,misconfig . : echo fs scan success"
   stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
     "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -157,7 +157,7 @@ default_exit_code="--exit-code 1"
   export BUILDKITE_PLUGIN_TRIVY_SEVERITY="CRITICAL,HIGH,MEDIUM"
   export BUILDKITE_PLUGIN_TRIVY_EXIT_CODE=1
 
-  stub trivy "fs --exit-code 1 --severity $BUILDKITE_PLUGIN_TRIVY_SEVERITY --security-checks vuln,config . : echo fs scan success"
+  stub trivy "fs --exit-code 1 --severity $BUILDKITE_PLUGIN_TRIVY_SEVERITY --scanners vuln,misconfig . : echo fs scan success"
   stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
     "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -171,57 +171,57 @@ default_exit_code="--exit-code 1"
   unstub buildkite-agent
 }
 
-@test "fs scan of a test app with only vulnerbility security check" {
-  export BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS="vuln"
-  stub trivy "fs $default_exit_code --security-checks $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS . : echo fs scan success"
+@test "fs scan of a test app with only vulnerbility scanner" {
+  export BUILDKITE_PLUGIN_TRIVY_SCANNERS="vuln"
+  stub trivy "fs $default_exit_code --scanners $BUILDKITE_PLUGIN_TRIVY_SCANNERS . : echo fs scan success"
   stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
     "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
   run "$PWD/hooks/post-command"
 
   assert_success
   assert_output --partial "scanning filesystem"
-  assert_output --partial "using $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS security checks"
+  assert_output --partial "using $BUILDKITE_PLUGIN_TRIVY_SCANNERS scanners"
 
   unstub trivy
   unstub buildkite-agent
 }
 
-@test "fs scan of a test app with vulnerbility and configuration security check" {
-  export BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS="vuln,config"
-  stub trivy "fs $default_exit_code --security-checks $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS . : echo fs scan success"
+@test "fs scan of a test app with vulnerbility and configuration scanners" {
+  export BUILDKITE_PLUGIN_TRIVY_SCANNERS="vuln,misconfig"
+  stub trivy "fs $default_exit_code --scanners $BUILDKITE_PLUGIN_TRIVY_SCANNERS . : echo fs scan success"
   stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
     "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
   run "$PWD/hooks/post-command"
 
   assert_success
   assert_output --partial "scanning filesystem"
-  assert_output --partial "using $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS security checks"
+  assert_output --partial "using $BUILDKITE_PLUGIN_TRIVY_SCANNERS scanners"
 
   unstub trivy
   unstub buildkite-agent
 }
 
-@test "fs scan of a test app with vulnerbility,secret and configuration security check" {
-  export BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS="vuln,secret,config"
-  stub trivy "fs $default_exit_code --security-checks $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS . : echo fs scan success"
+@test "fs scan of a test app with vulnerbility,secret and configuration scanners" {
+  export BUILDKITE_PLUGIN_TRIVY_SCANNERS="vuln,secret,misconfig"
+  stub trivy "fs $default_exit_code --scanners $BUILDKITE_PLUGIN_TRIVY_SCANNERS . : echo fs scan success"
   stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
     "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
   run "$PWD/hooks/post-command"
 
   assert_success
   assert_output --partial "scanning filesystem"
-  assert_output --partial "using $BUILDKITE_PLUGIN_TRIVY_SECURITY_CHECKS security checks"
+  assert_output --partial "using $BUILDKITE_PLUGIN_TRIVY_SCANNERS scanners"
 
   unstub trivy
   unstub buildkite-agent
 }
 
 @test "fs scan of a test app skipping a file" {
   export BUILDKITE_PLUGIN_TRIVY_SKIP_FILES="test.txt"
-  stub trivy "fs $default_exit_code --skip-files $BUILDKITE_PLUGIN_TRIVY_SKIP_FILES --security-checks vuln,config . : echo fs scan success"
+  stub trivy "fs $default_exit_code --skip-files $BUILDKITE_PLUGIN_TRIVY_SKIP_FILES --scanners vuln,misconfig . : echo fs scan success"
   stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
     "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -234,7 +234,7 @@ default_exit_code="--exit-code 1"
 
 @test "fs scan of a test app skipping a dir" {
   export BUILDKITE_PLUGIN_TRIVY_SKIP_DIRS="test"
-  stub trivy "fs $default_exit_code --skip-dirs $BUILDKITE_PLUGIN_TRIVY_SKIP_DIRS --security-checks vuln,config . : echo fs scan success"
+  stub trivy "fs $default_exit_code --skip-dirs $BUILDKITE_PLUGIN_TRIVY_SKIP_DIRS --scanners vuln,misconfig . : echo fs scan success"
   stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
     "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
 
@@ -249,7 +249,7 @@ default_exit_code="--exit-code 1"
   export BUILDKITE_PLUGIN_TRIVY_IMAGE_REF="nginx:latest"
 
   stub trivy \
-    "fs $default_exit_code --security-checks vuln,config . : echo fs scan success" \
+    "fs $default_exit_code --scanners vuln,misconfig . : echo fs scan success" \
     "image $default_exit_code $BUILDKITE_PLUGIN_TRIVY_IMAGE_REF : echo container image scan success"
   stub docker \
     "images -q $BUILDKITE_PLUGIN_TRIVY_IMAGE_REF : echo ''" \
@@ -273,7 +273,7 @@ default_exit_code="--exit-code 1"
   export BUILDKITE_PLUGIN_TRIVY_IMAGE_REF="nginx:latest"
 
   stub trivy \
-    "fs $default_exit_code --security-checks vuln,config . : echo fs scan success" \
+    "fs $default_exit_code --scanners vuln,misconfig . : echo fs scan success" \
     "image $default_exit_code $BUILDKITE_PLUGIN_TRIVY_IMAGE_REF : echo container image scan success"
   stub docker \
     "images -q $BUILDKITE_PLUGIN_TRIVY_IMAGE_REF : echo 'Found image!'"
@@ -296,7 +296,7 @@ default_exit_code="--exit-code 1"
   export BUILDKITE_PLUGIN_TRIVY_IMAGE_REF="nginx:latest"
 
   stub trivy \
-    "fs $default_exit_code --security-checks vuln,config . : echo fs scan success" \
+    "fs $default_exit_code --scanners vuln,misconfig . : echo fs scan success" \
     "image $default_exit_code $BUILDKITE_PLUGIN_TRIVY_IMAGE_REF : exit 1"
   stub docker \
     "images -q $BUILDKITE_PLUGIN_TRIVY_IMAGE_REF : echo ''" \
@@ -324,7 +324,7 @@ default_exit_code="--exit-code 1"
   echo "$_TAGS_0" >> "$DOCKER_METADATA_DIR/tags"
 
   stub trivy \
-    "fs $default_exit_code --security-checks vuln,config . : echo fs scan success" \
+    "fs $default_exit_code --scanners vuln,misconfig . : echo fs scan success" \
     "image $default_exit_code $_TAGS_0 : echo container image scan success"
   stub docker \
     "images -q $_TAGS_0 : echo 'Found image!'"
@@ -350,7 +350,7 @@ default_exit_code="--exit-code 1"
   echo "$_TAGS_0" >> "$DOCKER_METADATA_DIR/tags"
 
   stub trivy \
-    "fs $default_exit_code --security-checks vuln,config . : echo fs scan success" \
+    "fs $default_exit_code --scanners vuln,misconfig . : echo fs scan success" \
     "image $default_exit_code $_TAGS_0 : echo container image scan success"
   stub docker \
     "images -q $_TAGS_0 : echo ''" \