
Error: Failed to execute Trivy command #111

Open
Yuga05 opened this issue Feb 3, 2022 · 5 comments


Yuga05 commented Feb 3, 2022

Hi Guys,

Getting an error while using this action.

[Screenshot 2022-02-03 111658]

Looks like there is a PR open for this issue - can you merge it? #109

@jananathbanuka

Try using trivy_version: "0.22.0"

@lucasmellos

Solved the problem @jananathbanuka

ventz commented Feb 25, 2023

@jananathbanuka Seeing a similar issue with the latest version of Trivy:

Run lazy-actions/gitrivy@v3
Download URL: https://github.com/aquasecurity/trivy/releases/download/v0.37.3/trivy_0.37.3_Linux-64bit.tar.gz
Trivy Command Path: /home/runner/work/app/app/trivy
Error: Failed to execute Trivy command.
      exit code: 1
      stdout: 
      stderr: Error: unknown flag: --severity
Usage:
  trivy [global flags] command [flags] target
  trivy [command]

Examples:
  # Scan a container image
  $ trivy image python:3.4-alpine

  # Scan a container image from a tar archive
  $ trivy image --input ruby-3.1.tar

  # Scan local filesystem
  $ trivy fs .

  # Run in server mode
  $ trivy server
  ...etc...
  Use "trivy [command] --help" for more information about a command.

2023-02-25T21:41:26.836Z	FATAL	unknown flag: --severity

What is causing this? Clearly --severity exists in v0.37.3:

trivy image --severity HIGH,CRITICAL $image

hwakabh commented Mar 21, 2023

@ventz Same as above. In my case, the Trivy version in use is v0.38.3 and the official repo mentions the --severity option in its references, but gitrivy got the error...
https://github.com/aquasecurity/trivy/blob/main/docs/docs/references/cli/trivy_image.md?plain=1#L85

Run lazy-actions/gitrivy@v3
Download URL: https://github.com/aquasecurity/trivy/releases/download/v0.38.3/trivy_0.38.3_Linux-64bit.tar.gz
Trivy Command Path: /home/runner/work/glocalist-backend/glocalist-backend/trivy
Error: Failed to execute Trivy command.
      exit code: 1
      stdout: 
      stderr: Error:
      unknown flag: --severity

Downloaded and extracted the trivy binary from the link above; v0.38.3 does have the option for image scan:

$ wget https://github.com/aquasecurity/trivy/releases/download/v0.38.3/trivy_0.38.3_Linux-64bit.tar.gz
$ tar -xzvf ./trivy_0.38.3_Linux-64bit.tar.gz 
$ ./trivy --version
Version: 0.38.3
$ ./trivy image --help
Scan a container image

Usage:
  trivy image [flags] IMAGE_NAME

Aliases:
  image, i

Examples:
  # Scan a container image
  $ trivy image python:3.4-alpine

  # Scan a container image from a tar archive
  $ trivy image --input ruby-3.1.tar

  # Filter by severities
  $ trivy image --severity HIGH,CRITICAL alpine:3.15

  # Ignore unfixed/unpatched vulnerabilities
  $ trivy image --ignore-unfixed alpine:3.15

  # Scan a container image in client mode
  $ trivy image --server http://127.0.0.1:4954 alpine:latest

  # Generate json result
  $ trivy image --format json --output result.json alpine:3.15

  # Generate a report in the CycloneDX format
  $ trivy image --format cyclonedx --output result.cdx alpine:3.15

# (...)

Report Flags
      --compliance string      compliance report to generate (docker-cis)
      --dependency-tree        [EXPERIMENTAL] show dependency origin tree of vulnerable packages
      --exit-code int          specify exit code when any security issues are found
      --exit-on-eol int        exit with the specified code when the OS reaches end of service/life
  -f, --format string          format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
  -o, --output string          output file name
      --report string          specify a format for the compliance report. (default "summary")
  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
  -t, --template string        output template

# (...)

Seems this PR will fix this issue, but it has not been merged yet...
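The failing log quotes Trivy's root usage (trivy [global flags] command [flags] target), which suggests --severity was parsed before the subcommand rather than after "image". The script below is an added example, not gitrivy's or Trivy's own code, and assumes that reading: it checks that the pinned binary advertises the flag for the subcommand before scanning, and always places the flag after "image". The make_mock_trivy fixture is a constructed stand-in for the real binary so the example runs offline.

```shell
#!/usr/bin/env bash
# Added example (not gitrivy's or Trivy's code). Assumption: --severity is a
# subcommand flag of "trivy image", not a global flag, in the versions above.
set -u

# Return 0 if "$bin $subcmd --help" lists $flag as a long option, else 1.
trivy_flag_supported() {
  local bin=$1 subcmd=$2 flag=$3
  "$bin" "$subcmd" --help 2>/dev/null |
    grep -Eq "^[[:space:]]+(-[A-Za-z], )?${flag}([[:space:]]|$)"
}

# Run the scan with --severity AFTER the subcommand, and fail early with a
# clear message when the pinned binary does not advertise the flag (instead
# of the opaque "unknown flag" seen in the action log).
scan_image() {
  local bin=$1 image=$2 sev=${3:-HIGH,CRITICAL}
  if ! trivy_flag_supported "$bin" image --severity; then
    echo "trivy at $bin lacks 'image --severity'; pin a different trivy_version" >&2
    return 2
  fi
  "$bin" image --severity "$sev" --exit-code 1 "$image"
}

# Constructed mock of a Trivy binary mirroring the behaviour in the thread:
# a leading --severity is rejected, "image --severity" is accepted, and
# "image --help" prints the Report Flags entry for --severity.
make_mock_trivy() {
  local dir; dir=$(mktemp -d)
  cat >"$dir/trivy" <<'EOF'
#!/bin/sh
case "$1" in
  --*) echo "Error: unknown flag: $1" >&2; exit 1 ;;
  image)
    if [ "$2" = "--help" ]; then
      printf 'Report Flags\n  -s, --severity string   severities (comma separated)\n'
      exit 0
    fi
    echo "scanned $* with severity $3"; exit 0 ;;
esac
exit 1
EOF
  chmod +x "$dir/trivy"; echo "$dir/trivy"
}

# Usage: MOCK=$(make_mock_trivy); scan_image "$MOCK" alpine:3.15
```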

ventz commented Mar 21, 2023

@hwakabh Thank you for mentioning this!
