update tests

.github/workflows/sync-trivy-checks.yaml

@@ -0,0 +1,30 @@
+name: Sync Trivy Checks
+
+on:
+  workflow_dispatch:
+env:
+  IMAGE_NAME: ${{ github.repository_owner }}/trivy-checks
+  REGISTRY: ghcr.io
+
+jobs:
+  sync-trivy-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Pull Trivy Checks
+        run: |
+          oras pull ghcr.io/aquasecurity/trivy-checks:0
+
+      - name: Login to GitHub Packages Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push Trivy Checks
+        run: |
+          oras push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \
+            --config /dev/null:application/vnd.cncf.openpolicyagent.config.v1+json \
+            bundle.tar.gz:application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip

.github/workflows/sync-trivy-db.yaml

@@ -0,0 +1,30 @@
+name: Sync Trivy DB
+
+on:
+  workflow_dispatch:
+env:
+  IMAGE_NAME: ${{ github.repository_owner }}/trivy-db
+  REGISTRY: ghcr.io
+
+jobs:
+  sync-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Pull Trivy DB
+        run: |
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+
+      - name: Login to GitHub Packages Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push Trivy DB
+        run: |
+          oras push --artifact-type application/vnd.aquasec.trivy.config.v1+json \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \
+            db.tar.gz:application/vnd.aquasec.trivy.db.layer.v1.tar+gzip

.github/workflows/sync-trivy-java-db.yaml

@@ -0,0 +1,29 @@
+name: Sync Trivy Java DB
+
+on:
+  workflow_dispatch:
+env:
+  IMAGE_NAME: ${{ github.repository_owner }}/trivy-java-db
+  REGISTRY: ghcr.io
+
+jobs:
+  sync-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Pull Trivy DB
+        run: oras pull ghcr.io/aquasecurity/trivy-java-db:1
+
+      - name: Login to GitHub Packages Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push Trivy DB
+        run: |
+          oras push --artifact-type application/vnd.aquasec.trivy.config.v1+json \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \
+            javadb.tar.gz:application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip

.github/workflows/test.yaml

@@ -0,0 +1,29 @@
+name: Test
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+env:
+  TRIVY_VERSION: 0.50.1
+  BATS_LIB_PATH: '/usr/lib/'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Bats and bats libs
+        uses: bats-core/bats-action@2.0.0
+
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
+          trivy --version
+
+      - name: Test
+        run: |
+          chmod +x entrypoint.sh 
+          bats -r -T .

test/data/config-scan/main.tf

@@ -0,0 +1,18 @@
+# test data for trivy config with terraform variables
+
+variable "bucket_versioning_enabled" {
+  type    = string
+  default = "Disabled"
+}
+
+resource "aws_s3_bucket" "bucket" {
+  bucket = "trivy-action-bucket"
+}
+
+resource "aws_s3_bucket_versioning" "bucket_versioning" {
+  bucket = aws_s3_bucket.bucket.id
+
+  versioning_configuration {
+    status = var.bucket_versioning_enabled
+  }
+}

test/data/config.test → test/data/config-scan/report.json

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
-  "CreatedAt": "2024-01-02T23:40:12.036390742Z",
-  "ArtifactName": ".",
+  "CreatedAt": "2024-04-12T16:53:35.5567541+03:00",
+  "ArtifactName": "test/data/config-scan",
   "ArtifactType": "filesystem",
   "Metadata": {
     "ImageConfig": {
@@ -17,71 +17,7 @@
   },
   "Results": [
     {
-      "Target": "Dockerfile",
-      "Class": "config",
-      "Type": "dockerfile",
-      "MisconfSummary": {
-        "Successes": 24,
-        "Failures": 2,
-        "Exceptions": 0
-      },
-      "Misconfigurations": [
-        {
-          "Type": "Dockerfile Security Check",
-          "ID": "DS002",
-          "AVDID": "AVD-DS-0002",
-          "Title": "Image user should not be 'root'",
-          "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
-          "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
-          "Namespace": "builtin.dockerfile.DS002",
-          "Query": "data.builtin.dockerfile.DS002.deny",
-          "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
-          "Severity": "HIGH",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
-          "References": [
-            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
-            "https://avd.aquasec.com/misconfig/ds002"
-          ],
-          "Status": "FAIL",
-          "Layer": {},
-          "CauseMetadata": {
-            "Provider": "Dockerfile",
-            "Service": "general",
-            "Code": {
-              "Lines": null
-            }
-          }
-        },
-        {
-          "Type": "Dockerfile Security Check",
-          "ID": "DS026",
-          "AVDID": "AVD-DS-0026",
-          "Title": "No HEALTHCHECK defined",
-          "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
-          "Message": "Add HEALTHCHECK instruction in your Dockerfile",
-          "Namespace": "builtin.dockerfile.DS026",
-          "Query": "data.builtin.dockerfile.DS026.deny",
-          "Resolution": "Add HEALTHCHECK instruction in Dockerfile",
-          "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
-          "References": [
-            "https://blog.aquasec.com/docker-security-best-practices",
-            "https://avd.aquasec.com/misconfig/ds026"
-          ],
-          "Status": "FAIL",
-          "Layer": {},
-          "CauseMetadata": {
-            "Provider": "Dockerfile",
-            "Service": "general",
-            "Code": {
-              "Lines": null
-            }
-          }
-        }
-      ]
-    },
-    {
-      "Target": "test/data",
+      "Target": ".",
       "Class": "config",
       "Type": "terraform",
       "MisconfSummary": {
@@ -91,7 +27,7 @@
       }
     },
     {
-      "Target": "test/data/main.tf",
+      "Target": "main.tf",
       "Class": "config",
       "Type": "terraform",
       "MisconfSummary": {
@@ -436,15 +372,15 @@
             "Occurrences": [
               {
                 "Resource": "versioning_configuration",
-                "Filename": "test/data/main.tf",
+                "Filename": "main.tf",
                 "Location": {
                   "StartLine": 15,
                   "EndLine": 17
                 }
               },
               {
                 "Resource": "aws_s3_bucket_versioning.bucket_versioning",
-                "Filename": "test/data/main.tf",
+                "Filename": "main.tf",
                 "Location": {
                   "StartLine": 12,
                   "EndLine": 18