fix(sarif): Add option to limit severities for sarif (aquasecurity#192)

README.md

@@ -501,6 +501,7 @@ Following inputs can be used as `step.with` keys:
 | `security-checks` | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)               |
 | `trivyignores`    | String  |                                    | comma-separated list of relative paths in repository to one or more `.trivyignore` files        |
 | `github-pat`      | String  |                                    | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
+| `limit-severities-for-sarif`      | Boolean  | false                                   | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 
 [release]: https://github.com/aquasecurity/trivy-action/releases/latest
 [release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github

action.yaml

@@ -88,6 +88,9 @@ inputs:
   trivy-config:
     description: 'path to trivy.yaml config'
     required: false
+  limit-severities-for-sarif:
+    description: 'limit severities for SARIF format'
+    required: false
 
 runs:
   using: 'docker'
@@ -115,3 +118,4 @@ runs:
     - '-t ${{ inputs.trivyignores }}'
     - '-u ${{ inputs.github-pat }}'
     - '-v ${{ inputs.trivy-config }}'
+    - '-z ${{ inputs.limit-severities-for-sarif }}'

entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
    case "${o}" in
        a)
          export scanType=${OPTARG}
@@ -68,6 +68,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
        v)
          export trivyConfig=${OPTARG}
        ;;
+       z)
+         export limitSeveritiesForSARIF=${OPTARG}
+       ;;
   esac
 done
 
@@ -81,8 +84,10 @@ input=$(echo $input | tr -d '\r')
 if [ $input ]; then
   artifactRef="--input $input"
 fi
+#trim leading spaces for boolean params
 ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
 hideProgress=$(echo $hideProgress | tr -d '\r')
+limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')
 
 GLOBAL_ARGS=""
 if [ $cacheDir ];then
@@ -164,7 +169,13 @@ if [ "$skipFiles" ];then
 fi
 
 trivyConfig=$(echo $trivyConfig | tr -d '\r')
-if [ $trivyConfig ]; then
+if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
+  # SARIF is special. We output all vulnerabilities,
+  # regardless of severity level specified in this report.
+  # This is a feature, not a bug :)
+  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
+  trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
+elif [ $trivyConfig ]; then
    echo "Running Trivy with trivy.yaml config from: " $trivyConfig
    trivy --config $trivyConfig ${scanType} ${artifactRef}
    returnCode=$?
@@ -175,14 +186,6 @@ else
    returnCode=$?
 fi
 
-# SARIF is special. We output all vulnerabilities,
-# regardless of severity level specified in this report.
-# This is a feature, not a bug :)
-if [[ "${format}" == "sarif" ]]; then
-  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
-  trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
-fi
-
 if [[ "${format}" == "github" ]]; then
   if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
     printf "\n Uploading GitHub Dependency Snapshot"