diff --git a/daggerverse/actions/generator/generator.go b/daggerverse/actions/generator/generator.go
index c210538..48c6217 100644
--- a/daggerverse/actions/generator/generator.go
+++ b/daggerverse/actions/generator/generator.go
@@ -6,7 +6,7 @@ import (
 "strings"
 )
-const DefaultRuntimeRef = "01999763545556511d53a8649fb66ffe4e977d8f"
+const DefaultRuntimeRef = "c9b01b328a59ec6452eb451ebf0e9b2a1280a504"
 // ActionsGenerator generates dagger modules using Github Actions.
 type ActionsGenerator struct{}
diff --git a/daggerverse/gha/actions/hello-world-javascript-action/README.md b/daggerverse/gha/actions/hello-world-javascript-action/README.md
index 7a31047..6ad2deb 100644
--- a/daggerverse/gha/actions/hello-world-javascript-action/README.md
+++ b/daggerverse/gha/actions/hello-world-javascript-action/README.md
@@ -29,10 +29,10 @@ Replace `` with the local path or a git repo reference to the modul
 | Flag | Required | Description |
 | ------| ------| ------|
+| --source | Conditional | The directory containing the repository source. Either `--source` or `--repo` must be provided; `--source` takes precedence. |
+| --repo | Conditional | The name of the repository (owner/name). Either `--source` or `--repo` must be provided; `--source` takes precedence. |
+| --tag | Conditional | Tag name to check out. Only works with `--repo`. Either `--tag` or `--branch` must be provided; `--tag` takes precedence. |
 | --branch | Conditional | Branch name to check out. Only works with `--repo`. Either `--tag` or `--branch` must be provided; `--tag` takes precedence. |
 | --runner-image | Optional | Image to use for the runner. |
 | --runner-debug | Optional | Enables debug mode. |
 | --token | Optional | GitHub token is optional for running the action. However, be aware that certain custom actions may require a token and could fail if it's not provided. |
-| --source | Conditional | The directory containing the repository source. Either `--source` or `--repo` must be provided; `--source` takes precedence. |
-| --repo | Conditional | The name of the repository (owner/name). Either `--source` or `--repo` must be provided; `--source` takes precedence. |
-| --tag | Conditional | Tag name to check out. Only works with `--repo`. Either `--tag` or `--branch` must be provided; `--tag` takes precedence. |
diff --git a/daggerverse/gha/actions/hello-world-javascript-action/dagger.json b/daggerverse/gha/actions/hello-world-javascript-action/dagger.json
index e034fe7..29928d8 100644
--- a/daggerverse/gha/actions/hello-world-javascript-action/dagger.json
+++ b/daggerverse/gha/actions/hello-world-javascript-action/dagger.json
@@ -2,6 +2,6 @@
 "name": "hello-world-javascript-action",
 "sdk": "go",
 "dependencies": [
- "github.com/aweris/gale/daggerverse/actions/runtime@01999763545556511d53a8649fb66ffe4e977d8f"
+ "github.com/aweris/gale/daggerverse/actions/runtime@c9b01b328a59ec6452eb451ebf0e9b2a1280a504"
 ]
 }
diff --git a/daggerverse/gha/aquasecurity/trivy-action/README.md b/daggerverse/gha/aquasecurity/trivy-action/README.md
index 943f49a..9e8f5b5 100644
--- a/daggerverse/gha/aquasecurity/trivy-action/README.md
+++ b/daggerverse/gha/aquasecurity/trivy-action/README.md
@@ -22,40 +22,40 @@ Replace `` with the local path or a git repo reference to the modul
 | Name | Required | Description | Default |
 | ------| ------| ------| ------|
-| --with-timeout | false | timeout (default 5m0s) | |
-| --with-scanners | false | comma-separated list of what security issues to detect | |
-| --with-github-pat | false | GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API | |
-| --with-format | false | output format (table, json, template) | table |
-| --with-skip-dirs | false | comma separated list of directories where traversal is skipped | |
-| --with-cache-dir | false | specify where the cache is stored | |
-| --with-list-all-pkgs | false | output all packages regardless of vulnerability | false |
-| --with-input | false | reference of tar file to scan | |
-| --with-scan-ref | false | Scan reference | . |
+| --with-output | false | writes results to a file with the specified file name | |
+| --with-ignore-policy | false | filter vulnerabilities with OPA rego language | |
+| --with-trivy-config | false | path to trivy.yaml config | |
+| --with-limit-severities-for-sarif | false | limit severities for SARIF format | |
 | --with-exit-code | false | exit code when vulnerabilities were found | |
+| --with-ignore-unfixed | false | ignore unfixed vulnerabilities | false |
 | --with-severity | false | severities of vulnerabilities to be displayed | UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL |
+| --with-cache-dir | false | specify where the cache is stored | |
+| --with-hide-progress | false | hide progress output | |
 | --with-artifact-type | false | input artifact type (image, fs, repo, archive) for SBOM generation | |
-| --with-ignore-unfixed | false | ignore unfixed vulnerabilities | false |
-| --with-vuln-type | false | comma-separated list of vulnerability types (os,library) | os,library |
+| --with-input | false | reference of tar file to scan | |
+| --with-scan-ref | false | Scan reference | . |
 | --with-template | false | use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl) | |
-| --with-output | false | writes results to a file with the specified file name | |
-| --with-hide-progress | false | hide progress output | |
-| --with-trivyignores | false | comma-separated list of relative paths in repository to one or more .trivyignore files | |
-| --with-trivy-config | false | path to trivy.yaml config | |
-| --with-limit-severities-for-sarif | false | limit severities for SARIF format | |
-| --with-scan-type | false | Scan type to use for scanning vulnerability | image |
+| --with-skip-dirs | false | comma separated list of directories where traversal is skipped | |
+| --with-timeout | false | timeout (default 5m0s) | |
+| --with-list-all-pkgs | false | output all packages regardless of vulnerability | false |
 | --with-image-ref | false | image reference(for backward compatibility) | |
+| --with-vuln-type | false | comma-separated list of vulnerability types (os,library) | os,library |
 | --with-skip-files | false | comma separated list of files to be skipped | |
-| --with-ignore-policy | false | filter vulnerabilities with OPA rego language | |
+| --with-scanners | false | comma-separated list of what security issues to detect | |
+| --with-trivyignores | false | comma-separated list of relative paths in repository to one or more .trivyignore files | |
+| --with-github-pat | false | GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API | |
+| --with-scan-type | false | Scan type to use for scanning vulnerability | image |
+| --with-format | false | output format (table, json, template) | table |
 ### Action Runtime Inputs
 | Flag | Required | Description |
 | ------| ------| ------|
+| --tag | Conditional | Tag name to check out. Only works with `--repo`. Either `--tag` or `--branch` must be provided; `--tag` takes precedence. |
+| --branch | Conditional | Branch name to check out. Only works with `--repo`. Either `--tag` or `--branch` must be provided; `--tag` takes precedence. |
 | --runner-image | Optional | Image to use for the runner. |
 | --runner-debug | Optional | Enables debug mode. |
 | --token | Optional | GitHub token is optional for running the action. However, be aware that certain custom actions may require a token and could fail if it's not provided. |
 | --source | Conditional | The directory containing the repository source. Either `--source` or `--repo` must be provided; `--source` takes precedence. |
 | --repo | Conditional | The name of the repository (owner/name). Either `--source` or `--repo` must be provided; `--source` takes precedence. |
-| --tag | Conditional | Tag name to check out. Only works with `--repo`. Either `--tag` or `--branch` must be provided; `--tag` takes precedence. |
-| --branch | Conditional | Branch name to check out. Only works with `--repo`. Either `--tag` or `--branch` must be provided; `--tag` takes precedence. |
diff --git a/daggerverse/gha/aquasecurity/trivy-action/dagger.json b/daggerverse/gha/aquasecurity/trivy-action/dagger.json
index 0d9ae5c..2d6b159 100644
--- a/daggerverse/gha/aquasecurity/trivy-action/dagger.json
+++ b/daggerverse/gha/aquasecurity/trivy-action/dagger.json
@@ -2,6 +2,6 @@
 "name": "trivy-action",
 "sdk": "go",
 "dependencies": [
- "github.com/aweris/gale/daggerverse/actions/runtime@01999763545556511d53a8649fb66ffe4e977d8f"
+ "github.com/aweris/gale/daggerverse/actions/runtime@c9b01b328a59ec6452eb451ebf0e9b2a1280a504"
 ]
 }
diff --git a/daggerverse/gha/aquasecurity/trivy-action/go.mod b/daggerverse/gha/aquasecurity/trivy-action/go.mod
index 14b7e44..cd206a7 100644
--- a/daggerverse/gha/aquasecurity/trivy-action/go.mod
+++ b/daggerverse/gha/aquasecurity/trivy-action/go.mod
@@ -1,6 +1,6 @@
 module trivy-action
-go 1.21.2
+go 1.21
 require (
 github.com/99designs/gqlgen v0.17.31
diff --git a/daggerverse/gha/aquasecurity/trivy-action/main.go b/daggerverse/gha/aquasecurity/trivy-action/main.go
index 3506987..957f983 100644
--- a/daggerverse/gha/aquasecurity/trivy-action/main.go
+++ b/daggerverse/gha/aquasecurity/trivy-action/main.go
@@ -7,54 +7,54 @@ type TrivyAction struct{}
 // Runs the aquasecurity/trivy-action GitHub Action.
 func (m TrivyAction) Run(
- // GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API
- withGithubPat Optional[string],
+ // image reference(for backward compatibility)
+ withImageRef Optional[string],
+ // comma-separated list of vulnerability types (os,library)
+ withVulnType Optional[string],
+ // use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl)
+ withTemplate Optional[string],
+ // comma separated list of directories where traversal is skipped
+ withSkipDirs Optional[string],
 // timeout (default 5m0s)
 withTimeout Optional[string],
+ // output all packages regardless of vulnerability
+ withListAllPkgs Optional[string],
+ // Scan type to use for scanning vulnerability
+ withScanType Optional[string],
+ // output format (table, json, template)
+ withFormat Optional[string],
+ // comma separated list of files to be skipped
+ withSkipFiles Optional[string],
 // comma-separated list of what security issues to detect
 withScanners Optional[string],
+ // comma-separated list of relative paths in repository to one or more .trivyignore files
+ withTrivyignores Optional[string],
+ // GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API
+ withGithubPat Optional[string],
 // exit code when vulnerabilities were found
 withExitCode Optional[string],
- // severities of vulnerabilities to be displayed
- withSeverity Optional[string],
- // output format (table, json, template)
- withFormat Optional[string],
- // comma separated list of directories where traversal is skipped
- withSkipDirs Optional[string],
- // specify where the cache is stored
- withCacheDir Optional[string],
- // output all packages regardless of vulnerability
- withListAllPkgs Optional[string],
- // reference of tar file to scan
- withInput Optional[string],
- // Scan reference
- withScanRef Optional[string],
- // use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl)
- withTemplate Optional[string],
- // writes results to a file with the specified file name
- withOutput Optional[string],
- // input artifact type (image, fs, repo, archive) for SBOM generation
- withArtifactType Optional[string],
 // ignore unfixed vulnerabilities
 withIgnoreUnfixed Optional[string],
- // comma-separated list of vulnerability types (os,library)
- withVulnType Optional[string],
- // comma separated list of files to be skipped
- withSkipFiles Optional[string],
+ // writes results to a file with the specified file name
+ withOutput Optional[string],
 // filter vulnerabilities with OPA rego language
 withIgnorePolicy Optional[string],
- // hide progress output
- withHideProgress Optional[string],
- // comma-separated list of relative paths in repository to one or more .trivyignore files
- withTrivyignores Optional[string],
 // path to trivy.yaml config
 withTrivyConfig Optional[string],
 // limit severities for SARIF format
 withLimitSeveritiesForSarif Optional[string],
- // Scan type to use for scanning vulnerability
- withScanType Optional[string],
- // image reference(for backward compatibility)
- withImageRef Optional[string],
+ // reference of tar file to scan
+ withInput Optional[string],
+ // Scan reference
+ withScanRef Optional[string],
+ // severities of vulnerabilities to be displayed
+ withSeverity Optional[string],
+ // specify where the cache is stored
+ withCacheDir Optional[string],
+ // hide progress output
+ withHideProgress Optional[string],
+ // input artifact type (image, fs, repo, archive) for SBOM generation
+ withArtifactType Optional[string],
 // Directory containing the repository source. Takes precedence over `--repo`.
 source Optional[*Directory],
 // Repository name, format: owner/name. Takes precedence over `--source`.
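Review bot: `withGithubPat` is still declared as `Optional[string]` on the new side of this hunk, so the PAT is handled as an ordinary string argument and, as the next hunk shows, forwarded through a plain `WithInput("github-pat", withGithubPat.GetOr(""))`; as a string it can surface in `dagger call` output, logs and cache keys, where a secret-typed value would be kept opaque. Declaring it as `Optional[*Secret]` (the same `Optional[T]` shape already used for `source Optional[*Directory]` at the bottom of the hunk) would keep it out of those places, though the runtime module would then need a secret-accepting input, which this diff does not show. Separately, the new parameter order follows neither the old order nor the README tables, which looks like the generator iterating a map — sorting inputs before emitting (required first, then by name) would make regeneration diff-free; the WithInput chain in the next hunk and the README tables reorder the same way. Run's parameter list and body continue past the end of the hunk.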
@@ -83,29 +83,29 @@ func (m TrivyAction) Run(
 return dag.ActionsRuntime().
 Run("aquasecurity/trivy-action@master", opts).
- WithInput("timeout", withTimeout.GetOr("")).
- WithInput("scanners", withScanners.GetOr("")).
- WithInput("github-pat", withGithubPat.GetOr("")).
- WithInput("severity", withSeverity.GetOr("UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")).
- WithInput("format", withFormat.GetOr("table")).
- WithInput("skip-dirs", withSkipDirs.GetOr("")).
 WithInput("cache-dir", withCacheDir.GetOr("")).
- WithInput("list-all-pkgs", withListAllPkgs.GetOr("false")).
+ WithInput("hide-progress", withHideProgress.GetOr("")).
+ WithInput("artifact-type", withArtifactType.GetOr("")).
 WithInput("input", withInput.GetOr("")).
 WithInput("scan-ref", withScanRef.GetOr(".")).
- WithInput("exit-code", withExitCode.GetOr("")).
- WithInput("output", withOutput.GetOr("")).
- WithInput("artifact-type", withArtifactType.GetOr("")).
- WithInput("ignore-unfixed", withIgnoreUnfixed.GetOr("false")).
+ WithInput("severity", withSeverity.GetOr("UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")).
+ WithInput("skip-dirs", withSkipDirs.GetOr("")).
+ WithInput("timeout", withTimeout.GetOr("")).
+ WithInput("list-all-pkgs", withListAllPkgs.GetOr("false")).
+ WithInput("image-ref", withImageRef.GetOr("")).
 WithInput("vuln-type", withVulnType.GetOr("os,library")).
 WithInput("template", withTemplate.GetOr("")).
- WithInput("ignore-policy", withIgnorePolicy.GetOr("")).
- WithInput("hide-progress", withHideProgress.GetOr("")).
+ WithInput("scanners", withScanners.GetOr("")).
 WithInput("trivyignores", withTrivyignores.GetOr("")).
- WithInput("trivy-config", withTrivyConfig.GetOr("")).
- WithInput("limit-severities-for-sarif", withLimitSeveritiesForSarif.GetOr("")).
+ WithInput("github-pat", withGithubPat.GetOr("")).
 WithInput("scan-type", withScanType.GetOr("image")).
- WithInput("image-ref", withImageRef.GetOr("")).
+ WithInput("format", withFormat.GetOr("table")).
 WithInput("skip-files", withSkipFiles.GetOr("")).
+ WithInput("ignore-policy", withIgnorePolicy.GetOr("")).
+ WithInput("trivy-config", withTrivyConfig.GetOr("")).
+ WithInput("limit-severities-for-sarif", withLimitSeveritiesForSarif.GetOr("")).
+ WithInput("exit-code", withExitCode.GetOr("")).
+ WithInput("ignore-unfixed", withIgnoreUnfixed.GetOr("false")).
+ WithInput("output", withOutput.GetOr("")).
 Sync()
 }
diff --git a/daggerverse/gha/trufflesecurity/trufflehog/README.md b/daggerverse/gha/trufflesecurity/trufflehog/README.md
index 7358872..250203a 100644
--- a/daggerverse/gha/trufflesecurity/trufflehog/README.md
+++ b/daggerverse/gha/trufflesecurity/trufflehog/README.md
@@ -32,10 +32,10 @@ Replace `` with the local path or a git repo reference to the modul
 | Flag | Required | Description |
 | ------| ------| ------|
-| --runner-image | Optional | Image to use for the runner. |
-| --runner-debug | Optional | Enables debug mode. |
 | --token | Optional | GitHub token is optional for running the action. However, be aware that certain custom actions may require a token and could fail if it's not provided. |
 | --source | Conditional | The directory containing the repository source. Either `--source` or `--repo` must be provided; `--source` takes precedence. |
 | --repo | Conditional | The name of the repository (owner/name). Either `--source` or `--repo` must be provided; `--source` takes precedence. |
 | --tag | Conditional | Tag name to check out. Only works with `--repo`. Either `--tag` or `--branch` must be provided; `--tag` takes precedence. |
 | --branch | Conditional | Branch name to check out. Only works with `--repo`. Either `--tag` or `--branch` must be provided; `--tag` takes precedence. |
+| --runner-image | Optional | Image to use for the runner. |
+| --runner-debug | Optional | Enables debug mode. |
diff --git a/daggerverse/gha/trufflesecurity/trufflehog/dagger.json b/daggerverse/gha/trufflesecurity/trufflehog/dagger.json
index c01cb8a..acffa02 100644
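Review bot: The action is still invoked through the mutable branch ref `Run("aquasecurity/trivy-action@master", opts)` (second context line of this hunk) while the runtime dependency in dagger.json is pinned to a full commit, so the scanner code that actually runs can change without any diff in this repository. Pinning to a release tag or, better, a full commit SHA — `Run("aquasecurity/trivy-action@<pinned-sha>", opts)` with the corresponding version noted in a comment — closes that gap; if the generator copies the ref verbatim from its input, the fix belongs in the generator. The trufflehog module further down has the same shape with `trufflesecurity/trufflehog@main`. The enclosing Run starts before this hunk.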
--- a/daggerverse/gha/trufflesecurity/trufflehog/dagger.json
+++ b/daggerverse/gha/trufflesecurity/trufflehog/dagger.json
@@ -2,6 +2,6 @@
 "name": "trufflehog",
 "sdk": "go",
 "dependencies": [
- "github.com/aweris/gale/daggerverse/actions/runtime@01999763545556511d53a8649fb66ffe4e977d8f"
+ "github.com/aweris/gale/daggerverse/actions/runtime@c9b01b328a59ec6452eb451ebf0e9b2a1280a504"
 ]
 }
diff --git a/daggerverse/gha/trufflesecurity/trufflehog/main.go b/daggerverse/gha/trufflesecurity/trufflehog/main.go
index 4293d01..b61d04f 100644
--- a/daggerverse/gha/trufflesecurity/trufflehog/main.go
+++ b/daggerverse/gha/trufflesecurity/trufflehog/main.go
@@ -7,14 +7,14 @@ type Trufflehog struct{}
 // Runs the trufflesecurity/trufflehog GitHub Action.
 func (m Trufflehog) Run(
+ // Repository path
+ withPath string,
 // Start scanning from here (usually main branch).
 withBase Optional[string],
 // Scan commits until here (usually dev branch).
 withHead Optional[string],
 // Extra args to be passed to the trufflehog cli.
 withExtraArgs Optional[string],
- // Repository path
- withPath string,
 // Directory containing the repository source. Takes precedence over `--repo`.
 source Optional[*Directory],
 // Repository name, format: owner/name. Takes precedence over `--source`.
@@ -43,9 +43,9 @@ func (m Trufflehog) Run(
 return dag.ActionsRuntime().
 Run("trufflesecurity/trufflehog@main", opts).
+ WithInput("path", withPath).
 WithInput("base", withBase.GetOr("")).
 WithInput("head", withHead.GetOr("")).
 WithInput("extra_args", withExtraArgs.GetOr("")).
- WithInput("path", withPath).
 Sync()
 }
diff --git a/go.work b/go.work
index 2a03c27..bf3c3a4 100644
--- a/go.work
+++ b/go.work
@@ -6,6 +6,7 @@ use (
 daggerverse/actions/runtime
 daggerverse/gale
 daggerverse/gha/actions/hello-world-javascript-action
+ daggerverse/gha/aquasecurity/trivy-action
 daggerverse/gha/trufflesecurity/trufflehog
 daggerverse/repo
 daggerverse/source