fatihtokus / scan2html Goto Github PK


A Trivy plugin that scans and outputs the results (vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more) to an interactive html file.

License: Apache License 2.0

Shell 0.24% HTML 98.22% JavaScript 0.22% CSS 0.03% TypeScript 1.28% Dockerfile 0.01%
cloud misconfiguration opensource report sbom scan security trivy vulnerability containers devops devsecops iac secops

scan2html's Introduction

scan2html

Before moving on, please consider giving us a GitHub star ⭐️. Thank you!

About scan2html

A Trivy plugin that scans and outputs the results (vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more) to an interactive html file.

Install

trivy plugin install github.com/fatihtokus/scan2html

Uninstall

trivy plugin uninstall scan2html

Usage

Scan a local folder

trivy scan2html fs --scanners vuln,secret,misconfig . interactive_report.html

Scan a k8s cluster

trivy scan2html k8s cluster interactive_report.html

Scan a k8s cluster all

trivy scan2html k8s --report=all interactive_report.html

Scan a k8s cluster summary

trivy scan2html k8s --report summary cluster interactive_report.html

Scan and generate SBOM(spdx) report

trivy scan2html image --format spdx alpine:3.15 interactive_report.html

Help

$ trivy scan2html -h

Usage: trivy scan2html [-h,--help] command target filename
 A Trivy plugin that scans and outputs the results to an interactive html file.
Options:
  -h, --help    Show usage.
Examples:
   # Scan an image
  trivy scan2html image alpine:latest interactive_report.html

  # Scan a local folder
  trivy scan2html fs --scanners vuln,secret,misconfig . interactive_report.html

  # Scan a k8s cluster
  trivy scan2html k8s cluster interactive_report.html

  # Scan a k8s cluster all
  trivy scan2html k8s --report=all all interactive_report.html

  # Scan a k8s cluster summary
  trivy scan2html k8s --report summary cluster interactive_report.html

  # Scan and generate SBOM(spdx) report
  trivy scan2html image --format spdx alpine:3.15 interactive_report.html


scan2html's Issues

Scan2html k8s display fails

trivy scan2html k8s --report=all all -n my-namespace resultnew.html

The JSON is inside the HTML, but the page is empty (no vulnerabilities), only the filters and the search bar.

Uncaught TypeError: Cannot read properties of undefined (reading 'forEach')
at vulnerabilitiesForK8s (result3.html:470:32)
at vulnerabilities (result3.html:465:12)
at initializeReportTitle (result3.html:410:89)
at initTheReportDetails (result3.html:383:5)
at result3.html:13248:1

Feature Request:

Hi Team,

I'm running Trivy commands twice in the pipeline: is there any way to combine the output HTML and show a single file, or do I need to display two different HTML files? Additionally, if it's not possible to display the combined HTML, is it possible to configure the left side menu to show exactly what we want to show?

  1. first run to capture the vulnerabilities on my code and dependent packages
  2. find secrets in my code

trivy scan2html rootfs --exit-code 1 . --skip-files "*.deb" --ignore-unfixed --scanners vuln --severity CRITICAL,HIGH,MEDIUM output.html

trivy scan2html rootfs --exit-code 0 . --skip-files "*.deb" --skip-dirs "venv" --scanners secrets --severity CRITICAL,HIGH,MEDIUM output1.html

trivy scan fs report is empty if generated inside alpine based image

Hi Fatih,
I hope you are doing well !

Recently I created a job to perform a trivy image scan and a trivy filesystem scan, which is running fine inside openSUSE.
As the zypper refresh step takes time, and also after the last issue due to the absence of bash and git, I have decided to run the same job inside alpine and the aquasec/trivy docker image.

I could notice that the HTML file generated inside alpine (also aquasec/trivy) gives me an empty page, even though the file has content.
When I run the command in my WSL Ubuntu the report is fine, and the same in the openSUSE docker images.
trivy scan2html fs --scanners vuln,misconfig --exit-code 0 . interactive_fs_scan_report.html

I tried to compare the two HTML files; I could see some differences but was unable to figure it out (I'm not a React expert :)). I attached them below.
reports.zip

I should mention that I don't have any issue for trivy image scanning when I execute the scan in opensuse nor alpine (aquasec/trivy).

Can you please support in this matter?

Thank you !

[CI/CD] Gitlab runner issue

Hi,
First, thank you for this plugin, it helps a lot!

I'm facing an issue. When I run the plugin install command inside a GitLab runner job I get this error:

$ trivy plugin -d install github.com/fatihtokus/scan2html
2024-05-06T14:56:39Z	INFO	Installing the plugin...	url="github.com/fatihtokus/scan2html"
2024-05-06T14:56:41Z	INFO	Loading the plugin metadata...
2024-05-06T14:56:41Z	DEBUG	Installing the plugin...	path="/root/.trivy/plugins/scan2html"
2024-05-06T14:56:41Z	DEBUG	Downloading the execution file...	uri="https://github.com/fatihtokus/scan2html/releases/download/v0.2.8/scan2html.tar.gz"
$ trivy -d  plugin list
Installed Plugins:
  Name:    scan2html
  Version: 0.2.8
$ trivy -d  scan2html image ${IMAGE} "index.html"
2024-05-06T14:56:44Z	FATAL	Fatal error	plugin error: plugin exec: fork/exec /root/.trivy/plugins/scan2html/scan2html: no such file or directory

PS: I also tried to move the base directory of trivy next to my project folder by changing the XDG_DATA_HOME variable.
Can you help me debug this?
I use a docker:dind image based on Alpine.

There is some error when I run "trivy scan2html image"

oot@ubuntu-server:/home/chenwei# trivy scan2html image proxy:v2.4.0 result.html
/root/snap/trivy/215/.trivy/plugins/scan2html/scan2html: line 24: trivy: command not found
Error: plugin error: plugin exec: exit status 127
Usage:
trivy scan2html [flags]

Flags:
-h, --help help for scan2html

Global Flags:
--cache-dir string cache directory (default "/root/snap/trivy/215/.cache/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version

2023-07-15T23:51:22.381+0800 FATAL plugin error: plugin exec: exit status 127

Support for SBOM

Hi,

I really like this plugin for Trivy as it fits perfectly in my project for visualizing Trivy reports.

I would like to ask if it could be possible to support SBOMs as well. Specifically in spdx format but cyclonedx would also be fine. The command would be something like:
trivy scan2html image --format spdx ghcr.io/zalando/spilo-15:3.0-p1

Add OpenSSF scorecard score badge

Discussed in #70

Originally posted by huornlmj July 17, 2024
Hi @fatihtokus. Many thanks for this brilliant Trivy module! In passing, I ran an OpenSSF (https://openssf.org) scorecard check on the repo as a method to encourage my colleagues to use your module. I don't know if you know of the scorecard, but here is the current report of the repository. A high-scoring ossf scorecard badge could help you further garner more widespread usage.

$ scorecard --repo https://github.com/fatihtokus/scan2html

RESULTS
-------
Aggregate score: 4.5 / 10

Check scores:
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 6 / 10  | Branch-Protection      | branch protection is not       | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all |                                                                                                                       |
|         |                        | release branches               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | CI-Tests               | 0 out of 11 merged PRs         | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                                       |
|         |                        | normalized to 0                |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no effort to earn an OpenSSF   | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#cii-best-practices     |
|         |                        | best practices badge detected  |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Code-Review            | found 29 unreviewed changesets | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#code-review            |
|         |                        | out of 30 -- score normalized  |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10  | Contributors           | 1 different organizations      | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#contributors           |
|         |                        | found -- score normalized to 3 |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Dependency-Update-Tool | no update tool detected        | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed          | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) out of 30 and 23  | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#maintained             |
|         |                        | issue activity out of 30 found |                                                                                                                       |
|         |                        | in the last 90 days -- score   |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Packaging              | no published package detected  | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | SAST                   | SAST tool is not run on all    | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#sast                   |
|         |                        | commits -- score normalized to |                                                                                                                       |
|         |                        | 0                              |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Security-Policy        | security policy file not       | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#security-policy        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Signed-Releases        | 0 out of 5 artifacts are       | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#signed-releases        |
|         |                        | signed or have provenance      |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10  | Token-Permissions      | detected GitHub workflow       | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#token-permissions      |
|         |                        | tokens with excessive          |                                                                                                                       |
|         |                        | permissions                    |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 7 / 10  | Vulnerabilities        | 3 existing vulnerabilities     | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#vulnerabilities        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|


Feature Request:

Hi Team,

Is there a plan to develop a simple management page? I have scan result reports for multiple K8s clusters, and I would like to quickly navigate to the scan results of different clusters within the management page (both HTML and JSON loading are acceptable).

Exit code is not capturing properly

Hi Team,

The exit code is not getting captured properly:

trivy scan2html rootfs --exit-code 1 . --scanners vuln --severity CRITICAL,HIGH,MEDIUM test.html
echo $?
the above code is printing 0
trivy rootfs --exit-code 1 . --scanners vuln --severity CRITICAL,HIGH,MEDIUM
echo $?
the above code is printing 1

Secrets are not displaying in UI

I have generated the HTML however, the secrets are not being displayed in the UI.

Command used: trivy scan2html fs --scanners vuln,secret,misconfig . interactive_report.html

Trivy version : 0.51 & 0.52

Expected behaviour: secrets should also display

Improvements

  1. Add a header with the link to repo
  2. Fix filtering on the tables
  3. Fix sorting by severity

html report not readable

I ran a Trivy scan on my k8s cluster with the scan2html plugin, and I got a report that is not readable in browsers.
I tested it on https://codepen.io/ and I got a JavaScript error "Uncaught TypeError: Cannot read properties of undefined (reading 'forEach')".

trivy version: 0.52.2
scan2html version : latest

Any solution please?
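This issue and "Scan2html k8s display fails" above show the same TypeError: the report's renderer calls forEach on a list that the embedded JSON does not contain, so the page goes blank instead of showing an empty table. As an added example (not scan2html's own code), the extractor below treats every list in the Trivy JSON as optional and accepts both the image/fs layout and the k8s layout; the field names Results, Vulnerabilities and Resources are assumptions about Trivy's JSON structure, and the sample reports are constructed.

```javascript
// Added example, not scan2html's own code. Every list in the report is treated as
// optional: Trivy omits "Vulnerabilities" for a clean target, and a k8s report
// nests its findings under "Resources" instead of a top-level "Results". The
// field names are assumptions about Trivy's JSON layout.
function asArray(value) {
  return Array.isArray(value) ? value : [];
}

// Flatten one "Results" list into plain rows; scope labels where the finding
// came from (image name, or namespace/kind/name for a k8s resource).
function rowsFromResults(results, scope) {
  const rows = [];
  for (const result of asArray(results)) {
    for (const v of asArray(result && result.Vulnerabilities)) {
      rows.push({
        scope,
        target: result.Target || "",
        id: v.VulnerabilityID || "",
        severity: String(v.Severity || "UNKNOWN").toUpperCase(),
        pkg: v.PkgName || "",
      });
    }
  }
  return rows;
}

// Accepts an image/fs report (top-level Results) or a k8s report (top-level
// Resources, each with its own Results). Never throws on a missing list, so an
// empty scan renders as an empty table instead of a blank page.
function extractVulnerabilities(report) {
  if (!report || typeof report !== "object") return [];
  const rows = rowsFromResults(report.Results, report.ArtifactName || "");
  for (const res of asArray(report.Resources)) {
    const scope = [res.Namespace, res.Kind, res.Name].filter(Boolean).join("/");
    rows.push(...rowsFromResults(res.Results, scope));
  }
  return rows;
}

// Per-severity counts for a summary header; unknown severities are kept.
function countBySeverity(rows) {
  const counts = {};
  for (const r of rows) counts[r.severity] = (counts[r.severity] || 0) + 1;
  return counts;
}

// Constructed sample reports (not real Trivy output; CVE ids are placeholders).
const SAMPLE_IMAGE_REPORT = {
  ArtifactName: "alpine:3.15",
  Results: [
    { Target: "alpine:3.15 (alpine 3.15.0)", Vulnerabilities: [
      { VulnerabilityID: "CVE-0000-0001", PkgName: "busybox", Severity: "HIGH" },
      { VulnerabilityID: "CVE-0000-0002", PkgName: "zlib", Severity: "CRITICAL" },
    ] },
    { Target: "Secrets", Class: "secret" }, // no Vulnerabilities key at all
  ],
};
const SAMPLE_K8S_REPORT = {
  ClusterName: "demo-cluster",
  Resources: [
    { Namespace: "my-namespace", Kind: "Deployment", Name: "web", Results: [
      { Target: "web:1.0", Vulnerabilities: [
        { VulnerabilityID: "CVE-0000-0003", PkgName: "openssl", Severity: "medium" },
      ] },
    ] },
    { Namespace: "kube-system", Kind: "DaemonSet", Name: "proxy" }, // no Results
  ],
};
```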

Not able to find vulnerabilities in packages.json

When using the Trivy plugin as a task in Azure DevOps pipelines, it is able to detect packages.json and find vulnerabilities. When using this plugin, the vulnerabilities are 0.

Trivy in Azure DevOps: [screenshot]

Scan2html results: [screenshot]

EDIT:

I just had to use trivy scan2html fs instead of trivy scan2html config
