feat: support custom trivy image (#110)

* feat: support custom trivy image

add support for overriding the trivy docker image

* chore: tidy up input validation

error if there is a version specified (other than latest) and the
trivyImage is also specified.

trivy-task/task.json

@@ -8,7 +8,7 @@
   "helpUrl": "https://github.com/aquasecurity/trivy-azure-pipelines-task",
   "category": "Test",
   "author": "Aqua Security",
-  "version": { "Major":1,"Minor":11,"Patch":40 },
+  "version": { "Major":1,"Minor":11,"Patch":56 },
   "instanceNameFormat": "Echo trivy $(version)",
 
   "groups": [
@@ -63,6 +63,16 @@
       "groupName": "trivyRunner",
       "visibleRule": "docker = true"
     },
+    {
+    "name": "trivyImage",
+    "type": "string",
+    "label": "Image override with tag",
+    "defaultValue": "",
+    "required": false,
+    "helpMarkDown": "Override the default Trivy docker image. If this option is used, the 'version' option is ignored.",
+    "groupName": "trivyRunner",
+    "visibleRule": "docker = true"
+    },
     {
       "name": "useSystemInstallation",
       "type": "boolean",
@@ -79,7 +89,7 @@
       "label": "Trivy Version",
       "defaultValue": "latest",
       "required": false,
-      "helpMarkDown": "The version of Trivy to use",
+      "helpMarkDown": "The version of Trivy to use. Ignored when custom Trivy image is specified",
       "groupName": "trivyRunner",
       "visibleRule": "useSystemInstallation = false || docker = true"
     },

trivy-task/task.json.tmpl

@@ -63,6 +63,16 @@
       "groupName": "trivyRunner",
       "visibleRule": "docker = true"
     },
+    {
+    "name": "trivyImage",
+    "type": "string",
+    "label": "Image override with tag",
+    "defaultValue": "",
+    "required": false,
+    "helpMarkDown": "Override the default Trivy docker image. If this option is used, the 'version' option is ignored.",
+    "groupName": "trivyRunner",
+    "visibleRule": "docker = true"
+    },
     {
       "name": "useSystemInstallation",
       "type": "boolean",
@@ -79,7 +89,7 @@
       "label": "Trivy Version",
       "defaultValue": "latest",
       "required": false,
-      "helpMarkDown": "The version of Trivy to use",
+      "helpMarkDown": "The version of Trivy to use. Ignored when custom Trivy image is specified",
       "groupName": "trivyRunner",
       "visibleRule": "useSystemInstallation = false || docker = true"
     },

trivy-task/trivyLoader.ts

@@ -75,7 +75,13 @@ export async function createRunner(): Promise<ToolRunner> {
       runner.line('-e CSPM_URL=https://stage.api.cloudsploit.com/v2/tokens');
     }
   }
-  runner.line('aquasec/trivy:' + stripV(version));
+  let trivyImage = task.getInput('trivyImage', false) || 'aquasec/trivy';
+  if (trivyImage === 'aquasec/trivy') {
+    trivyImage = `${trivyImage}:${stripV(version)}`;
+  }
+  console.log(`Using Trivy image: ${trivyImage}`);
+  runner.line(trivyImage);
+
   return runner;
 }
 

vss-extension.dev.json

@@ -2,7 +2,7 @@
   "manifestVersion": 1,
   "id": "trivy-official-dev",
   "publisher": "AquaSecurityOfficial",
-  "version": "1.11.40",
+  "version": "1.11.56",
   "name": "trivy-dev",
   "description": "Trivy is the world’s most popular open source vulnerability and misconfiguration scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.",
   "repository": {