docs: update documentation for v2 (#161)

* docs: update documentation for v2

Signed-off-by: Owen Rumney <[email protected]>

* chore: updates from review

Signed-off-by: Owen Rumney <[email protected]>

* docs/fix updates (#162)

* Fix connection endpoint URL and main readme

* fix urls on main readme

* Replace emoji with GH alerts. Update examples and platform config image

* Remove preview from v2

* Fix nested list an image position

* fix formatting

---------

Signed-off-by: Owen Rumney <[email protected]>
Co-authored-by: Dmytro Bondar <[email protected]>

Author: owenrumney

README.md

@@ -1,7 +1,33 @@
-# Trivy for Azure DevOps
+# Aqua Trivy
 
 An Azure DevOps Pipelines Task for [Trivy](https://github.com/aquasecurity/trivy), with an integrated UI.
 
-![Screenshot showing the Trivy extension in the Azure Devops UI](images/resultsview.png)
+![Screenshot showing the Trivy extension in the Azure DevOps UI](images/resultsview.png)
 
-Documentation and more information is available on the [Azure DevOps Marketplace](https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-official).
+## Installation
+
+1. Install the Trivy task in your Azure DevOps organisation (hit the `Get it free` button above).
+
+2. Add the task to your `azure-pipelines.yml` in a project where you'd like to run Trivy:
+
+## Agents Compatibility
+
+| Agent OS | Run binary | Scan FileSystem | Docker |
+| :------- | :--------: | :-------------: | :----: |
+| Linux    |     ✅     |       ✅        |   ✅   |
+| MacOS    |     ✅     |       ✅        |   🔴   |
+| Windows  |     ✅     |       ✅        |   🔴   |
+
+### Self-Hosted Agents
+
+Access to Docker Engine is required to run Trivy in docker container or scan docker images.
+
+While you can attempt to scan Docker images on Windows, running the task using a Docker image will mostly fail.
+
+## Configuration
+
+If new to the Trivy pipeline task, you should use the newer v2 version.
+
+[Trivy@1 Configuration](https://github.com/aquasecurity/trivy-azure-pipelines-task/blob/main/docs/trivyv1.md)
+
+[Trivy@2 Configuration](https://github.com/aquasecurity/trivy-azure-pipelines-task/blob/main/docs/trivyv2.md)

docs/connectedservice.md

@@ -0,0 +1,16 @@
+# Configuring Aqua Platform Service
+
+When using the Azure Pipeline Task with Aqua Platform, previously you would configure the `AQUA_KEY` and `AQUA_SECRET` as variables and reference them in the YAML for the task. This change moves the configuration of the Aqua Platform connection to the connected settings.
+
+## Configuring
+
+1. Go to `Project Settings`
+2. Choose `Service Connections`
+3. Choose `New Service Connection` button on the top right of the screen
+4. Select `Aqua Platform Configuration` from the list of available setups and configure with the details from your account:
+
+   - ensure you give the Connection a sensible name
+   - ensure that the URLs are correct regional URLs for your account
+   - see [Aqua Documentation](https://docs.aquasec.com/saas/getting-started/welcome/saas-regions/) for more information
+
+     ![Connected Service](../images/aquaPlatformConfig.png)

marketplace.md renamed to docs/trivyv1.md

@@ -1,44 +1,17 @@
-# Trivy
+# Trivy v1 Configuration
 
-An Azure DevOps Pipelines Task for [Trivy](https://github.com/aquasecurity/trivy), with an integrated UI.
-
-![Screenshot showing the Trivy extension in the Azure DevOps UI](images/resultsview.png)
-
-## Installation
-
-1. Install the Trivy task in your Azure DevOps organisation (hit the `Get it free` button above).
-
-2. Add the task to your `azure-pipelines.yml` in a project where you'd like to run Trivy:
-
-```yaml
-- task: trivy@1
-```
-
-## Agents Compatibility
-
-| Agent OS | Run binary | Scan FileSystem | Docker |
-| :------- | :--------: | :-------------: | :----: |
-| Linux    |     ✅     |       ✅        |   ✅   |
-| MacOS    |     ✅     |       ✅        |   🔴   |
-| Windows  |     ✅     |       ✅        |   🔴   |
-
-### Self-Hosted Agents
-
-At least, access to Docker Engine is required to run Trivy in docker container or scan docker images.
-
-While you can attempt to scan Docker images on Windows, running the task using a Docker image will mostly fail.
-
-## Configuration
+> [!IMPORTANT]
+> If you are new to the Trivy Azure Pipeline task, you would be better using the [Trivy v2 task](trivyv2.md)
 
 Configuring the task can be done directly editing the pipeline yaml or through the configuration pane on the right of the pipeline UI screen
 
 Select the Trivy task from the installed tasks
 
-![Select Trivy](images/trivytask.png)
+![Select Trivy](../images/trivytask.png)
 
 The input variables are grouped logically, expand the sections to make the required changes.
 
-![Pipeline settings](images/settings.png)
+![Pipeline settings](../images/settings.png)
 
 ## Input Variables
 

docs/trivyv2.md

@@ -0,0 +1,137 @@
+# Trivy v2 Configuration
+
+Configuring the task can be done directly editing the pipeline yaml or through the configuration pane on the right of the pipeline UI screen
+
+Select the Trivy task from the installed tasks
+
+![Select Trivy](../images/trivytask.png)
+
+The input variables are grouped logically, expand the sections to make the required changes.
+
+![Pipeline settings](../images/settingsv2.png)
+
+## Input Variables
+
+You can supply several inputs to customise the task.
+
+### Aqua Platform Integration
+
+For more information about creating the connected service, see [Configuring Aqua Connected Service](connectedservice.md)
+
+| Input          | Type                          | Defaults | Description                                           |
+| -------------- | ----------------------------- | -------- | ----------------------------------------------------- |
+| `aquaPlatform` | connectedService:AquaPlatform |          | Select the Aqua Security Platform service connection. |
+
+### Trivy Runner
+
+| Input     | Type     | Defaults | Description                                                                                                                                                                               |
+| --------- | -------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `method`  | pickList | install  | Specify how Trivy should be executed: `install` to download Trivy from GitHub releases, `docker` to run Trivy as a Docker container, or `system` to use a pre-installed Trivy executable. |
+| `image`   | string   |          | Specify a custom Trivy Docker image to use. If set, the `version` option is ignored. Visible only when `method = docker`.                                                                 |
+| `version` | string   | latest   | Specify the version of Trivy to use. Ignored if a custom Trivy Docker image is specified. Visible unless `method = system` or `image` is set.                                             |
+| `options` | string   |          | Provide additional command-line options to pass to the Trivy executable.                                                                                                                  |
+
+---
+
+### Scan Options
+
+| Input              | Type     | Defaults | Description                                                                                                                        |
+| ------------------ | -------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------- |
+| `type`             | pickList |          | The type of scan to perform. Options: `filesystem`, `image`, `repository`.                                                         |
+| `target`           | string   |          | The specified target will be scanned using the selected scan type.                                                                 |
+| `scanners`         | pickList |          | Choose which scanners to run. Options: `license`, `misconfig`, `secret`, `vuln`. Multi-select is supported.                        |
+| `severities`       | pickList |          | Severities of security issues to be displayed. Options: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`. Multi-select is supported. |
+| `ignoreUnfixed`    | boolean  | false    | Include only fixed vulnerabilities.                                                                                                |
+| `ignoreScanErrors` | boolean  | false    | Ignore scan errors and continue the pipeline with a `SucceededWithIssues` result.                                                  |
+
+---
+
+### Reports
+
+| Input       | Type     | Defaults | Description                                                                                                                                                                                                                       |
+| ----------- | -------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `reports`   | pickList |          | Select additional reports to generate. JSON report is always generated. Options: `asff`, `cosign`, `cyclonedx`, `github`, `html`, `junit`, `sarif`, `spdx`, `spdxjson`, `table`. Multi-select is supported.                       |
+| `publish`   | boolean  | false    | Publish generated reports as pipeline artifacts.                                                                                                                                                                                  |
+| `templates` | string   |          | Specify a custom directory containing templates for the ASFF, HTML, JUnit reports. If not set, will look up in the `contrib` directory of the Trivy installation. Visible only when `method = system` and `reports` is not empty. |
+
+## Examples
+
+### Scanning multiple targets and publish results as test run
+
+```yaml
+steps:
+  - task: trivy@2
+    name: TrivyCurrent
+    displayName: 'Scan current repository as filesystem'
+    inputs:
+      version: 'latest'
+      type: 'filesystem'
+      target: '.'
+      scanners: 'misconfig,vuln,secret'
+      ignoreUnfixed: true
+      ignoreScanErrors: true
+      reports: 'github, html, junit'
+      publish: true
+
+  - task: trivy@2
+    name: TrivyPrivate
+    displayName: 'Scan private GitHub repository'
+    inputs:
+      type: 'repository'
+      target: 'https://github.com/owner/repo'
+      scanners: 'secret,vuln,misconfig'
+      ignoreUnfixed: true
+      reports: 'github, junit, sarif'
+    env:
+      GITHUB_TOKEN: $(GITHUB_TOKEN)
+
+  - task: PublishTestResults@2
+    inputs:
+      testResultsFormat: 'JUnit'
+      testResultsFiles: |
+        $(TrivyCurrent.junitReport)
+        $(TrivyPrivate.junitReport)
+      searchFolder: '$(Agent.TempDirectory)'
+      testRunTitle: 'Trivy'
+      publishRunAttachments: false
+```
+
+### Scanning Images in Private Registries
+
+You can scan images in private registries by using the `image` input after completing a `docker login`. For example:
+
+```yaml
+steps:
+  - task: Docker@2
+    displayName: Login to container registry
+    inputs:
+      command: login
+      containerRegistry: containerRegistryServiceConnection
+
+  - task: trivy@2
+    inputs:
+      type: 'image'
+      image: my.private.registry/org/my-image:latest
+```
+
+### Scanning with Aqua Platform support
+
+Configure your Connected Service using the [service endpoint docs](connectedservice.md).
+
+> [!IMPORTANT]
+> Aqua Platform integration only works for `install` mode and does not support `image` scanning.
+
+```yaml
+steps:
+  - task: trivy@2
+    inputs:
+      aquaPlatform: 'Aqua Platform Connection'
+      version: 'latest'
+      type: 'filesystem'
+      target: '.'
+      scanners: 'misconfig,vuln,secret'
+      ignoreUnfixed: true
+      ignoreScanErrors: true
+      reports: 'github, html, junit'
+      publish: true
+```

images/aqua-logo.png

@@ -5,7 +5,7 @@
   "friendlyName": "Trivy",
   "description": "Trivy is the world's most popular open source vulnerability and misconfiguration scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.",
   "helpMarkDown": "[Learn more about this task](https://github.com/aquasecurity/trivy-azure-pipelines-task)",
-  "helpUrl": "https://github.com/aquasecurity/trivy-azure-pipelines-task",
+  "helpUrl": "https://github.com/aquasecurity/trivy-azure-pipelines-task/docs/trivyv1.md",
   "category": "Test",
   "author": "Aqua Security",
   "version": {

images/aquaPlatformConfig.png

@@ -79,6 +79,16 @@ function validateInputs(inputs: TaskInputs): void {
     });
   }
 
+  if (inputs.aquaKey && inputs.image) {
+    throw new Error('Aqua Platform is not supported for image scans.');
+  }
+
+  if (inputs.aquaKey && inputs.docker) {
+    throw new Error(
+      'Aqua Platform is not supported when running in Docker mode.'
+    );
+  }
+
   // validate image and path inputs
   if (!inputs.image && !inputs.scanPath) {
     throw new Error(

images/icon.png

@@ -26,11 +26,25 @@ async function run() {
 
   // configure the environment variables for Aqua Plugin
   if (inputs.hasAquaAccount) {
+    if (inputs.scanType === 'image') {
+      throw new Error(
+        'Aqua platform is not supported for image scan. Please use the filesystem scan.'
+      );
+    }
+
+    if (inputs.method === 'docker') {
+      throw new Error(
+        'Aqua platform is not supported for docker run. Please use the install method.'
+      );
+    }
+
     task.rmRF(assuranceFilePath);
     task.debug('Configuring Aqua environment variables...');
     env.AQUA_ASSURANCE_EXPORT = assuranceFilePath;
     env.AQUA_KEY = inputs.aquaKey;
     env.AQUA_SECRET = inputs.aquaSecret;
+    env.AQUA_URL = inputs.aquaUrl;
+    env.CSPM_URL = inputs.authUrl;
     env.OVERRIDE_BRANCH = task.getVariable('Build.SourceBranchName');
     env.OVERRIDE_REPOSITORY = task.getVariable('Build.Repository.Name');
     env.TRIVY_RUN_AS_PLUGIN = 'aqua';

images/resultsview.png

@@ -17,6 +17,8 @@ export type TaskInputs = {
   hasAquaAccount: boolean;
   aquaKey?: string;
   aquaSecret?: string;
+  aquaUrl?: string;
+  authUrl?: string;
 };
 
 /**
@@ -55,5 +57,11 @@ export function getTaskInputs(): TaskInputs {
       'aquaSecret',
       true
     ),
+    aquaUrl: task.getEndpointUrl(aquaPlatform, true),
+    authUrl: task.getEndpointAuthorizationParameter(
+      aquaPlatform,
+      'authUrl',
+      true
+    ),
   };
 }

images/settingsv2.png

@@ -41,17 +41,6 @@ async function dockerRunner(inputs: TaskInputs): Promise<ToolRunner> {
   runner.line(`-e TRIVY_CACHE_DIR=${tmpPath}`);
   runner.argIf(dockerConfig, ['-e', `DOCKER_CONFIG=${dockerConfig}`]);
 
-  if (inputs.hasAquaAccount) {
-    runner.argIf(process.env.AQUA_URL, ['-e', 'AQUA_URL']);
-    runner.argIf(process.env.CSPM_URL, ['-e', 'CSPM_URL']);
-    runner.line('-e AQUA_ASSURANCE_EXPORT');
-    runner.line('-e AQUA_KEY');
-    runner.line('-e AQUA_SECRET');
-    runner.line('-e OVERRIDE_BRANCH');
-    runner.line('-e OVERRIDE_REPOSITORY');
-    runner.line('-e TRIVY_RUN_AS_PLUGIN');
-  }
-
   const trivyImage =
     inputs.image === ''
       ? `aquasec/trivy:${stripV(inputs.version)}`

trivy-task/trivyV1/task.json

@@ -3,15 +3,14 @@
   "id": "8f9cb13f-f551-439c-83e4-fac6801c3fab",
   "name": "trivy",
   "friendlyName": "Trivy",
-  "preview": true,
   "description": "Trivy is the world's most popular open source vulnerability and misconfiguration scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.",
   "helpMarkDown": "[Learn more about this task](https://github.com/aquasecurity/trivy-azure-pipelines-task)",
-  "helpUrl": "https://github.com/aquasecurity/trivy-azure-pipelines-task",
+  "helpUrl": "https://github.com/aquasecurity/trivy-azure-pipelines-task/docs/trivyv2.md",
   "category": "Test",
   "author": "Aqua Security",
   "version": {
     "Major": 2,
-    "Minor": 0,
+    "Minor": 1,
     "Patch": 0
   },
   "instanceNameFormat": "Echo trivy $(version)",

trivy-task/trivyV1/utils.ts

@@ -38,7 +38,7 @@ module.exports = () => {
     ],
     content: {
       license: { path: 'LICENSE' },
-      details: { path: 'marketplace.md' },
+      details: { path: 'README.md' },
     },
     links: {
       home: { uri: 'https://www.aquasec.com/' },
@@ -68,14 +68,23 @@ module.exports = () => {
         targets: ['ms.vss-endpoint.endpoint-types'],
         properties: {
           name: 'AquaPlatform',
-          displayName: 'Aqua Security Platform',
-          icon: 'images/aqua-logo.png',
-          // URL is not used in task, but required for manifest validation.
-          url: { value: 'https://api.cloudsploit.com', isVisible: false },
+          displayName: 'Aqua Platform Configuration',
+          icon: 'images/icon.png',
+          url: { displayName: 'Aqua Platform URL' },
           authenticationSchemes: [
             {
               type: 'ms.vss-endpoint.endpoint-auth-scheme-none',
               inputDescriptors: [
+                {
+                  id: 'authUrl',
+                  name: 'Aqua Platform Authentication URL',
+                  inputMode: 'textbox',
+                  isConfidential: false,
+                  validation: {
+                    isRequired: true,
+                    dataType: 'string',
+                  },
+                },
                 {
                   id: 'aquaKey',
                   name: 'Aqua Platform API Key',