Update readme and marketplace description

georg-jung · Jan 16, 2024 · e9a49f6 · e9a49f6
1 parent 8823c6f
commit e9a49f6
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 6 deletions.
diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022 Aqua Security
+Copyright (c) 2024 Georg Jung
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/README.md b/README.md
@@ -1,7 +1,14 @@
-# Trivy for Azure DevOps
+# trivy-contrib for Azure DevOps
 
 An Azure DevOps Pipelines Task for [Trivy](https://github.com/aquasecurity/trivy), with an integrated UI.
 
 ![Screenshot showing the Trivy extension in the Azure Devops UI](screenshot.png)
 
-Documentation and more information is available on the [Azure DevOps Marketplace](https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-official).
+Documentation and more information is available on the [Azure DevOps Marketplace](https://marketplace.visualstudio.com/items?itemName=georg-jung.trivy-contrib).
+
+This is a fork of the official extension by Aqua Security:
+
+* <https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-official>
+* <https://github.com/aquasecurity/trivy-azure-pipelines-task>
+
+I'm not affiliated to Aqua Security in any way.
diff --git a/marketplace.md b/marketplace.md
@@ -2,6 +2,18 @@
 
 An Azure DevOps Pipelines Task for [Trivy](https://github.com/aquasecurity/trivy), with an integrated UI.
 
+This fork of Aqua Security's [official extension](https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-official) includes some improvements:
+
+* [Mount docker.sock](https://github.com/aquasecurity/trivy-azure-pipelines-task/pull/57) to scan docker images from a containerized trivy instance.
+* [Update obsolete usage of --security-checks to --scanners](https://github.com/aquasecurity/trivy-azure-pipelines-task/pull/47).
+* [Mount a consistent cache dir](https://aquasecurity.github.io/trivy/v0.48/getting-started/installation/#use-container-image) so that multiple runs using docker only download the vulnerability db once.
+* Use a recent version of trivy if not using the trivy docker image.
+  * Due to the other changes above it should be possible to just use the docker-based execution in most cases, which always automatically uses the latest trivy version and does not require updates to this extension.
+* It can be installed in parallel to the official trivy extension.
+* This is a drop-in replacement, just change `- task: trivy@1` to `- task: trivy-contrib@1` after installing this extension.
+
+You're welcome to star this fork on GitHub or [contribute](https://github.com/georg-jung/trivy-azure-pipelines-task) if you need further improvements.
+
 ![Screenshot showing the trivy extension in the Azure Devops UI](screenshot.png)
 
 ## Installation
@@ -45,12 +57,12 @@ pool:
 jobs:
 - job: Scan the local project
   steps:
-  - task: trivy@1
+  - task: trivy-contrib@1
     inputs:
       path: .
 - job: Scan the ubuntu image
   steps:
-  - task: trivy@1
+  - task: trivy-contrib@1
     inputs:
       image: ubuntu
 ```
@@ -66,7 +78,7 @@ steps:
   inputs:
     command: login
     containerRegistry: dockerRegistryServiceConnection1
-- task: trivy@1
+- task: trivy-contrib@1
   inputs:
     image: my.registry/org/my-image:latest
 ```