Azure / container-scan

A GitHub action to help you scan your docker image for vulnerabilities
MIT License
219 stars, 42 forks

Receiving error while scanning an image #133

Open gopurx opened 2 years ago

gopurx commented 2 years ago

Tried using both v0 and v0.1 and consistently receiving this error message while running the action.

```text
Scanning for CIS and best practice violations...
Error: Table data must not contain control characters.
```

Any suggestions on what could be wrong here?

a-rhote commented 2 years ago

We've also been seeing this issue for the past few days. Any pointers on potential troubleshooting ideas, or paths forward, would be much appreciated.

ronanbrowne commented 2 years ago

Also seeing this

ronanbrowne commented 2 years ago

After a bit of diffing, it seems the issue is this breaking change: https://github.com/aquasecurity/trivy/discussions/1515

Later versions need to use `trivy image`.

e.g. the following works:

```shell
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v $HOME/Library/Caches:/root/.cache/ \
  aquasec/trivy image python:3.9-slim-buster
```

koushdey commented 2 years ago

@ronanbrowne We have already migrated the fix. Can you please verify?

koushdey commented 2 years ago

@gopurx Are you still facing this issue?

gopurx commented 2 years ago

@koushdey Yes, I am experiencing this error; the latest occurrence was yesterday. My observation is that the image scan outputs results when there are CVEs to report, and the action errors out when there are no CVEs to report.

gopurx commented 2 years ago

Any update on this issue, want to check if I am the only one receiving this error?

a-rhote commented 2 years ago

I'm also still seeing it on my scans.

koushdey commented 2 years ago

@gopurx @a-rhote Can you mention the versions you are running, so that I can verify whether the fix is present in that version? This issue has not been reported by many recently.

a-rhote commented 2 years ago

```yaml
name: Scan image
uses: Azure/container-scan@v0.1
env:
  DOCKER_CONTENT_TRUST: 1
with:
  image-name: <my image>:<tag>
  severity-threshold: HIGH
  run-quality-checks: true
```

This is what we're using in our CI action definition @koushdey

gopurx commented 2 years ago

@koushdey, I tried both v0 and v0.1.

```yaml
  uses: Azure/container-scan@v0
  with:
      image-name: <my image>:<tag>
```

koushdey commented 2 years ago

Is it possible to share the image name and tag name used in the action? It's possible that we are getting the issue due to some chars in the input.

a-rhote commented 2 years ago

> Is it possible to share the image name and tag name used in the action? It's possible that we are getting the issue due to some chars in the input.

@koushdey Sure, it's `dev_people_api:<git commit hash>` or something like `dev_people_sqs-consumer:<git commit hash>`

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.

gopurx commented 2 years ago

Can anyone respond to this issue?

aneisch commented 2 years ago

I "fixed" this by disabling quality checks:

```yaml
      - name: Assess Vulnerability
        uses: Azure/container-scan@v0
        with:
          image-name: ${{ env.IMAGE_NAME }}
          run-quality-checks: false
```

gopurx commented 2 years ago

Thanks @aneisch for the workaround. Hope we will have a fix for using the CIS quality check.

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.

KEINOS commented 2 years ago

Edit 2022/22/29: I just re-read my post and realized that my case and the OP's case are different. So I have edited it.

### Case of Statuscode: 403, StatusMessage: Forbidden

```text
Scanning for CIS and best practice violations...
No best practice violations were detected in the container image
Creating scan result. image_name: keinos/sqlite3:test, head_sha: eade3180e8211d727402f8e4618f96f73e57e7b7
Warning: An error occurred while creating the check run for container scan. Error: Error: An error occurred while creating scan result. Statuscode: 403, StatusMessage: Forbidden, head_sha: eade3180e8211d727402f8e4618f96f73e57e7b7
```

Same here on both `v0` and `v0.1`, but **fixed by removing the below from the workflow's YAML**.

```yaml
permissions:
  contents: read # for actions/checkout to fetch code
  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
```

In my case, **it was because I had mixed the steps with other Actions that set the permissions to "read" only**, such as [Snyk Docker Action](https://github.com/snyk/actions/tree/master/docker). Keeping the YAML simple as below worked again.

```yaml
name: Azure Container Scan

on:
  push:
    branches: [ master ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ master ]

jobs:
  vulnerability-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Pre pull alpine image for stability
        run: docker pull alpine:latest
      - name: Build a Docker image
        run: docker build -t keinos/sqlite3:test .
      - name: Run Azure container scan to check Docker image for vulnerabilities
        uses: Azure/container-scan@v0.1
        env:
          DOCKER_CONTENT_TRUST: 1
        with:
          image-name: keinos/sqlite3:test
```

### Details

My original YAML was as below, combining both the Snyk and Azure container scan actions.

```yaml
name: Container Scan

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '45 0 * * 0'

permissions:
  contents: read

jobs:
  vulnerability-check:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Pre pull alpine image for stability
        run: docker pull alpine:latest
      - name: Build a Docker image
        run: docker build -t keinos/sqlite3:test .
      - name: Run Azure container scan to check Docker image for vulnerabilities
        uses: Azure/container-scan@v0.1
        env:
          DOCKER_CONTENT_TRUST: 1
        with:
          image-name: keinos/sqlite3:test
      - name: Run Snyk to check Docker image for vulnerabilities
        continue-on-error: false
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: keinos/sqlite3:test
          args: --file=Dockerfile
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif
```

I noticed that it warned with a `Statuscode: 403` forbidden error.

```text
Scanning for CIS and best practice violations...
No best practice violations were detected in the container image
Creating scan result. image_name: keinos/sqlite3:test, head_sha: eade3180e8211d727402f8e4618f96f73e57e7b7
Warning: An error occurred while creating the check run for container scan. Error: Error: An error occurred while creating scan result. Statuscode: 403, StatusMessage: Forbidden, head_sha: eade3180e8211d727402f8e4618f96f73e57e7b7
```

There seemed to be a problem with the hash comparison of the images. But this image passes with [Snyk Docker Action](https://github.com/snyk/actions/tree/master/docker). Since the error code was '403', I assumed that the cause was some sort of write or read access violation. Then I realized that I had set the "read" permission for Snyk's configuration.

```yaml
permissions:
  contents: read
  security-events: write
```

I believe this "read-only" permission was the cause.
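A least-privilege alternative to deleting the `permissions` block, added here as an example and not part of the thread or of the action's documentation: keep the explicit block and grant only the extra permission the failing step needs. The log shows the action creating a check run, and creating check runs with `GITHUB_TOKEN` needs `checks: write`; that mapping is an assumption on my part, so confirm it against your own run log.

```yaml
# Added example, not from the original thread. Assumption: the 403 on
# "creating the check run" comes from GITHUB_TOKEN lacking checks: write.
# Any explicit `permissions:` block sets every unlisted scope to none,
# so listing only contents/security-events silently drops checks.
name: Container Scan

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

# Weak form (what failed with 403): unlisted scopes, checks included, are none.
# permissions:
#   contents: read
#   security-events: write

jobs:
  vulnerability-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read         # actions/checkout
      security-events: write # github/codeql-action/upload-sarif
      checks: write          # assumed: lets Azure/container-scan create its check run
    steps:
      - uses: actions/checkout@v3
      - name: Build a Docker image
        run: docker build -t keinos/sqlite3:test .
      - name: Run Azure container scan
        uses: Azure/container-scan@v0.1
        env:
          DOCKER_CONTENT_TRUST: 1
        with:
          image-name: keinos/sqlite3:test
      - name: Run Snyk to check Docker image for vulnerabilities
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: keinos/sqlite3:test
          args: --file=Dockerfile
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif
```

The job-level block overrides the workflow-level one, so the scopes listed there are the complete set the job's token carries.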
github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.

tripflex commented 2 years ago

Confirmed this is still an issue

tripflex commented 2 years ago

```yaml
  scan-public-images:
    runs-on: ubuntu-latest

    steps:
      - uses: Azure/container-scan@v0.1
        env:
          DOCKER_CONTENT_TRUST: 1
        with:
          image-name: redis:7.0.5-alpine
```

```text
/usr/bin/tar xz --warning=no-unknown-keyword -C /home/runner/work/_temp/a58e3288-c559-4854-8845-261cc4d3e862 -f /home/runner/work/curally/curally/_temp/tools/trivy
Scanning for vulnerabilties in image: redis:7.0.5-alpine
No vulnerabilities were detected in the container image
/usr/bin/tar --version
tar (GNU tar) 1.30
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by John Gilmore and Jay Fenlason.
/usr/bin/tar xz --warning=no-unknown-keyword -C /home/runner/work/_temp/e36cbafa-9374-4e5a-9f25-46e115a306ea -f /home/runner/work/x/x/_temp/tools/dockle
Scanning for CIS and best practice violations...
Error: Table data must not contain control characters.
```

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.

tripflex commented 2 years ago

Still a problem ...

github-actions[bot] commented 1 year ago

This issue is idle because it has been open for 14 days with no activity.