Azure / container-scan

A GitHub action to help you scan your docker image for vulnerabilities
MIT License

Vulnerability Scanner not showing vulnerabilities #143

Open sjgupta19 opened 2 years ago

sjgupta19 commented 2 years ago

Hi, we are using this in our CI workflow to look for vulnerable packages. We have remediated all the packages and currently there is no vulnerability, but it is still throwing an error, "Vulnerabilities were detected in the container image", and giving no information on the vulnerability.

Also tried v0 and v0.1

zifeo commented 2 years ago

@sjgupta19 What happens if you run Trivy locally? Is the failing case a "secret" issue?

sjgupta19 commented 2 years ago

It runs fine locally and detects no vulnerability but one secret.

scottwestover commented 2 years ago

I also started running into this issue today, and I think the issue is tied to the latest version of trivy: 0.29.2.

Here are a few screenshots of the issue that I am seeing:

[Three screenshots dated 2022-06-23; images not preserved]

When I run Trivy locally, I am seeing no vulnerabilities and no secrets; however, when I run this action, I am getting the failure message.

However, if I update the action to use the previous version of trivy: 0.29.1, the scan works and passes successfully. Example configuration:

      - name: Scan Docker Image
        uses: azure/container-scan@v0.1
        with:
          image-name: test_docker_for_scan
          username: USER
          password: ${{ secrets.GITHUB_TOKEN }}
          trivy-version: "0.29.1"

github-actions[bot] commented 1 year ago

This issue is idle because it has been open for 14 days with no activity.

Souheil-Yazji commented 1 year ago

Hello,

It seems like we are encountering a similar issue where the container-scan step fails with "Error: Vulnerabilities were detected in the container image" but produces no output.

This is a major pain point and blocker for us since the images cannot be pushed to the remote repository if the container-scan does not pass.

jwasserman731 commented 1 year ago

What is the path forward to address this issue?

github-actions[bot] commented 1 year ago

This issue is idle because it has been open for 14 days with no activity.

TAAGECH9 commented 1 year ago

Hi there. I am currently experiencing the same issue. Have any solutions been found yet for this issue? I would also be happy with a specific Trivy version where this is not an issue. But as with others, this is a major pain point for me as well.

github-actions[bot] commented 1 year ago

This issue is idle because it has been open for 14 days with no activity.