Azure / container-scan

A GitHub action to help you scan your docker image for vulnerabilities
MIT License
219 stars, 42 forks

GitHub's action 'Convert Container Scan Report to SARIF' failed #147

Open michel-guillon opened 2 years ago

michel-guillon commented 2 years ago

Hi, we encountered an issue with GitHub's action 'scan_and_push_container_images_to_registries' at the 'Convert Container Scan Report to SARIF' step. Here is the output:

```text
Run rm3l/container-scan-to-sarif-action@v1.7.0
  with:
    converter-version: 0.7.1
    output-file: scanreport.sarif
  env:
    DOCKER_BUILDKIT: 1
    GITHUB_TOKEN:
    JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.3-7/x64
    GRADLE_BUILD_ACTION_SETUP_COMPLETED: true
    GRADLE_BUILD_ACTION_CACHE_RESTORED: true
Run mkdir -p ~/.local/bin
  mkdir -p ~/.local/bin
  curl -L "https://github.com/rm3l/container-scan-to-sarif/releases/download/0.7.1/container-scan-to-sarif_0.7.1_Linux_x86_64.tar.gz" \
    | tar zx -C ~/.local/bin --strip-components=1
  chmod +x ~/.local/bin/container-scan-to-sarif
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    DOCKER_BUILDKIT: 1
    GITHUB_TOKEN:
    JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.3-7/x64
    GRADLE_BUILD_ACTION_SETUP_COMPLETED: true
    GRADLE_BUILD_ACTION_CACHE_RESTORED: true
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 68  703k   68  479k    0     0  1028k      0 --:--:-- --:--:-- --:--:-- 1028k
100  703k  100  703k    0     0  1484k      0 --:--:-- --:--:-- --:--:-- 31.2M
Run # Converter versions >= 0.6.0 dropped support for the "-output" CLI option.
  # Converter versions >= 0.6.0 dropped support for the "-output" CLI option.
  # Instead, they directly write the resulting SARIF to the standard output
  if ~/.local/bin/container-scan-to-sarif --help | grep 'output string' > /dev/null; then \
    ~/.local/bin/container-scan-to-sarif \
      -input "" \
      -output "scanreport.sarif"; \
  else \
    ~/.local/bin/container-scan-to-sarif \
      -input "" \
      | tee "scanreport.sarif"; \
  fi
  echo "::set-output name=sarif-report-path::scanreport.sarif"
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    DOCKER_BUILDKIT: 1
    GITHUB_TOKEN: ***
    JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.3-7/x64
    GRADLE_BUILD_ACTION_SETUP_COMPLETED: true
    GRADLE_BUILD_ACTION_CACHE_RESTORED: true
Usage of /home/runner/.local/bin/container-scan-to-sarif:
  -input string
        path to the Container Scan JSON Report (default "./scanreport.json")
2022/07/08 09:53:11 open : no such file or directory
```

The next step 'Upload SARIF reports to GitHub Security tab' also failed with the following output:

```text
Run github/codeql-action/upload-sarif@v2
Error: Input required and not supplied: sarif_file
Error: Input required and not supplied: sarif_file
    at Object.getInput (/home/runner/work/_actions/github/codeql-action/v2/node_modules/@actions/core/lib/core.js:109:15)
    at Object.getRequiredInput (/home/runner/work/_actions/github/codeql-action/v2/lib/actions-util.js:47:17)
    at run (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:52:77)
    at async runWrapper (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:74:9)
```

Thanks in advance for the help. Regards, Michel
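The log above shows the converter being run with `-input ""`: the scan-report path handed to rm3l/container-scan-to-sarif-action was empty, so the binary tried to open an empty filename ("open : no such file or directory"), never reached its `::set-output`, and the upload step then had no `sarif_file` to read. The workflow below is an added example and is not the reporter's workflow nor code from Azure/container-scan or the converter action. It shows the wiring that carries the report path through the three steps, plus a guard that fails early with a readable message when the report is absent. The `scan-report-path` output name of Azure/container-scan, the `input-file` input of the converter action, the action refs and the image name are assumptions; verify each against the action's own `action.yml` before relying on this.

```yaml
name: scan-and-upload-sarif

on: [push]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed by upload-sarif to write to the Security tab
    steps:
      - uses: actions/checkout@v3

      - name: Build image
        run: docker build -t example.azurecr.io/app:${{ github.sha }} .   # image name is an assumption

      # The scan step needs an `id` so that later steps can reference its
      # output. Output name `scan-report-path` is an assumption; check action.yml.
      - name: Scan container image
        id: scan
        uses: Azure/container-scan@v0
        with:
          image-name: example.azurecr.io/app:${{ github.sha }}

      # Fail here, loudly, instead of letting the converter receive -input ""
      # and die with "open : no such file or directory". The path is passed
      # through `env:` rather than interpolated into the script so that an
      # unexpected output value cannot be executed as shell.
      - name: Check that the scan report exists
        env:
          REPORT: ${{ steps.scan.outputs.scan-report-path }}
        run: |
          if [ -z "$REPORT" ]; then
            echo "::error::scan step produced no scan-report-path output"
            exit 1
          fi
          if [ ! -s "$REPORT" ]; then
            echo "::error::scan report '$REPORT' is missing or empty"
            exit 1
          fi
          echo "scan report: $REPORT ($(wc -c < "$REPORT") bytes)"

      # Input name `input-file` is an assumption; `output-file` and
      # `converter-version` appear in the failing log above.
      - name: Convert Container Scan Report to SARIF
        id: sarif
        uses: rm3l/container-scan-to-sarif-action@v1.7.0
        with:
          input-file: ${{ steps.scan.outputs.scan-report-path }}
          output-file: scanreport.sarif
          converter-version: 0.7.1

      # `sarif-report-path` is the output the converter step sets via
      # ::set-output in the log above.
      - name: Upload SARIF reports to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.sarif.outputs.sarif-report-path }}
```

Two things worth keeping even if the input names differ in your copy of the actions: the guard step turns a confusing downstream error into a one-line diagnosis of which step broke the chain, and passing step outputs through `env:` instead of writing `${{ ... }}` straight into `run:` avoids the script-injection pattern where an attacker-influenced value becomes part of the shell command.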

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.

rm3l commented 2 years ago

@mahkoCosmo I think this issue should be reported in the container-scan-to-sarif-action Action instead. ;-)

Or if you can share the output of the step before that runs the Azure/container-scan action (which produced the resulting scan report file in JSON), that would be helpful in determining what the issue could be.

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.