Azure / container-scan

A GitHub action to help you scan your docker image for vulnerabilities
MIT License

An error occurred while scanning container image: <TAG> for vulnerabilities #92

Closed mindflayer closed 3 years ago

mindflayer commented 3 years ago

Hi there, after replacing the base image I've started having this problem:

Run azure/container-scan@v0
Could not find allowedlist file.
/usr/bin/tar --version
tar (GNU tar) 1.30
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by John Gilmore and Jay Fenlason.
/usr/bin/tar xz --warning=no-unknown-keyword -C /home/runner/work/_temp/ee136a0f-930d-4460-946c-5350691898b7 -f /home/runner/work/kiwi-back/kiwi-back/_temp/tools/trivy
Scanning for vulnerabilties in image: <TAG>
Error: FATAL    scan error: image scan failed: failed analysis: analyze error: failed to analyze layer: sha256:1e286eeb0cc3ab35932b7e5b52c3a2b07f2e6a120ed5bb295a84303691dca2c9 : unable to get uncompressed layer sha256:1e286eeb0cc3ab35932b7e5b52c3a2b07f2e6a120ed5bb295a84303691dca2c9: failed to get the layer content (sha256:1e286eeb0cc3ab35932b7e5b52c3a2b07f2e6a120ed5bb295a84303691dca2c9): gzip: invalid header
Error: An error occurred while scanning container image: <TAG> for vulnerabilities.

The previous one was python:3.9-slim and the current one is ubuntu/ubuntu:impish-21.10_edge.

I am testing out a hardened Docker image from Canonical: https://ubuntu.com/security/docker-images I am assuming this is the root cause just because it is the only big thing I changed today.

The image I created works with our test suite, so I assume that is well-formed.

ajinkya599 commented 3 years ago

Hi @mindflayer, this action uses trivy underneath to scan the container images. The error seems to be coming from trivy. Can you please enable debug logs to get more details and open an issue on the trivy repo?

mindflayer commented 3 years ago

It's interesting because it does not happen if I install trivy locally (I tried to dpkg -i their deb file) and docker pull my image.

mindflayer commented 3 years ago

With the debug enabled it does not say much more, unfortunately. [Screenshot from 2021-06-22 12-39-25]

mindflayer commented 3 years ago

I found the problem. We are using docker/build-push-action@v2 for building and pushing our images. The load setting needs to be set to true to allow your action to scan properly. Also, since at the moment push and load cannot both be set to true due to

buildx call failed with: error: push and load may not be set together at the moment

I had to leave only load and "manually" push after the scan.
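The workaround described in the last comment, written out as a complete GitHub Actions workflow. This is an added example, not a workflow from the issue or from the container-scan project: the registry, image name, branch and the use of `docker/login-action` and `docker/setup-buildx-action` are assumptions, and `severity-threshold` is set to an illustrative value. The ordering is the point: the image is built with `load: true` (no push), scanned from the runner's local docker daemon, and pushed with a plain `docker push` only if the scan step succeeds.

```yaml
# Added example (not from the issue or the container-scan project).
# Registry, image name and branch are placeholders.
name: build-scan-push

on:
  push:
    branches: [main]

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    env:
      # Placeholder image reference; tag by commit so the scanned and pushed image are the same artifact.
      IMAGE: ghcr.io/example-org/example-app:${{ github.sha }}
    steps:
      - uses: actions/checkout@v2

      - uses: docker/setup-buildx-action@v1

      - name: Log in to registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # load: true exports the built image into the runner's local docker daemon,
      # which is what the scanner reads. push stays false here because buildx
      # rejects push and load together (the error quoted in the thread).
      - name: Build image locally
        uses: docker/build-push-action@v2
        with:
          context: .
          load: true
          push: false
          tags: ${{ env.IMAGE }}

      # Scan the locally loaded image. If the scan fails on findings at or above
      # the threshold, the job stops here and nothing reaches the registry.
      - name: Scan image
        uses: azure/container-scan@v0
        with:
          image-name: ${{ env.IMAGE }}
          severity-threshold: HIGH

      # "Manual" push, run only after the scan step succeeded.
      - name: Push image
        run: docker push "$IMAGE"
```

Because the push is a separate step that runs after the scan, a failing scan blocks publication rather than merely reporting on an image that is already in the registry; that is the property the single-step `push: true` layout loses.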