aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0
806 stars 234 forks

PR is not blocked although trivy found critical issues #171

Open Loki-Afro opened 2 years ago

Loki-Afro commented 2 years ago

Hi there,

We are using CodeQL already, and have Code scanning results / CodeQL in our repos, additionally with the following rule: Settings -> Code security and analysis -> Code scanning -> Check failure: High or higher / Only errors

This is described here: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#defining-the-severities-causing-pull-request-check-failure

So my thought was, when adding Trivy, we can simply go the same path: let it scan and report errors, and the checkbox mentioned above will block the PR. Here is my Trivy action for that matter:

    - name: Build image
      uses: docker/build-push-action@v3
      with:
        push: false
        #tags: ghcr.io/${{ github.repository_owner }}/mail-drop:${{ github.sha }}
        tags: phi-test
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.7.1
      with:
        image-ref: phi-test
        format: 'sarif'
        output: 'trivy-results.sarif'
        severity: 'CRITICAL,HIGH'
        ignore-unfixed: true
        # exit-code: 1 <---- this is intentionally commented out
    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v2
      if: always() #cause trivy will exit with non-zero if it found something
      with:
        sarif_file: 'trivy-results.sarif'

Since I wanted the run to always be successful no matter whether issues were found or not, I removed the exit-code: 1 line, because why should I need it when following the GitHub documentation mentioned above?

With the above settings this leads to the following result:

- trivy-verify (the action itself) -> green - good
- CodeQL found nothing new -> green - good
- Code scanning results / Trivy found 1 high, several medium -> red - good

But I am able to merge without complaints - not good.

Now, finally, the question: why am I able to merge this PR?

You can find that PR here: https://github.com/kaffeekrone/mail-drop/pull/1

simar7 commented 2 years ago

Hi, is this your config? https://github.com/kaffeekrone/mail-drop/blob/main/.github/workflows/trivy-analysis.yml#L41 If so, I don't see an exit-code stanza that should make it fail.

Loki-Afro commented 2 years ago

@simar7 I don't think that's an issue in my config, even though it is suggested by the documentation here. Thing is, https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#defining-the-severities-causing-pull-request-check-failure

It is supposed to fail either way, isn't it?

simar7 commented 2 years ago

> @simar7 I don't think that's an issue in my config, even though it is suggested by the documentation here. Thing is, https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#defining-the-severities-causing-pull-request-check-failure
>
> It is supposed to fail either way, isn't it?

Yes, but you need an exit-code param in your config for Trivy to return a non-zero exit code so it can fail the pipeline. It's documented here: https://github.com/aquasecurity/trivy-action#scan-ci-pipeline
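For reference, here is the reporter's job rewritten the way simar7's answer suggests. This is an added example, not the reporter's workflow file and not trivy-action's own documentation: the image tag `phi-test`, the action versions, the severity filter and the SARIF file name are taken from the thread above, while the workflow name, the job name `trivy-verify`, the `pull_request` trigger, the runner and the `permissions` block are assumptions. The one functional change is the `exit-code: '1'` input, which makes the scan step fail when CRITICAL or HIGH findings remain; `if: always()` on the upload step keeps the SARIF flowing into the Security tab even after that failure.

```yaml
# Added example (not the reporter's workflow or trivy-action's docs):
# Trivy fails the job on CRITICAL/HIGH findings and still uploads SARIF.
# Assumed: workflow/job names, trigger, runner and permissions.
name: trivy-analysis

on:
  pull_request:

permissions:
  contents: read
  security-events: write   # needed by upload-sarif to create code scanning alerts

jobs:
  trivy-verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Build image
        uses: docker/build-push-action@v3
        with:
          push: false
          tags: phi-test

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.7.1
        with:
          image-ref: phi-test
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true
          exit-code: '1'        # non-zero exit when findings match the severity filter -> step fails

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: always()            # run even though the scan step failed, so alerts still reach the Security tab
        with:
          sarif_file: 'trivy-results.sarif'
```

Two things to keep in mind when wiring this up. First, `exit-code` only turns findings into a failed step; whether a failed step (or a red "Code scanning results / Trivy" check) actually prevents merging is decided by branch protection, which blocks a PR only for status checks it has been told are required. Second, because `severity` and `ignore-unfixed` filter what Trivy reports, they also decide what `exit-code` reacts to, so the job goes red for exactly the unfixed CRITICAL and HIGH findings that end up in the SARIF.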