aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Trivy failed to download ARM architecture node despite running on ARM GHA runner #188

Open kewei5zhang opened 1 year ago

kewei5zhang commented 1 year ago

Behaviour

Steps to reproduce this issue

  1. Build a arm architecture only docker image and push to ECR
  2. Use trivy to download and scan the image

Expected behaviour

Trivy should perform the requested security scan

Actual behaviour

Trivy tried to pull down the amd64 image even though it's running on an ARM runner.

2023-01-11T03:31:03.726Z    FATAL   image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
* unable to inspect the image (***.dkr.ecr.***.amazonaws.com/image:tag): Error: No such image: ***.dkr.ecr.***.amazonaws.com/image:tag
* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
* containerd socket not found: /run/containerd/containerd.sock
* no child with platform {Architecture:amd64 OS:linux OSVersion: OSFeatures:[] Variant: Features:[]} in index ***.dkr.ecr.***.amazonaws.com/image:tag

Configuration

runs:
  using: "composite"
  steps:
    - uses: actions/checkout@v3
    - uses: docker/setup-buildx-action@v2
    - uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: '${{ inputs.AWS_ACCESS_KEY_ID }}'
        aws-secret-access-key: '${{ inputs.AWS_SECRET_ACCESS_KEY }}'
        aws-region: '${{ inputs.AWS_REGION }}'
    - id: login-ecr
      uses: aws-actions/amazon-ecr-login@v1
    - name: build and push image
      uses: docker/build-push-action@v3
      with:
        context: .
        file: ${{ inputs.dockerfile }}.Dockerfile
        push: true
        platforms: ${{ inputs.platforms }}
        # cache-from: type=gha
        # cache-to: type=gha,mode=max
        tags: ${{ steps.login-ecr.outputs.registry }}/${{ inputs.registry }}:${{ inputs.tag }}
    - uses: aquasecurity/trivy-action@0.6.0
      if: ${{ steps.image_meta.outputs.IMAGE_META == ''}}
      with:
        image-ref: '${{ inputs.AWS_ACCOUNT_ID }}.dkr.ecr.${{ inputs.AWS_REGION }}.amazonaws.com/${{ inputs.registry }}:${{ inputs.tag }}'
        format: 'table'
        exit-code: '0'
        ignore-unfixed: true
        timeout: '10m0s'
        vuln-type: 'os,library'
        severity: 'CRITICAL'

pbnj-dragon commented 9 months ago

I was able to solve this issue in my workflow by specifying the platform in the trivy.yaml file.

Example:

  1. In trivy.yaml:

    image:
      platform: linux/arm64
  2. In GitHub Workflow file:

    - uses: aquasecurity/trivy-action@0.6.0
      with:
        image-ref: '${{ inputs.AWS_ACCOUNT_ID }}.dkr.ecr.${{ inputs.AWS_REGION }}.amazonaws.com/${{ inputs.registry }}:${{ inputs.tag }}'
        trivy-config: trivy.yaml

pbnj-dragon commented 8 months ago

Found a better solution than the trivy.yaml config file.

See related issue/comment: https://github.com/aquasecurity/trivy-action/issues/279#issuecomment-1925050674

TLDR: specify the image platform using TRIVY_ environment variables, like:

# ...
    - uses: aquasecurity/trivy-action@0.6.0
      if: ${{ steps.image_meta.outputs.IMAGE_META == ''}}
      with:
        image-ref: '${{ inputs.AWS_ACCOUNT_ID }}.dkr.ecr.${{ inputs.AWS_REGION }}.amazonaws.com/${{ inputs.registry }}:${{ inputs.tag }}'
        format: 'table'
        exit-code: '0'
        ignore-unfixed: true
        timeout: '10m0s'
        vuln-type: 'os,library'
        severity: 'CRITICAL'
      env:
        TRIVY_PLATFORM: linux/arm64
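As an added illustration (not code from this thread or from Trivy itself), the following Python models why the scan above failed and why setting the platform fixes it: an arm64-only image index has no child for the default linux/amd64 lookup, so the selection reproduces the "no child with platform ... in index" error, while a platform derived from the runner's architecture finds the manifest. The image index is a constructed sample, and the mapping from GitHub's runner.arch values to Trivy platform strings is an assumption of this example.

```python
import json

# Constructed sample OCI image index for an arm64-only image (not a real
# registry response); it mirrors the issue, where only linux/arm64 was pushed.
ARM64_ONLY_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + "ab" * 32,  # placeholder digest
            "platform": {"architecture": "arm64", "os": "linux"},
        }
    ],
})

# GitHub runner.arch values mapped to the os/arch string used in TRIVY_PLATFORM.
# This mapping is the example author's assumption, not something from the thread.
RUNNER_ARCH_TO_PLATFORM = {
    "X64": "linux/amd64",
    "ARM64": "linux/arm64",
    "ARM": "linux/arm",
    "X86": "linux/386",
}

def platform_for_runner(runner_arch: str) -> str:
    """Return the TRIVY_PLATFORM value matching a GitHub runner's runner.arch."""
    if runner_arch not in RUNNER_ARCH_TO_PLATFORM:
        raise ValueError(f"unknown runner.arch {runner_arch!r}")
    return RUNNER_ARCH_TO_PLATFORM[runner_arch]

def select_manifest(index_json: str, platform: str) -> str:
    """Pick the child manifest digest for os/arch, or fail like the issue's log."""
    os_name, arch = platform.split("/", 1)
    index = json.loads(index_json)
    for child in index.get("manifests", []):
        p = child.get("platform", {})
        if p.get("os") == os_name and p.get("architecture") == arch:
            return child["digest"]
    raise LookupError(f"no child with platform {{Architecture:{arch} OS:{os_name}}} in index")

if __name__ == "__main__":
    # The default amd64 lookup fails; deriving the platform from the runner succeeds.
    for runner_arch in ("X64", "ARM64"):
        try:
            print(runner_arch, select_manifest(ARM64_ONLY_INDEX, platform_for_runner(runner_arch)))
        except LookupError as e:
            print(runner_arch, "FAILED:", e)
```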