aquasecurity / trivy-action

Runs Trivy as a GitHub Action to scan your Docker container image for vulnerabilities
Apache License 2.0

🐛 tar file is invalid after build #189

Open xomgc3 opened 1 year ago

xomgc3 commented 1 year ago

I've reviewed #120. I'm still getting the same error after following the documentation.

2023-01-11T21:32:49.912Z    FATAL   image scan error: scan error: unable to initialize a scanner: unable to initialize the archive scanner: 2 errors occurred:
    * unable to open /github/workspace/trivy.tar as a Docker image: file manifest.json not found in tar
    * unable to open /github/workspace/trivy.tar as an OCI Image: stat 

Here's my job config:

      - name: Build Image Tar
        uses: docker/build-push-action@v3
        with:
          context: ${{ inputs.context }}
          push: false
          outputs: type=tar,dest=trivy.tar

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'image'
          input: /github/workspace/trivy.tar
          hide-progress: false
          format: 'sarif'
          output: 'trivy-results.sarif'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'

xomgc3 commented 1 year ago

Using type=oci,dest=trivy.tar resolves this as it includes the manifest that Trivy expects. Please ensure that the documentation reflects this requirement.
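As an added example, not code from the issue or from the trivy-action project: a POSIX shell check that inspects an image tar before the scan step and reports which layout it has, so a rootfs export from `type=tar` (no `manifest.json`, no OCI `index.json`) is caught before Trivy fails on it. The sample tars it builds are constructed locally and are not real images.

```shell
#!/bin/sh
# Added example, not part of trivy-action. Report the archive layout Trivy can
# open: a Docker archive carries manifest.json, an OCI image layout carries
# oci-layout plus index.json. A plain rootfs export (type=tar) has neither.
# Prints "docker" or "oci" and returns 0; returns 1 with a message otherwise.
image_tar_layout() {
  tar_path="$1"
  [ -f "$tar_path" ] || { echo "missing: $tar_path" >&2; return 1; }
  # List members once; tar -C ... . prefixes entries with ./ so strip it.
  members=$(tar -tf "$tar_path" 2>/dev/null | sed 's#^\./##') || {
    echo "not a tar archive: $tar_path" >&2; return 1; }
  if printf '%s\n' "$members" | grep -qx 'manifest.json'; then
    echo docker; return 0
  fi
  if printf '%s\n' "$members" | grep -qx 'oci-layout' \
     && printf '%s\n' "$members" | grep -qx 'index.json'; then
    echo oci; return 0
  fi
  echo "$tar_path has no manifest.json or oci-layout+index.json;" \
       "build it with outputs: type=oci (or type=docker), not type=tar" >&2
  return 1
}

# Constructed sample tars for exercising the check (assumed shapes, minimal
# content): a rootfs export like type=tar, and an OCI layout like type=oci.
make_sample_tars() {
  work=$(mktemp -d)
  mkdir -p "$work/fs/etc" && echo sample > "$work/fs/etc/hostname"
  tar -cf "$work/fs.tar" -C "$work/fs" .
  mkdir -p "$work/oci/blobs/sha256"
  printf '{"imageLayoutVersion":"1.0.0"}' > "$work/oci/oci-layout"
  printf '{"schemaVersion":2,"manifests":[]}' > "$work/oci/index.json"
  tar -cf "$work/oci.tar" -C "$work/oci" .
  echo "$work"
}
```

Run `image_tar_layout /github/workspace/trivy.tar` as a step before the scanner; a non-zero exit fails the job with a message naming the fix instead of the scanner's initialization error.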