aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

license scanner not possible via action? #219

Open erzz opened 1 year ago

erzz commented 1 year ago

It seems to me that the action is limited to only the scanners os and library?

Passing other valid types such as license is not possible.

Not sure if this is because you want to ensure that all the possible combinations of scan type and scanners would work?

- name: Trivy Image Scan
  uses: aquasecurity/trivy-action@0.9.2
  with:
    image-ref: ${{ needs.build-image.outputs.image-name }}:${{ needs.build-image.outputs.image-tag }}
    vuln-type: os,library,license

results in 2023-03-10T10:37:29.230Z WARN unknown vulnerability type: license

PeterBurner commented 1 year ago

Hey

I have a similar problem with license scanning. @erzz I think license should be passed to the scanners parameter and not vuln-type. If I run Trivy locally with trivy rootfs --scanners license . or trivy rootfs --config licence.yaml . it works. But if I use the same configuration with the GitHub Action, Trivy scans for vulnerabilities instead. It also ignores the config file. There seems to be a bug.

Local output:

trivy rootfs --config licence.yaml .
2023-04-19T10:09:29.877+0200    INFO    Loaded licence.yaml
2023-04-19T10:09:29.888+0200    INFO    Full license scanning is enabled

Node.js (license)
...

Action output:

Run aquasecurity/trivy-action@0.9.2
  with:
    format: table
    output: licenses.md
    exit-code: 1
    scan-type: rootfs
    scanners: license
    trivy-config: license.yaml
    scan-ref: .
    ignore-unfixed: false
    vuln-type: os,library
    severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
    list-all-pkgs: false
/usr/bin/docker run --name c04421f3d067f4aca45ff8d3252abb2922638_be1bc0 --label 6c0442 --workdir /github/workspace --rm -e "INPUT_FORMAT" -e "INPUT_OUTPUT" -e "INPUT_EXIT-CODE" -e "INPUT_SCAN-TYPE" -e "INPUT_SCANNERS" -e "INPUT_TRIVY-CONFIG" -e "INPUT_IMAGE-REF" -e "INPUT_INPUT" -e "INPUT_SCAN-REF" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_VULN-TYPE" -e "INPUT_SEVERITY" -e "INPUT_TEMPLATE" -e "INPUT_SKIP-DIRS" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_TIMEOUT" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_GITHUB-PAT" -e "INPUT_LIMIT-SEVERITIES-FOR-SARIF" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_ID_TOKEN_REQUEST_URL" -e "ACTIONS_ID_TOKEN_REQUEST_TOKEN" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v 
"/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/backend/backend":"/github/workspace" 6c0442:1f3d067f4aca45ff8d3252abb2922638  "-a rootfs" "-b table" "-c " "-d 1" "-e false" "-f os,library" "-g UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" "-h licenses.md" "-i " "-j ." "-k " "-l " "-m " "-n " "-o " "-p " "-q " "-r false" "-s license" "-t " "-u " "-v license.yaml" "-z "
Running Trivy with trivy.yaml config from:  license.yaml
2023-04-19T08:01:00.052Z    INFO    Need to update DB
2023-04-19T08:01:00.052Z    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-04-19T08:01:00.052Z    INFO    Downloading DB...
20.73 MiB / 36.59 MiB [---------------------------------->__________________________] 56.66% ? p/s ?36.59 MiB / 36.59 MiB [----------------------------------------------------------->] 100.00% ? p/s ?36.59 MiB / 36.59 MiB [----------------------------------------------------------->] 100.00% ? p/s ?36.59 MiB / 36.59 MiB [---------------------------------------------->] 100.00% 26.42 MiB p/s ETA 0s36.59 MiB / 36.59 MiB [---------------------------------------------->] 100.00% 26.42 MiB p/s ETA 0s36.59 MiB / 36.59 MiB [---------------------------------------------->] 100.00% 26.42 MiB p/s ETA 0s36.59 MiB / 36.59 MiB [---------------------------------------------->] 100.00% 24.72 MiB p/s ETA 0s36.59 MiB / 36.59 MiB [---------------------------------------------->] 100.00% 24.72 MiB p/s ETA 0s36.59 MiB / 36.59 MiB [---------------------------------------------->] 100.00% 24.72 MiB p/s ETA 0s36.59 MiB / 36.59 MiB [-------------------------------------------------] 100.00% 21.68 MiB p/s 1.9s2023-04-19T08:01:02.522Z    INFO    Vulnerability scanning is enabled
2023-04-19T08:01:02.522Z    INFO    Secret scanning is enabled
2023-04-19T08:01:02.522Z    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-19T08:01:02.522Z    INFO    Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection
2023-04-19T08:01:13.008Z    INFO    Number of language-specific files: 45
2023-04-19T08:01:13.008Z    INFO    Detecting gobinary vulnerabilities...
2023-04-19T08:01:13.008Z    INFO    Detecting gomod vulnerabilities...
2023-04-19T08:01:13.256Z    INFO    Detecting node-pkg vulnerabilities...
...

Config file:

format: table
exit-code: 1
license:
  full: true
scan:
  scanners:
    - license

erzz commented 1 year ago

@PeterBurner thanks! You are right, and it feels like something is working a little better by combining the two config methods (I am also using a later version, v0.11.2).

Currently I am trying:

- name: Trivy License Scan
  uses: aquasecurity/trivy-action@0.11.2
  with:
    image-ref: ''
    scan-type: rootfs
    scanners: license
    exit-code: 1
    trivy-config: ospo.yml
    scan-ref: ${{ inputs.scan-directory }}
    severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
    format: table

WITH the additional config file found here https://github.com/erzz/configs/blob/main/configs/trivy-ospo-licenses.yml

The success part is that I do get it to scan for licenses:

Run aquasecurity/trivy-action@0.11.2
  with:
    scan-type: rootfs
    scanners: license
    exit-code: 1
    trivy-config: ospo.yml
    scan-ref: ./
    ignore-unfixed: false
    vuln-type: library
    severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
    format: table
    list-all-pkgs: false

resulting in (shortened):

Node.js (license)
=================
Total: 1396 (UNKNOWN: 17, LOW: 1376, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌──────────────────────────────────────────────────────────────┬─────────────────────────────────────┬────────────────┬──────────┐
│                           Package                            │               License               │ Classification │ Severity │
├──────────────────────────────────────────────────────────────┼─────────────────────────────────────┼────────────────┼──────────┤
│ commondir                                                    │ MIT                                 │ notice         │ LOW      │
├──────────────────────────────────────────────────────────────┼─────────────────────────────────────┤                │          │
│ filesize                                                     │ BSD-3-Clause                        │                │          │
├──────────────────────────────────────────────────────────────┤                                     │                │          │
│ rtl-detect                                                   │                                     │                │          │
├──────────────────────────────────────────────────────────────┼─────────────────────────────────────┤                │          │
│ classnames                                                   │ MIT                                 │                │          │
├──────────────────────────────────────────────────────────────┤                                     │                │          │
│ postcss-selector-parser                                      │                                     │                │          │
├──────────────────────────────────────────────────────────────┤                                     │                │          │
│ regexpu-core                                                 │                                     │                │          │

So that is progress!

The issues are that:

So that's like 3 separate bugs I see that need to be fixed. I guess both exit code and the reporting are not considering license findings.
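As an added example (not code from this thread, from erzz, or from the trivy-action project), here is the kind of post-processing step a pipeline can run while the action's exit code does not account for license findings: it reads a Trivy JSON report (`--format json`), keeps only the results of Class `license` / `license-file`, tallies severities the way Trivy's table summary line does, and returns a non-zero exit code when any finding reaches a chosen threshold. The embedded report is constructed and only modelled on the shape of Trivy's JSON output; the field names `Results`, `Class`, `Licenses`, `Severity`, `Category`, `PkgName`, `FilePath` and `Name` are assumed from that format, so check them against the Trivy version you pin.

```python
import json
import sys
from typing import Dict, List

# Severity ranking as Trivy prints it; UNKNOWN is the lowest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample, modelled on the shape of a Trivy JSON report for
# `trivy rootfs --scanners license --format json .`. Not a real scan result.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "Node.js",
            "Class": "license",
            "Type": "node-pkg",
            "Licenses": [
                {"Severity": "LOW", "Category": "notice", "PkgName": "commondir", "Name": "MIT"},
                {"Severity": "LOW", "Category": "notice", "PkgName": "filesize", "Name": "BSD-3-Clause"},
                {"Severity": "MEDIUM", "Category": "reciprocal", "PkgName": "example-lib", "Name": "MPL-2.0"},
                {"Severity": "UNKNOWN", "Category": "unknown", "PkgName": "mystery-pkg", "Name": "UNKNOWN"},
            ],
        },
        {
            # A vulnerability result: must be ignored by the license check.
            "Target": "Node.js",
            "Class": "lang-pkgs",
            "Type": "node-pkg",
            "Vulnerabilities": [],
        },
    ],
})


def license_findings(report_json: str) -> List[dict]:
    """Flatten the license results of a Trivy JSON report into one list."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        # Package licenses come back under Class "license", loose license
        # files under "license-file"; both carry a "Licenses" array (assumed).
        if result.get("Class") not in ("license", "license-file"):
            continue
        for lic in result.get("Licenses") or []:
            severity = str(lic.get("Severity", "UNKNOWN")).upper()
            if severity not in SEVERITY_ORDER:
                severity = "UNKNOWN"  # never let an unexpected value crash the gate
            findings.append({
                "target": result.get("Target"),
                "package": lic.get("PkgName") or lic.get("FilePath"),
                "license": lic.get("Name"),
                "category": lic.get("Category"),
                "severity": severity,
            })
    return findings


def count_by_severity(findings: List[dict]) -> Dict[str, int]:
    """Tally findings per severity, mirroring Trivy's 'Total: N (...)' line."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def summary_line(findings: List[dict]) -> str:
    counts = count_by_severity(findings)
    detail = ", ".join(f"{s}: {counts[s]}" for s in SEVERITY_ORDER)
    return f"Total: {len(findings)} ({detail})"


def exit_code_for(findings: List[dict], fail_on: str = "MEDIUM") -> int:
    """Return 1 if any license finding is at or above the fail_on severity."""
    threshold = SEVERITY_ORDER.index(fail_on.upper())
    if any(SEVERITY_ORDER.index(f["severity"]) >= threshold for f in findings):
        return 1
    return 0


if __name__ == "__main__":
    # Usage: check_licenses.py [report.json] [FAIL_ON_SEVERITY]
    report_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    fail_on = sys.argv[2] if len(sys.argv) > 2 else "MEDIUM"
    found = license_findings(report_text)
    print(summary_line(found))
    for f in found:
        print(f"{f['severity']:<8} {f['category']:<12} {f['package']}  {f['license']}")
    sys.exit(exit_code_for(found, fail_on))
```

In a workflow this sits after a step that writes the JSON report (for example `trivy rootfs --scanners license --format json --output report.json .`), and the script's exit status is what fails the job, independent of whatever exit code the action itself reports for license results.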

erzz commented 1 year ago

Stillllll messy, but it seems like there are some conflicts between the action and the config. Use of a config file seems to cause the action to ignore any inputs, and thus default values are passed through instead for many things (like exit code) but not others (like format).

The thing is we need to pass a config for a long custom license list

So reducing the inputs to the bare minimum:

with:
  image-ref: ''
  scan-type: rootfs
  trivy-config: ospo.yml
  scan-ref: ${{ inputs.scan-directory }}

and throwing everything else into a trivy.yaml mentioned in the previous post, seems to at least get the job to fail when it should.
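The pattern described in this post, as an added example rather than erzz's actual ospo.yml: the action step carries only the inputs needed to locate the config, and everything that the action would otherwise override with defaults (exit code, format, severity, scanners, license policy) lives in the trivy.yaml the step points at. The top-level keys `format`, `exit-code`, `severity`, `scan.scanners` and `license.full` appear in the thread or in Trivy's config reference; the license category keys (`forbidden`, `ignored`) are assumed from Trivy's license configuration and the license names in them are placeholders for your own policy, so verify both against the docs for the Trivy version the action pins.

```yaml
# .github/workflows step (added example; keep inputs minimal so the config wins)
- name: Trivy License Scan
  uses: aquasecurity/trivy-action@0.11.2
  with:
    image-ref: ''
    scan-type: rootfs
    trivy-config: ospo.yml
    scan-ref: ${{ inputs.scan-directory }}

---
# ospo.yml (added example of the companion config; license lists are placeholders)
format: table
exit-code: 1
severity:
  - UNKNOWN
  - LOW
  - MEDIUM
  - HIGH
  - CRITICAL
scan:
  scanners:
    - license
license:
  full: true
  # Assumed Trivy license-category keys: licenses listed under `forbidden`
  # are reported at the highest severity, `ignored` ones are not reported.
  forbidden:
    - EXAMPLE-FORBIDDEN-LICENSE
  ignored:
    - MIT
```

The two documents are separated by `---` only for display here; in a repository they are two files, and the step above is what makes the config file, not the action's defaults, decide whether the job fails.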

For the SARIF issue - it's not supported, but there is an open PR for it in the trivy project: https://github.com/aquasecurity/trivy/pull/4866

cbandy commented 1 month ago

This may be resolved by the recent change to a composite action: https://github.com/aquasecurity/trivy-action/pull/399

erzz commented 1 month ago

> This may be resolved by the recent change to a composite action: #399

Thanks @cbandy

I think there is perhaps a related regression too - cross-posting here for visibility https://github.com/aquasecurity/trivy/discussions/7701