search

aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0
806 stars 233 forks source link

Trivy action in SBOM mode error: Docker Action run completed with exit code 1 #262

Open rblancou opened 1 year ago

rblancou commented 1 year ago

I'm using Trivy to generate SBOM of my prpject dependencies and submit them to GitHub Dependency Graph. I'm following the steps described in Trivy documentation.

This is my .yml to configure the action:

name: Dependency graph scanning

on:
  push:
    branches:
      - main

permissions:
  contents: write

jobs:
  build:
    name: Dependency graph scanning
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          format: 'github'
          output: 'dependency-results.sbom.json'
          image-ref: '.'
          github-pat: ${{ secrets.GITHUB_TOKEN }}
          trivy-config: trivy-dependency-graph.yaml

This is my additional Trivy configuration params:

timeout: 10m
include-dev-deps: true
exit-code: 1
format: github
output: dependency-results.sbom.json
severity:
  - MEDIUM
  - HIGH
  - CRITICAL
scan:
  scanners:
    - vuln
    - secret
    - config
vulnerability:
  type:
    - os
    - library
  ignore-unfixed: true

And this is the Action result (with debug mode): image

The Github dependency snapshot is uploaded successfully but the debug console shows the Docker Action run completed with exit code 1 error and the Action fails.

Why it happens?

Maxim-Durand commented 11 months ago

You're specifying in your trivy-dependency-graph.yaml: exit-code: 1 from the doc:

Exit code when specified vulnerabilities are found

So it's probably just that the scan found vulnerabilities.

rblancou commented 11 months ago

You're specifying in your trivy-dependency-graph.yaml: exit-code: 1 from the doc:

Exit code when specified vulnerabilities are found

So it's probably just that the scan found vulnerabilities.

@Maxim-Durand If I'm not wrong, that configuration says that when there is an error, fire code 1 so that the Github action knows that it has failed.

However, the problem I have is that everything runs fine (there aren't vulnerabilities) but it returns code 1 when it should return code 0.

Maxim-Durand commented 11 months ago

Have you tried without exit-code: 1 (by default trivy uses exit-code: 0) ?

rblancou commented 11 months ago

Have you tried without exit-code: 1 (by default trivy uses exit-code: 0) ?

Yes, I've tried. If I remove the exit-code: 1 and Trivy finds some vulnerabilities, it will return a 0 code so github actions won't recognise an error

wiegell commented 2 months ago

I'm experiencing this too. It's frustrating, since we use the exit code to block releases and now it blocks on too low a severity