aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Scan locally built and tagged image w/o pulling from ECR #278

Closed Pro-XP closed 1 year ago

Pro-XP commented 1 year ago

Hello,

Qq, is it possible to scan a local image that was built, tagged, and pushed without the need to pull it back down from ECR? This is my config for the trivy scan:

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: "***.dkr.ecr.us-****-*.amazonaws.com/xp-trivy:trivy-testing-${{ env.GIT_SHORT_SHA }}"
        format: table
        vuln-type: 'os,library'
        severity: 'CRITICAL,HIGH'
        timeout: 30m

I've been running into this error that can be solved by pulling the image back down before running the trivy scan but just wondering if this is really necessary since the image-ref exists locally on the runner:

2023-11-03T16:05:54.090Z    FATAL   image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
    * unable to inspect the image (***.dkr.ecr.us-****-*.amazonaws.com/xp-trivy:trivy-testing-f32****): Error response from daemon: no such image: ***.dkr.ecr.us-****-*.amazonaws.com/xp-trivy:trivy-testing-f32****: No such image: ***.dkr.ecr.us-****-*.amazonaws.com/xp-trivy:trivy-testing-f32****
    * containerd socket not found: /run/containerd/containerd.sock
    * unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
    * GET https://***.dkr.ecr.us-****-*.amazonaws.com/v2/xp-trivy/manifests/trivy-testing-f32****: unexpected status code 401 Unauthorized: Not Authorized

Pro-XP commented 1 year ago

Figured out what I was doing wrong.

hoopty commented 11 months ago

What was the issue & fix? I'm having the same issue with images built by GitHub actions using podman tooling & not docker.

rlex commented 11 months ago

I'm also interested in a solution - ran into the same issue

rlex commented 11 months ago

Okay, found it.

In your build step:

      - name: Build image
        id: build
        uses: docker/build-push-action@v5
        with:
          file: Dockerfile
          load: true
          platforms: linux/amd64
          push: false

Notice `id: build`; we will use it in the next step:

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ steps.build.outputs.imageid }}
          format: table
          exit-code: 1
          ignore-unfixed: true
          vuln-type: os,library
          severity: CRITICAL,HIGH

So after building we save the imageid and use it in the image-ref of trivy-action to load our image, referring to it via steps.build.outputs.
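Putting the two steps together, here is an added example of a complete job (not from the trivy-action project or from anyone in this thread) that builds the image into the runner's local Docker daemon, scans it by image ID so trivy-action never needs registry credentials, and only pushes after the scan passes. The registry name `example.invalid/xp-trivy`, the `IMAGE` environment variable and the login step are assumptions.

```yaml
# Added example: build locally, scan by image ID, push only if the scan passes.
# example.invalid/xp-trivy is a placeholder; replace it with your ECR repository.
name: build-scan-push

on: [push]

env:
  IMAGE: example.invalid/xp-trivy:${{ github.sha }}   # assumed tag layout

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      - name: Build image into the local daemon
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          file: Dockerfile
          platforms: linux/amd64
          load: true      # export the result to the local Docker daemon
          push: false     # do not push before the image has been scanned
          tags: ${{ env.IMAGE }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          # sha256 image ID emitted by the build step; Trivy finds it in the
          # local daemon, so no ECR pull (and no 401) is involved
          image-ref: ${{ steps.build.outputs.imageid }}
          format: table
          exit-code: 1            # fail the job on CRITICAL/HIGH findings
          ignore-unfixed: true
          vuln-type: os,library
          severity: CRITICAL,HIGH

      # Assumed: an ECR login step (e.g. aws-actions/amazon-ecr-login) goes here.

      - name: Push the scanned image
        if: success()            # only reached when the scan step exited 0
        run: docker push "$IMAGE"
```

The `if: success()` on the push step is the point of the ordering: because `exit-code: 1` makes the scan step fail on findings, an image with unfixed CRITICAL/HIGH vulnerabilities never reaches the registry. The `docker push` reuses the tag given to the build step, so the exact image that was scanned is the one pushed.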

Pro-XP commented 11 months ago

Hey! Sorry just saw this. Yeah, the fix for me was discovering the load argument in the docker/build-push-action.

@hoopty If the trivy gh action isn't working for you, you can also download & install Trivy straight up and scan a tarball:

      shell: bash
      run: |
        echo "Downloading Latest Trivy Version"
        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b . latest
        echo "Scanning ${{ inputs.serviceName }} service for vulnerabilities"
        # Collect every jib-image.tar under the workspace into a real array,
        # one element per path (a plain string with ${tar[@]} would word-split)
        mapfile -t tars < <(find . -name 'jib-image.tar')
        for path in "${tars[@]}"
        do
          # --input scans the tarball directly: no daemon or registry access needed
          ./trivy image --timeout 15m --format table --ignore-unfixed --vuln-type os,library --severity CRITICAL \
            --input "$path"
        done