Open RichardoC opened 11 months ago
I was able to work around this issue in my workflow by specifying the platform in the trivy.yaml file.
Example:

In trivy.yaml:

```yaml
image:
  platform: linux/arm64
```

In the GitHub Workflow file:

```yaml
- name: Run Trivy vulnerability scanner for distroless container
  uses: aquasecurity/trivy-action@0.13.1
  with:
    image-ref: 'ghcr.io/someimage:${{github.sha}}-distroless'
    format: 'sarif'
    output: 'distroless-results.sarif'
    github-pat: '${{ secrets.GITHUB_TOKEN }}'
    trivy-config: trivy.yaml
```
Thanks, that's a good workaround @pbnj-dragon, though it would be fantastic to have cross-platform scanning.
Agreed.
I would like to see an input for `platform`, like:

```yaml
- name: Run Trivy vulnerability scanner for distroless container
  uses: aquasecurity/trivy-action@0.13.1
  with:
    image-ref: 'ghcr.io/someimage:${{github.sha}}-distroless'
    platform: 'linux/arm64'
    format: 'sarif'
    output: 'distroless-results.sarif'
    github-pat: '${{ secrets.GITHUB_TOKEN }}'
```
That way, I can leverage Job Matrix as needed.
Although, I am not sure if image platform has that much effect on vulnerabilities (I could be wrong).
I just came across this bit of documentation in the action's README:

> You can use Trivy environment variables to set the necessary options (including flags that are not supported by Inputs, such as `--secret-config`).
Upon reading the docs, it seems that trivy respects environment variables like:

```yaml
- name: Run Trivy vulnerability scanner for distroless container
  uses: aquasecurity/trivy-action@0.13.1
  with:
    image-ref: 'ghcr.io/someimage:${{github.sha}}-distroless'
    format: 'sarif'
    output: 'distroless-results.sarif'
    github-pat: '${{ secrets.GITHUB_TOKEN }}'
  env:
    TRIVY_PLATFORM: linux/arm64
```
This effectively enables the same use-cases that having a dedicated `platform:` input would.
For example, you can scan the same image for different platforms, using a Job Matrix, like:
```yaml
jobs:
  trivy-image:
    runs-on: ubuntu-latest   # a job needs a runner; added so the snippet is valid
    strategy:
      matrix:
        # the key must match the expression used below (matrix.platform)
        platform: [ "linux/arm64", "linux/amd64" ]
    steps:
      - name: Run Trivy vulnerability scanner for distroless container
        uses: aquasecurity/trivy-action@0.13.1
        with:
          image-ref: 'ghcr.io/someimage:${{github.sha}}-distroless'
        env:
          TRIVY_PLATFORM: ${{ matrix.platform }}
```
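What `--platform` / `TRIVY_PLATFORM` actually selects, as an added example (this is not code from Trivy, trivy-action, or anyone in this thread): a multi-arch tag resolves to an OCI image index (Docker manifest list) whose entries are separate image manifests, one per platform, each with its own digest and layers, so the scanner has to pick one entry before it can pull anything. The index below is constructed and its digests are placeholders; the `arm64` to `arm64/v8` normalisation mirrors what containerd/docker do and is my simplification, not a documented Trivy rule. `platforms_in_index` also shows how a job matrix could be derived from what was actually pushed instead of hard-coded.

```python
"""Pick the per-platform manifest out of a multi-arch image index.

Added example; not code from Trivy, trivy-action, or anyone in this thread.
A multi-arch tag resolves to an OCI image index (Docker manifest list) whose
entries are separate image manifests, one per platform, each with its own
digest and layers. --platform / TRIVY_PLATFORM tells the scanner which entry
to pull; the index below is constructed and its digests are placeholders.
"""
from __future__ import annotations

import json
from typing import Optional

# Constructed sample index. Digests are fake placeholders, not real images.
_FAKE = {name: f"sha256:{ch * 64}" for name, ch in
         (("amd64", "a"), ("arm64", "b"), ("armv7", "c"), ("attest", "d"))}

SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": _FAKE["amd64"], "size": 1234,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": _FAKE["arm64"], "size": 1234,
         "platform": {"os": "linux", "architecture": "arm64", "variant": "v8"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": _FAKE["armv7"], "size": 1234,
         "platform": {"os": "linux", "architecture": "arm", "variant": "v7"}},
        # buildx attestation manifests sit in the same index with os/arch
        # "unknown"; they are not images and must never be picked for scanning.
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": _FAKE["attest"], "size": 567,
         "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": _FAKE["amd64"]}},
    ],
})


def parse_platform(spec: str) -> tuple[str, str, Optional[str]]:
    """Parse an os/arch[/variant] string as accepted by --platform."""
    parts = spec.split("/")
    if not 2 <= len(parts) <= 3 or not all(parts):
        raise ValueError(f"platform must be os/arch[/variant], got {spec!r}")
    os_name, arch = parts[0], parts[1]
    variant = parts[2] if len(parts) == 3 else None
    # Assumption mirroring containerd/docker: linux/arm64 means linux/arm64/v8.
    if arch == "arm64" and variant is None:
        variant = "v8"
    return os_name, arch, variant


def _platform_string(plat: dict) -> str:
    parts = [plat.get("os", ""), plat.get("architecture", "")]
    if plat.get("variant"):
        parts.append(plat["variant"])
    return "/".join(parts)


def platforms_in_index(index_json: str) -> list[str]:
    """List the scannable platforms in an index (attestation entries excluded).

    Handy for building a job matrix from what was actually pushed."""
    index = json.loads(index_json)
    found = []
    for entry in index.get("manifests", []):
        plat = entry.get("platform") or {}
        if plat.get("os") == "unknown" or plat.get("architecture") == "unknown":
            continue  # attestation/SBOM manifests, not images
        found.append(_platform_string(plat))
    return sorted(found)


def resolve_manifest(index_json: str, platform: str) -> str:
    """Return the digest of the image manifest matching `platform`.

    Raises LookupError listing the platforms the index does carry, which is
    what lies behind an 'image not found' when asking for the wrong arch."""
    want_os, want_arch, want_variant = parse_platform(platform)
    index = json.loads(index_json)
    for entry in index.get("manifests", []):
        plat = entry.get("platform") or {}
        if plat.get("os") != want_os or plat.get("architecture") != want_arch:
            continue
        have_variant = plat.get("variant")
        # A requested variant must match when the entry states one.
        if want_variant and have_variant and have_variant != want_variant:
            continue
        return entry["digest"]
    raise LookupError(
        f"no manifest for {platform}; index has {platforms_in_index(index_json)}")


if __name__ == "__main__":
    for p in platforms_in_index(SAMPLE_INDEX):
        print(p, "->", resolve_manifest(SAMPLE_INDEX, p))
```

The two platforms in the matrix above resolve to two different digests, i.e. two different sets of layers and packages, which is why a scan pinned to one platform says nothing about the other.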
I've a workflow that builds ARM64 images and then attempts to scan them with trivy; unfortunately, because the host is AMD64, the images can't be found.
Is there a way to use docker buildx/etc to run trivy against these non-native architecture images?
Example workflow below, which fails with the following error