Closed markgov closed 7 months ago
Hi, I have my Trivy action code set up as follows:
```yaml
trivy:
  permissions:
    contents: read # for actions/checkout to fetch code
    security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status.
  name: trivy
  runs-on: ubuntu-latest
  steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Run Trivy vulnerability scanner in repo mode
      uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca
      with:
        scan-type: 'fs'
        scanners: 'misconfig', 'vuln', 'secret'
        format: 'sarif'
        output: 'trivy-results.sarif'
        severity: 'CRITICAL,HIGH'
    - name: Upload Trivy scan results to GitHub Security tab
      if: success() || failure()
      uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
      with:
        sarif_file: 'trivy-results.sarif'
```
The action shows as complete but it has not actually done a scan, and I have found this in the logs:
```text
Run aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca
/usr/bin/docker run --name eebaca6b1215e4f5541e3a80c81027b605968_ba9d1c --label 8eebac --workdir /github/workspace --rm -e "GITHUB_TOKEN" -e "INPUT_SCAN-TYPE" -e "INPUT_SCANNERS" -e "INPUT_FORMAT" -e "INPUT_OUTPUT" -e "INPUT_SEVERITY" -e "INPUT_IMAGE-REF" -e "INPUT_INPUT" -e "INPUT_SCAN-REF" -e "INPUT_EXIT-CODE" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_VULN-TYPE" -e "INPUT_TEMPLATE" -e "INPUT_SKIP-DIRS" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_TIMEOUT" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_GITHUB-PAT" -e "INPUT_TRIVY-CONFIG" -e "INPUT_TF-VARS" -e "INPUT_LIMIT-SEVERITIES-FOR-SARIF" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/modernisation-platform/modernisation-platform":"/github/workspace" 8eebac:a6b1215e4f5541e3a80c81027b605968 "-a fs" "-b sarif" "-c " "-d " "-e false" "-f os,library" "-g CRITICAL,HIGH" "-h trivy-results.sarif" "-i " "-j ." "-k " "-l " "-m " "-n " "-o " "-p " "-q " "-r false" "-s (misconfig, secret)" "-t " "-u " "-v " "-x " "-z "
/entrypoint.sh: line 121: [: (misconfig,: unary operator expected
Building SARIF report with options: --vuln-type os,library .
```
I have tried a few different ways but it does not seem to accept the comma list. Am I missing something or doing something wrong?
If I put just one of the items in, i.e. misconfig on its own, the scan works and I get a report back.
Can you help?
Change

```yaml
scanners: 'misconfig', 'vuln', 'secret'
```

to

```yaml
scanners: misconfig,vuln,secret
```
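An added pre-flight check, not part of trivy-action or of this thread, that rejects a malformed `scanners` value before it reaches the container (so the job fails instead of "completing" with no scan) and reproduces why the entrypoint's `[` test broke on the value seen in the log. It assumes `VALID_SCANNERS` is Trivy's documented set of `--scanners` names; check that list against the Trivy version you pin.

```shell
#!/bin/sh
# Added example (not trivy-action's own code): validate the `scanners` input
# before the job runs, so a malformed value fails loudly instead of silently
# producing an empty scan. Assumption: VALID_SCANNERS lists Trivy's documented
# --scanners values; check it against the Trivy version you pin.
VALID_SCANNERS="vuln misconfig secret license"

# validate_scanners LIST
# Accepts a bare comma-separated list (misconfig,vuln,secret) and prints it;
# rejects quotes, whitespace, empty items and unknown scanner names.
validate_scanners() {
  input=$1
  case "$input" in
    '' | *[[:space:]]* | *\'* | *\"*)
      echo "reject: quotes or whitespace in '$input'" >&2; return 1 ;;
  esac
  old_ifs=$IFS; IFS=','
  for item in $input; do
    case " $VALID_SCANNERS " in
      *" $item "*) ;;   # known scanner name
      *) IFS=$old_ifs; echo "reject: unknown scanner '$item'" >&2; return 1 ;;
    esac
  done
  IFS=$old_ifs
  printf '%s\n' "$input"
}

# Why the entrypoint broke: the value "(misconfig, secret)" from the log contains
# a space, so an unquoted $s is word-split into two arguments and [ reports
# "(misconfig,: unary operator expected" (exit status 2). Quoting keeps it one word.
unquoted_test() { s="(misconfig, secret)"; [ $s ] 2>/dev/null; }
quoted_test()   { s="(misconfig, secret)"; [ "$s" ] 2>/dev/null; }
```

Run `validate_scanners "$INPUT"` in a step before the Trivy step, or locally against the value you intend to put in the workflow.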
Thanks, that seems to have worked.
Hi @markgov. Can this be closed?