aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Trivy action not actually scanning #301

Status: closed (markgov closed this 7 months ago)

markgov commented 8 months ago

Hi, I have my Trivy action code set up as follows:

```yaml
  trivy:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status.
    name: trivy
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca
        with:
          scan-type: 'fs'
          scanners: 'misconfig', 'vuln', 'secret'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Upload Trivy scan results to GitHub Security tab
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
        with:
          sarif_file: 'trivy-results.sarif'
```

The action shows as complete, but it has not actually done a scan, and I have found this in the logs:

```
Run aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca
/usr/bin/docker run --name eebaca6b1215e4f5541e3a80c81027b605968_ba9d1c --label 8eebac --workdir /github/workspace --rm -e "GITHUB_TOKEN" -e "INPUT_SCAN-TYPE" -e "INPUT_SCANNERS" -e "INPUT_FORMAT" -e "INPUT_OUTPUT" -e "INPUT_SEVERITY" -e "INPUT_IMAGE-REF" -e "INPUT_INPUT" -e "INPUT_SCAN-REF" -e "INPUT_EXIT-CODE" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_VULN-TYPE" -e "INPUT_TEMPLATE" -e "INPUT_SKIP-DIRS" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_TIMEOUT" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_GITHUB-PAT" -e "INPUT_TRIVY-CONFIG" -e "INPUT_TF-VARS" -e "INPUT_LIMIT-SEVERITIES-FOR-SARIF" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/modernisation-platform/modernisation-platform":"/github/workspace" 8eebac:a6b1215e4f5541e3a80c81027b605968  "-a fs" "-b sarif" "-c " "-d " "-e false" "-f os,library" "-g CRITICAL,HIGH" "-h trivy-results.sarif" "-i " "-j ." "-k " "-l " "-m " "-n " "-o " "-p " "-q " "-r false" "-s (misconfig, secret)" "-t " "-u " "-v " "-x " "-z "
/entrypoint.sh: line 121: [: (misconfig,: unary operator expected
Building SARIF report with options:  --vuln-type  os,library .
```

I have tried a few different ways, but it does not seem to accept the comma list. Am I missing something or doing something wrong?

If I put just one of the items in, i.e. misconfig on its own, the scan works and I get a report back.

Can you help?

kderck commented 7 months ago

Change `scanners: 'misconfig', 'vuln', 'secret'` to `scanners: misconfig,vuln,secret`
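Why the quoted, space-separated value fails inside the action's shell entrypoint, and a check for the plain comma list the action expects. This is an added example, not code from trivy-action: the `[ $scanners ]` test is assumed to be the shape of check that produces the "unary operator expected" message seen in the log (it is not a quote of entrypoint.sh line 121), and the scanner names are Trivy's own (vuln, misconfig, secret, license).

```shell
#!/bin/sh
# Added example (not the trivy-action entrypoint): why a scanners value with
# quotes and spaces breaks a POSIX [ ] test, and a validator for the plain
# comma-separated list the action expects (misconfig,vuln,secret).

# Unquoted expansion, assumed to match the failing check in the issue log.
# A value containing spaces is split into several words, so [ sees two
# arguments, reports "unary operator expected" and exits 2 (a syntax error,
# not a false result), which is why the step continued without scanning.
unquoted_test() {
  scanners=$1
  # shellcheck disable=SC2086  (the missing quotes are the point here)
  [ $scanners ] 2>/dev/null
}

# Quoted expansion keeps the value as one word: exit 0 if non-empty, 1 if empty.
quoted_test() {
  scanners=$1
  [ "$scanners" ]
}

# Validate a scanners input before handing it to trivy --scanners.
# Accepts only lowercase names separated by commas and only names Trivy
# knows; prints the first problem to stderr and returns 1 otherwise.
validate_scanners() {
  list=$1
  case "$list" in
    "") echo "scanners is empty" >&2; return 1 ;;
    *[!a-z,]*) echo "scanners must be a plain comma list, got: $list" >&2; return 1 ;;
  esac
  old_ifs=$IFS
  IFS=,
  for item in $list; do
    case "$item" in
      vuln|misconfig|secret|license) ;;
      *) IFS=$old_ifs; echo "unknown scanner: '$item'" >&2; return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# The workflow's original value (constructed input) versus the suggested fix.
if ! validate_scanners "'misconfig', 'vuln', 'secret'"; then
  echo "rejected the original workflow value"
fi
validate_scanners "misconfig,vuln,secret" && echo "accepted: misconfig,vuln,secret"
```

Running the validator as a step before the scan (or comparing the `-s` argument in the docker run line against it) catches a malformed `scanners` input as a failed step instead of a green run with no findings.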

markgov commented 7 months ago

Thanks, that seems to have worked.

KylePeterDavies commented 7 months ago

Hi @markgov. Can this be closed?