Open RoFz opened 4 months ago
I have a very simple pipeline (based on the example provided in this repo's README.md) running on a GitHub Enterprise Server, but it keeps failing due to 'Bad credentials'.
Attempt no. 1: with GITHUB_TOKEN
```yaml
---
on:
  workflow_call:
  push:
    branches:
      - '**'
  pull_request:
    branches:
      - '**'
permissions:
  contents: write
jobs:
  build:
    name: Checks
    runs-on: [self-hosted, Linux]
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          ignore-unfixed: true
          input: src/image.tar
          scan-type: image
          format: 'github' # table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln
          output: 'dependency-results.sbom.json'
          github-pat: ${{ secrets.GITHUB_TOKEN }}
          severity: "MEDIUM,HIGH,CRITICAL"
          scanners: "vuln" # vuln,misconfig,secret,license
          timeout: 30m0s
```
Attempt no. 2: with PAT
```yaml
---
on:
  workflow_call:
  push:
    branches:
      - '**'
  pull_request:
    branches:
      - '**'
jobs:
  build:
    name: Checks
    runs-on: [self-hosted, Linux]
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          ignore-unfixed: true
          input: src/image.tar
          scan-type: image
          format: 'github' # table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln
          output: 'dependency-results.sbom.json'
          github-pat: ${{ secrets.PAT_TOKEN }}
          severity: "MEDIUM,HIGH,CRITICAL"
          scanners: "vuln" # vuln,misconfig,secret,license
          timeout: 30m0s
```
Error produced in both attempts:
```
/usr/bin/docker run --name fcba85d282d3159c7e476c8588bf73c34e8ba2_7b9ec6 --label fcba85 --workdir /github/workspace --rm -e "BCM_REGISTRY" -e "IMAGE_NAME" -e "SHA" -e "COMPARE_TAG" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_INPUT" -e "INPUT_SCAN-TYPE" -e "INPUT_FORMAT" -e "INPUT_OUTPUT" -e "INPUT_GITHUB-PAT" -e "INPUT_SEVERITY" -e "INPUT_SCANNERS" -e "INPUT_TIMEOUT" -e "INPUT_IMAGE-REF" -e "INPUT_SCAN-REF" -e "INPUT_EXIT-CODE" -e "INPUT_VULN-TYPE" -e "INPUT_TEMPLATE" -e "INPUT_SKIP-DIRS" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_TRIVY-CONFIG" -e "INPUT_TF-VARS" -e "INPUT_LIMIT-SEVERITIES-FOR-SARIF" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_I...
Running trivy with options: trivy image --format github --ignore-unfixed --vuln-type os,library --scanners vuln --severity MEDIUM,HIGH,CRITICAL --output dependency-results.sbom.json --timeout 30m0s --input src/image.tar
Global options:
2024-02-19T13:18:59.259Z INFO Vulnerability scanning is enabled
2024-02-19T13:21:16.206Z INFO Detected OS: ubuntu
2024-02-19T13:21:16.206Z WARN This OS version is not on the EOL list: ubuntu 24.04
2024-02-19T13:21:16.207Z INFO Detecting Ubuntu vulnerabilities...
2024-02-19T13:21:16.215Z INFO Number of language-specific files: 8
2024-02-19T13:21:16.220Z INFO Detecting dotnet-core vulnerabilities...
2024-02-19T13:21:16.317Z INFO Detecting node-pkg vulnerabilities...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
100  260k  100    90  100  260k     48   140k  0:00:01  0:00:01 --:--:--  142k
Uploading GitHub Dependency Snapshot{
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest"
}
```
I'd just like to obtain confirmation that this action indeed supports GitHub Enterprise before proceeding any further into the troubleshooting.
Thanks in advance.
It looks like it's hard coded to github.com maybe?
https://github.com/aquasecurity/trivy-action/blob/062f2592684a31eb3aa050cc61e7ca1451cecd3d/entrypoint.sh#L204
Would be very interested in this being supported.
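The comment above points at the snapshot upload being pinned to github.com, which is consistent with the log: a token issued by a GitHub Enterprise Server instance is presented to api.github.com, so the API answers "Bad credentials" regardless of whether it is `GITHUB_TOKEN` or a PAT. The sketch below is an added example, not trivy-action's own entrypoint code, showing how an upload step can derive the REST base URL from the runner-provided `GITHUB_API_URL` variable (`https://api.github.com` on github.com, `https://<host>/api/v3` on GHES) instead of hard-coding it; the `ghes.example.invalid` host used in the test is a constructed placeholder.

```shell
#!/usr/bin/env sh
# Added example (not trivy-action's own code): resolve the GitHub REST API base
# URL from the Actions runner environment so that the dependency snapshot is
# posted to the same instance that issued the token in use.

# GITHUB_API_URL is set by the Actions runner on every job. Falling back to
# api.github.com keeps the script usable outside Actions (e.g. local testing).
api_base_url() {
  printf '%s' "${GITHUB_API_URL:-https://api.github.com}"
}

# Build the dependency-graph snapshot endpoint for an "owner/repo" slug.
# Endpoint: POST /repos/{owner}/{repo}/dependency-graph/snapshots
snapshot_endpoint() {
  printf '%s/repos/%s/dependency-graph/snapshots' "$(api_base_url)" "$1"
}

# Upload a snapshot JSON file (as written by `trivy --format github`).
# Arguments: repo slug, token, path to the snapshot file.
# The token is read from an argument here only for clarity; in a workflow it
# would come from an input or secret and never be echoed.
upload_snapshot() {
  repo="$1"; token="$2"; file="$3"
  [ -r "$file" ] || { echo "snapshot file not readable: $file" >&2; return 1; }
  curl --silent --show-error --fail \
    -X POST "$(snapshot_endpoint "$repo")" \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer $token" \
    --data-binary "@$file"
}

# Only perform a real upload when explicitly asked, so the file can be sourced
# or executed for inspection without making a network request.
if [ "${RUN_UPLOAD:-0}" = "1" ]; then
  upload_snapshot "${GITHUB_REPOSITORY:?}" "${INPUT_GITHUB_PAT:?}" "${SNAPSHOT_FILE:?}"
fi
```

Keying the URL off `GITHUB_API_URL` also makes the failure mode visible: if the variable points at GHES and the upload still returns 401, the problem is the token's scope or the instance's dependency-graph settings rather than the wrong host.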