aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Upload SBoM to GitHub Enterprise: supported? #312

Open RoFz opened 4 months ago

RoFz commented 4 months ago

I have a very simple pipeline (based on the example provided in this repo's README.md) running on a GitHub Enterprise Server, but it keeps failing due to 'Bad credentials'.

Attempt no. 1: with GITHUB_TOKEN

```yaml
---
on:
  workflow_call:
  push:
    branches:
      - '**'
  pull_request:
    branches:
      - '**'

permissions:
  contents: write

jobs:
  build:
    name: Checks
    runs-on: [self-hosted, Linux]
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          ignore-unfixed: true
          input: src/image.tar
          scan-type: image
          format: 'github' # table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln
          output: 'dependency-results.sbom.json'
          github-pat: ${{ secrets.GITHUB_TOKEN }}
          severity: "MEDIUM,HIGH,CRITICAL"
          scanners: "vuln" # vuln,misconfig,secret,license
          timeout: 30m0s
```

Attempt no. 2: with PAT

```yaml
---
on:
  workflow_call:
  push:
    branches:
      - '**'
  pull_request:
    branches:
      - '**'

jobs:
  build:
    name: Checks
    runs-on: [self-hosted, Linux]
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          ignore-unfixed: true
          input: src/image.tar
          scan-type: image
          format: 'github' # table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln
          output: 'dependency-results.sbom.json'
          github-pat: ${{ secrets.PAT_TOKEN }}
          severity: "MEDIUM,HIGH,CRITICAL"
          scanners: "vuln" # vuln,misconfig,secret,license
          timeout: 30m0s
```

Error produced in both attempts:

```text
/usr/bin/docker run --name fcba85d282d3159c7e476c8588bf73c34e8ba2_7b9ec6 --label fcba85 --workdir /github/workspace --rm -e "BCM_REGISTRY" -e "IMAGE_NAME" -e "SHA" -e "COMPARE_TAG" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_INPUT" -e "INPUT_SCAN-TYPE" -e "INPUT_FORMAT" -e "INPUT_OUTPUT" -e "INPUT_GITHUB-PAT" -e "INPUT_SEVERITY" -e "INPUT_SCANNERS" -e "INPUT_TIMEOUT" -e "INPUT_IMAGE-REF" -e "INPUT_SCAN-REF" -e "INPUT_EXIT-CODE" -e "INPUT_VULN-TYPE" -e "INPUT_TEMPLATE" -e "INPUT_SKIP-DIRS" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_TRIVY-CONFIG" -e "INPUT_TF-VARS" -e "INPUT_LIMIT-SEVERITIES-FOR-SARIF" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_I...
Running trivy with options: trivy image  --format github --ignore-unfixed --vuln-type  os,library --scanners  vuln --severity  MEDIUM,HIGH,CRITICAL --output  dependency-results.sbom.json --timeout  30m0s --input src/image.tar
Global options:
2024-02-19T13:18:59.259Z    INFO    Vulnerability scanning is enabled
2024-02-19T13:21:16.206Z    INFO    Detected OS: ubuntu
2024-02-19T13:21:16.206Z    WARN    This OS version is not on the EOL list: ubuntu 24.04
2024-02-19T13:21:16.207Z    INFO    Detecting Ubuntu vulnerabilities...
2024-02-19T13:21:16.215Z    INFO    Number of language-specific files: 8
2024-02-19T13:21:16.220Z    INFO    Detecting dotnet-core vulnerabilities...
2024-02-19T13:21:16.317Z    INFO    Detecting node-pkg vulnerabilities...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
100  260k  100    90  100  260k     48   140k  0:00:01  0:00:01 --:--:--  142k
 Uploading GitHub Dependency Snapshot{
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest"
}
```

I'd just like to obtain confirmation that this action indeed supports GitHub Enterprise before proceeding any further into the troubleshooting.

Thanks in advance.

bosch-ch commented 3 months ago

It looks like it's hard-coded to github.com maybe?

https://github.com/aquasecurity/trivy-action/blob/062f2592684a31eb3aa050cc61e7ca1451cecd3d/entrypoint.sh#L204

Would be very interested in this being supported.
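As an added illustration of the point raised in the comment above (this is not the action's own entrypoint.sh), a small shell helper that builds the Dependency Snapshot upload URL from the `GITHUB_API_URL` variable GitHub Actions sets on every runner, which on GitHub Enterprise Server points at the enterprise host, and falls back to api.github.com only when that variable is unset. The function names, the response file path and the `acme/app` repository used in the comments are assumptions made for the example.

```shell
#!/usr/bin/env sh
# Added example (not trivy-action code): derive the Dependency Snapshot API
# endpoint from the runner's own GITHUB_API_URL instead of a hard-coded host.

# Print the snapshot endpoint for the repository given as "owner/name".
# GITHUB_API_URL is https://api.github.com on github.com and
# https://<ghes-host>/api/v3 on GitHub Enterprise Server.
snapshot_url() {
  api="${GITHUB_API_URL:-https://api.github.com}"
  api="${api%/}"   # tolerate a trailing slash in the configured URL
  printf '%s/repos/%s/dependency-graph/snapshots\n' "$api" "$1"
}

# Upload a snapshot file produced by `trivy --format github` and return
# non-zero unless the API answered 201, so a 401 "Bad credentials" response
# fails the step instead of being silently ignored.
# Usage: trivy_upload_snapshot dependency-results.sbom.json [owner/name]
trivy_upload_snapshot() {
  file="$1"
  repo="${2:-$GITHUB_REPOSITORY}"
  url="$(snapshot_url "$repo")"
  status=$(curl -sS -o /tmp/snapshot-response.json -w '%{http_code}' \
    -X POST "$url" \
    -H "Authorization: Bearer ${GITHUB_TOKEN}" \
    -H "Accept: application/vnd.github+json" \
    -H "Content-Type: application/json" \
    --data-binary @"$file")
  echo "HTTP $status from $url"
  [ "$status" = "201" ]
}
```

Submitting a snapshot needs a token with `contents: write` on the target repository, which is why the first workflow above grants that permission explicitly.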