aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

SARIF file when using scan-type 'config' cannot be uploaded to GitHub Advanced Security. Validation error. #320

Open rkeidar opened 8 months ago

rkeidar commented 8 months ago

I'm using Trivy to scan IaC with the actions below. The upload-sarif step fails with the errors below. I've downloaded the result file and it failed the SARIF validation on this SARIF validation web site.

### GitHub Error:

Error: Code Scanning could not process the submitted SARIF file: SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file" Error: Code Scanning could not process the submitted SARIF file: SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF 
URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file"

### Workflow steps:

```yaml
- name: Run Trivy vulnerability scanner in IaC mode
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'config'
    hide-progress: false
    format: 'sarif'
    output: 'trivy-results.sarif2'
    exit-code: '0'
    ignore-unfixed: true
    severity: 'CRITICAL,HIGH'

- name: Upload Trivy scan results to GitHub Security tab
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: 'trivy-results.sarif2'
    category: "IaC"
```

rkeidar commented 8 months ago

Here is the screenshot.

The format error is:

```
SARIF1004: runs[0].results[80].locations[0].physicalLocation.artifactLocation: This 'artifactLocation' object has a 'uriBaseId' property 'ROOTPATH', but its 'uri' property 'git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=5818de1fbdcca461a917e889e6703218d740494c/main.tf' is an absolute URI. Since the purpose of 'uriBaseId' is to resolve a relative reference to an absolute URI, it is not allowed when the 'uri' property is already an absolute URI.
```
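
As an added pre-upload check (not part of this issue's thread, nor of Trivy or trivy-action), the following Python flags the exact SARIF1004 condition the validator reported: an `artifactLocation` that sets `uriBaseId` while its `uri` already carries a scheme such as `git`, which is also why GitHub complains that the SARIF URI scheme does not match the `file` checkout scheme. The SARIF document embedded here is constructed for the example, with one location carrying the `git::` URI quoted above, and only the standard library is used.

```python
import json
import sys
from urllib.parse import urlsplit

# Constructed sample SARIF (not real Trivy output): result 0 carries the
# absolute git:: URI quoted in the issue, result 1 a normal relative path.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy"}},
        "originalUriBaseIds": {"ROOTPATH": {"uri": "file:///github/workspace/"}},
        "results": [
            {"ruleId": "example-rule-1", "locations": [{"physicalLocation": {
                "artifactLocation": {
                    "uri": "git::https:/github.com/terraform-aws-modules/terraform-aws-eks"
                           "?ref=5818de1fbdcca461a917e889e6703218d740494c/main.tf",
                    "uriBaseId": "ROOTPATH"}}}]},
            {"ruleId": "example-rule-2", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "main.tf", "uriBaseId": "ROOTPATH"}}}]},
        ],
    }],
}


def is_absolute_uri(uri: str) -> bool:
    """True when the URI starts with a scheme (git, https, file, ...)."""
    return bool(urlsplit(uri).scheme)


def find_sarif1004(sarif: dict) -> list:
    """Return (run, result, location, uri) for every artifactLocation that sets
    uriBaseId but whose uri is already absolute: the SARIF1004 violation that
    makes GitHub Code Scanning reject the upload."""
    findings = []
    for r, run in enumerate(sarif.get("runs", [])):
        for i, result in enumerate(run.get("results", [])):
            for j, loc in enumerate(result.get("locations", [])):
                art = loc.get("physicalLocation", {}).get("artifactLocation", {})
                uri = art.get("uri", "")
                if "uriBaseId" in art and is_absolute_uri(uri):
                    findings.append((r, i, j, uri))
    return findings


def check_sarif_file(path: str) -> list:
    """Load a SARIF file from disk and run the same check over it."""
    with open(path, encoding="utf-8") as f:
        return find_sarif1004(json.load(f))


if __name__ == "__main__":
    hits = check_sarif_file(sys.argv[1]) if len(sys.argv) > 1 else find_sarif1004(SAMPLE_SARIF)
    for r, i, j, uri in hits:
        print(f"SARIF1004: runs[{r}].results[{i}].locations[{j}]: absolute uri with uriBaseId: {uri}")
```

Run it against the real `trivy-results.sarif2` as a workflow step before `upload-sarif`; a non-empty result means the upload will be rejected until the offending locations are rewritten as relative paths.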

afdesk commented 8 months ago

Hi @rkeidar, it seems it's a known issue in Trivy (https://github.com/aquasecurity/trivy/issues/5003) and there is a fix, but it hasn't been merged yet: https://github.com/aquasecurity/trivy/pull/6405/

wdyt?

afdesk commented 8 months ago

the next trivy release should have the fix )