aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0
827 stars, 238 forks

Issue Scanning Image from GHCR Using GitHub Actions #381

Closed kgochenour closed 3 months ago

kgochenour commented 3 months ago

We currently use GitHub Container Registry and GitHub Actions. While trying to get scanning working, we are running into an interesting issue.

The docker image builds just fine and is pushed to the registry. Locally, I can run: trivy image --ignore-unfixed --vuln-type os,library ghcr.io/organization/github_actions_container_tools:kag-trivy which uses my own PAT to pull down the image. And the scan works just fine.

However, in GitHub Actions, no dice. We use self-hosted runners with ARC, which meant running the Trivy Action in Docker-in-Docker. This works for our IaC scans without issue, but it did not work for our Docker-in-Docker runners. However, changing it to run on GitHub's runners did not resolve the issue.

GitHub Action Log is attached. runner.log

This is the GHA Workflow:

# ...build job above...
  scan:
    runs-on: ubuntu-20.04
    #runs-on: runner-docker (how i switch to the ARC Runners)
    permissions:
      attestations: write
      contents: read
      packages: write
      id-token: write
    needs: build-and-push
    env:
      TRIVY_DEBUG: true
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner for Docker
        uses: aquasecurity/trivy-action@0.20.0
        with:
          image-ref: ${{ needs.build-and-push.outputs.tags }}  # comes from a job not included here, but is the correct value
          format: 'table'
          #output: 'trivy-results.sarif' (Turned off for troubleshooting)
          ignore-unfixed: true
          github-pat: ${{ secrets.GITHUB_TOKEN }}

I am totally stumped here, as I thought it was an issue with ARC, but even when running the example action I am still getting the same error.

kgochenour commented 3 months ago

If anyone finds this in the future, I got this working by treating GHCR as a private repo and adding:

        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

to the aquasecurity/trivy-action@0.20.0 step.

While GitHub Actions should be able to read by default through its own token, Trivy is still doing some sort of login and thus GHCR is treated as any other repo.
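Putting the fix from the comment above together with the original scan job, here is a complete job as an added example (not the reporter's workflow and not from the trivy-action project). It assumes the `attestations: write`, `packages: write` and `id-token: write` permissions in the original were only needed by the build job, so the scan job is cut down to `packages: read` (enough for `GITHUB_TOKEN` to pull from GHCR) plus what its own steps use; the registry credentials are supplied through `TRIVY_USERNAME` / `TRIVY_PASSWORD`, which is the mechanism that worked above, rather than through the `github-pat` input. The SARIF upload step and the `security-events: write` permission it requires are an assumed follow-on to the commented-out `output: 'trivy-results.sarif'` line and can be dropped if the results are not going to the Security tab.

```yaml
# Added example: scan job that pulls a private image from GHCR with the
# workflow's own GITHUB_TOKEN and uploads the SARIF results.
  scan:
    runs-on: ubuntu-20.04
    needs: build-and-push
    permissions:
      contents: read          # actions/checkout
      packages: read          # pull the image from GHCR; write is not needed to scan
      security-events: write  # only needed by the upload-sarif step below
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner for Docker
        uses: aquasecurity/trivy-action@0.20.0
        env:
          # Registry login used by Trivy, as described in the comment above.
          # GITHUB_TOKEN is scoped to this workflow run and expires with it.
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
        with:
          image-ref: ${{ needs.build-and-push.outputs.tags }}  # assumed to be a single image reference
          format: 'sarif'
          output: 'trivy-results.sarif'
          ignore-unfixed: true
          vuln-type: 'os,library'

      - name: Upload Trivy results to the Security tab
        if: always()   # upload even when the scan step fails on findings
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
```

A quick way to confirm the credentials rather than the runner are the problem is to reproduce the failing case locally with the same mechanism: export `TRIVY_USERNAME` and `TRIVY_PASSWORD` (a PAT with `read:packages`) in a shell that has not run `docker login`, and run the same `trivy image ... ghcr.io/...` command the reporter used; if that pulls, the workflow only needs the two env vars above.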