aquasecurity / trivy-action

Runs Trivy as a GitHub Action to scan your Docker container image for vulnerabilities
Apache License 2.0

trivy-action does not download terraform modules that are stored in a private github repository #383

Closed al-lac closed 6 days ago

al-lac commented 2 months ago

I am scanning a terraform plan that uses multiple modules that are stored in private github repos.

Trivy does however not seem to pick up issues in the module, probably because it can't download them when running on github-actions.

Locally everything works fine.

I am referencing the modules like this:

```hcl
module "test_module" {
  source = "github.com/org/terraform-aws-test-module.git?ref=v1.2.0"

  var1 = "test"
}
```

I am using trivy like this:

```yaml
- name: Run Trivy scanner
  uses: aquasecurity/trivy-action@0.24.0
  with:
    scan-type: config
    hide-progress: true
    output: trivy.txt
    ignore-unfixed: true
    severity: 'CRITICAL,HIGH'
```

I already tried multiple things like running terraform init before the scan or adding a TF_TOKEN variable. But nothing helped so far.

Any clue what the issue here could be?

simar7 commented 2 months ago

The only thing I can think of is a network ACL that prevents your hosted registries to deny inbound connections from sources such as GitHub runners. Since you mention it works locally, I would assume that network space is allowed.

al-lac commented 2 months ago

@simar7 Seems to have something to do with the fact that the repos are private:

```text
2024-08-20T11:38:10Z    DEBUG   [misconf] 38:10.990153932 terraform.parser.<root>.evaluator.resolver Downloading github.com/org/terraform-aws-test-module.git?ref=v1.2.0...
2024-08-20T11:38:11Z    DEBUG   [misconf] 38:11.047044083 terraform.parser.<root>.evaluator Failed to load module "failed to download: error downloading 'https://github.com/org/terraform-aws-test-module.git?ref=v1.2.0': /usr/bin/git exited with 128: Cloning into '/tmp/.aqua/cache/ca3f503b26bf407e58f6773e4ef4984c'...\nfatal: could not read Username for 'https://github.com': No such device or address\n". Maybe try 'terraform init'?
```

How would I supply those credentials to Trivy? Or can I run an extra command in the Trivy container beforehand to set up git credentials?

al-lac commented 2 months ago

So I got it working by running terraform init before the scan, like it was mentioned in the error message. But this is not really optimal and should be easier to achieve:

```yaml
...
  env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4.1.7

      - uses: hashicorp/setup-terraform@v3

      - run: git config --global url."https://oauth2:${{ secrets.GITHUB_TOKEN }}@github.com".insteadOf https://github.com

      - run: terraform init

      - name: Run Trivy scanner
        uses: aquasecurity/trivy-action@0.24.0
        with:
          scan-type: config
          hide-progress: true
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          format: table
...
```

nikpivkin commented 2 weeks ago

Hi @al-lac ! Are the modules located in repositories other than the target repository?

I tried your case (but with my repositories) with running terraform init, but that also failed:

```text
Could not download module "test" (main.tf:1) source code from
│ "git::https://github.com/nikpivkin/test-private-tf-module.git": error
│ downloading 'https://github.com/nikpivkin/test-private-tf-module.git':
│ /usr/bin/git exited with 128: Cloning into '.terraform/modules/test'...
│ remote: Repository not found.
│ fatal: repository
│ 'https://github.com/nikpivkin/test-private-tf-module.git/' not found
```

From the documentation about GITHUB_TOKEN:

The token's permissions are limited to the repository that contains your workflow.

So I created my token and added it to the secrets: `- run: git config --global url."https://oauth2:${{ secrets.MY_GITHUB_PAT }}@github.com".insteadOf https://github.com`. After that, the scan completed successfully.

al-lac commented 2 weeks ago

Hey @nikpivkin!

Yeah, the modules I am trying to scan are located in different repositories.

I am also already setting the token like you did, but without the terraform init before, I would still run into the same error.

nikpivkin commented 2 weeks ago

@al-lac Can you share the final version of your workflow and what error you are getting with it?

al-lac commented 1 week ago

Hey @nikpivkin, this was the error: https://github.com/aquasecurity/trivy-action/issues/383#issuecomment-2298668679

Now with this setup, it is working: https://github.com/aquasecurity/trivy-action/issues/383#issuecomment-2298880157

Of course I would prefer this to work without these extra steps.

nikpivkin commented 1 week ago

@al-lac I think this is the minimum configuration that should work. To access a private repository you need a token with repository access permission, but not `secrets.GITHUB_TOKEN`.

```yaml
name: Scan
on:
  workflow_dispatch:

jobs:
  scan:
    name: Scan
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - run: git config --global url."https://oauth2:${{ secrets.MY_GITHUB_PAT }}@github.com".insteadOf https://github.com

      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: '1'
```

Git configuration is required, see https://github.com/hashicorp/setup-terraform/issues/33#issuecomment-714837963
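As an added example (not part of the thread or of trivy-action), the script below reproduces the `url.<base>.insteadOf` rewrite that the workflow above relies on, entirely offline: instead of a PAT it maps `https://github.com/` to a directory of local bare repositories, so the same clone URL that Trivy's module resolver tries succeeds without any network. The repository name, tag and paths are constructed for the demo.

```shell
#!/bin/sh
# Offline demo of git's url.<base>.insteadOf rewrite (constructed example).
# The workflow uses base "https://oauth2:<PAT>@github.com" so that clones of
# https://github.com/... carry the token; here the base is a file:// path.
set -eu

demo_instead_of() {
  root=$(mktemp -d)
  export HOME="$root/home"   # sandbox the global gitconfig so nothing leaks out
  mkdir -p "$HOME" "$root/src" "$root/remotes/org"
  git config --global user.email demo@example.invalid
  git config --global user.name demo
  git config --global init.defaultBranch main

  # Build the "private module" repository and publish it as a bare remote
  # under the same org/name layout GitHub would serve.
  (cd "$root/src" && git init -q mod && cd mod \
     && printf 'variable "var1" {}\n' > main.tf \
     && git add main.tf && git commit -qm "module" \
     && git tag v1.2.0)
  git clone -q --bare "$root/src/mod" "$root/remotes/org/terraform-aws-test-module.git"

  # The rewrite: every URL beginning with https://github.com/ is fetched from
  # file://$root/remotes/ instead. In the real workflow this line writes the
  # PAT in clear text into $HOME/.gitconfig, readable by every later step.
  git config --global url."file://$root/remotes/".insteadOf "https://github.com/"

  # Exactly the URL form the Trivy debug log shows the resolver cloning.
  git clone -q "https://github.com/org/terraform-aws-test-module.git" "$root/clone"
  git -C "$root/clone" checkout -q v1.2.0
  test -f "$root/clone/main.tf"
  echo "$root"
}
```

Running `demo_instead_of` prints the sandbox directory; `git -C "$dir/clone" describe --tags` there shows `v1.2.0`, confirming the `?ref=` style pin resolved through the rewritten URL.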

al-lac commented 6 days ago

Good news @nikpivkin. I just removed the setup-terraform and terraform init steps and it seems to work now!

I always had a custom GitHub token with permissions set; not sure what went wrong before.

Also updated the trivy-action from 0.24.0 to 0.28.0.

Thanks for your help, will close this issue then.