Closed al-lac closed 6 days ago
The only thing I can think of is a network ACL on your hosted registries that denies inbound connections from sources such as GitHub runners. Since you mention it works locally, I would assume that network space is allowed.
@simar7 Seems to have something to do with the fact that the repos are private:

```text
2024-08-20T11:38:10Z DEBUG [misconf] 38:10.990153932 terraform.parser.<root>.evaluator.resolver Downloading github.com/org/terraform-aws-test-module.git?ref=v1.2.0...
2024-08-20T11:38:11Z DEBUG [misconf] 38:11.047044083 terraform.parser.<root>.evaluator Failed to load module "failed to download: error downloading 'https://github.com/org/terraform-aws-test-module.git?ref=v1.2.0': /usr/bin/git exited with 128: Cloning into '/tmp/.aqua/cache/ca3f503b26bf407e58f6773e4ef4984c'...\nfatal: could not read Username for 'https://github.com': No such device or address\n". Maybe try 'terraform init'?
```
How would I supply those credentials to trivy? Or can I run an extra command in the trivy container beforehand to set up git credentials?
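The failure above is only visible in debug output, so a scan that never fetched the private modules can still exit green. As an added example (not code from trivy or trivy-action), this script parses the `[misconf]` debug lines in the format quoted above and fails the job when any module download failed; the sample log, cache path and module names are constructed placeholders.

```python
"""Fail CI when Trivy skipped Terraform modules it could not download.

Added example, not code from trivy or trivy-action. It parses the DEBUG
[misconf] lines that `trivy config --debug` prints (format as quoted in
this issue) and lists every module download that failed, so a scan that
reported nothing because it never saw the private modules does not pass.
"""
import re

# Patterns derived from the two log lines quoted above in this issue.
DOWNLOAD_RE = re.compile(r"evaluator\.resolver Downloading (\S+?)\.\.\.$")
FAILED_RE = re.compile(r'Failed to load module "(?P<reason>.*)"\. Maybe try')
SOURCE_RE = re.compile(r"error downloading '([^']+)'")
# Substrings that indicate a credentials problem rather than a bad ref.
AUTH_HINTS = ("could not read Username", "Repository not found",
              "Authentication failed")

# Constructed sample log (cache path and module names are placeholders).
SAMPLE_LOG = r"""2024-08-20T11:38:10Z DEBUG [misconf] 38:10.990153932 terraform.parser.<root>.evaluator.resolver Downloading github.com/org/terraform-aws-test-module.git?ref=v1.2.0...
2024-08-20T11:38:11Z DEBUG [misconf] 38:11.047044083 terraform.parser.<root>.evaluator Failed to load module "failed to download: error downloading 'https://github.com/org/terraform-aws-test-module.git?ref=v1.2.0': /usr/bin/git exited with 128: Cloning into '/tmp/.aqua/cache/PLACEHOLDER'...\nfatal: could not read Username for 'https://github.com': No such device or address\n". Maybe try 'terraform init'?
2024-08-20T11:38:12Z DEBUG [misconf] 38:12.100000000 terraform.parser.<root>.evaluator.resolver Downloading github.com/org/terraform-aws-public-module.git?ref=v2.0.0...
"""

def find_module_failures(log_text):
    """Return [(module_source, reason, is_auth_problem)] for failed downloads."""
    last_attempt = "<unknown>"
    failures = []
    for line in log_text.splitlines():
        m = DOWNLOAD_RE.search(line)
        if m:
            last_attempt = m.group(1)  # remember in case the failure lacks a URL
            continue
        m = FAILED_RE.search(line)
        if not m:
            continue
        reason = m.group("reason")
        src = SOURCE_RE.search(reason)
        module = src.group(1) if src else last_attempt
        failures.append((module, reason, any(h in reason for h in AUTH_HINTS)))
    return failures

def scan_is_trustworthy(log_text):
    """True only if no module download failed; gate the job on this."""
    return not find_module_failures(log_text)

if __name__ == "__main__":
    for module, _reason, auth in find_module_failures(SAMPLE_LOG):
        print(f"module not scanned: {module} (auth problem: {auth})")
    raise SystemExit(0 if scan_is_trustworthy(SAMPLE_LOG) else 1)
```

Pipe the action's debug output into this script (or import it) as a step after the scan so a missing token fails the job instead of producing an empty finding list.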
So I got it working by running terraform init before the scan, like it was mentioned in the error message. But this is not really optimal and should be easier to achieve:
```yaml
...
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
  - name: Checkout code
    uses: actions/checkout@v4.1.7
  - uses: hashicorp/setup-terraform@v3
  - run: git config --global url."https://oauth2:${{ secrets.GITHUB_TOKEN }}@github.com".insteadOf https://github.com
  - run: terraform init
  - name: Run Trivy scanner
    uses: aquasecurity/trivy-action@0.24.0
    with:
      scan-type: config
      hide-progress: true
      ignore-unfixed: true
      severity: 'CRITICAL,HIGH'
      format: table
...
```
Hi @al-lac ! Are the modules located in repositories other than the target repository?
I tried your case (but with my repositories) with running terraform init, but that also failed:

```text
Could not download module "test" (main.tf:1) source code from
│ "git::https://github.com/nikpivkin/test-private-tf-module.git": error
│ downloading 'https://github.com/nikpivkin/test-private-tf-module.git':
│ /usr/bin/git exited with 128: Cloning into '.terraform/modules/test'...
│ remote: Repository not found.
│ fatal: repository
│ 'https://github.com/nikpivkin/test-private-tf-module.git/' not found
```
From the documentation about GITHUB_TOKEN:

> The token's permissions are limited to the repository that contains your workflow.

So I created my token and added it to the secrets:

```yaml
- run: git config --global url."https://oauth2:${{ secrets.MY_GITHUB_PAT }}@github.com".insteadOf https://github.com
```

After that, the scan completed successfully.
Hey @nikpivkin!
Yeah, the modules I am trying to scan are located in different repositories.
I am also already setting the token like you did, but without the terraform init before it I would still run into the same error.
@al-lac Can you share the final version of your workflow and what error you are getting with it?
Hey @nikpivkin, this was the error: https://github.com/aquasecurity/trivy-action/issues/383#issuecomment-2298668679
Now with this setup, it is working: https://github.com/aquasecurity/trivy-action/issues/383#issuecomment-2298880157
Of course I would prefer this to work without these extra steps.
@al-lac I think this is the minimum configuration that should work. To access a private repository you need a token with repository access permission, but not secrets.GITHUB_TOKEN.

```yaml
name: Scan
on:
  workflow_dispatch:
jobs:
  scan:
    name: Scan
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - run: git config --global url."https://oauth2:${{ secrets.MY_GITHUB_PAT }}@github.com".insteadOf https://github.com
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: '1'
```
Git configuration is required, see https://github.com/hashicorp/setup-terraform/issues/33#issuecomment-714837963
Good news @nikpivkin. I just removed the setup-terraform and terraform init steps and it seems to work now!
I always had a custom github token with permissions set, not sure what went wrong before.
Also updated the trivy-action from 0.24.0 to 0.28.0.
Thanks for your help, will close this issue then.
I am scanning a terraform plan that uses multiple modules that are stored in private github repos.
Trivy does however not seem to pick up issues in the modules, probably because it can't download them when running on github-actions.
Locally everything works fine.
I am referencing the modules like this:
I am using trivy like this:
I already tried multiple things like running terraform init before the scan or adding a TF_TOKEN variable. But nothing helped so far.
Any clue what the issue here could be?