Open uRhos opened 1 month ago
simar7
commented
1 month ago @uRhos that's interesting. I tested this earlier as you can see here and it was fine.
Is it possible for you run the same scan locally with the Trivy CLI to see what output you get? It might be a bug with the SARIF output being generated incorrectly.
Were the reports correctly being generated and uploaded in prior versions of Trivy action?
richardrobarth
commented
1 month ago I had similar issue since yesterday, had to revert to 0.25.0. Our problem was that result was generated in table format (not sarif). From the looks of it the action isnt picking up the correct config (from trivy.yaml).
uRhos
commented
1 month ago @uRhos that's interesting. I tested this earlier as you can see here and it was fine.
Is it possible for you run the same scan locally with the Trivy CLI to see what output you get? It might be a bug with the SARIF output being generated incorrectly.
Were the reports correctly being generated and uploaded in prior versions of Trivy action?
Yes, after setting version: 'v0.55.0' the workflow is completed correctly, but I agree with @richardrobarth the trivy.yaml config is not being picked up, so we had to change from using it to using the inputs and env vars
JackDallas
commented
1 month ago Also hitting this in multiple repos, pinning to 0.24.0 fixes it for us
simar7
commented
1 month ago @uRhos could you try with the latest release https://github.com/aquasecurity/trivy-action/releases/tag/0.27.0 we had an issue where env var were not getting set and it should be addressed hopefully in this release. Let us know how it goes.
mat-sylvia-mark43
commented
1 month ago Also having issues with SARIF upload. Confirmed the SARIF is there after the trivy scan, but didn't confirm its contents. Errors from the upload-sarif action attached. I changed no working directory settings or anything like that.
git call failed. Continuing with commit SHA from user input or environment. Error: The checkout path provided to the action does not appear to be a git repository. git call failed. Will calculate the base branch SHA on the server. Error: The checkout path provided to the action does not appear to be a git repository.
nikpivkin
commented
1 month ago Hi @mat-sylvia-mark43 ! Can you give me an example of your workflow?
uRhos
commented
1 month ago Hi @uRhos ! Can you give me an example of your workflow?
The workflow we use is pretty much in the description, we just have one more step to checkout the code first
nikpivkin
commented
1 month ago @uRhos Ah, I accidentally mentioned you
uRhos
commented
1 month ago @uRhos could you try with the latest release https://github.com/aquasecurity/trivy-action/releases/tag/0.27.0 we had an issue where env var were not getting set and it should be addressed hopefully in this release. Let us know how it goes.
so we tried it with the 0.27.0 version of trivy-action and 0.56.2 version of trivy and got the same error, after setting the trivy version to 0.55.2 it works, so it's probably a bug in the latest trivy release
mat-sylvia-mark43
commented
1 month ago @nikpivkin Here you go!
mat-sylvia-mark43
commented
1 month ago @nikpivkin any thoughts? The action appears to be completely broken by this.
mdemers-cobank
commented
3 weeks ago We are also running into this issue using aquasecurity/trivy-action@0.28.0. Here is our GitHub Action:
- name: Run Trivy vulnerability scanner in IaC mode and publish to Secuirty Tab
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
scanners: 'vuln,misconfig'
hide-progress: true
format: 'sarif'
output: 'trivy-results.sarif'
ignore-unfixed: true
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3.27.0
if: failure() || success()
with:
sarif_file: 'trivy-results.sarif' 
obounaim
commented
3 weeks ago Hi, we are also facing the same issue.
Github action:
jobs:
security:
name: security
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'config'
severity: 'CRITICAL,HIGH'
hide-progress: false
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
It seems that we are not have issues with our AWS Terraform repositories, however, it is failing with our GCP mono-repo repository.
obounaim
commented
2 days ago @simar7, @nikpivkin I have noticed that some uri fields are missing from the SARIF file, could this be the cause of the upload problem? Example bellow :
{
"ruleId": "AVD-GCP-0061",
"ruleIndex": 1,
"level": "error",
"message": {
"text": "Artifact: \nType: terraform\nVulnerability AVD-GCP-0061\nSeverity: HIGH\nMessage: Cluster does not have master authorized networks enabled.\nLink: [AVD-GCP-0061](https://avd.aquasec.com/misconfig/avd-gcp-0061)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
},
"message": {
"text": ""
}
}
]
},
Hello,
We're facing issues with the Using Trivy to scan your Git repo setup, the action is working fine and creates a SARIF report, however that report is not accepted by GithHub in the
Upload Trivy scan results to GitHub Security tabstep. Here's our workflow.yaml config:The error from the
Upload Trivy scan results to GitHub Security tabis:Error: Code Scanning could not process the submitted SARIF file: locationFromSarifResult: expected artifact location, locationFromSarifResult: expected artifact locationWe're using the latest version supported in the trivy-action.