aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Error while retrieving the default branch name #418

Open BAiler-ai opened 6 days ago

BAiler-ai commented 6 days ago

I am trying to use the latest master version (0.28.0) to scan a Docker image from a private registry. We are currently on version 0.25.0. The action fails while it tries to resolve the default branch. I haven't found a flag to set the default branch for the action. I am currently testing it on a separate branch which is up-to-date with the default (master) branch. I tried to set a github-pat but it hasn't fixed it.

The error is:

    Determining the default branch
    Retrieving the default branch name
    Not Found - https://docs.github.com/enterprise-server@3.12/rest/repos/repos#get-a-repository

simar7 commented 6 days ago

Hi @BAiler-ai, trying to understand your question: how do you specify the action to use in your GitHub workflow? It should be as such:

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.28.0

That will use the released v0.28.0 version from the master branch.

BAiler-ai commented 3 days ago

Hi @simar7, yes, very similar; I just tried the @master version instead of a fixed version.

uhei commented 3 days ago

We have the same error. We're running

    - name: Run Trivy vulnerability scanner in repo mode
      uses: aquasecurity/trivy-action@master
      with:
        scan-type: 'repo'
        ignore-unfixed: true
        severity: 'MEDIUM,HIGH,CRITICAL'
        scanners: 'secret'
        hide-progress: true
        exit-code: '1'

on a GitHub Enterprise Server 3.13. The problem seems to be that the action 'actions/checkout' (which is called by 'actions/cache', which is called by 'aquasecurity/setup-trivy') is calling Get a repository.

For an 'Internal' or 'Private' repo we receive a '404 Not found' there.

It seems that the required token is not forwarded as needed in the actions chain (just a guess).

Update: the issue is not "our" 'Internal' or 'Private' repo. The issue seems to be that 'actions/checkout' is trying to get the default branch of the repo 'https://github.<##redacted##>/aquasecurity/trivy' on our internal Enterprise Server. This repo does (of course) not exist here (it should be 'https://github.com/aquasecurity/trivy').

uhei commented 3 days ago

Issue already documented in https://github.com/aquasecurity/setup-trivy/issues/10

DmitriyLewen commented 2 days ago

Hi all!

I created 2 PRs:

But I don't have a GHES to test it (my local runner works correctly).

Can you test these changes to make sure they work for GHES?

BAiler-ai commented 2 days ago

Hi @DmitriyLewen, the PR https://github.com/aquasecurity/setup-trivy/pull/12 worked for me, at least once I set a github.com token as an input parameter. Is this the expected behavior, so I need a valid github.com token to run the action?

DmitriyLewen commented 2 days ago

Hello @BAiler-ai

so I need a valid github.com token to run the action?

Right. github.token for GHES is not valid for the https://github.com server. But GitHub still checks the token (I don't know why or for what) when checking out a public repository.

You can use https://github.com/actions/create-github-app-token to create this token.

m-breitbach commented 12 hours ago

For our use case, the effort of setting up the app token seems unjustified. We will just add a manual install step using curl (as was done by trivy-action before) and set skip-setup-trivy: true for now.

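As an added illustration of the workaround m-breitbach describes (this workflow is not from the thread or from the trivy-action project): Trivy is installed with curl in a plain run step, so nothing in the step chain pulls in aquasecurity/setup-trivy and its actions/checkout of the public aquasecurity/trivy repo, which is what 404s against a GHES API. The install script path under contrib/ in the Trivy repo, the TRIVY_VERSION tag, and the presence of the skip-setup-trivy input in the pinned trivy-action release are assumptions; check them against the current repos before relying on this in CI.

```yaml
# Added example (not from the thread or the trivy-action project).
# Assumptions: the runner has curl and sh; TRIVY_VERSION is a real Trivy release tag;
# the install script lives at contrib/install.sh in the Trivy repo; the pinned
# trivy-action release accepts the skip-setup-trivy input named in the thread.
name: trivy-scan
on: [push]

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      TRIVY_VERSION: v0.56.2   # assumed tag; pin to the release you have vetted
    steps:
      # Checks out the workflow's own repo, which does exist on the GHES instance.
      - uses: actions/checkout@v4

      - name: Install Trivy with curl (replaces aquasecurity/setup-trivy)
        run: |
          set -euo pipefail
          # Install into a user-writable bindir so no sudo is required on the runner.
          mkdir -p "$HOME/.local/bin"
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sh -s -- -b "$HOME/.local/bin" "$TRIVY_VERSION"
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
          # Fail early if the binary is missing or is not the version we pinned.
          "$HOME/.local/bin/trivy" --version | grep -F "${TRIVY_VERSION#v}"

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'repo'
          skip-setup-trivy: true   # use the trivy binary installed above
          ignore-unfixed: true
          severity: 'MEDIUM,HIGH,CRITICAL'
          exit-code: '1'
```

The version check at the end of the install step is there so that a silently wrong or stale download fails the job instead of producing a scan against an unvetted binary; if your organization mirrors release artifacts internally, point the curl at the mirror and keep the same check.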
DmitriyLewen commented 1 hour ago

Hi @m-breitbach, we also wanted to use curl, but some users don't have curl, sudo, etc. in their runners (see https://github.com/aquasecurity/trivy-action/issues/403).

So we are trying to find ways for all users.

So it's great that trivy-action has a way to solve your problem.