Open BAiler-ai opened 6 days ago
Hi @BAiler-ai, trying to understand your question: how do you specify the action to use in the GitHub workflow? It should be as such:
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@0.28.0
That will use the released v0.28.0 version from the master branch.
Hi @simar7, yes, very similar. I just tried the @master version instead of a fixed version.
We have the same error. We're running
- name: Run Trivy vulnerability scanner in repo mode
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'repo'
    ignore-unfixed: true
    severity: 'MEDIUM,HIGH,CRITICAL'
    scanners: 'secret'
    hide-progress: true
    exit-code: '1'
on a GitHub Enterprise Server 3.13. Problem seems that the action 'actions/checkout' (which is called by 'actions/cache' which is called by 'aquasecurity/setup-trivy') is calling Get a repository.
For an 'Internal' or 'Private' repo we receive there a '404 Not found'.
It seems that the required token is not forwarded as needed in the actions chain (just a guess).
Update: issue is not "our" 'Internal' or 'Private' repo. Issue seems that 'actions/checkout' is trying to get the default branch of repo 'https://github.<##redacted##>/aquasecurity/trivy' on our internal Enterprise Server. This repo does (of course) not exist here (it should be 'https://github.com/aquasecurity/trivy').
Issue already documented in https://github.com/aquasecurity/setup-trivy/issues/10
Hi all!
I created 2 PRs:
But I don't have GHES to test it (my local runner works correctly).
Can you test these changes to make sure they work for GHES?
Hi @DmitriyLewen, the PR https://github.com/aquasecurity/setup-trivy/pull/12 worked for me, at least once I set a github.com token as input parameter. Is this the expected behavior, so I need a valid github.com token to run the action?
Hello @BAiler-ai
> so I need a valid github.com token to run the action?

Right. github.token for GHES is not valid for https://github.com server.
But GitHub still checks the token (I don't know why and for what) when checking out a public repository.
You can use https://github.com/actions/create-github-app-token to create this token.
For our use case, the effort of setting up the app token seems to be unjustified. We will just add a manual install step using curl (as was done by the trivy-action before) and set skip-setup-trivy: true for now.
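The workaround described in the comment above, as an added example workflow (not posted in the thread and not the trivy-action project's own code). It assumes a Linux x86-64 runner with curl, tar and sha256sum and outbound access to github.com; the workflow and job names are hypothetical and the TRIVY_VERSION value is a placeholder to replace with the release you pin.

```yaml
# Added example: manual Trivy install plus skip-setup-trivy, so the
# setup-trivy checkout of aquasecurity/trivy never runs on the GHES host.
name: trivy-repo-scan            # hypothetical workflow name
on: [push]

jobs:
  scan:                          # hypothetical job name
    runs-on: self-hosted         # assumption: Linux x86-64 GHES runner
    env:
      TRIVY_VERSION: "X.Y.Z"     # placeholder: pin an exact Trivy release
    steps:
      - uses: actions/checkout@v4

      - name: Install Trivy manually (checksum verified)
        run: |
          set -euo pipefail
          base="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
          tarball="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          sums="trivy_${TRIVY_VERSION}_checksums.txt"
          curl -fsSLO "${base}/${tarball}"
          curl -fsSLO "${base}/${sums}"
          # Fails the step if the tarball hash does not match the release
          # checksum file, or if no listed file could be verified at all.
          sha256sum --ignore-missing -c "${sums}"
          mkdir -p "${HOME}/.local/bin"
          tar -xzf "${tarball}" -C "${HOME}/.local/bin" trivy
          # Make the binary visible to the following steps.
          echo "${HOME}/.local/bin" >> "${GITHUB_PATH}"

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'repo'
          ignore-unfixed: true
          severity: 'MEDIUM,HIGH,CRITICAL'
          scanners: 'secret'
          hide-progress: true
          exit-code: '1'
          skip-setup-trivy: true # use the binary installed above
```

The checksum file is fetched from the same release as the tarball, so this check catches corrupted or truncated downloads, not a compromised release.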
Hi @m-breitbach
We also wanted to use curl, but some users don't have curl, sudo, etc. in their runner (see https://github.com/aquasecurity/trivy-action/issues/403)
So we are trying to find ways for all users.
So it's great that trivy-action has a way to solve your problem.
I am trying to use the latest master version (0.28.0) to scan a docker image from a private registry. We are currently on version 0.25.0. The action fails while it tries to resolve the default branch. I haven't found a flag to set the default branch for the action. I am currently testing it on a separate branch which is up-to-date with the default (master) branch. I tried to set a github-pat but it hasn't fixed it.
The error is:
Determining the default branch
Retrieving the default branch name
Not Found - https://docs.github.com/enterprise-server@3.12/rest/repos/repos#get-a-repository