crazy-max / ghaction-container-scan

GitHub Action to check for vulnerabilities in your container image
https://github.com/marketplace/actions/container-scan
MIT License
59 stars 17 forks

Scans only work with amd64 images #9

Open thespad opened 2 years ago

thespad commented 2 years ago

Behaviour

Steps to reproduce this issue

  1. Build an image with only arm64 and/or arm32 manifests
  2. Run scan action against it

Expected behaviour

Scanning should be possible as trivy provides arm binaries

Actual behaviour

Error: 2021-12-13T23:32:23.703Z FATAL scan error: unable to initialize a scanner: unable to initialize a docker scanner: 3 errors occurred:

  • unable to inspect the image (ghcr.io/thespad/dive:v0.10.0-spad003): Error: No such image: ghcr.io/thespad/dive:v0.10.0-spad003
  • unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
  • no child with platform linux/amd64 in index ghcr.io/thespad/dive:v0.10.0-spad003

Configuration

      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v1
        with:
          image: ${{ fromJSON(steps.docker_meta.outputs.json).tags[0] }}

Logs

logs_72.zip

crazy-max commented 2 years ago

Hum yeah that might be an issue with the container scanner. Can you try with:

      -
        name: Build and push
        uses: docker/bake-action@v1.6.0
        with:
          files: |
            ./docker-bake.hcl
            ${{ steps.docker_meta.outputs.bake-file }}
          targets: image-all
          push: true
      -
        name: OCI
        uses: docker/bake-action@v1.6.0
        with:
          files: |
            ./docker-bake.hcl
            ${{ steps.docker_meta.outputs.bake-file }}
          targets: image-all
          set: |
            *.output=type=oci,dest=/tmp/image.tar
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v1
        with:
          tarball: /tmp/image.tar

The OCI step should be pretty fast as the image is already built in the previous step.

Or you can build your image matching the current platform and build and push the multi-platform one after that: https://github.com/crazy-max/ghaction-container-scan#build-scan-and-push-your-image

thespad commented 2 years ago

Yeah I'd like to try and avoid building for amd64 in this instance just to scan it and then throw it away.

Tried your suggestion but

Error: 2021-12-21T10:17:33.199Z FATAL   scan error: unable to initialize a scanner: unable to initialize the archive scanner: 2 errors occurred:
    * unable to open /tmp/image.tar as a Docker image: file manifest.json not found in tar
    * unable to open /tmp/image.tar as an OCI Image: stat /tmp/image.tar/index.json: not a directory

Full logs: logs_81.zip
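The tarball route above runs into two separate checks: whether the archive is a `docker save` tar (manifest.json at the top level) or an OCI layout tar (index.json), and, for an OCI index, whether it contains a child for the platform the scanner selects. The following Python is an added illustration, not code from the action, from trivy, from BuildKit or from either commenter: it builds constructed sample tars in memory and reproduces both checks, raising the same "no child with platform" wording when an arm-only index is probed for amd64. `DEFAULT_PLATFORM`, the placeholder digests, the empty layer lists and all helper names are assumptions made for the example.

```python
import io
import json
import tarfile

# Platform the scanner picks out of a multi-platform index. Assumption for
# this example: linux/amd64, matching the error quoted in the issue, not a
# value read from the action or from trivy.
DEFAULT_PLATFORM = "linux/amd64"


def _tar_of(files):
    """Pack {name: bytes} into an uncompressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _platform_string(plat):
    """os/arch[/variant], the form docker and buildx print."""
    s = f"{plat['os']}/{plat['architecture']}"
    if plat.get("variant"):
        s += "/" + plat["variant"]
    return s


def build_oci_tar(platforms):
    """Constructed sample: an OCI layout tar (oci-layout + index.json) whose
    index has one manifest descriptor per platform. Digests are placeholders,
    not hashes of real content, and no blobs are included."""
    manifests = []
    for i, p in enumerate(platforms):
        parts = p.split("/")
        plat = {"os": parts[0], "architecture": parts[1]}
        if len(parts) > 2:
            plat["variant"] = parts[2]
        manifests.append({
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + f"{i:064x}",
            "size": 0,
            "platform": plat,
        })
    index = {"schemaVersion": 2, "manifests": manifests}
    return _tar_of({
        "oci-layout": json.dumps({"imageLayoutVersion": "1.0.0"}).encode(),
        "index.json": json.dumps(index).encode(),
    })


def build_docker_tar():
    """Constructed sample: the top level of a `docker save` archive, which
    carries manifest.json instead of index.json (layers omitted)."""
    manifest = [{"Config": "config.json", "RepoTags": ["example:latest"], "Layers": []}]
    return _tar_of({"manifest.json": json.dumps(manifest).encode()})


def classify_tar(tar_bytes):
    """'docker' if manifest.json is present, 'oci' if index.json is, else
    'unknown': the two probes the archive-scanner error above reports."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        names = set(tar.getnames())
    if "manifest.json" in names:
        return "docker"
    if "index.json" in names:
        return "oci"
    return "unknown"


def _load_index(tar_bytes):
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return json.load(tar.extractfile("index.json"))


def index_platforms(tar_bytes):
    """All platforms listed in the OCI index, in index order."""
    return [_platform_string(m["platform"])
            for m in _load_index(tar_bytes)["manifests"] if "platform" in m]


def has_platform(tar_bytes, platform=DEFAULT_PLATFORM):
    return platform in index_platforms(tar_bytes)


def select_child(tar_bytes, platform=DEFAULT_PLATFORM):
    """Digest of the index child for `platform`; raises with the wording the
    scanner used when the index has no such child."""
    for m in _load_index(tar_bytes)["manifests"]:
        if "platform" in m and _platform_string(m["platform"]) == platform:
            return m["digest"]
    raise LookupError(f"no child with platform {platform} in index")


if __name__ == "__main__":
    arm_only = build_oci_tar(["linux/arm64", "linux/arm/v7"])
    print(classify_tar(arm_only), index_platforms(arm_only))
    try:
        select_child(arm_only)
    except LookupError as err:
        print("scan would fail:", err)
    print("scan on native arch:", select_child(arm_only, "linux/arm64"))
```

The point of the second check is the one thespad raises: a scanner that always resolves the index to linux/amd64 cannot scan an arm-only image even on an arm runner, so either the index must carry an amd64 child or the scanner must be told which child to pick.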

crazy-max commented 2 years ago

> avoid building for amd64 in this instance just to scan it and then throw it away.

Yeah you're right, we might need a multi exporter on BuildKit to handle that easily: https://github.com/moby/buildkit/issues/1555

frankgrimes97 commented 6 months ago

Hi, it appears that the upstream bug/limitation has now been addressed (https://github.com/moby/buildkit/issues/1555, https://github.com/moby/buildkit/pull/4134)... any work still needed on your side to complete support for this or can this issue now be marked as closed/resolved?

maggie44 commented 1 month ago

Still appears to be trying to use amd64 images, even though on an arm GitHub action.