reviewdog / action-trivy

MIT License

reordering trivy command #51

Open loganbest opened 4 months ago

loganbest commented 4 months ago

I'm using this command:

      - name: Run trivy with reviewdog output on the PR
        uses: reviewdog/action-trivy@v1
        with:
          github_token: ${{ secrets.github_token }}
          trivy_command: filesystem
          trivy_target: .
          level: info
          reporter: github-pr-review
          filter_mode: nofilter
          fail_on_error: true
          flags: -tee
          trivy_flags: "--scanners secret,misconfig --tf-exclude-downloaded-modules"

and the action is erroring with the following:

Run reviewdog/action-trivy@v1
Run $GITHUB_ACTION_PATH/script.sh
Preparing ...
🐶 Installing reviewdog (v0.18.1) ... https://github.com/reviewdog/reviewdog
  reviewdog/reviewdog info checking GitHub for tag 'v0.18.1'
  reviewdog/reviewdog info found version: 0.18.1 for v0.18.1/Linux/x86_64
  reviewdog/reviewdog info installed /tmp/tmp.PRlLJ5iEyi/reviewdog/reviewdog
 Installing trivy (latest) ... https://github.com/aquasecurity/trivy
  Downloading https://github.com/aquasecurity/trivy/releases/download/v0.52.2/trivy_0.52.2_Linux-64bit.tar.gz to trivy.tar.gz
  URL: https://github.com/aquasecurity/trivy/releases/download/v0.52.2/trivy_0.52.2_Linux-64bit.tar.gz
  ARCHIVE: trivy.tar.gz
  trivy.tar.gz
 Print trivy details ...
  Version: 0.52.2
 Running trivy with reviewdog 🐶 ...
  + /tmp/tmp.il4JLprYw9/trivy/trivy --format sarif --scanners secret,misconfig --tf-exclude-downloaded-modules --exit-code 1 filesystem .
  + /tmp/tmp.il4JLprYw9/reviewdog/reviewdog -f=sarif -name=trivy -reporter=github-pr-review -level=info -fail-on-error=true -filter-mode=nofilter -tee
  reviewdog: parse error: EOF
  + trivy_return=1
  + reviewdog_return=1
  + exit_code=1
  + echo trivy-return-code=1
  + echo reviewdog-return-code=1
  + echo ::endgroup::
  + exit 1
  ::endgroup::
Error: Process completed with exit code 1.

When running that trivy command locally, I get a fatal error due to argument order:

trivy --format sarif --tf-exclude-downloaded-modules --exit-code 1 filesystem .
Error: unknown flag: --tf-exclude-downloaded-modules
<redacted help output>
2024-06-27T21:04:14-04:00   FATAL   Fatal error unknown flag: --tf-exclude-downloaded-modules

After reordering the command, this is the cleaned and proper output:

 Running trivy with reviewdog 🐶 ...
  + echo ::endgroup::
  + echo '::group:: Running trivy with reviewdog 🐶 ...'
  + export REVIEWDOG_GITHUB_API_TOKEN=***
  + REVIEWDOG_GITHUB_API_TOKEN=***
  + set +Eeuo pipefail
  + /tmp/tmp.PKxX84DdIx/trivy/trivy --format sarif filesystem --scanners secret,misconfig --tf-exclude-downloaded-modules --exit-code 1 .
  + /tmp/tmp.PKxX84DdIx/reviewdog/reviewdog -f=sarif -name=trivy -reporter=github-pr-review -level=info -fail-on-error=true -filter-mode=nofilter -tee
  {
    "version": "2.1.0",
    "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
    "runs": [
      {
        "tool": {
          "driver": {
            "fullName": "Trivy Vulnerability Scanner",
            "informationUri": "https://github.com/aquasecurity/trivy",
            "name": "Trivy",
            "rules": [],
            "version": "0.52.2"
          }
        },
        "results": [],
        "columnKind": "utf16CodeUnits",
        "originalUriBaseIds": {
          "ROOTPATH": {
            "uri": "file:///home/runner/work/terraform-aws-vpc/terraform-aws-vpc/"
          }
        }
      }
    ]
  + trivy_return=0
  + reviewdog_return=0
  + exit_code=0
  + echo trivy-return-code=0
  }::endgroup::
  + echo reviewdog-return-code=0
  + echo ::endgroup::
  + exit 0
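As an added example, not part of this thread and not the action's own script.sh, the following POSIX shell sketch reproduces the argument order the corrected run above used (--format, then the subcommand, then the subcommand's own flags from trivy_flags, then --exit-code and the target) and adds a pre-flight check that the SARIF file is non-empty and structurally plausible before reviewdog reads it, so a misplaced flag surfaces as trivy's own "unknown flag" error rather than as "reviewdog: parse error: EOF". The function names and the sample SARIF document are this example's own.

```shell
#!/bin/sh
# Added example, not the action's own script.sh. It reproduces the argument
# order that the corrected run in the thread used and adds a pre-flight check
# on the SARIF file before it is handed to reviewdog. Function names are this
# example's own.

# Print the trivy invocation on one line, in the order the corrected run used:
# --format first, then the subcommand, then the subcommand's own flags (the
# action's trivy_flags input), then --exit-code and finally the target. Flags
# such as --tf-exclude-downloaded-modules are only known to the subcommand,
# which is why the failing run, with them placed before "filesystem", got
# "unknown flag".
build_trivy_cmd() {
  cmd=$1; flags=$2; target=$3
  out="trivy --format sarif $cmd"
  if [ -n "$flags" ]; then out="$out $flags"; fi
  out="$out --exit-code 1 $target"
  printf '%s\n' "$out"
}

# Return 0 if the file looks like a SARIF document reviewdog can parse (a JSON
# object carrying a "runs" key), 1 otherwise. An empty file is exactly what
# trivy left behind in the failing run, and reviewdog reported it only as
# "parse error: EOF"; checking here gives a clearer failure.
sarif_is_parseable() {
  file=$1
  [ -s "$file" ] || return 1
  first=$(tr -d ' \t\r\n' < "$file" | cut -c1)
  [ "$first" = "{" ] || return 1
  grep -q '"runs"' "$file"
}

# Demonstration with constructed data (no trivy installed, no network).
build_trivy_cmd filesystem "--scanners secret,misconfig --tf-exclude-downloaded-modules" .

# Constructed minimal SARIF document standing in for real trivy output.
sample=$(mktemp)
cat > "$sample" <<'EOF'
{"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "Trivy"}}, "results": []}]}
EOF
if sarif_is_parseable "$sample"; then echo "sample SARIF: ok"; fi

# An empty file models the failing run, where trivy wrote nothing.
empty=$(mktemp)
if ! sarif_is_parseable "$empty"; then echo "empty output: rejected before reviewdog runs"; fi
rm -f "$sample" "$empty"
```

Wiring the check between the trivy and reviewdog steps means a broken invocation fails the job with trivy's message in the log, which is easier to triage than a parse error from the reporter.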
loganbest commented 4 months ago

@haya14busa @shogo82148 I'm not sure how to fix the Windows check that's failing. Any ideas on what I can do there?

shogo82148 commented 4 months ago

It seems to be the impact of https://github.com/actions/runner-images/issues/10009

loganbest commented 4 months ago

> It seems to be the impact of https://github.com/actions/runner-images/issues/10009

Is that a blocker for this PR given everything else passes and it's a trivial change?

haya14busa commented 4 months ago

Can you add a test case? https://github.com/reviewdog/action-trivy/blob/main/.github/workflows/tests.yml

> Is that a blocker for this PR given everything else passes and it's a trivial change?

It's not a blocker. I'm fine to include your change. Thanks!

loganbest commented 4 months ago

> Can you add a test case? https://github.com/reviewdog/action-trivy/blob/main/.github/workflows/tests.yml
>
> > Is that a blocker for this PR given everything else passes and it's a trivial change?
>
> It's not a blocker. I'm fine to include your change. Thanks!

What am I writing a test case for exactly? The only valid thing I can think of is to check return codes, which there's already a test case for, and I'm surprised it didn't catch this previously since that's all that was returned for this error.

haya14busa commented 4 months ago

> I'm surprised it didn't catch this previously since that's all that was returned for this error.

Me too. That's why I'm asking for a test case which should fail without this PR change. Maybe if trivy_command=config it works, but it won't work with filesystem?

nayuta commented 2 months ago

I found that trivy already supports the filesystem command. The fs command is still supported, so I added the test: https://github.com/reviewdog/action-trivy/pull/35/commits/53cc527a5837e45b62fd88040635d6fdf25551f0