🐛 Trivy config is not loaded #238

Closed
flaxel opened this issue Jun 6, 2023 · 3 comments
Comments

@flaxel
Contributor

flaxel commented Jun 6, 2023

Currently I want to bump the trivy action to the new version, but I recognized that the trivy config is not loaded anymore.

This is my trivy config:

format: json
exit-code: 1
timeout: 10m
severity:
  - CRITICAL
  - HIGH
vulnerability:
  ignore-unfixed: true
ignorefile: .trivyignore

This is my workflow config:

- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@0.11.0
  env:
    TRIVY_USERNAME: ${{ secrets.DOCKER_USERNAME }}
    TRIVY_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
  with:
    image-ref: registry/image_name
    trivy-config: trivy.yaml

These are the logs:

/usr/bin/docker run --name ed866efed28e34d34f41008823de6006fa81e5_745fcf --label ed866e --workdir /github/workspace --rm -e "JAVA_HOME" -e "JAVA_HOME_17_X64" -e "LD_PRELOAD" -e "INPUT_INPUT" -e "INPUT_TRIVY-CONFIG" -e "INPUT_SCAN-TYPE" -e "INPUT_IMAGE-REF" -e "INPUT_SCAN-REF" -e "INPUT_EXIT-CODE" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_VULN-TYPE" -e "INPUT_SEVERITY" -e "INPUT_FORMAT" -e "INPUT_TEMPLATE" -e "INPUT_OUTPUT" -e "INPUT_SKIP-DIRS" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_TIMEOUT" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_SCANNERS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_GITHUB-PAT" -e "INPUT_LIMIT-SEVERITIES-FOR-SARIF" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/backend/backend":"/github/workspace" ed866e:fed28e34d34f41008823de6006fa81e5  "-a image" "-b table" "-c " "-d " "-e false" "-f os,library" "-g UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" "-h " "-i " "-j ." "-k " "-l image.tar" "-m " "-n " "-o " "-p " "-q " "-r false" "-s " "-t " "-u " "-v trivy.yaml" "-z "
Running Trivy with trivy.yaml config from:  trivy.yaml
2023-06-06T08:33:16.705Z	INFO	Loaded trivy.yaml
2023-06-06T08:33:16.715Z	INFO	Need to update DB
2023-06-06T08:33:16.715Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-06-06T08:33:16.715Z	INFO	Downloading DB...
2023-06-06T08:33:19.270Z	INFO	Vulnerability scanning is enabled
2023-06-06T08:33:19.270Z	INFO	Secret scanning is enabled
2023-06-06T08:33:19.270Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-06T08:33:19.270Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-06-06T08:33:30.317Z	INFO	JAR files found
2023-06-06T08:33:30.320Z	INFO	Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
2023-06-06T08:33:30.320Z	INFO	Downloading the Java DB...
2023-06-06T08:33:45.238Z	INFO	The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2023-06-06T08:33:45.246Z	INFO	Analyzing JAR files takes a while...
2023-06-06T08:33:46.442Z	INFO	Detected OS: debian
2023-06-06T08:33:46.442Z	INFO	Detecting Debian vulnerabilities...
2023-06-06T08:33:46.500Z	INFO	Number of language-specific files: 1
2023-06-06T08:33:46.500Z	INFO	Detecting jar vulnerabilities...
2023-06-06T08:33:46.601Z	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

image.tar (debian 11.7)
=======================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


Java (jar)
==========
Total: 21 (UNKNOWN: 0, LOW: 0, MEDIUM: 21, HIGH: 0, CRITICAL: 0)

┌────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│                          Library                           │    Vulnerability    │ Severity │ Installed Version │           Fixed Version            │                            Title                             │
├────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
...
@amandahla

amandahla commented Jun 6, 2023

Same thing. It seems that this commit changed the action to consider flags over config now. It would be preferable to keep the priority to the config file instead.

@antoninbas

+1 on this. #231 introduced a bug, specifically for action inputs that have a default value specified in https://github.com/aquasecurity/trivy-action/blob/master/action.yaml.

As shown above, when omitting severity as an input, trivy will be invoked with "-g UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL". This will take priority over any severity value included in the user-provided config, which is clearly not the desired behavior.
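The precedence problem described in this comment can be caught mechanically: compare the settings declared in trivy.yaml with the flags the action actually passed to its entrypoint, as logged in the job's `docker run ...` line. This is an added check, not code from the issue or from trivy-action; the flag-letter-to-key mapping is an assumption inferred from the defaults visible in the log, and the trivy.yaml is transcribed as a literal.

```python
import shlex

# Effective entrypoint flags, copied from the `docker run ...` line in the issue's job log.
ENTRYPOINT_ARGS = (
    '"-a image" "-b table" "-c " "-d " "-e false" "-f os,library" '
    '"-g UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" "-h " "-i " "-j ." "-k " "-l image.tar" '
    '"-m " "-n " "-o " "-p " "-q " "-r false" "-s " "-t " "-u " "-v trivy.yaml" "-z "'
)
# Intended settings, transcribed from the issue's trivy.yaml (a real check would
# load the file with a YAML library instead of a literal).
TRIVY_YAML = {"format": "json", "exit-code": 1, "severity": ["CRITICAL", "HIGH"],
              "vulnerability": {"ignore-unfixed": True}}
# ASSUMED mapping from the action's single-letter entrypoint flags to the trivy.yaml
# keys they override, inferred from the defaults visible in the log (-b table,
# -e false, -g all severities); verify it against the action version you run.
FLAG_TO_KEY = {"-b": ("format",), "-d": ("exit-code",),
               "-e": ("vulnerability", "ignore-unfixed"), "-g": ("severity",)}

def parse_entrypoint_args(argstr):
    """Turn '"-g A,B" "-h "' into {'-g': 'A,B', '-h': ''}."""
    flags = {}
    for token in shlex.split(argstr):
        letter, _, value = token.partition(" ")
        flags[letter] = value
    return flags

def normalise(value):
    """Make config values and flag strings comparable: bools lowercase, lists as sets."""
    if isinstance(value, bool):
        return str(value).lower()
    if isinstance(value, list):
        return frozenset(value)
    if isinstance(value, str) and "," in value:
        return frozenset(value.split(","))
    return str(value)

def find_drift(config, argstr):
    """Return {key: (intended, effective)} for every config value a non-empty flag overrides."""
    flags = parse_entrypoint_args(argstr)
    drift = {}
    for flag, path in FLAG_TO_KEY.items():
        effective = flags.get(flag, "")
        if effective == "":
            continue  # empty flag: nothing reaches trivy, so the config file wins
        intended = config
        for key in path:
            intended = intended.get(key) if isinstance(intended, dict) else None
        if intended is not None and normalise(intended) != normalise(effective):
            drift["/".join(path)] = (intended, effective)
    return drift
```

Running `find_drift(TRIVY_YAML, ENTRYPOINT_ARGS)` on the issue's own log reports three silent overrides (format, severity and ignore-unfixed), which is exactly the drift a CI gate should fail loudly on rather than scan with relaxed settings.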

@simar7
Member

simar7 commented Jun 9, 2023

I've reverted the offending PR, and the https://github.com/aquasecurity/trivy-action/releases/tag/0.11.2 release should have the fix.
