Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Run Trivy Vulnerability scanner github actions runs are flaky and failing some times #439

Open
yalamarthisr opened this issue Sep 19, 2024 · 0 comments

Comments

@yalamarthisr
Copy link

/usr/bin/docker run --name bbfa21899dd23a9b26470f8760c98fc82b97d4_6dd5af --label bbfa21 --workdir /github/workspace --rm -e "ProjectName" -e "somenev" -e "somenev" -e "somenev" -e "somenev" -e "somenev" -e "somenev" -e "someenv" -e "somenev" -e "FULLY_QUALIFIED_IMAGE" -e "INPUT_IMAGE-REF" -e "INPUT_FORMAT" -e "INPUT_OUTPUT" -e "INPUT_SEVERITY" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_SCAN-TYPE" -e "INPUT_INPUT" -e "INPUT_SCAN-REF" -e "INPUT_EXIT-CODE" -e "INPUT_VULN-TYPE" -e "INPUT_TEMPLATE" -e "INPUT_SKIP-DIRS" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_TIMEOUT" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_SCANNERS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_GITHUB-PAT" -e "INPUT_TRIVY-CONFIG" -e "INPUT_TF-VARS" -e "INPUT_LIMIT-SEVERITIES-FOR-SARIF" -e "INPUT_DOCKER-HOST" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "somenev" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_ID_TOKEN_REQUEST_URL" -e "ACTIONS_ID_TOKEN_REQUEST_TOKEN" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/repo/repo":"/github/workspace" bbfa21:899dd23a9b26470f8760c98fc82b97d4 "-a image" "-b sarif" "-c " "-d " "-e true" "-f os,library" "-g CRITICAL,HIGH" "-h scan-results.sarif" "-i docker.azurecr.io/test:27887ji" "-j ." "-k " "-l " "-m " "-n " "-o " "-p " "-q " "-r false" "-s " "-t " "-u " "-v " "-x " "-z " "-y "
Building SARIF report with options: --ignore-unfixed --vuln-type os,library docker.azurecr.io/test.27887ji.
This is the comman.d which is running when It is failing I am not sure this part

"-j ." "-k " "-l " "-m " "-n " "-o " "-p " "-q " "-r false" "-s " "-t " "-u " "-v " "-x " "-z " "-y "

It is failing in below step with no error at all . It's been happeing many times

- name: Run Trivy vulnerability scanner uses: aquasecurity/[email protected] with: image-ref: '${{ env.FULLY_QUALIFIED_IMAGE }}:${{ inputs.imagetag }}' format: 'sarif' output: 'scan-results.sarif' severity: 'CRITICAL,HIGH' ignore-unfixed: true

We are alsmost building 35 containers in their own github actions jobs at once and running the scanning for all containers. We use github hosted runners.

It is some times effecting our releases. I have raised similar issue couple of weeks back and got no response. If someone can take a look and hoping to get some response on this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant