
Trivy is failing on sarif mode #386

Open
khantnaingset-kns opened this issue Sep 10, 2024 · 8 comments

Comments

@khantnaingset-kns

I'm experiencing an issue with Trivy when running it in SARIF mode. Unfortunately, I'm not seeing any error logs, making it difficult to troubleshoot. To investigate further, I switched to Table mode, which allowed me to view more logs. The step completed successfully in Table mode, with no error logs. However, when I switched back to SARIF mode, the step failed again. I'm puzzled as to why this is happening and would appreciate an explanation.

Outputs for sarif mode: (screenshot)

Code for sarif mode: (screenshot)

Outputs for Table mode: (screenshot)

Code for Table mode: (screenshot)

@stianfro

I am having the same issue with a configuration like this:

jobs:
  trivy-analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.24.0
        with:
          scan-type: "config"
          exit-code: "1"
          format: "sarif"
          output: "trivy-results.sarif"

Works when running in other formats.

@khantnaingset-kns
Author

Yeah, fine in other formats, error only happened in sarif mode. It's weird.

@nikpivkin
Contributor

Hi @khantnaingset-kns !

Are you encountering an issue with the latest version of the action (0.26)?

@radical-izak

radical-izak commented Oct 22, 2024

The issue still happens in version .28

@khantnaingset-kns
Author

Still the same on version 28.

@LukaSvastVolue

same issue on v29

@stianfro

Works for me since 0.28.0 with the following job:

jobs:
  trivy-analysis:
    name: Trivy Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner on built YAML files
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: "config"
          scan-ref: "."
          format: "sarif"
          output: "trivy-results.sarif"
          trivyignores: .trivyignore.yaml
          trivy-config: trivy.yaml
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"

My trivy.yaml:

scan:
  skip-files: []
  skip-dirs: []

severity:
  - HIGH
  - CRITICAL

And my .trivyignore:

misconfigurations:
  - id: AVD-KSV-0011
    statement: ""
  - id: AVD-KSV-0020
    statement: ""
  - id: AVD-KSV-0021
    statement: ""
  - id: AVD-KSV-0014
    paths: []
    statement: ""

Note that I'm using config scan-type, not sure if there would be any difference with image.

@david-marconis

david-marconis commented Nov 21, 2024

I think this is the issue: https://github.com/aquasecurity/trivy-action/blob/master/entrypoint.sh#L33
You can avoid this behaviour by setting INPUT_LIMIT_SEVERITIES_FOR_SARIF=true
Seems like a breaking change to me.

Here is some testing:

❯ export INPUT_IMAGE_REF=node:23.2.0-alpine3.20
❯ export TRIVY_FORMAT=sarif
❯ export TRIVY_SEVERITY=CRITICAL,HIGH
❯ export TRIVY_QUIET=true
❯ export TRIVY_EXIT_CODE=1
❯ if ./entrypoint.sh > /dev/null; then echo pass; else echo fail; fi
fail
❯ export INPUT_LIMIT_SEVERITIES_FOR_SARIF=true
❯ if ./entrypoint.sh > /dev/null; then echo pass; else echo fail; fi
pass

The previous version of this code used this check:

if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then

Which would be true only when the var was "true", but now an unset var is also considered true.
From the documentation this should default to false, but it was actually not.
This could be considered a bug fix even though it indeed introduces a breaking change of default values.

The proper fix is to specify the input limit-severities-for-sarif: true:

      - uses: aquasecurity/trivy-action@0.29.0
        with:
          image-ref: node:23.2.0-alpine3.20
          severity: CRITICAL,HIGH
          exit-code: 1
          format: sarif
          limit-severities-for-sarif: true
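As an added illustration (not the action's own entrypoint.sh), the following POSIX shell models the decision the comment above describes: when the format is "sarif" and the limit-severities-for-sarif input is anything other than the literal string "true" (including unset), the severity filter is dropped, so findings outside the requested severities still trip exit-code 1. The findings list is constructed sample data, not scanner output.

```shell
#!/usr/bin/env sh
# Model of the behaviour discussed in the thread (added example, not the
# real entrypoint.sh): a SARIF run only keeps the severity filter when the
# limit flag is exactly "true"; an unset or "false" flag drops the filter.

# effective_severity FORMAT LIMIT_FLAG REQUESTED_SEVERITY
# Prints the severity filter that would actually be applied.
effective_severity() {
  format="$1"; limit_flag="$2"; requested="$3"
  if [ "$format" = "sarif" ] && [ "$limit_flag" != "true" ]; then
    echo "ALL"          # filter removed: every severity is reported
  else
    echo "$requested"   # filter kept exactly as requested
  fi
}

# scan_exit_code FORMAT LIMIT_FLAG REQUESTED_SEVERITY FINDINGS
# FINDINGS is a space-separated list of finding severities (constructed
# stand-in for scanner output). Returns 1 when any finding passes the
# effective filter, mimicking exit-code: "1"; returns 0 otherwise.
scan_exit_code() {
  filter=$(effective_severity "$1" "$2" "$3")
  for sev in $4; do
    case ",$filter," in
      *,ALL,*|*,"$sev",*) return 1 ;;
    esac
  done
  return 0
}

# Constructed sample: the scanned image has only MEDIUM and LOW findings.
FINDINGS="MEDIUM LOW"

# Table format with severity CRITICAL,HIGH: nothing matches, step passes.
scan_exit_code table "" "CRITICAL,HIGH" "$FINDINGS" && echo "table: pass"
# SARIF with the flag unset: filter dropped, MEDIUM counts, step fails.
scan_exit_code sarif "" "CRITICAL,HIGH" "$FINDINGS" || echo "sarif (flag unset): fail"
# SARIF with limit-severities-for-sarif=true: filter kept, step passes.
scan_exit_code sarif true "CRITICAL,HIGH" "$FINDINGS" && echo "sarif (flag true): pass"
```

This also explains why the job posted earlier in the thread works without the flag: it sets no exit-code, so the extra SARIF findings are uploaded but never fail the step.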
