trivy-action
Unable to pass .trivyignore file downloaded on runner to trivy action for container scan
I wanted to download a .trivyignore file on the runner before the action is called and pass that file to the action using trivyignores variable. However, it seems trivy action is unable to find the file.
What is the recommended way to pass this file other than put it inside the container image?
hi @raoganeshr - you could do something like this:

```yaml
- name: Run Trivy vulnerability scanner with trivyignore
  uses: aquasecurity/trivy-action@master
  with:
    trivyignore: /github/workspace/.trivyignore
```
tried this:

```yaml
- name: Download Trivy Ignore
  run: |
    curl -s https://${{ secrets.GH_TOKEN }}@raw.githubusercontent.com/Owner/workflows/main/trivy/.trivyignore -o "${{ github.workspace }}/.trivyignore"
    ls -a
  shell: bash
- name: Scan container image
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: "${{ env.GHCR_REPO }}/${{ inputs.image_name }}:${{ needs.build.outputs.image_tag }}"
    trivyignores: "${{ github.workspace }}/.trivyignore"
```

But it did not work. I believe it was trying to search for the file inside the container.
@simar7 any other suggestions?
Can you share an output of the failing action along with logs?
Hi,
I'll provide some more information on this as it's a bit of a blocker for me too.
In my scenario I'm creating a composite action that includes trivy-action to generate SBOMs for a container and then scans the container.
One particular area it's failing is the inclusion of a trivyignore file.
```yaml
- name: Scan image
  id: image-scan
  uses: aquasecurity/[email protected]
  with:
    image-ref: "local/${{ inputs.image-name }}:${{ inputs.image-tag }}"
    format: 'json'
    output: 'trivy-results.json'
    exit-code: ${{ inputs.scan-fail-on-detection }}
    ignore-unfixed: true
    scanners: 'vuln,secret,config'
    trivyignores: "${{ github.workspace }}/${{ inputs.trivyignore-file }}"
    severity: ${{ inputs.trivy-check-severity }}
```
As you can see from the snippet above I'm using an absolute file path. This is only because I've tried every perceivable (from my perspective of course!) variation of this and it's not working for me.
I've tried allowing the user to pass the filepath in via:
```yaml
trivyignores: "${{ inputs.trivyignore-file }}"
```
I've tried hardcoding it - though I never expected this to work as I suspect it's looking in the action directory instead:
```yaml
trivyignores: ".trivyignore"
```
I've even tried omitting it altogether to see if Trivy picks up the .trivyignore file - which again I never expected to work but it was worth a shot.
The only thing left I can think of is to have a step whereby the .trivyignore file is copied into the location of the trivy-action. I still suspect this may not work though so any suggestions would be really appreciated.
I've looked at the entrypoint script to see how it's working but from what I can tell if a value is passed, it get catted out into a file local to the action and then that's referenced - so in theory it should be working but it's not even finding the file when it's referenced absolutely.
A bit of output for you:
In the meantime I will keep digging into this from my side.
Thanks
Not sure if you ever resolved this, but I was having a similar issue. The fix was to run the checkout action in the step prior to the trivy action to pull the .trivyignore file into the workspace used by the job, giving the trivy action access to the file as well.
Aaah yeah I sorted this a while back. I forgot about this issue🤦♂️ and yes, that was the fix for me too!
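The checkout-first fix described in the last two replies, written out as a complete workflow. This is an added example and not code from the thread or from the trivy-action project; the image name, tag and severity list are placeholders, and it relies on the fact that a Docker container action such as trivy-action sees the job workspace mounted at /github/workspace, not at the host path that `${{ github.workspace }}` expands to.

```yaml
# Added example (not from the thread or the trivy-action project).
# The repository is checked out first so that the committed .trivyignore
# lands in $GITHUB_WORKSPACE, which trivy-action sees at /github/workspace.
# Image name, tag and severity list are placeholders.
name: container-scan
on: [push]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # Without this step the workspace is empty, so any .trivyignore
      # reference (relative or absolute) fails to resolve.
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t local/example-app:ci .   # placeholder image

      - name: Scan container image
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: local/example-app:ci
          format: table
          exit-code: '1'
          ignore-unfixed: true
          severity: CRITICAL,HIGH
          # A relative path resolves against /github/workspace inside the
          # action container, i.e. the checked-out repository. The host
          # path produced by ${{ github.workspace }} is not mounted in that
          # container, which is why the absolute paths tried above were
          # never found.
          # Keeping .trivyignore in the scanned repository also means every
          # suppressed finding goes through the same code review as the code.
          trivyignores: .trivyignore
```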