trivy-action
Add ability to pull trivy image from a mirror
Hi team,
I'd like to experiment with this action for my company, but I'm facing the following issue:
- the action builds a Docker image and starts by pulling the base image from ghcr.io
- the pull is blocked because our company network is behind a proxy and our system team doesn't want to open the gates to the whole ghcr.io domain (which I can understand)
A possible solution for us would be to mirror the base image ghcr.io/aquasecurity/trivy to our internal registry, but we would then need the first line of the Dockerfile to be configurable, to have something like this:
```dockerfile
# Configurable base image with default value
ARG trivyBaseImage="ghcr.io/aquasecurity/trivy:0.31.2"
FROM ${trivyBaseImage}
...
```
And then adapt the action itself to support this new argument.
Would this sound like an acceptable feature?
Thank you, Adrien
This actually looks harder than I first thought, as action.yaml may not support this: https://github.com/orgs/community/discussions/25241
Looks like if I want to do something similar, I need to build the Dockerfile first from the mirrored image aquasecurity/trivy and then tell the action to run my image instead of the Dockerfile
...
hi @adriil - thanks for sharing this. I didn't know about this limitation of GitHub Actions. Would this help in any way if we could adapt it to use with the Trivy Action somehow? https://aquasecurity.github.io/trivy/v0.31.3/docs/advanced/air-gap/
Hi @simar7
I think air-gap faces the same limitation, as trivy is needed to download the database and ultimately run the scan, if I understood correctly. The only way I see to achieve this is by installing trivy on our runners (or runner hosts) directly, but then this action wouldn't be necessary anymore and we would miss the point of not having to care about the client at all.
Yeah I see your point. The best alternative I can think of is that you fork this action and modify the base image, while keeping it up to date with the upstream changes (this action repo).
As much as I wish you wouldn't have to fork this repo, I don't see a way out considering the pull is blocked and GitHub does not allow passing custom build args.
I agree, forking the repo sounds like a suitable workaround until GitHub supports --build-arg. They clearly must add it :)
Thank you for your support.
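The workaround the thread settles on (fork the action and point its Dockerfile at an internal mirror) is a one-line change, but a fork has to be re-applied every time the upstream Dockerfile moves to a new Trivy tag. The script below is an added example, not code from the trivy-action repository or from anyone in this thread: it rewrites the FROM line of a forked Dockerfile to use a mirror host and then verifies that no FROM line still references the registry the proxy blocks. The mirror host registry.internal.example, the sample Dockerfile content, and the assumption that the mirror keeps the upstream repository path (aquasecurity/trivy) are all made up for the example. Any tag or digest after the image name is left untouched, so a digest-pinned FROM line stays pinned to the same content after mirroring.

```shell
#!/bin/sh
# Added example, not part of trivy-action. Rewrites a forked action Dockerfile
# so its base image is pulled from an internal mirror instead of ghcr.io.
# Assumptions (hypothetical): the mirror is reachable as registry.internal.example
# and exposes the image under the same path as upstream (aquasecurity/trivy).

# rewrite_base_image DOCKERFILE MIRROR_HOST
# Prints DOCKERFILE with every "FROM ghcr.io/..." (optionally preceded by a
# --platform=... flag) changed to "FROM MIRROR_HOST/...". The image path and
# any ":tag" or "@sha256:..." suffix are preserved verbatim, so a digest pin
# survives the rewrite. MIRROR_HOST must not contain '#' or '&', which are
# special to the sed expression below.
rewrite_base_image() {
    dockerfile=$1
    mirror=$2
    sed -E "s#^(FROM[[:space:]]+(--platform=[^[:space:]]+[[:space:]]+)?)ghcr\.io/#\1${mirror}/#" "$dockerfile"
}

# check_no_blocked_registry DOCKERFILE BLOCKED_HOST
# Returns 0 when no FROM line in DOCKERFILE references BLOCKED_HOST/ (a fixed-
# string match, so the dot in "ghcr.io" is literal), 1 when one still does.
# Run this on the rewritten file before committing the fork: a missed FROM
# line means the build will again try to reach the blocked registry.
check_no_blocked_registry() {
    if grep -E '^FROM[[:space:]]+' "$1" | grep -Fq -- "$2/"; then
        return 1
    fi
    return 0
}

# Demonstration on a constructed Dockerfile (the real upstream file may differ).
demo_dir=$(mktemp -d)
printf '%s\n' \
    'FROM ghcr.io/aquasecurity/trivy:0.31.2' \
    'COPY entrypoint.sh /entrypoint.sh' \
    'ENTRYPOINT ["/entrypoint.sh"]' > "$demo_dir/Dockerfile"

rewrite_base_image "$demo_dir/Dockerfile" registry.internal.example > "$demo_dir/Dockerfile.mirrored"

if check_no_blocked_registry "$demo_dir/Dockerfile.mirrored" ghcr.io; then
    echo "OK: no FROM line references ghcr.io"
    cat "$demo_dir/Dockerfile.mirrored"
else
    echo "FAIL: a FROM line still references ghcr.io" >&2
fi
rm -rf "$demo_dir"
```

When populating the mirror, copy the image by digest rather than by tag (docker pull ghcr.io/aquasecurity/trivy@sha256:... on a host that can reach ghcr.io, then tag and push to the mirror) and pin the same digest in the rewritten FROM line; that way the only thing the fork changes is where the bytes come from, not which bytes are built on.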