trivy-action

Add ability to pull trivy image from a mirror

Open adriil opened this issue 1 year ago • 5 comments

Hi team,

I'd like to experiment with this action for my company, but I'm facing the following issue:

  1. The action builds a Docker image and starts by pulling the base image from ghcr.io.
  2. The pull is blocked because our company network is behind a proxy and our system team doesn't want to open the gates to the whole ghcr.io domain (which I can understand).

A possible solution for us would be to mirror the base image ghcr.io/aquasecurity/trivy to our internal registry, but we would then need the first line of the Dockerfile to be configurable, to have something like this:

# Configurable base image with default value
ARG trivyBaseImage="ghcr.io/aquasecurity/trivy:0.31.2"

FROM ${trivyBaseImage}
...

And then adapt the action itself to support this new argument.

Would it sound like an acceptable feature?

Thank you, Adrien

adriil, Aug 30 '22 11:08

This actually looks harder than I first thought, as the action.yaml may not support this: https://github.com/orgs/community/discussions/25241 Looks like if I want to do something similar, I need to build the Dockerfile first from the mirrored image aquasecurity/trivy and then tell the action to run my image instead of the Dockerfile...

adriil, Aug 30 '22 14:08

Hi @adriil - thanks for sharing this. I didn't know about this limitation of GitHub Actions. Would it help in any way if we could adapt the Trivy Action to use this somehow? https://aquasecurity.github.io/trivy/v0.31.3/docs/advanced/air-gap/

simar7, Aug 30 '22 23:08

Hi @simar7, I think air-gap faces the same limitation, as Trivy needs to download the database and ultimately run the scan, if I understood correctly. The only way I see to achieve this is by installing Trivy on our runners (or runner hosts) directly, but then this action wouldn't be necessary anymore and we would miss the point of not having to care about the client at all.

adriil, Aug 31 '22 07:08

Yeah I see your point. The best alternative I can think of is that you fork this action and modify the base image, while keeping it up to date with the upstream changes (this action repo).

As much as I wish you wouldn't have to fork this repo, I don't see a way out considering the pull is blocked and GitHub does not allow passing custom build args.

simar7, Sep 01 '22 05:09
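The fork-and-modify workaround described above, as an added example that is not part of this thread or of the trivy-action repository: a small POSIX shell helper that rewrites the forked Dockerfile's FROM line to point at an internal mirror while keeping the upstream tag, so the fork can be re-synced with upstream and re-pointed mechanically. The mirror hostname is a placeholder assumption, and the sample Dockerfile is constructed inline.

```shell
#!/bin/sh
# Added example (not from the trivy-action project or this thread).
# Re-point a forked trivy-action Dockerfile at an internal mirror of
# ghcr.io/aquasecurity/trivy, keeping the upstream tag unchanged so the
# fork tracks the same Trivy version as upstream.
set -eu

# rewrite_base_image <dockerfile> <mirror-registry>
# Replaces "FROM ghcr.io/aquasecurity/trivy:<tag>" with the same tag on the
# mirror. Fails unless the Dockerfile contains exactly one such line, so a
# re-synced fork with an unexpected layout is noticed instead of silently
# built against ghcr.io (which the proxy would then block anyway).
rewrite_base_image() {
    dockerfile=$1
    mirror=$2
    count=$(grep -c '^FROM ghcr.io/aquasecurity/trivy' "$dockerfile" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one trivy FROM line, found $count" >&2
        return 1
    fi
    # "-i.bak" is accepted by both GNU and BSD sed; the backup is dropped.
    sed -i.bak "s#^FROM ghcr.io/aquasecurity/trivy#FROM ${mirror}/aquasecurity/trivy#" "$dockerfile"
    rm -f "$dockerfile.bak"
    # Print the resulting FROM line so the caller can record what was built.
    # Once the mirror is populated, consider pinning this line by digest.
    grep '^FROM ' "$dockerfile"
}

# Demo on a constructed Dockerfile (placeholder mirror hostname).
demo_file=$(mktemp)
printf 'FROM ghcr.io/aquasecurity/trivy:0.31.2\nCOPY entrypoint.sh /entrypoint.sh\nENTRYPOINT ["/entrypoint.sh"]\n' > "$demo_file"
rewrite_base_image "$demo_file" registry.internal.example
rm -f "$demo_file"
```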

I agree, forking the repo sounds like a suitable workaround until GitHub supports --build-arg. They clearly must add it :) Thank you for your support.

adriil, Sep 01 '22 15:09