
PR is not blocked although trivy found critical issues

Open Loki-Afro opened this issue 1 year ago • 3 comments

Hi there,

We are using CodeQL already and have "Code scanning results / CodeQL" in our repos, additionally with the following rule: Settings -> Code security and analysis -> Code Scanning -> Check Failure: High or higher / Only Errors

This is described here: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#defining-the-severities-causing-pull-request-check-failure

So my thought was: when adding Trivy, we can simply go the same path, let it scan and report errors, and the checkbox mentioned above will block the PR. Here is my Trivy action for that matter:

    - name: Build image
      uses: docker/build-push-action@v3
      with:
        push: false
        #tags: ghcr.io/${{ github.repository_owner }}/mail-drop:${{ github.sha }}
        tags: phi-test
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/[email protected]
      with:
        image-ref: phi-test
        format: 'sarif'
        output: 'trivy-results.sarif'
        severity: 'CRITICAL,HIGH'
        ignore-unfixed: true
        # exit-code: 1 <---- this is intentionally commented out
    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v2
      if: always() #cause trivy will exit with non-zero if it found something
      with:
        sarif_file: 'trivy-results.sarif'

Since I wanted the run to always be successful, no matter whether issues were found or not, I removed the exit-code: 1 line, because why should I need it when following the GitHub documentation mentioned above?

With the above settings this leads to the following result:

- trivy-verify (the action itself) -> green - good
- CodeQL finds nothing new -> green - good
- Code scanning results / Trivy found 1 high, several medium -> red - good
- but I am able to merge without complaints -> not good

Now, finally, the question: why am I able to merge this PR?

You can find that PR here: https://github.com/kaffeekrone/mail-drop/pull/1

Loki-Afro avatar Oct 04 '22 15:10 Loki-Afro

Hi, is this your config? https://github.com/kaffeekrone/mail-drop/blob/main/.github/workflows/trivy-analysis.yml#L41 If so, I don't see an exit-code stanza that should make it fail.

simar7 avatar Oct 18 '22 22:10 simar7

@simar7 I don't think that's an issue in my config, even though it is suggested by the documentation here. The thing is, according to https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#defining-the-severities-causing-pull-request-check-failure

it is supposed to fail either way, isn't it?

Loki-Afro avatar Oct 19 '22 12:10 Loki-Afro

> @simar7 I don't think that's an issue in my config, even though it is suggested by the documentation here. The thing is, according to https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#defining-the-severities-causing-pull-request-check-failure
>
> it is supposed to fail either way, isn't it?

Yes, but you need an exit-code param in your config for Trivy to return a non-zero exit code so it can fail the pipeline. It's documented here: https://github.com/aquasecurity/trivy-action#scan-ci-pipeline

simar7 avatar Oct 19 '22 23:10 simar7
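One way to get both behaviours the thread wants (SARIF always uploaded to the Security tab, and the PR check failing on CRITICAL/HIGH findings) is to run the scanner twice: once without exit-code to produce the report, and once with exit-code: '1' as the gate. This is an added example, not code from the issue or from the trivy-action project; it assumes the image phi-test was built in an earlier step, and the action version is a placeholder to be pinned.

```yaml
    # Pass 1: report only. No exit-code, so this step stays green even when
    # findings exist, and the SARIF file is always produced for upload.
    - name: Run Trivy vulnerability scanner (report)
      uses: aquasecurity/trivy-action@<pinned-version>   # placeholder: pin a release tag
      with:
        image-ref: phi-test
        format: 'sarif'
        output: 'trivy-results.sarif'
        severity: 'CRITICAL,HIGH'
        ignore-unfixed: true

    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v2
      if: always()
      with:
        sarif_file: 'trivy-results.sarif'

    # Pass 2: the gate. exit-code: '1' makes trivy return non-zero when any
    # CRITICAL/HIGH vulnerability with a fix is present, which fails this step,
    # the job, and therefore the PR status check.
    - name: Fail the job on CRITICAL/HIGH findings
      uses: aquasecurity/trivy-action@<pinned-version>   # placeholder: pin a release tag
      with:
        image-ref: phi-test
        format: 'table'
        severity: 'CRITICAL,HIGH'
        ignore-unfixed: true
        exit-code: '1'
```

A failing job only prevents merging when that job is also configured as a required status check in the branch protection rules; the Security tab severity threshold alone does not fail a step whose command exited 0.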