
OCI runtime exec failed: exec failed: unable to start container process: exec: "bash": executable file not found in $PATH: unknown

Open Dr-DevOps opened this issue 1 year ago • 4 comments

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '***.dkr.ecr.ap-southeast-1.amazonaws.com/reponame:${{ github.sha }}'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL'
          format: 'table'
          scanners: 'vuln,config'

I have written the above code in my GHA workflow. I am running GHA self-managed. Earlier, the Action was running fine, but for the last week it has kept failing. EKS version 1.28.

Error log:

Run aquasecurity/[email protected]
Run lowercase_repo=$(echo "Linux" | tr '[:upper:]' '[:lower:]')
  lowercase_repo=$(echo "Linux" | tr '[:upper:]' '[:lower:]')
  echo "PLATFORM=${lowercase_repo}" >> $GITHUB_OUTPUT
  shell: bash --noprofile --norc -e -o pipefail {0}
  env:
    AWS_DEFAULT_REGION: ap-southeast-1
    AWS_REGION: ap-southeast-1
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***
    DOCKER_METADATA_OUTPUT_VERSION: v2.0.2
    DOCKER_METADATA_OUTPUT_TAGS: ***.dkr.ecr.ap-southeast-1.amazonaws.com/reponame:v2.0.2
  ***.dkr.ecr.ap-southeast-1.amazonaws.com/reponame:ecc90d3
  ***.dkr.ecr.ap-southeast-1.amazonaws.com/reponame:latest
    DOCKER_METADATA_OUTPUT_LABELS: org.opencontainers.image.created=2024-10-15T08:38:31.160Z
  org.opencontainers.image.description=
  org.opencontainers.image.licenses=
  org.opencontainers.image.revision=ecc90d399de8cdeaccb9238fd6314aaae7f0a512
  org.opencontainers.image.source=https://github.com/org/reponame
  org.opencontainers.image.title=reponame
  org.opencontainers.image.url=https://github.com/org/reponame
  org.opencontainers.image.version=v2.0.2
    DOCKER_METADATA_OUTPUT_JSON: {"tags":["***.dkr.ecr.ap-southeast-1.amazonaws.com/reponame:v2.0.2","***.dkr.ecr.ap-southeast-1.amazonaws.com/reponame:ecc90d3","***.dkr.ecr.ap-southeast-1.amazonaws.com/reponame:latest"],"labels":{"org.opencontainers.image.created":"2024-10-15T08:38:31.160Z","org.opencontainers.image.description":"","org.opencontainers.image.licenses":"","org.opencontainers.image.revision":"ecc90d399de8cdeaccb9238fd6314aaae7f0a512","org.opencontainers.image.source":"https://github.com/org/reponame","org.opencontainers.image.title":"api-gateway","org.opencontainers.image.url":"https://github.com/org/reponame","org.opencontainers.image.version":"v2.0.2"}}
    DOCKER_METADATA_OUTPUT_BAKE_FILE: /tmp/docker-actions-toolkit-oCjCJH/docker-metadata-action-bake.json
OCI runtime exec failed: exec failed: unable to start container process: exec: "bash": executable file not found in $PATH: unknown
Error: Process completed with exit code 126.

I am unable to fix it yet. :(

Dr-DevOps, Oct 15 '24 08:10

Hi @Dr-DevOps, could you try the latest release of trivy-action? We've released some fixes that hopefully should address this. cc @DmitriyLewen

simar7, Oct 15 '24 16:10

Hello @Dr-DevOps, IIUC your action doesn't have bash, right? In this case you can install trivy yourself and run trivy-action with the skip-setup-trivy input. See this example: https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#setting-up-trivy-manually

DmitriyLewen, Oct 16 '24 03:10

  build_image:
    permissions:
      contents: write
      pull-requests: write
    name: Build Image for UAT
    runs-on:
      labels: [self-hosted,image-builder]
    container: 
      image: docker:rc-dind

I am using this as a base Docker image to create a Docker build and then using it for the Trivy scan.

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '***.dkr.ecr.ap-southeast-1.amazonaws.com/reponame:${{ github.sha }}'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL'
          format: 'table'
          scanners: 'vuln,config'

Dr-DevOps, Oct 29 '24 16:10

Hello @Dr-DevOps

You got the same error for aquasecurity/[email protected], right?


  labels: [self-hosted,image-builder]

You use a self-hosted runner. Your runner doesn't have bash. So I see 2 ways:

  • add a step to install bash into your runner (or use another runner containing bash) before running trivy-action
  • install trivy manually and use the skip-setup-trivy input (see https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#trivy-setup)

DmitriyLewen, Oct 30 '24 04:10
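
An added example, not from the thread or the trivy-action project: a POSIX sh preflight for the first option above, meant for a step that sets `shell: sh` and runs before trivy-action in a job container without bash. The function names are hypothetical, and it assumes the container ships one of apk, apt-get, dnf or yum.

```shell
# Preflight for a job container (such as docker:rc-dind in the thread) where
# steps that declare `shell: bash` fail with exit code 126.
# Assumption: the step invoking this uses `shell: sh`, which needs no bash.

# True if the named command resolves on PATH.
have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# Print the first supported package manager found on PATH, or "none".
detect_pkg_manager() {
    for pm in apk apt-get dnf yum; do
        have_cmd "$pm" && { echo "$pm"; return 0; }
    done
    echo "none"
    return 1
}

# Print the command that installs bash for a given package manager.
bash_install_cmd() {
    case "$1" in
        apk)     echo "apk add --no-cache bash" ;;
        apt-get) echo "apt-get update && apt-get install -y --no-install-recommends bash" ;;
        dnf)     echo "dnf install -y bash" ;;
        yum)     echo "yum install -y bash" ;;
        *)       return 1 ;;
    esac
}

# Install bash only when it is missing, then confirm it now resolves.
ensure_bash() {
    if have_cmd bash; then
        echo "bash already present: $(command -v bash)"
        return 0
    fi
    pm=$(detect_pkg_manager) || {
        echo "no supported package manager; bake bash into the runner image" >&2
        return 1
    }
    echo "bash missing, installing via $pm"
    sh -c "$(bash_install_cmd "$pm")"
    have_cmd bash
}

# Act only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--install" ]; then ensure_bash; fi
```

Run it as `sh ensure-bash.sh --install` (the file name is a placeholder) in the step before the scanner. Baking bash into the runner image avoids a package download on every job.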