Regarding Copa for scanning the docker image
Hello
I am trying to use Copa for scanning the built Docker image using its GitHub action, but I am getting the error below.
As the action states, we have to give the names of the Docker images to scan in the matrix, and the Copa action will try to download those images from Docker, then scan and patch them.
Is it possible to scan a Docker image that is built in a previous GitHub Actions step? Like the example below:
```yaml
- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v2
- name: Build Docker image
  run: |
    docker build -t pythonworld:${{ github.sha }} .
- name: Generate Trivy Report
  uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1
  with:
    scan-type: "image"
    format: "json"
    output: "report.json"
    ignore-unfixed: true
    vuln-type: "os"
    image-ref: "pythonworld:${{ github.sha }}"
- name: Check vulnerability count
  id: vuln_count
  run: |
    report_file="report.json"
    vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
    echo "vuln_count=$vuln_count" >> "$GITHUB_OUTPUT"
- name: Log in to Azure Container Registry
  uses: azure/docker-login@v2
  with:
    username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
    password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
    login-server: ${{ secrets.CONTAINER_REGISTRY_URL }}
- name: Run Copa action
  if: steps.vuln_count.outputs.vuln_count != '0'
  id: copa
  # using main for testing purposes
  # use a tag (such as v1 or v1.0.1) at a bare minimum
  # recommendation is to pin to a digest for security and stability
  # and rely on dependabot for digest/version updates
  uses: project-copacetic/copa-action@main
  with:
    image: "pythonworld:${{ github.sha }}"
    image-report: "report.json"
    patched-tag: ${{ github.sha }}
    timeout: "5m" # optional, default is 5m
    output: vex.json # optional
    format: "openvex" # optional, default is openvex
```
Need help @sozercan @ashnamehrotra. Also, when using the socket configuration for local Docker images:
```yaml
- name: Set up Docker
  uses: crazy-max/ghaction-setup-docker@v3
  with:
    daemon-config: |
      {
        "debug": true,
        "experimental": true,
        "features": {
          "containerd-snapshotter": true
        }
      }
- name: Get socket path
  run: |
    url=$(docker context inspect | jq -r '.[0].Endpoints.docker.Host')
    socket_path=$(echo "$url" | awk -F// '{print $2}')
    echo "$socket_path"
    echo "SOCKET=$socket_path" >> "$GITHUB_ENV"
- name: Run Copa action
  if: steps.vuln_count.outputs.vuln_count != '0'
  id: copa
  # using main for testing purposes
  # use a tag (such as v1 or v1.0.1) at a bare minimum
  # recommendation is to pin to a digest for security and stability
  # and rely on dependabot for digest/version updates
  uses: project-copacetic/copa-action@main
  with:
    image: "pythonworld:${{ github.sha }}"
    image-report: "report.json"
    patched-tag: ${{ github.sha }}
    timeout: "5m" # optional, default is 5m
    output: vex.json # optional
    format: "openvex" # optional, default is openvex
    # `with:` values are not shell-expanded; use the expression syntax to read
    # the SOCKET variable written to $GITHUB_ENV in the previous step
    custom-socket: ${{ env.SOCKET }}
```
I am getting the error below.
After using the latest Docker setup action, I am getting the authentication error below.
@ofschnai after authenticating to the registry, can you confirm if you are able to pull the image in a separate step?
@ofschnai here's an example of the copa action running on a local image:
https://github.com/sozercan/copa-test/blob/main/.github/workflows/patch-action-containerd-local.yaml
https://github.com/sozercan/copa-test/actions/runs/13399370009
I am not sure if the trivy action runs with the containerd image store, but that's a separate issue on the trivy action side if you are using trivy as a scanner.
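The two things asked for in these replies (can the image actually be pulled after the registry login, and is the containerd image store really active so a locally built image is visible over the socket) can be checked before the Trivy and Copa steps run. The script below is an added example, not copa-action's own code and not the reporter's workflow. It assumes the daemon endpoint reported by `docker context inspect` is a unix socket, that `docker` and `jq` are on the runner's PATH, and it relies on the fact that `docker info -f '{{json .DriverStatus}}'` contains `io.containerd.snapshotter.v1` when the containerd image store is enabled; the `preflight` function and its `local`/`registry` mode argument are this example's own naming.

```sh
#!/bin/sh
# Added pre-flight for the "local image + custom socket" setup discussed in this thread.
# Example code, not copa-action's or the reporter's. Assumes a unix-socket daemon endpoint
# and that docker and jq are available on the runner.
set -eu

# Convert the Host value printed by `docker context inspect`
# (e.g. unix:///home/runner/setup-docker-action-xxxx/docker.sock)
# into the plain filesystem path that copa-action's custom-socket input takes.
socket_path_from_host() {
    host="$1"
    case "$host" in
        unix://*) printf '%s\n' "${host#unix://}" ;;
        *) printf 'not a unix socket endpoint: %s\n' "$host" >&2; return 1 ;;
    esac
}

# With the containerd image store enabled, `docker info -f '{{json .DriverStatus}}'`
# includes the pair ["driver-type","io.containerd.snapshotter.v1"]. Without it the
# classic overlay2 graph driver holds the images, and an image built with --load is not
# visible to BuildKit's containerd worker, which is why copa-action's option 2 needs it.
containerd_store_enabled() {
    case "$1" in
        *io.containerd.snapshotter.v1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live checks against the runner's daemon. $1 is the image reference; $2 is "local"
# (built in an earlier step) or "registry" (pull it, i.e. prove the login step worked).
preflight() {
    image_ref="$1"
    source="${2:-local}"

    host=$(docker context inspect | jq -r '.[0].Endpoints.docker.Host')
    socket=$(socket_path_from_host "$host")
    [ -S "$socket" ] || { echo "no socket at $socket" >&2; return 1; }

    driver_status=$(docker info -f '{{json .DriverStatus}}')
    containerd_store_enabled "$driver_status" || {
        echo "containerd image store is not enabled; check daemon-config" >&2; return 1; }

    if [ "$source" = "registry" ]; then
        docker pull "$image_ref" >/dev/null || {
            echo "pull of $image_ref failed; registry login was not effective" >&2; return 1; }
    fi
    docker image inspect "$image_ref" >/dev/null 2>&1 || {
        echo "$image_ref is not in the local image store; was it built with --load?" >&2; return 1; }

    # Export the socket path for the copa-action step (custom-socket: ${{ env.SOCKET }}).
    echo "SOCKET=$socket" >> "${GITHUB_ENV:-/dev/null}"
    echo "ok: $image_ref visible via $socket"
}

# Run the live checks only when invoked with arguments, e.g. from a `run:` step:
#   sh preflight.sh docker.io/local/pythonworld:"$GITHUB_SHA" local
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

Put the script in a `run:` step between the build (or login) step and the Trivy step; a failing check then stops the job with a message naming the missing piece instead of leaving Trivy or Copa to fail on an image they cannot see.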
@ashnamehrotra Thank you so much for your reply. Is it possible to build the image in one action and scan/patch it in the next GitHub action?
Like below:
```yaml
- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v2
- name: Build Docker image
  run: |
    docker build -t pythonworld:${{ github.sha }} .
- name: Run Trivy Scanner
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: "image"
    format: "json"
    output: "report.json"
    ignore-unfixed: true
    vuln-type: "os,library"
    image-ref: "pythonworld:${{ github.sha }}"
- name: Check vulnerability count
  id: vuln_count
  run: |
    report_file="report.json"
    vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
    echo "vuln_count=$vuln_count" >> "$GITHUB_OUTPUT"
- name: Run Copa action
  id: copa
  # using main for testing purposes
  # use a tag (such as v1 or v1.0.1) at a bare minimum
  # recommendation is to pin to a digest for security and stability
  # and rely on dependabot for digest/version updates
  uses: project-copacetic/[email protected]
  with:
    image: "pythonworld:${{ github.sha }}"
    image-report: "report.json"
    patched-tag: "patched"
    timeout: "5m" # optional, default is 5m
```
@ofschnai yes, if it would just be a local image after building, you can follow option 2 here: https://github.com/project-copacetic/copa-action?tab=readme-ov-file#option-2-connect-using-defaults-through-a-custom-socket to ensure the containerd image store is enabled in your setup.
@ashnamehrotra I have already tried Option 2, but I am getting the error below in the Trivy Scan step.
And the GitHub Actions workflow I am using is as follows:
```yaml
name: Build, Scan, and Deploy Python Docker Image to AKS
on:
  push:
    branches:
      - master # Trigger on pushes to main branch
jobs:
  patch:
    runs-on: ubuntu-latest
    # used for pushing patched image to GHCR
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Docker
        uses: docker/setup-docker-action@v4
        with:
          daemon-config: |
            {
              "debug": true,
              "experimental": true,
              "features": {
                "containerd-snapshotter": true
              }
            }
      - name: Build Docker image
        run: |
          docker buildx build --load -t docker.io/local/pythonworld:${{ github.sha }} -f Dockerfile .
          docker images
      - name: Get socket path
        run: |
          url=$(docker context inspect | jq -r '.[0].Endpoints.docker.Host')
          socket_path=$(echo "$url" | awk -F// '{print $2}')
          echo "$socket_path"
          echo "SOCKET=$socket_path" >> "$GITHUB_ENV"
      - name: Run Trivy Scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "image"
          format: "json"
          output: "pythonworld_report.json"
          ignore-unfixed: true
          vuln-type: "os,library"
          image-ref: "docker.io/local/pythonworld:${{ github.sha }}"
          DOCKER-HOST: "/home/runner/setup-docker-action-cd960e80/docker.sock"
      # copa action will only run if there are vulnerabilities
      - name: Run Copa action
        id: copa
        uses: project-copacetic/[email protected]
        with:
          image: "docker.io/local/pythonworld:${{ github.sha }}"
          image-report: "pythonworld_report.json"
          patched-tag: "patched"
          timeout: 5m
          # read the SOCKET variable from $GITHUB_ENV; a bare ${SOCKET} is not expanded in `with:`
          custom-socket: ${{ env.SOCKET }}
          output: out.json
      - run: sudo cat out.json
```
@sozercan @ashnamehrotra Also, when I am trying to scan an image from ACR, I am getting the error below, even though the ACR login is successful in the previous step.
Below are the GitHub Actions steps:
```yaml
- name: Log in to Docker Hub
  uses: azure/docker-login@v2
  with:
    login-server: ${{ secrets.CONTAINER_REGISTRY_URL }}
    username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
    password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
- name: Run Trivy Scanner
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: "image"
    format: "json"
    output: "pythonworld_report.json"
    ignore-unfixed: true
    vuln-type: "os,library"
    image-ref: ${{ secrets.CONTAINER_REGISTRY_URL }}/test/devops-template-api:3.1.1
    severity: 'CRITICAL,HIGH,MEDIUM,LOW'
  env:
    TRIVY_USERNAME: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
    TRIVY_PASSWORD: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
# copa action will only run if there are vulnerabilities
- name: Run Copa action
  id: copa
  uses: project-copacetic/[email protected]
  with:
    image: "${{ secrets.CONTAINER_REGISTRY_URL }}/test/devops-template-api:3.1.1"
    image-report: "pythonworld_report.json"
    patched-tag: "patched"
    timeout: 5m
    output: out.json
```
@ofschnai rather than using the Trivy GitHub action, can you try installing Trivy and then passing the --docker-host flag? https://github.com/project-copacetic/copa-action/issues/46. For the ACR image, can you confirm that you can pull the image after the login step?
@ashnamehrotra I tried that; it is working with the ACR image but not with the local image which I am trying to build in the previous step, where I am getting the same error. Below are the attached logs and script.
```yaml
- name: Checkout
  uses: actions/checkout@v4
- name: Set up Docker
  uses: docker/setup-docker-action@v4
  with:
    daemon-config: |
      {
        "debug": true,
        "experimental": true,
        "features": {
          "containerd-snapshotter": true
        }
      }
- name: Build Docker image
  run: |
    docker buildx build --load -t docker.io/local/pythonworld -f Dockerfile .
    docker images
- name: Get socket path
  run: |
    url=$(docker context inspect | jq -r '.[0].Endpoints.docker.Host')
    socket_path=$(echo "$url" | awk -F// '{print $2}')
    echo "$socket_path"
    echo "SOCKET=$socket_path" >> "$GITHUB_ENV"
- name: Download Trivy
  run: |
    # -y: apt must not prompt on a non-interactive runner
    sudo apt-get install -y wget gnupg
    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
    echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
    sudo apt-get update
    sudo apt-get install -y trivy
- name: Get Trivy report
  run: |
    sudo trivy image --format json --output pythonworld.json docker.io/local/pythonworld --docker-host "$SOCKET"
    sudo cat pythonworld.json
- name: Run Copa action
  id: copa
  uses: project-copacetic/[email protected]
  with:
    image: "docker.io/local/pythonworld"
    image-report: "pythonworld.json"
    patched-tag: "patched"
    timeout: 5m
    # read the SOCKET variable from $GITHUB_ENV; a bare ${SOCKET} is not expanded in `with:`
    custom-socket: ${{ env.SOCKET }}
    output: out.json
```
@ofschnai are you still having this issue? what do you see for the output of "docker images"?
@ashnamehrotra Hi Ashna, I am using the GitHub Actions workflow below for scanning and patching the Docker image stored in Azure Container Registry, but I am getting an error while patching the image. The Trivy scan is working properly.

```yaml
jobs:
  get-deployed-image:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    strategy:
      fail-fast: false
      matrix:
        # provide relevant list of images to scan on each run
        images:
          - "ablacr.azurecr.io/test/devops-template-api/pythonworld:latest"
    steps:
      # generate trivy report for fixable OS package vulnerabilities
      - name: Generate Trivy Report
        uses: aquasecurity/trivy-action@master # 0.16.1
        with:
          scan-type: "image"
          format: "json"
          output: "report.json"
          ignore-unfixed: true
          vuln-type: "os,library"
          image-ref: ${{ matrix.images }}
          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
        env:
          TRIVY_USERNAME: ${{ secrets.CONTAINER_REGISTRY_ACR_USERNAME }}
          TRIVY_PASSWORD: ${{ secrets.CONTAINER_REGISTRY_ACR_PASSWORD }}
      # check whether there are any OS package vulnerabilities
      - name: Check vulnerability count
        id: vuln_count
        run: |
          report_file="report.json"
          vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
          echo "vuln_count=$vuln_count" >> "$GITHUB_OUTPUT"
          echo "$vuln_count"
      - name: Login to ACR
        id: login
        uses: azure/docker-login@v2
        with:
          login-server: ${{ secrets.CONTAINER_REGISTRY_ACR_URL }}
          username: ${{ secrets.CONTAINER_REGISTRY_ACR_USERNAME }}
          password: ${{ secrets.CONTAINER_REGISTRY_ACR_PASSWORD }}
      # copa action will only run if there are vulnerabilities
      - name: Run Copa action
        if: steps.vuln_count.outputs.vuln_count != '0'
        id: copa
        # using main for testing purposes
        # use a tag (such as v1 or v1.0.1) at a bare minimum
        # recommendation is to pin to a digest for security and stability
        # and rely on dependabot for digest/version updates
        uses: project-copacetic/copa-action@main
        with:
          image: ${{ matrix.images }}
          image-report: "report.json"
          patched-tag: "patched"
          timeout: "5m" # optional, default is 5m
          output: vex.json # optional
          format: "openvex" # optional, default is openvex
          # copa-version: "0.6.0" # optional, default is latest
          # buildkit-version: "v0.12.4" # optional, default is latest
          # custom-socket: "/var/run/buildkit/buildkitd.sock" # optional, used for custom socket address
```
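The "Check vulnerability count" step is reused unchanged across the workflows in this thread, and it only counts `os-pkgs` results even where Trivy was run with `vuln-type: "os,library"`. As an added example, not the reporter's workflow and not Copa's own code, the script below is that gate as a stand-alone POSIX shell script with two additions a practitioner would want: it checks that the report's `ArtifactName` is the same reference that will be passed to copa-action's `image` input (a mismatch means Copa is patching from a report for a different image), and it reports `lang-pkgs` findings separately so the job log shows what the gate is ignoring. It assumes `jq` on the runner; the sample report is constructed to the shape of Trivy's JSON output and uses placeholder vulnerability IDs, not real CVEs.

```sh
#!/bin/sh
# Added example of the report gate used before the copa-action step in this thread.
# Not the reporter's or Copa's own code. Requires jq; the sample report is constructed.
set -eu

# Fixable OS-package findings in a Trivy JSON report: the same jq as the workflow's
# "Check vulnerability count" step. A clean image has no .Results and counts as 0.
os_vuln_count() {
    jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$1"
}

# Language/library findings (pip, npm, ...) present when vuln-type includes "library".
# These are not counted by the os-pkgs gate above.
lang_vuln_count() {
    jq 'if .Results then [.Results[] | select(.Class=="lang-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$1"
}

# Trivy records the scanned reference in .ArtifactName. If it differs from the image
# handed to copa-action, the patch step would be driven by a report for another image.
report_matches_image() {
    report="$1"; image="$2"
    artifact=$(jq -r '.ArtifactName' "$report")
    [ "$artifact" = "$image" ]
}

# Gate decision, written to GITHUB_OUTPUT as vuln_count like the workflow step,
# and also printed so a caller can capture it.
gate() {
    report="$1"; image="$2"
    report_matches_image "$report" "$image" || {
        echo "report $report is for $(jq -r '.ArtifactName' "$report"), not $image" >&2; return 1; }
    os=$(os_vuln_count "$report")
    lang=$(lang_vuln_count "$report")
    echo "os-pkgs fixable: $os; lang-pkgs (not counted by the gate): $lang" >&2
    echo "vuln_count=$os" >> "${GITHUB_OUTPUT:-/dev/null}"
    printf '%s\n' "$os"
}

# Constructed sample report (Trivy JSON shape, trimmed to the fields used here;
# vulnerability IDs are placeholders, not real CVEs). Written to the path given as $1.
write_sample_report() {
    cat > "$1" <<'EOF'
{
  "ArtifactName": "docker.io/local/pythonworld:abc123",
  "Results": [
    {"Target": "docker.io/local/pythonworld:abc123 (debian 12.4)", "Class": "os-pkgs", "Type": "debian",
     "Vulnerabilities": [
       {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample1", "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
       {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libexample2", "InstalledVersion": "2.0-1", "FixedVersion": "2.0-3", "Severity": "MEDIUM"}
     ]},
    {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
     "Vulnerabilities": [
       {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "examplelib", "InstalledVersion": "0.1", "FixedVersion": "0.2", "Severity": "HIGH"}
     ]},
    {"Target": "/app/requirements.txt", "Class": "lang-pkgs", "Type": "pip"}
  ]
}
EOF
}

# Usage from a `run:` step:  sh gate.sh report.json "docker.io/local/pythonworld:$GITHUB_SHA"
if [ "$#" -eq 2 ]; then
    gate "$1" "$2"
fi
```

On the constructed report the gate prints 2 (the two os-pkgs findings), logs the single lang-pkgs finding as not counted, and refuses to run if the image reference differs from the report's ArtifactName, for instance `pythonworld:abc123` versus `docker.io/local/pythonworld:abc123`.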