aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Sarif output has root:root permissions #283

Open mikejgray opened 10 months ago

mikejgray commented 10 months ago

When outputting a trivy-results.sarif file, it has root:root permissions, which is likely because the Docker container that executes Trivy is running as root.

Steps:

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ************.dkr.ecr.us-east-1.amazonaws.com/service:${{ github.sha }}
          format: sarif
          exit-code: "0"
          ignore-unfixed: true
          vuln-type: os,library
          severity: CRITICAL,HIGH
          scan-type: image
          output: trivy-results.sarif
          scan-ref: ""
      - name: Troubleshooting
        run: ls -lah
      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif
      - name: Push Docker Image to ECR
        run: |-
          docker push ************.dkr.ecr.us-east-1.amazonaws.com/service:${{ github.sha }}
          docker push ************.dkr.ecr.us-east-1.amazonaws.com/service:latest

Output snippets:

Building SARIF report with options:  --exit-code  0 --ignore-unfixed --vuln-type  os,library  ***.dkr.ecr.us-east-1.amazonaws.com/merida:87e4cb552e20775a5f556b83de1bfdfad0e67641

Run ls -lah
total 296K
...snip...
-rw-r--r--  1 root   root   150K Nov 15 19:18 trivy-results.sarif

Error: codeql/upload-sarif action failed: Resource not accessible by integration

If the Docker container cannot be run as non-root, would it be possible to add a step to change the permissions to the output file as part of the action? Thank you.
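Two things are worth separating here before changing ownership. The listing above shows `-rw-r--r--`, so the `runner` user can already read the file regardless of the `root:root` owner; what root ownership does break is any later step that has to overwrite or delete it. The string `Resource not accessible by integration` is GitHub's API error for a `GITHUB_TOKEN` that lacks the permission the call needs, and for `upload-sarif` that is `security-events: write` in the job's `permissions:` block, which the posted workflow does not show. The script below is an added example, not code from trivy-action or from the issue author: it is the body of a `run:` step placed between the scan and the upload that takes ownership of a root-owned output file only when necessary and sanity-checks that the file is a non-empty SARIF document. The file name `trivy-results.sarif` is taken from the workflow above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of trivy-action): claim a root-owned scan output for
# the current (runner) user and check that it looks like a SARIF file before
# a later step uploads or overwrites it.

# Numeric uid of a file's owner via `ls -ln` (portable across GNU and BSD ls).
file_owner_uid() {
  ls -ln "$1" | awk '{print $3}'
}

# 0 if the current user can read the file, 1 otherwise.
can_read() {
  [ -r "$1" ]
}

# Make $1 owned by the current uid:gid. Uses sudo only when the file is not
# already ours (the Docker-based action writes it as root, as in the issue).
# Returns 0 on success, 2 if the file does not exist.
claim_output() {
  f=$1
  [ -f "$f" ] || { echo "claim_output: no such file: $f" >&2; return 2; }
  me=$(id -u)
  if [ "$(file_owner_uid "$f")" = "$me" ]; then
    return 0
  fi
  if command -v sudo >/dev/null 2>&1; then
    sudo chown "$me:$(id -g)" "$f"
  else
    chown "$me:$(id -g)" "$f"
  fi
  [ "$(file_owner_uid "$f")" = "$me" ]
}

# Cheap sanity check: a SARIF file is JSON with a top-level "runs" array.
# An empty or truncated output would fail the upload for reasons that have
# nothing to do with ownership, so catch it here with a clear message.
sarif_looks_valid() {
  if [ ! -s "$1" ]; then
    echo "sarif_looks_valid: $1 is missing or empty" >&2
    return 1
  fi
  grep -q '"runs"' "$1"
}

# Usage as a workflow step body (file name from the workflow in the issue):
#   claim_output trivy-results.sarif
#   can_read trivy-results.sarif
#   sarif_looks_valid trivy-results.sarif
```

On a GitHub-hosted runner `sudo` is available without a password, so the `chown` branch works unmodified; on a self-hosted runner without `sudo` the step falls through to a plain `chown`, which only succeeds if the runner user already has the right to change the owner.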

kderck commented 10 months ago

Hi @mikejgray are you running this on your own runner, or a GitHub's public runners?

mikejgray commented 10 months ago

@kderck This is using GitHub's provided runners