
Upload SBoM to GitHub Enterprise: supported? #312

Open
RoFz opened this issue Feb 19, 2024 · 1 comment

Comments


RoFz commented Feb 19, 2024

I have a very simple pipeline (based on the example provided in this repo's README.md) running on a GitHub Enterprise Server, but it keeps failing due to 'Bad credentials'.

Attempt no. 1: with GITHUB_TOKEN

---
on:
  workflow_call: 
  push:
    branches:
      - '**'
  pull_request:
    branches:
      - '**'

permissions:
  contents: write

jobs:
  build:
    name: Checks
    runs-on: [self-hosted, Linux]
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          ignore-unfixed: true
          input: src/image.tar
          scan-type: image
          format: 'github' # table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln
          output: 'dependency-results.sbom.json'
          github-pat: ${{ secrets.GITHUB_TOKEN }}
          severity: "MEDIUM,HIGH,CRITICAL"
          scanners: "vuln" # vuln,misconfig,secret,license
          timeout: 30m0s

Attempt no. 2: with PAT

---
on:
  workflow_call: 
  push:
    branches:
      - '**'
  pull_request:
    branches:
      - '**'

jobs:
  build:
    name: Checks
    runs-on: [self-hosted, Linux]
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          ignore-unfixed: true
          input: src/image.tar
          scan-type: image
          format: 'github' # table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln
          output: 'dependency-results.sbom.json'
          github-pat: ${{ secrets.PAT_TOKEN }}
          severity: "MEDIUM,HIGH,CRITICAL"
          scanners: "vuln" # vuln,misconfig,secret,license
          timeout: 30m0s

Error produced in both attempts:

/usr/bin/docker run --name fcba85d282d3159c7e476c8588bf73c34e8ba2_7b9ec6 --label fcba85 --workdir /github/workspace --rm -e "BCM_REGISTRY" -e "IMAGE_NAME" -e "SHA" -e "COMPARE_TAG" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_INPUT" -e "INPUT_SCAN-TYPE" -e "INPUT_FORMAT" -e "INPUT_OUTPUT" -e "INPUT_GITHUB-PAT" -e "INPUT_SEVERITY" -e "INPUT_SCANNERS" -e "INPUT_TIMEOUT" -e "INPUT_IMAGE-REF" -e "INPUT_SCAN-REF" -e "INPUT_EXIT-CODE" -e "INPUT_VULN-TYPE" -e "INPUT_TEMPLATE" -e "INPUT_SKIP-DIRS" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_TRIVY-CONFIG" -e "INPUT_TF-VARS" -e "INPUT_LIMIT-SEVERITIES-FOR-SARIF" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_I...
Running trivy with options: trivy image  --format github --ignore-unfixed --vuln-type  os,library --scanners  vuln --severity  MEDIUM,HIGH,CRITICAL --output  dependency-results.sbom.json --timeout  30m0s --input src/image.tar
Global options:  
2024-02-19T13:18:59.259Z	INFO	Vulnerability scanning is enabled
2024-02-19T13:21:16.206Z	INFO	Detected OS: ubuntu
2024-02-19T13:21:16.206Z	WARN	This OS version is not on the EOL list: ubuntu 24.04
2024-02-19T13:21:16.207Z	INFO	Detecting Ubuntu vulnerabilities...
2024-02-19T13:21:16.215Z	INFO	Number of language-specific files: 8
2024-02-19T13:21:16.220Z	INFO	Detecting dotnet-core vulnerabilities...
2024-02-19T13:21:16.317Z	INFO	Detecting node-pkg vulnerabilities...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
100  260k  100    90  100  260k     48   140k  0:00:01  0:00:01 --:--:--  142k
 Uploading GitHub Dependency Snapshot{
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest"
}

I'd just like to obtain confirmation that this action indeed supports GitHub Enterprise before proceeding any further into the troubleshooting.

Thanks in advance.

@bosch-ch

It looks like it's hard coded to github.com maybe?

curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubPAT" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)

Would be very interested in this being supported.
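The curl line quoted above posts to `https://api.github.com` unconditionally, so on a GitHub Enterprise Server the snapshot never reaches the instance that issued the token; a GHES-issued `GITHUB_TOKEN` or PAT is not valid on github.com, which would explain a `Bad credentials` reply. GitHub Actions exports `GITHUB_API_URL` on every runner (`https://api.github.com` on github.com, `https://<ghes-host>/api/v3` on GHES), so an upload step that builds the endpoint from that variable works on both. The script below is an added example written for this page, not code from trivy-action; it assumes the Trivy `github` format output file from the workflow above, a token with `contents: write` on the repository, and the documented `POST /repos/{owner}/{repo}/dependency-graph/snapshots` endpoint, which answers `201 Created` on success. The function and variable names are the example's own.

```shell
#!/bin/sh
# Upload a Trivy "github" format dependency snapshot to the Dependency Graph API.
# Added example for this issue, not trivy-action's own code. It honours the
# GITHUB_API_URL variable that GitHub Actions sets, so the same step works on
# github.com and on GitHub Enterprise Server instead of being pinned to api.github.com.
set -eu

# Build the snapshot endpoint for a repository given as owner/name.
# GITHUB_API_URL is "https://api.github.com" on github.com and
# "https://<ghes-host>/api/v3" on GHES; the hard-coded github.com value is only a
# fallback for running the script outside Actions.
snapshot_api_url() {
  repo="${1:?repository in owner/name form required}"
  api_base="${GITHUB_API_URL:-https://api.github.com}"
  api_base="${api_base%/}"   # tolerate a trailing slash in a hand-set value
  printf '%s/repos/%s/dependency-graph/snapshots\n' "$api_base" "$repo"
}

# Cheap pre-flight check that the file looks like a dependency snapshot rather
# than an error body or an empty file: non-empty, and containing the top-level
# keys the Dependency Submission API requires.
snapshot_looks_valid() {
  file="$1"
  [ -s "$file" ] || return 1
  for key in version job sha ref detector scanned; do
    grep -q "\"$key\"" "$file" || return 1
  done
  return 0
}

# POST the snapshot. The token needs contents:write on the repository
# (GITHUB_TOKEN with `permissions: contents: write`, or a PAT). Prints the HTTP
# status code on stdout and the response body on stderr; 201 means accepted.
upload_snapshot() {
  file="$1"; repo="$2"; token="$3"
  url="$(snapshot_api_url "$repo")"
  if ! snapshot_looks_valid "$file"; then
    echo "refusing to upload $file: does not look like a dependency snapshot" >&2
    return 1
  fi
  curl -sS -o /dev/stderr -w '%{http_code}\n' \
    -X POST "$url" \
    -H 'Accept: application/vnd.github+json' \
    -H "Authorization: Bearer $token" \
    -H 'X-GitHub-Api-Version: 2022-11-28' \
    --data-binary "@$file"
}

# Workflow entry point, e.g. from a `run:` step:
#   sh upload-snapshot.sh dependency-results.sbom.json
# with GITHUB_TOKEN passed in via `env:`; GITHUB_REPOSITORY and GITHUB_API_URL
# are already present in the runner environment.
main() {
  file="${1:-dependency-results.sbom.json}"
  : "${GITHUB_REPOSITORY:?set by GitHub Actions, e.g. org/repo}"
  : "${GITHUB_TOKEN:?pass the token via env, e.g. GITHUB_TOKEN: \${{ secrets.GITHUB_TOKEN }}}"
  status="$(upload_snapshot "$file" "$GITHUB_REPOSITORY" "$GITHUB_TOKEN")"
  echo "snapshot upload returned HTTP $status"
  [ "$status" = "201" ]
}

# Only run the upload when a file argument is given, so the functions can be
# sourced and exercised without network access or credentials.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Check the endpoint before worrying about the token: on a GHES runner `echo "$GITHUB_API_URL"` must print the instance's `/api/v3` base, and `snapshot_api_url "$GITHUB_REPOSITORY"` must print a URL on that host. If it does and the upload still returns 401, the token is the problem; if the URL points at api.github.com, the credentials were never going to work regardless of which token is used.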
