Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SARIF file when using sacn-type 'config' cannot be uploaded to GitHub Advance Security. Validation error. #320

Open
rkeidar opened this issue Mar 14, 2024 · 3 comments
Open

SARIF file when using sacn-type 'config' cannot be uploaded to GitHub Advance Security. Validation error. #320

rkeidar opened this issue Mar 14, 2024 · 3 comments

Comments

@rkeidar
Copy link

rkeidar commented Mar 14, 2024

I'm using Trivy to scan IaC with this bellow actions. The upload-sarif step fails with below errors. I've downloaded the result file and it failed the SARIF validation on this sarif validation web site
.

### GitHub Error:

Error: Code Scanning could not process the submitted SARIF file:
SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file"
Error: Code Scanning could not process the submitted SARIF file:
SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file", SARIF URI scheme "git" did not match the checkout URI scheme "file"

### Workflows steps:

- name: Run Trivy vulnerability scanner in IaC mode
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'config'
    hide-progress: false
    format: 'sarif'
    output: 'trivy-results.sarif2'
    exit-code: '0'
    ignore-unfixed: true
    severity: 'CRITICAL,HIGH'

- name: Upload Trivy scan results to GitHub Security tab
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: 'trivy-results.sarif2'
    category: "IaC"
@rkeidar
Copy link
Author

rkeidar commented Mar 18, 2024

Here is the screenshot.
image

The format error is:
SARIF1004: runs[0].results[80].locations[0].physicalLocation.artifactLocation: This 'artifactLocation' object has a 'uriBaseId' property 'ROOTPATH', but its 'uri' property 'git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=5818de1fbdcca461a917e889e6703218d740494c/main.tf' is an absolute URI. Since the purpose of 'uriBaseId' is to resolve a relative reference to an absolute URI, it is not allowed when the 'uri' property is already an absolute URI.

@afdesk
Copy link

afdesk commented Mar 28, 2024

Hi @rkeidar
it seems it's a known issue in Trivy aquasecurity/trivy#5003
and there is a fix, but it hasn't merged yet
aquasecurity/trivy#6405

wdyt?

@afdesk
Copy link

afdesk commented Mar 28, 2024

the next trivy release should have the fix )

@ctcampbell ctcampbell mentioned this issue Apr 29, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@afdesk @rkeidar