Trivy Config ignored in latest version #342
Comments
Dupe of #308. Please see the comment here: #308 (comment)
Hey @simar7 - Thanks for looking into this, I don't think this is a dupe. Did some additional testing to show you why. In #308 you mentioned:

```yaml
- name: Cat trivy config with workspace
  run: cat ${{ github.workspace }}/.trivy.yaml
- name: Cat trivy config w/o workspace
  run: cat .trivy.yaml
```

Both resulting in the same output:

```
Run cat .trivy.yaml
severity: HIGH,CRITICAL
...
```

Given that we know where

```yaml
- name: Cat trivy config w/o workspace
  run: cat .trivy.yaml #succeeds
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 #0.19.0
  with:
    image-ref: '$ref'
    scan-type: 'image'
    trivy-config: '${{ github.workspace }}/.trivy.yaml'
```

and

```yaml
- name: Cat trivy config w/o workspace
  run: cat .trivy.yaml #succeeds
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 #0.19.0
  with:
    image-ref: '$ref'
    scan-type: 'image'
    trivy-config: '.trivy.yaml'
```

And with both cases, in our action, observe that the trivy.yaml file is fully ignored:

```
Run aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55
with:
  image-ref: ***
  scan-type: image
  trivy-config: /home/runner/work/our-org/our-repo/.trivy.yaml
  severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL # these should only contain high, critical
```

Repo structure is currently as follows:

```
.
├── .github
│   ├── CODEOWNERS
│   └── workflows
│       └── trivy-action.yaml
└── .trivy.yaml
```
@Frituurpanda thanks for the explanation. @afdesk could you take a look? thank you!

@simar7 yes, sure. I'll take a look at this issue today
Hi @Frituurpanda. Now there is a problem with using the Trivy config file: it's a known issue and will be fixed soon. But I can see another moment here: CLI arguments in Trivy have higher priority than trivy-config params. You can test it locally:

```
$ cat .trivy.yaml
severity: HIGH,CRITICAL
$ trivy image -c .trivy.yaml alpine:3.14.1
2024-04-26T19:17:56.562+0600 INFO Loaded .trivy.yaml
2024-04-26T19:17:56.580+0600 INFO Vulnerability scanning is enabled
2024-04-26T19:17:56.580+0600 INFO Secret scanning is enabled
...
alpine:3.14.1 (alpine 3.14.1)
Total: 37 (HIGH: 34, CRITICAL: 3)
...
$ trivy image -c .trivy.yaml --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL alpine:3.14.1
2024-04-26T19:18:37.006+0600 INFO Loaded .trivy.yaml
2024-04-26T19:18:37.023+0600 INFO Vulnerability scanning is enabled
2024-04-26T19:18:37.023+0600 INFO Secret scanning is enabled
alpine:3.14.1 (alpine 3.14.1)
Total: 47 (UNKNOWN: 0, LOW: 0, MEDIUM: 10, HIGH: 34, CRITICAL: 3)
...
```

So I think you have a mix of these two moments, @Frituurpanda wdyt?
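The precedence afdesk describes above (an explicit `--severity` on the command line beats `severity` in `.trivy.yaml`, which beats Trivy's built-in default of all five levels) is what makes the two runs differ by the 10 MEDIUM findings. The script below is an added example, not Trivy's or trivy-action's code: it models that precedence with a tiny config reader that accepts both config shapes seen in this thread, filters a constructed set of findings, and reproduces the 37-vs-47 totals from the quoted runs. The `FINDINGS`, `CONFIG_*` and `ARGS_*` values are constructed for the example, and the reader assumes flat keys only.

```python
"""Added example (not Trivy's code): model of the severity precedence described
in this thread. An explicit --severity on the command line beats `severity` in
.trivy.yaml, which in turn beats Trivy's built-in default of all five levels.
Config text, argv lists and findings below are constructed for the example; the
totals (37 vs 47) mirror the alpine:3.14.1 runs quoted above."""
from collections import Counter

# Trivy's default --severity value, as seen in the action's "with:" output above.
ALL_SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def parse_trivy_config(text: str) -> dict:
    """Minimal reader for the two .trivy.yaml shapes quoted in this thread:
    `severity: HIGH,CRITICAL` and a YAML list under `severity:`.
    Assumption: flat keys only; this is not a general YAML parser."""
    config: dict = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if line.lstrip().startswith("- ") and current_key is not None:
            # list item belonging to the most recent key
            config.setdefault(current_key, []).append(line.strip()[2:].strip())
            continue
        key, _, value = line.partition(":")
        current_key = key.strip()
        config[current_key] = [v.strip() for v in value.split(",") if v.strip()]
    return config


def resolve_severity(config: dict, cli_args: list) -> list:
    """Precedence: explicit --severity flag > config file > built-in default."""
    for i, arg in enumerate(cli_args):
        if arg == "--severity" and i + 1 < len(cli_args):
            return [s.strip() for s in cli_args[i + 1].split(",")]
        if arg.startswith("--severity="):
            return [s.strip() for s in arg.split("=", 1)[1].split(",")]
    if config.get("severity"):
        return list(config["severity"])
    return list(ALL_SEVERITIES)


def summarize(findings: list, severities: list) -> dict:
    """Keep only findings at the resolved severities and count them, in the
    same shape as Trivy's `Total: N (HIGH: x, CRITICAL: y)` summary line."""
    wanted = set(severities)
    kept = [f for f in findings if f["severity"] in wanted]
    counts = Counter(f["severity"] for f in kept)
    return {"total": len(kept), "by_severity": {s: counts.get(s, 0) for s in severities}}


# Constructed sample: 10 MEDIUM, 34 HIGH, 3 CRITICAL findings (47 in total).
FINDINGS = (
    [{"id": f"CONSTRUCTED-MED-{n}", "severity": "MEDIUM"} for n in range(10)]
    + [{"id": f"CONSTRUCTED-HIGH-{n}", "severity": "HIGH"} for n in range(34)]
    + [{"id": f"CONSTRUCTED-CRIT-{n}", "severity": "CRITICAL"} for n in range(3)]
)

CONFIG_COMMA = "severity: HIGH,CRITICAL\n"           # shape used in afdesk's test
CONFIG_LIST = "severity:\n  - HIGH\n  - CRITICAL\n"  # shape used by the reporter

# The two invocations from afdesk's comment, as argv after `trivy`.
ARGS_CONFIG_ONLY = ["image", "-c", ".trivy.yaml", "alpine:3.14.1"]
ARGS_CLI_OVERRIDE = ["image", "-c", ".trivy.yaml",
                     "--severity", "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "alpine:3.14.1"]


def run(config_text: str, cli_args: list) -> dict:
    """Resolve severity as the thread describes, then summarize the findings."""
    return summarize(FINDINGS, resolve_severity(parse_trivy_config(config_text), cli_args))


if __name__ == "__main__":
    for label, args in (("config only", ARGS_CONFIG_ONLY), ("CLI override", ARGS_CLI_OVERRIDE)):
        print(label, run(CONFIG_COMMA, args))
```

The practical check this suggests for the workflow in question: look at the `with:` block the action prints at the start of the step; if a `severity:` line appears there even though the workflow never set one, the action is passing its own default on the command line and the config file's `severity` will lose on precedence regardless of which path is given to `trivy-config`.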
Hey @afdesk, Thanks for investigating! In our case we are actually using the GitHub action: https://github.com/aquasecurity/trivy-action Thus we are not mixing and matching config parameters and non-config parameters. The simplest form that fails is:

```yaml
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 #0.19.0
  with:
    image-ref: '$ref'
    scan-type: 'image'
    trivy-config: '.trivy.yaml'
```

with the following in our

```yaml
severity:
  - HIGH
  - CRITICAL
```

I'll try to step down through the versions, try to isolate if that's the problem, otherwise it's probably our org that's inherently broken. I've seen the sample provided by @simar7 and can reproduce that this works, I simply can't reproduce that in my org.
We are currently running Trivy with the latest version:

Subsequent uploading works perfectly fine with:

And want to start using Trivy in more actions, thus looking at using Trivy with a config file. When we take this exact set, and place it in a `.trivy.yml` at the root of our repository:

And modifying the action to use `trivy-config`:

fails as the action reports that:

and that should not be the case, as with our previous version. The upload also fails as the output does not exist:

```
Path does not exist: trivy-results.sarif
```

Anything we can do here to resolve this issue? Happy to test and provide more data.