-
Notifications
You must be signed in to change notification settings - Fork 223
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unexpected behaviour when scanning with SARIF formatting #142
Comments
hi @jonpulsifer - as mentioned in the issue #95, this is currently by design. We want all vulnerabilities that exist in a repository to be submitted as SARIF results to GitHub. If you think this isn't desired and would rather not have it, we'll take your feedback. If you have any other ideas on how we can implement this better (without running the scan twice), we're happy to hear from you. |
👋 pardon the delay and thanks for the response! In our case:
A specific fix for us would be to append if [ $trivyConfig ]; then
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
trivy --config $trivyConfig ${scanType} ${artifactRef}
returnCode=$?
elif [[ "${format}" == "sarif" ]]; then
# SARIF is special. We output all vulnerabilities,
# regardless of severity level specified in this report.
# This is a feature, not a bug :)
echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
returnCode=$?
else
echo "Running trivy with options: ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
returnCode=$?
fi In any case, it sounds like adding |
hi @jonpulsifer - thanks for explaining, that makes sense. I've cut a PR for it #156 |
Wat
The action runs trivy twice when the format is set to
sarif
, so some options are not respected (including timeouts)imo we should remove the second trivy run altogether, since it's mostly duplication, but thought I should open an issue before a PR 😄 .. any concerns?
Similar #95 and #153
Expectation
Given the following step:
I was expecting the step to succeed in under 10 minutes.
Reality
It fails with a timeout after 8 minutes.
Cause
It runs trivy twice. Once with a timeout, and one without.
Additionally, the timeouts in my case are caused by secret scanning on a large image, which would not be disabled when trivy runs the second time.
trivy-action/entrypoint.sh
Line 162 in 7b7aa26
Resolves to:
trivy image --format sarif --ignore-unfixed --vuln-type os --security-checks vuln --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --output trivy-image.sarif --timeout 10m library/alpine
trivy-action/entrypoint.sh
Lines 165 to 171 in 7b7aa26
Resolves to:
trivy --quiet image --format sarif --output trivy-image.sarif --ignore-unfixed --vuln-type os library/alpine
The text was updated successfully, but these errors were encountered: