
Timeout parameter ignored #153

Closed
ralfstuckert opened this issue Jul 27, 2022 · 3 comments · Fixed by #156

Comments

@ralfstuckert

Since version 0.5.0 the timeout parameter seems to be ignored (we run into a timeout after 5 min).

Setup looks like this:

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.6.0
      with:
        image-ref: ${{ secrets.CONTAINER_REGISTRY }}/${{ inputs.image-package }}/${{ inputs.image-name }}:${{ env.IMAGE_VERSION }}
        format: 'sarif'
        output: 'trivy-results.sarif'
        exit-code: '1'
        ignore-unfixed: true
        vuln-type: 'os'
        security-checks: 'vuln'
        severity: 'CRITICAL,HIGH'
        timeout: '30m'

However, if we pass the timeout via yaml config, it works:

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.6.0
      with:
        image-ref: ${{ secrets.CONTAINER_REGISTRY }}/${{ inputs.image-package }}/${{ inputs.image-name }}:${{ env.IMAGE_VERSION }}
        format: 'sarif'
        ...
        trivy-config: ./trivy.yaml

trivy.yaml:

    timeout: 30m
simar7 (Member) commented Jul 29, 2022

hi @ralfstuckert - thanks for reporting this but I'm unable to reproduce this locally. Would you mind sharing the logs of your GitHub action here?

iameskild commented Aug 1, 2022

Hi @simar7, I've been experiencing a similar issue, but given what I've been seeing, I was wondering if there was another timeout setting specific to the Building SARIF report... step. Here are the GHA logs for my most recent attempt:

2022-08-01T19:23:28.2482254Z ##[group]Run aquasecurity/trivy-action@master
2022-08-01T19:23:28.2482537Z with:
2022-08-01T19:23:28.2482848Z   input: /github/workspace/jupyterlab-e544d8056a23cd010af544e0dd7e7606d8c3d2be.tar.gz
2022-08-01T19:23:28.2483184Z   format: sarif
2022-08-01T19:23:28.2483388Z   output: trivy-results.sarif
2022-08-01T19:23:28.2483624Z   severity: CRITICAL,HIGH
2022-08-01T19:23:28.2483844Z   ignore-unfixed: true
2022-08-01T19:23:28.2484057Z   cache-dir: .trivy
2022-08-01T19:23:28.2484266Z   security-checks: vuln
2022-08-01T19:23:28.2484638Z   timeout: 30m0s
2022-08-01T19:23:28.2484845Z   scan-type: image
2022-08-01T19:23:28.2485049Z   scan-ref: .
2022-08-01T19:23:28.2485262Z   vuln-type: os,library
2022-08-01T19:23:28.2485555Z   list-all-pkgs: false
2022-08-01T19:23:28.2485744Z env:
2022-08-01T19:23:28.2486129Z   DOCKER_ORG: nebari-dev
2022-08-01T19:23:28.2486437Z   GITHUB_SHA: e544d8056a23cd010af544e0dd7e7606d8c3d2be
2022-08-01T19:23:28.2486779Z ##[endgroup]
2022-08-01T19:23:28.2765567Z ##[command]/usr/bin/docker run --name cd98ff771388e862c4609bd959e8a3c675779_2a24c1 --label 4cd98f --workdir /github/workspace --rm -e DOCKER_ORG -e GITHUB_SHA -e INPUT_INPUT -e INPUT_FORMAT -e INPUT_OUTPUT -e INPUT_SEVERITY -e INPUT_IGNORE-UNFIXED -e INPUT_CACHE-DIR -e INPUT_SECURITY-CHECKS -e INPUT_TIMEOUT -e INPUT_SCAN-TYPE -e INPUT_IMAGE-REF -e INPUT_SCAN-REF -e INPUT_EXIT-CODE -e INPUT_VULN-TYPE -e INPUT_TEMPLATE -e INPUT_SKIP-DIRS -e INPUT_SKIP-FILES -e INPUT_IGNORE-POLICY -e INPUT_HIDE-PROGRESS -e INPUT_LIST-ALL-PKGS -e INPUT_TRIVYIGNORES -e INPUT_ARTIFACT-TYPE -e INPUT_GITHUB-PAT -e INPUT_TRIVY-CONFIG -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_RUN_ATTEMPT -e GITHUB_ACTOR -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_REF_NAME -e GITHUB_REF_PROTECTED -e GITHUB_REF_TYPE -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e GITHUB_STEP_SUMMARY -e RUNNER_OS -e RUNNER_ARCH -e RUNNER_NAME -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/nebari-docker-images/nebari-docker-images":"/github/workspace" 4cd98f:f771388e862c4609bd959e8a3c675779  "-a image" "-b sarif" "-c " "-d " "-e true" "-f os,library" "-g CRITICAL,HIGH" "-h trivy-results.sarif" "-i " "-j ." 
"-k " "-l /github/workspace/jupyterlab-e544d8056a23cd010af544e0dd7e7606d8c3d2be.tar.gz" "-m .trivy" "-n 30m0s" "-o " "-p " "-q " "-r false" "-s vuln" "-t " "-u " "-v "
2022-08-01T19:23:29.9490043Z Running trivy with options:  --format sarif --ignore-unfixed --vuln-type  os,library --security-checks  vuln --severity  CRITICAL,HIGH --output  trivy-results.sarif --timeout  30m0s --input /github/workspace/jupyterlab-e544d8056a23cd010af544e0dd7e7606d8c3d2be.tar.gz
2022-08-01T19:23:29.9490753Z Global options:   --cache-dir  .trivy
2022-08-01T19:23:30.7851437Z 2022-08-01T19:23:30.784Z	INFO	Need to update DB
2022-08-01T19:23:30.7852181Z 2022-08-01T19:23:30.784Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-08-01T19:23:32.6838166Z 2022-08-01T19:23:30.784Z	INFO	Downloading DB...
2022-08-01T19:23:32.6840761Z 30.81 MiB / 33.33 MiB [-------------------------------------------------------->____] 92.44% ? p/s ?33.33 MiB / 33.33 MiB [----------------------------------------------------------->] 100.00% ? p/s ?33.33 MiB / 33.33 MiB [----------------------------------------------------------->] 100.00% ? p/s ?33.33 MiB / 33.33 MiB [----------------------------------------------->] 100.00% 4.20 MiB p/s ETA 0s33.33 MiB / 33.33 MiB [----------------------------------------------->] 100.00% 4.20 MiB p/s ETA 0s33.33 MiB / 33.33 MiB [----------------------------------------------->] 100.00% 4.20 MiB p/s ETA 0s33.33 MiB / 33.33 MiB [----------------------------------------------->] 100.00% 3.93 MiB p/s ETA 0s33.33 MiB / 33.33 MiB [-------------------------------------------------] 100.00% 25.30 MiB p/s 1.5s2022-08-01T19:23:32.683Z	INFO	Vulnerability scanning is enabled
2022-08-01T19:24:44.5147068Z 2022-08-01T19:24:44.514Z	INFO	Detected OS: ubuntu
2022-08-01T19:24:44.5147795Z 2022-08-01T19:24:44.514Z	INFO	Detecting Ubuntu vulnerabilities...
2022-08-01T19:24:44.5206130Z 2022-08-01T19:24:44.520Z	INFO	Number of language-specific files: 2
2022-08-01T19:24:44.5206935Z 2022-08-01T19:24:44.520Z	INFO	Detecting python-pkg vulnerabilities...
2022-08-01T19:24:44.5302568Z 2022-08-01T19:24:44.529Z	INFO	Detecting node-pkg vulnerabilities...
2022-08-01T19:24:44.5691273Z Building SARIF report with options:  --ignore-unfixed --vuln-type  os,library --input /github/workspace/jupyterlab-e544d8056a23cd010af544e0dd7e7606d8c3d2be.tar.gz
2022-08-01T19:29:44.9885758Z 2022-08-01T19:29:44.987Z	FATAL	image scan error: scan error: image scan failed: failed analysis: analyze error: timeout: context deadline exceeded

For the full logs see here.

I was running this action as a matrix and the two other images were successfully scanned and their results uploaded to the GitHub security tab. I did attempt this using trivy image on my local machine and it appeared to work for the image in question.
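A check a reader can run over their own action log, added here as an illustration; it is not code from trivy-action or from anyone in this thread. The log above prints the options of two separate trivy invocations: "Running trivy with options: ... --timeout 30m0s" and, later, "Building SARIF report with options: ..." with no --timeout, and the FATAL arrives five minutes after that second step starts. The script below lists every invocation line whose options lack --timeout and the timeout that therefore applies. The sample log lines are constructed from the excerpts quoted in this issue (image path shortened); 5m0s is trivy's documented default for --timeout.

```shell
#!/bin/sh
# Added example (not trivy-action code). Scans GitHub Actions log lines for
# trivy invocations that were started without an explicit --timeout.

# Constructed sample, reduced from the log excerpt quoted in this issue.
SAMPLE_LOG='2022-08-01T19:23:29.9490043Z Running trivy with options:  --format sarif --ignore-unfixed --vuln-type  os,library --security-checks  vuln --severity  CRITICAL,HIGH --output  trivy-results.sarif --timeout  30m0s --input /github/workspace/image.tar.gz
2022-08-01T19:23:29.9490753Z Global options:   --cache-dir  .trivy
2022-08-01T19:24:44.5691273Z Building SARIF report with options:  --ignore-unfixed --vuln-type  os,library --input /github/workspace/image.tar.gz
2022-08-01T19:29:44.9885758Z 2022-08-01T19:29:44.987Z	FATAL	image scan error: scan error: image scan failed: failed analysis: analyze error: timeout: context deadline exceeded'

# Given one invocation line, print the --timeout value it carries, or the
# trivy default (5m0s) when the option is absent from that invocation.
timeout_for_line() {
    case "$1" in
        *--timeout*) printf '%s\n' "$1" | sed -E 's/.*--timeout +([^ ]+).*/\1/' ;;
        *)           printf '%s\n' "5m0s (trivy default)" ;;
    esac
}

# Read log lines on stdin and print the label ("Running trivy",
# "Building SARIF report") of every invocation that has no --timeout.
# The leading runner timestamp is stripped before matching; the
# "Global options:" line is not an invocation and is skipped.
invocations_missing_timeout() {
    grep -E 'with options:' | sed -E 's/^[0-9T:.-]+Z //' | while IFS= read -r line; do
        case "$line" in
            *--timeout*) ;;                                    # explicit timeout present
            *)           printf '%s\n' "${line%% with options:*}" ;;
        esac
    done
}

# Stand-alone run: one row per invocation with the timeout in effect.
printf '%s\n' "$SAMPLE_LOG" | grep -E 'with options:' | sed -E 's/^[0-9T:.-]+Z //' | while IFS= read -r line; do
    printf '%-22s timeout=%s\n' "${line%% with options:*}" "$(timeout_for_line "$line")"
done
```

On the sample above the report names only "Building SARIF report" as running without a timeout, which is the step that hit the 5-minute deadline in the log; a log where the timeout is honoured shows no rows at all.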

ralfstuckert (Author) commented

Sorry, have been off for a couple of days. I can confirm that the fix solves the problem. Even more: the reason for running into the timeout was 'not passing the security-checks parameter' which was also fixed. Now the scan runs in seconds :-D
