perf(misconf): Trivy IaC scanner OOM when run in container or github actions #7548

Closed
nikpivkin opened this issue Sep 19, 2024 Discussed in #6517 · 0 comments · Fixed by #7549
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning
@nikpivkin (Contributor):

Trivy creates an object for each port in the range, which leads to high memory consumption and poor performance. Instead, we need to use port ranges.

Example:

resource "google_compute_network" "this" {
  name = "test-network"
}

resource "google_compute_firewall" "this" {
  name    = "test"
  network = google_compute_network.this.name # the network argument is a string, not the resource object

  allow {
    protocol = "tcp"
    # a single spec covering 200001 ports; expanded per port, this is the trigger for the OOM
    ports    = ["0-200000"]
  }
}

Large range:

       5.33 real         9.10 user         0.29 sys
          2523021312  maximum resident set size
                   0  average shared memory size
                   0  average unshared data size
                   0  average unshared stack size
              155229  page reclaims
                  46  page faults
                   0  swaps
                   0  block input operations
                   0  block output operations
                   0  messages sent
                   0  messages received
                 814  signals received
                 366  voluntary context switches
               12447  involuntary context switches
        104996578111  instructions retired
         26772673867  cycles elapsed
          2477725696  peak memory footprint

Small range:

      0.53 real         0.79 user         0.05 sys
           164560896  maximum resident set size
                   0  average shared memory size
                   0  average unshared data size
                   0  average unshared stack size
               10990  page reclaims
                  30  page faults
                   0  swaps
                   0  block input operations
                   0  block output operations
                   0  messages sent
                   0  messages received
                 252  signals received
                 128  voluntary context switches
                1941  involuntary context switches
          8191908682  instructions retired
          2398659990  cycles elapsed
           118195712  peak memory footprint

Discussed in #6517

Originally posted by obounaim April 18, 2024

Description

Trivy was OOM killed while scanning for Misconfiguration / IaC in Github Action or in Docker. Exit code 137.

trivy config terraform/ --debug

Tested with other commands, which gave the same behavior:
trivy fs --scanners misconfig terraform/ --debug
trivy repo --scanners misconfig terraform/ --debug

du -sch terraform
12M terraform
12M total

The scan works just fine on a local system.
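A range-based port representation of the kind the issue asks for, as an added example in Go (not Trivy's code): a spec such as "0-200000" is parsed into one interval instead of one object per port, so memory stays proportional to the number of specs. The bounds check against the 0-65535 port space and the sample specs are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// PortRange is a closed interval of ports. Storing the interval instead of
// one element per port keeps memory proportional to the number of specs.
type PortRange struct {
	Start, End int
}

// ParsePortRange parses "80" or "8000-9000" into a PortRange without
// expanding it. Bounds are validated against the TCP/UDP port space (an
// assumption of this example), so "0-200000" is rejected, not expanded.
func ParsePortRange(spec string) (PortRange, error) {
	lo, hi, found := strings.Cut(strings.TrimSpace(spec), "-")
	if !found {
		hi = lo // single port: start and end coincide
	}
	start, err := strconv.Atoi(strings.TrimSpace(lo))
	if err != nil {
		return PortRange{}, fmt.Errorf("port range %q: bad start: %w", spec, err)
	}
	end, err := strconv.Atoi(strings.TrimSpace(hi))
	if err != nil {
		return PortRange{}, fmt.Errorf("port range %q: bad end: %w", spec, err)
	}
	if start < 0 || end > 65535 || start > end {
		return PortRange{}, fmt.Errorf("port range %q: outside 0-65535 or inverted", spec)
	}
	return PortRange{Start: start, End: end}, nil
}

// Contains is an O(1) membership check that replaces walking a per-port slice.
func (r PortRange) Contains(port int) bool { return port >= r.Start && port <= r.End }

// Size is the number of ports covered, computed arithmetically.
func (r PortRange) Size() int { return r.End - r.Start + 1 }

func main() {
	for _, spec := range []string{"22", "8000-9000", "0-200000"} { // constructed sample specs
		r, err := ParsePortRange(spec)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%s covers %d ports, contains 8080: %v\n", spec, r.Size(), r.Contains(8080))
	}
}
```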

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Sep 19, 2024
@nikpivkin nikpivkin self-assigned this Sep 19, 2024
@simar7 simar7 added this to the v0.56.0 milestone Sep 20, 2024
@simar7 simar7 changed the title Trivy IaC scanner crashed when run in container or github actions - 137 exit code perf(misconf): Trivy IaC scanner crashed when run in container or github actions - 137 exit code Sep 20, 2024
@simar7 simar7 changed the title perf(misconf): Trivy IaC scanner crashed when run in container or github actions - 137 exit code perf(misconf): Trivy IaC scanner OOM when run in container or github actions Sep 20, 2024