
Trivy failed to download ARM architecture node despite running on ARM GHA runner #188

Open
kewei5zhang opened this issue Jan 11, 2023 · 2 comments

Comments

@kewei5zhang

Behaviour

Steps to reproduce this issue

  1. Build an ARM-architecture-only Docker image and push it to ECR
  2. Use Trivy to download and scan the image

Expected behaviour

Trivy should perform the requested security scan

Actual behaviour

Trivy tried to pull down the amd64 image even though it's running on an ARM runner.

2023-01-11T03:31:03.726Z	FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
	* unable to inspect the image (***.dkr.ecr.***.amazonaws.com/image:tag): Error: No such image: ***.dkr.ecr.***.amazonaws.com/image:tag
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* containerd socket not found: /run/containerd/containerd.sock
	* no child with platform {Architecture:amd64 OS:linux OSVersion: OSFeatures:[] Variant: Features:[]} in index ***.dkr.ecr.***.amazonaws.com/image:tag

Configuration

  • Repository URL (if public):
  • Build URL (if public):
runs:
  using: "composite"
  steps:
    - uses: actions/checkout@v3
    - uses: docker/setup-buildx-action@v2
    - uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: '${{ inputs.AWS_ACCESS_KEY_ID }}'
        aws-secret-access-key: '${{ inputs.AWS_SECRET_ACCESS_KEY }}'
        aws-region: '${{ inputs.AWS_REGION }}'
    - id: login-ecr
      uses: aws-actions/amazon-ecr-login@v1
    - name: build and push image
      uses: docker/build-push-action@v3
      with:
        context: .
        file: ${{ inputs.dockerfile }}.Dockerfile
        push: true
        platforms: ${{ inputs.platforms }}
        # cache-from: type=gha
        # cache-to: type=gha,mode=max
        tags: ${{ steps.login-ecr.outputs.registry }}/${{ inputs.registry }}:${{ inputs.tag }}
    - uses: aquasecurity/[email protected]
      if: ${{ steps.image_meta.outputs.IMAGE_META == ''}}
      with:
        image-ref: '${{ inputs.AWS_ACCOUNT_ID }}.dkr.ecr.${{ inputs.AWS_REGION }}.amazonaws.com/${{ inputs.registry }}:${{ inputs.tag }}'
        format: 'table'
        exit-code: '0'
        ignore-unfixed: true
        timeout: '10m0s'
        vuln-type: 'os,library'
        severity: 'CRITICAL'
@pbnj-dragon

I was able to solve this issue in my workflow by specifying the platform in the trivy.yaml file.

Example:

  1. In trivy.yaml:

    image:
      platform: linux/arm64
  2. In the GitHub workflow file:

     - uses: aquasecurity/[email protected]
       with:
         image-ref: '${{ inputs.AWS_ACCOUNT_ID }}.dkr.ecr.${{ inputs.AWS_REGION }}.amazonaws.com/${{ inputs.registry }}:${{ inputs.tag }}'
         trivy-config: trivy.yaml


pbnj-dragon commented Feb 3, 2024

Found a better solution than the trivy.yaml config file.

See related issue/comment: #279 (comment)

TLDR: specify image platform using TRIVY_ environment variables, like:

# ...
    - uses: aquasecurity/[email protected]
      if: ${{ steps.image_meta.outputs.IMAGE_META == ''}}
      with:
        image-ref: '${{ inputs.AWS_ACCOUNT_ID }}.dkr.ecr.${{ inputs.AWS_REGION }}.amazonaws.com/${{ inputs.registry }}:${{ inputs.tag }}'
        format: 'table'
        exit-code: '0'
        ignore-unfixed: true
        timeout: '10m0s'
        vuln-type: 'os,library'
        severity: 'CRITICAL'
      env:
        TRIVY_PLATFORM: linux/arm64

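As an added example (not part of this issue or of trivy-action), the script below shows the two pieces the fixes above rely on: deriving the TRIVY_PLATFORM value from the runner's CPU, and resolving a requested platform against an OCI image index the way a scanner must, with a failure message that names the platforms the index actually carries. The image index, digests and sizes are constructed.

```python
import json
import platform

# Constructed OCI image index (not from the issue): the image was built for
# linux/arm64 only, so an amd64 lookup must fail the way the FATAL line above shows.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + "a" * 64,  # placeholder digest
            "platform": {"architecture": "arm64", "os": "linux"},
        },
        {
            # buildx attestations sit under an "unknown" platform; never a scan target
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + "b" * 64,
            "platform": {"architecture": "unknown", "os": "unknown"},
        },
    ],
})

# Kernel machine names as reported by platform.machine() -> os/arch string
MACHINE_TO_PLATFORM = {
    "x86_64": "linux/amd64", "amd64": "linux/amd64",
    "aarch64": "linux/arm64", "arm64": "linux/arm64",
}


def runner_platform(machine=None):
    """Derive the value to export as TRIVY_PLATFORM from the runner's CPU."""
    machine = machine or platform.machine()
    return MACHINE_TO_PLATFORM.get(machine.lower())


def select_manifest(index_json, wanted):
    """Return the digest of the child manifest for 'os/arch[/variant]'.
    Raises LookupError naming the platforms the index does carry, which is
    the detail the bare 'no child with platform' error leaves out.
    """
    parts = wanted.split("/") + [""]          # pad so a missing variant reads as ""
    os_, arch, variant = parts[0], parts[1], parts[2]
    available = []
    for child in json.loads(index_json).get("manifests", []):
        p = child.get("platform", {})
        available.append("/".join(filter(None, (p.get("os"), p.get("architecture"), p.get("variant")))))
        if (p.get("os"), p.get("architecture"), p.get("variant", "")) == (os_, arch, variant):
            return child["digest"]
    raise LookupError(f"no child with platform {wanted}; index has: {', '.join(available)}")
```

Exporting `runner_platform()` as TRIVY_PLATFORM in the step's `env:` block (as in the comment above) makes the scan follow the runner's architecture instead of defaulting to amd64.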