-
Notifications
You must be signed in to change notification settings - Fork 246
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to scan non-AMD64 container images #279
Comments
I was able to work around this issue in my workflow by specifying the platform in Example:
|
Thanks, that's a good workaround @pbnj-dragon though it would be fantastic to have cross-platform scanning |
Agreed. I would like to see an input for platform, like: - name: Run Trivy vulnerability scanner for distroless container
uses: aquasecurity/[email protected]
with:
image-ref: 'ghcr.io/someimage:${{github.sha}}-distroless'
platform: 'linux/arm64'
format: 'sarif'
output: 'distroless-results.sarif'
github-pat: '${{ secrets.GITHUB_TOKEN }}' That way, I can leverage Job Matrix as needed. Although, I am not sure if image platform has that much effect on vulnerabilities (I could be wrong). |
I just came across this bit of documentation in the action's README:
Upon reading the docs, it seems that trivy respects environment variables like: - name: Run Trivy vulnerability scanner for distroless container
uses: aquasecurity/[email protected]
with:
image-ref: 'ghcr.io/someimage:${{github.sha}}-distroless'
format: 'sarif'
output: 'distroless-results.sarif'
github-pat: '${{ secrets.GITHUB_TOKEN }}'
env:
TRIVY_PLATFORM: linux/arm64 Which effectively enables the same use-cases that having a dedicated For example, you can scan the same image for different platforms, using a Job Matrix, like: jobs:
trivy-image:
strategy:
matrix:
platforms: [ "linux/arm64", "linux/amd64" ]
steps:
- name: Run Trivy vulnerability scanner for distroless container
uses: aquasecurity/[email protected]
with:
image-ref: 'ghcr.io/someimage:${{github.sha}}-distroless'
env:
TRIVY_PLATFORM: ${{ matrix.platform }} |
I've a workflow that builds ARM64 images then attempts to scan them with trivy, unfortunately because the host is AMD64 the images can't be found.
Is there a way to use docker buildx/etc to run trivy against these non-native architecture images?
Example workflow below, which fails with the following error
The text was updated successfully, but these errors were encountered: