GitHub Action - analysis fails after sarif upload #1038
Comments
Hello @mgmgwi I have created a test public repo https://github.com/rahul2393/trivy-workflow, I am trying to replicate the error, can you help me upload step work fine. |
Did you enable |
One more note: they recently updated |
Can you also check if putting this template on your root directory |
Hmm, there might be a problem with GitHub right now. I tried setting it up on a fork but it doesn't work. So we may need to wait for GitHub until they fix their code scanning. |
Ok thanks for the quick checking, can you also check the above sarif_test.tpl, I run on validator the output from above is passing, let me know if you still face error with above template. |
I tried the new template, you can see the result file here: https://github.com/mgmgwi/trivy-workflow/actions/runs/982158248 The SARIF Validator complains about
But I don't think that these would cause the code analysis to fail. |
Hello, just a quick introduction we are working closely with GH helping tools to integrate with GH Actions. Looking at this, the issues are related to the GH rules. @yongyan-gh @shaopeng-gh, can you check if we can improve the sarif file? |
The artifactLocation Uri value comes from .Target fields of Result struct.
From .sarif file we can see the vulnerability is OS package vulnerability:
Can you pls suggest what the right file Uri we should use in this case? @simar7 |
It looks like a vulnerability in |
Hi @simar7 , the issue that we are seeing here is:
Today, per my understanding, we are pointing to a place that isn't a file in the repository/files that you analyzed...which is generating the issue above. |
Roger that. @rahul2393 - could you have another look at it? |
Hi @simar7 , let us know if we can help with this bugfix, ok? |
I am trying to get Trivy (and Dockle) to work with GitHub Code Scanning. Sadly the results are not processed on the GitHub side and I can't find any more details in the GitHub UI. You can find the GitHub Action workflow here: https://github.com/tricky42/kratos/blob/5775b9027eee48f4bb94953c067043456604a92c/.github/workflows/scan.yml#L39 The GitHub UI shows the following error: I am using the customized template to include the locations as mentioned above: https://github.com/tricky42/kratos/blob/master/.github/trivy/sarif.tpl This is the content of the created trivy-results.sarif file:
And this is the report from the SARIF Validator when validating the file above:
Any tip on how to get this working is highly appreciated. |
Hi @eddynaka |
Hi @AndreyLevchenko , maybe I didn't understand much how Trivy works. If Trivy analyzes the docker itself: yeah, that's complex. |
Trivy can check both, but in the scenario above entire docker image is checked. (So it's scenario 1) |
Hi @AndreyLevchenko , got it. What do you think? |
So there is no option to return |
GH Security is trying to help developers fixing source code issues. With that in mind, if we don't have a file to point to, GH cannot render correctly the SARIF causing the issue above. The SARIF itself can handle that. |
This issue is stale because it has been labeled with inactivity. |
Description
I'm scanning a docker image and want to upload the result via the github/codeql-action/upload-sarif@v1 action.
What did you expect to happen?
sarif file gets analyzed correctly.
What happened instead?
The error 'Analysis failed for trivy-workflow' is shown on the Code scanning alerts tab.
Output of run with -debug:
Output of trivy -v:
Additional details (base image name, container registry info...):
Uploading the result file to the Microsoft SARIF validator shows these problems:
I don't know whether these problems are the cause of the error, but maybe they can be fixed by adjusting this block
trivy/contrib/sarif.tpl
Lines 76 to 80 in fb19abd
if a Docker image is scanned.
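The artifactLocation discussion in this thread comes down to one decision in the template: emit the .Target verbatim only when it is a path inside the repository, otherwise point at a file that is. The Go program below is an added example, not Trivy's code and not its contrib/sarif.tpl. It uses a reduced stand-in template with a pathURI helper that makes that decision, maps an image target to an assumed Dockerfile path (the image reference stays in message.text so nothing is lost), and then parses the rendered document to list every artifactLocation.uri that is not repository-relative, which is the check worth running before handing the file to upload-sarif. The Result and Vulnerability field names, the sample findings and their EXAMPLE-… IDs are constructed for this example; %SRCROOT% is the uriBaseId convention from the SARIF specification, not a GitHub requirement stated on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Vulnerability and Result mirror the Trivy Result fields the SARIF template reads (shape assumed here).
type Vulnerability struct{ VulnerabilityID, PkgName, InstalledVersion string }
type Result struct {
	Target          string // image reference for an image scan, file path for a lockfile
	Vulnerabilities []Vulnerability
}

// SampleResults is constructed input: an OS-package finding from an image scan and one from a repo lockfile; IDs are placeholders.
var SampleResults = []Result{
	{Target: "alpine:3.10 (alpine 3.10.2)", Vulnerabilities: []Vulnerability{{"EXAMPLE-0001", "musl", "1.1.22-r3"}}},
	{Target: "app/Gemfile.lock", Vulnerabilities: []Vulnerability{{"EXAMPLE-0002", "rack", "2.0.7"}}},
}

var schemeRE = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9+.-]*:`)

// IsRepoRelativePath reports whether target can be used verbatim as a repository-relative
// artifactLocation.uri: no scheme ("alpine:3.10" parses as scheme "alpine"), not absolute, no whitespace or parentheses.
func IsRepoRelativePath(target string) bool {
	return target != "" && !strings.HasPrefix(target, "/") &&
		!schemeRE.MatchString(target) && !strings.ContainsAny(target, " \t()")
}

// PathURI is the template helper: repository paths pass through; an image
// reference maps to fallback (assumed: the Dockerfile that built the image).
func PathURI(target, fallback string) string {
	if IsRepoRelativePath(target) {
		return target
	}
	return fallback
}

// sarifTpl is a minimal stand-in for contrib/sarif.tpl, not the project's template; the
// original target is kept in message.text so the image reference is not lost.
const sarifTpl = `{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "Trivy"}},
    "results": [
{{- $first := true -}}
{{- range $res := .Results -}}
{{- range $v := $res.Vulnerabilities -}}
{{- if $first}}{{$first = false}}{{else}},{{end}}
      {
        "ruleId": {{jsonStr $v.VulnerabilityID}},
        "message": {"text": {{jsonStr (printf "%s: %s %s in %s" $v.VulnerabilityID $v.PkgName $v.InstalledVersion $res.Target)}}},
        "locations": [{"physicalLocation": {"region": {"startLine": 1},
          "artifactLocation": {"uri": {{jsonStr (pathURI $res.Target $.Fallback)}}, "uriBaseId": "%SRCROOT%"}}}]
      }
{{- end -}}{{- end}}
    ]
  }]
}`

// RenderSARIF executes the template over results, mapping non-path targets to fallback.
func RenderSARIF(results []Result, fallback string) (string, error) {
	funcs := template.FuncMap{"pathURI": PathURI, "jsonStr": func(s string) string { b, _ := json.Marshal(s); return string(b) }}
	t := template.Must(template.New("sarif").Funcs(funcs).Parse(sarifTpl))
	var sb strings.Builder
	err := t.Execute(&sb, struct{ Results []Result; Fallback string }{results, fallback})
	return sb.String(), err
}

// BadLocationURIs returns every artifactLocation.uri in doc that is not a repository-relative path:
// the check to run before calling upload-sarif. encoding/json matches keys case-insensitively, so no tags are needed.
func BadLocationURIs(doc string) ([]string, error) {
	var s struct {
		Runs []struct {
			Results []struct{ Locations []struct{ PhysicalLocation struct{ ArtifactLocation struct{ URI string } } } }
		}
	}
	if err := json.Unmarshal([]byte(doc), &s); err != nil {
		return nil, err
	}
	var bad []string
	for _, run := range s.Runs {
		for _, r := range run.Results {
			for _, loc := range r.Locations {
				if u := loc.PhysicalLocation.ArtifactLocation.URI; !IsRepoRelativePath(u) {
					bad = append(bad, u)
				}
			}
		}
	}
	return bad, nil
}

func main() {
	out, _ := RenderSARIF(SampleResults, "Dockerfile")
	bad, _ := BadLocationURIs(out)
	fmt.Println(out, "\nnon-path artifact URIs:", bad)
}
```

Run with a fallback of "Dockerfile" the rendered file has no non-path URIs; run with the image reference as the fallback (the verbatim .Target behaviour the thread describes) BadLocationURIs reports it, which is the case the validator and the upload both reject. The same decision can be moved into a real template only through a registered template function, since text/template has no string inspection of its own.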