Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Trivy scan fails when no critical vulnerabilities are detected #2251

Closed
Tracked by #1827
jacobwoffenden opened this issue Nov 7, 2023 · 2 comments · Fixed by #2254
Closed
Tracked by #1827

🐛 Trivy scan fails when no critical vulnerabilities are detected #2251

jacobwoffenden opened this issue Nov 7, 2023 · 2 comments · Fixed by #2254
Labels
bug Something isn't working data-platform-apps-and-tools This issue is owned by Data Platform Apps and Tools 🧑‍💻 Apps & Tools BAU (Epic #1827)

Comments

@jacobwoffenden
Copy link
Member

Describe the bug.

Our scanning workflow is designed to fail when it detects CRITICAL

https://github.com/ministryofjustice/data-platform/blob/74cd81562d66e5ad0e101cc08adce6cd39e1e142/.github/workflows/reusable-workflow-containers.yml#L183-L191

However it is failing regardless https://github.com/ministryofjustice/data-platform/actions/runs/6786028361/job/18445644387?pr=2227#step:5:15

To Reproduce

  1. Push an image with no CRITICAL vulnerabilities

Expected Behaviour

Workflow passes

Additional context

I built the offending image locally and ran it through Trivy and the generated SARIF is as expected

Related: aquasecurity/trivy-action#281
@jacobwoffenden jacobwoffenden added bug Something isn't working data-platform-apps-and-tools This issue is owned by Data Platform Apps and Tools 🧑‍💻 Apps & Tools BAU (Epic #1827) labels Nov 7, 2023
@github-actions github-actions bot mentioned this issue Nov 7, 2023
Open
77 tasks
@eugentius
Copy link

eugentius commented Nov 7, 2023
edited
Loading

limit-severities-for-sarif: true fixes the issue

limit-severities-for-sarif: true
trivy  image <image-with-no-critical-vuln> --exit-code  1 --ignore-unfixed --vuln-type  os,library --severity CRITICAL; echo $?
0

limit-severities-for-sarif: false
trivy  image <image-with-no-critical-vuln> --exit-code  1 --ignore-unfixed --vuln-type  os,library ; echo $? 
1

@jacobwoffenden jacobwoffenden mentioned this issue Nov 7, 2023
Merged
@jacobwoffenden
Copy link
Member Author

Thanks @eugentius!

@github-project-automation github-project-automation bot moved this from 🧐 To Do to ✨ Done ✨ in Analytical Platform Nov 7, 2023
@github-actions github-actions bot mentioned this issue Dec 1, 2023
Closed
@jacobwoffenden jacobwoffenden moved this to 🎉 Done in Analytical Platform Feb 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working data-platform-apps-and-tools This issue is owned by Data Platform Apps and Tools 🧑‍💻 Apps & Tools BAU (Epic #1827)
Projects
Analytical Platform
Archived in project
Milestone
No milestone
2 participants
@jacobwoffenden @eugentius