crazy-max / ghaction-container-scan


GitHub Action to check for vulnerabilities in your container image

Home Page: https://github.com/marketplace/actions/container-scan

License: MIT License

TypeScript 84.66% HCL 4.23% Dockerfile 11.12%
docker github-actions sarif-report trivy vulnerability-scanners security-tools

ghaction-container-scan's Introduction


About

GitHub Action to check for vulnerabilities in your container image with Trivy.


Usage

Scan image

name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v3
      -
        name: Build
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v3
        with:
          image: user/app:latest

Scan tarball

name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v3
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      -
        name: Build
        uses: docker/build-push-action@v4
        with:
          context: .
          outputs: type=docker,dest=/tmp/image.tar
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v3
        with:
          tarball: /tmp/image.tar

Severity threshold

You can define a severity threshold so that the job is marked as failed when a vulnerability at or above that level is found:

name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v3
      -
        name: Build
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v3
        with:
          image: user/app:latest
          severity_threshold: HIGH

GitHub annotations

This action can also create GitHub annotations in your workflow for the vulnerabilities discovered:

name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v3
      -
        name: Build
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v3
        with:
          image: user/app:latest
          annotations: true

Upload to GitHub Code Scanning

This action also supports the SARIF format for integration with GitHub Code Scanning, so that findings show up in the repository's Security tab:

name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v3
      -
        name: Build
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        id: scan
        uses: crazy-max/ghaction-container-scan@v3
        with:
          image: user/app:latest
          dockerfile: ./Dockerfile
      -
        name: Upload SARIF file
        if: ${{ steps.scan.outputs.sarif != '' }}
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

💡 The dockerfile input is required to generate a SARIF report.

Build, scan and push your image

name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v3
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      -
        name: Build and load
        uses: docker/build-push-action@v4
        with:
          context: .
          load: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        id: scan
        uses: crazy-max/ghaction-container-scan@v3
        with:
          image: user/app:latest
          dockerfile: ./Dockerfile
      -
        name: Build multi-platform and push
        uses: docker/build-push-action@v4
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: user/app:latest

Customizing

inputs

The following inputs can be used as step.with keys:

| Name | Type | Description |
|------|------|-------------|
| trivy_version | String | Trivy CLI version (default: latest) |
| image | String | Container image to scan (e.g. alpine:3.7) |
| tarball | String | Container image tarball path to scan |
| dockerfile | String | Dockerfile, required to generate a SARIF report |
| severity | String | Report vulnerabilities of the provided level or higher (default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) |
| severity_threshold | String | Severity level at or above which the job is marked as failed |
| annotations | Bool | Create GitHub annotations in your workflow for vulnerabilities discovered |

outputs

The following outputs are available:

| Name | Type | Description |
|------|------|-------------|
| json | File | JSON format scan result |
| sarif | File | SARIF format scan result |
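The json output is the plain Trivy JSON report (the action runs trivy image --format json), so a later step can post-process it, for instance to apply the same gate severity_threshold applies, or to drop findings that have no fixed version yet (Trivy's --ignore-unfixed behaviour, which the action does not expose as an input). The following is an added JavaScript example, not code from the action; it could run under actions/github-script or a plain node step after reading the file named by steps.scan.outputs.json. The report it works on is constructed sample data in Trivy's Results[].Vulnerabilities[] layout, and the CVE identifiers in it are placeholders, not real advisories.

```javascript
// Added example: post-process the action's `json` output (a Trivy JSON report).
// Not code from crazy-max/ghaction-container-scan; it re-implements the
// severity_threshold gate over the report so it can be extended (here with an
// --ignore-unfixed style filter that the action itself does not expose).

// Trivy's severity scale, lowest first. UNKNOWN is treated as the lowest level,
// not as "no severity", so nothing is silently dropped.
const SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"];

function severityRank(severity) {
  const rank = SEVERITY_ORDER.indexOf(String(severity || "UNKNOWN").toUpperCase());
  return rank === -1 ? 0 : rank; // unrecognised values count as UNKNOWN
}

// Flatten Results[].Vulnerabilities[] into one list. Results without a
// Vulnerabilities key (clean targets) are legal in Trivy's schema.
function collectFindings(report) {
  const findings = [];
  for (const result of report.Results || []) {
    for (const vuln of result.Vulnerabilities || []) {
      findings.push({
        target: result.Target,
        id: vuln.VulnerabilityID,
        pkg: vuln.PkgName,
        installed: vuln.InstalledVersion,
        fixed: vuln.FixedVersion || null, // empty string when no fix is published
        severity: String(vuln.Severity || "UNKNOWN").toUpperCase(),
      });
    }
  }
  return findings;
}

// Findings at or above minSeverity (same semantics as the `severity` input);
// ignoreUnfixed additionally drops findings with no FixedVersion.
function filterFindings(report, { minSeverity = "UNKNOWN", ignoreUnfixed = false } = {}) {
  const min = severityRank(minSeverity);
  return collectFindings(report).filter(
    (f) => severityRank(f.severity) >= min && !(ignoreUnfixed && f.fixed === null),
  );
}

// The severity_threshold gate: a non-empty result means the job should fail.
function findingsAtOrAbove(report, threshold, options = {}) {
  return filterFindings(report, Object.assign({}, options, { minSeverity: threshold }));
}

// Constructed sample report in Trivy's JSON layout. The CVE ids are placeholders.
const SAMPLE_REPORT = {
  SchemaVersion: 2,
  ArtifactName: "user/app:latest",
  ArtifactType: "container_image",
  Results: [
    {
      Target: "user/app:latest (alpine 3.17.0)",
      Class: "os-pkgs",
      Type: "alpine",
      Vulnerabilities: [
        { VulnerabilityID: "CVE-0000-0001", PkgName: "openssl", InstalledVersion: "3.0.7-r0", FixedVersion: "3.0.8-r0", Severity: "HIGH" },
        { VulnerabilityID: "CVE-0000-0002", PkgName: "busybox", InstalledVersion: "1.35.0-r29", FixedVersion: "", Severity: "MEDIUM" },
        { VulnerabilityID: "CVE-0000-0003", PkgName: "zlib", InstalledVersion: "1.2.13-r0", FixedVersion: "1.2.13-r1", Severity: "LOW" },
      ],
    },
    {
      Target: "app/package-lock.json",
      Class: "lang-pkgs",
      Type: "npm",
      Vulnerabilities: [
        { VulnerabilityID: "CVE-0000-0004", PkgName: "minimist", InstalledVersion: "1.2.5", FixedVersion: "1.2.6", Severity: "CRITICAL" },
      ],
    },
    { Target: "app/README.md", Class: "lang-pkgs", Type: "npm" }, // clean target, no Vulnerabilities key
  ],
};

// Equivalent of `severity_threshold: HIGH` in the workflow.
const failing = findingsAtOrAbove(SAMPLE_REPORT, "HIGH");
console.log(`${failing.length} finding(s) at or above HIGH`);
for (const f of failing) {
  console.log(`  ${f.severity.padEnd(8)} ${f.id} ${f.pkg} ${f.installed} -> ${f.fixed || "no fix"} (${f.target})`);
}
// In a workflow step you would exit non-zero when `failing` is non-empty.
```

Keeping UNKNOWN as the lowest rank rather than discarding it matters in CI: a finding Trivy could not rate still lands in the report and is only dropped when you explicitly choose a threshold above UNKNOWN, which is also how the action's default severity list behaves.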

Notes

GITHUB_TOKEN Minimum Permissions

If you want the scan to include the Dockerfile, you'll need to check out the repository and give the job:

permissions:
  contents: read

If you want to upload the SARIF report to GitHub Security, you'll need to add these permissions to the job:

permissions:
  actions: read
  security-events: write

Advanced Security must be enabled for this repository to use code scanning

If you receive this error, it likely means you're using a private repository and trying to upload SARIF reports. Code scanning is available on public repositories without extra licensing, but on a private repository it requires GitHub Advanced Security, which an organization admin must enable for the repository.

failed to copy the image: write /tmp/fanal-2740541230: no space left on device

If you encounter this error, the image you are scanning is probably very large and you need to free up disk space on the runner. Removing the .NET SDK that ships with the hosted runner, for example, frees around 23 GB:

      -
        name: Remove dotnet
        run: sudo rm -rf /usr/share/dotnet
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v3
        with:
          image: user/app:latest

timeout: context deadline exceeded

This error is raised by Trivy's own command timeout. You can increase it by setting the TRIVY_TIMEOUT environment variable on the step (Trivy reads its flags from TRIVY_* environment variables):

      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v3
        with:
          image: user/app:latest
        env:
          TRIVY_TIMEOUT: 10m

could not parse reference: ghcr.io/UserName/myimage:latest

You may encounter this issue if you're using github.repository as the repo slug for the image input: the repository path of an image reference must be lowercase, while github.repository preserves the original case of the owner and repository names:

Error: 2021-11-30T09:52:13.115Z	FATAL	scan error: unable to initialize a scanner: unable to initialize a docker scanner: failed to parse the image name: could not parse reference: ghcr.io/UserName/myimage:latest

To fix this issue you can use the docker/metadata-action to generate sanitized (lowercased) tags:

-
  name: Docker meta
  id: meta
  uses: docker/metadata-action@v4
  with:
    images: ghcr.io/${{ github.repository }}
    tags: latest
-
  name: Build and push
  uses: docker/build-push-action@v4
  with:
    context: .
    push: true
    tags: ${{ steps.meta.outputs.tags }}
-
  name: Scan for vulnerabilities
  id: scan
  uses: crazy-max/ghaction-container-scan@v3
  with:
    image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
    dockerfile: ./Dockerfile

Or use a dedicated step to sanitize the slug:

-
  name: Sanitize repo slug
  uses: actions/github-script@v6
  id: repo_slug
  with:
    result-encoding: string
    script: return 'ghcr.io/${{ github.repository }}'.toLowerCase()
-
  name: Build and push
  uses: docker/build-push-action@v4
  with:
    context: .
    push: true
    tags: ${{ steps.repo_slug.outputs.result }}:latest
-
  name: Scan for vulnerabilities
  id: scan
  uses: crazy-max/ghaction-container-scan@v3
  with:
    image: ${{ steps.repo_slug.outputs.result }}:latest
    dockerfile: ./Dockerfile
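The github-script step above lowercases the whole reference, which is fine for a tag like latest but would also rewrite a tag such as V1.2: registry hosts and repository paths must be lowercase, but tags are case-sensitive and digests are hex. The following added JavaScript example (not code from the action or from docker/metadata-action) lowercases only the name part, leaves the tag and digest untouched, and rejects references that would still fail to parse, so a workflow gets a clear error before Trivy does. The reference from the error message above and the other inputs at the bottom are the only sample data; splitImageRef, isRegistryHost and normalizeImageRef are names chosen for this example.

```javascript
// Added example: normalise an image reference before passing it to the `image`
// input. Not code from the action or from docker/metadata-action. It applies
// the same rules the registry does: registry host and repository path are
// lowercase, the tag is case-sensitive and the digest is hex, so only the part
// before ":tag" or "@digest" is lowercased.

// Repository path component grammar from the OCI distribution spec.
const PATH_COMPONENT = /^[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*$/;
// Tag grammar: one of [A-Za-z0-9_] followed by up to 127 of [A-Za-z0-9_.-].
const TAG = /^[\w][\w.-]{0,127}$/;
// Digest grammar: algorithm ":" hex, e.g. sha256:<64 hex chars>.
const DIGEST = /^[a-z0-9]+(?:[+._-][a-z0-9]+)*:[0-9a-f]{32,}$/i;

// Split "name[:tag][@digest]". A ":" after the last "/" starts the tag; a ":"
// before it belongs to a registry port (localhost:5000/app).
function splitImageRef(ref) {
  let rest = String(ref).trim();
  let digest = null;
  let tag = null;
  const at = rest.indexOf("@");
  if (at !== -1) {
    digest = rest.slice(at + 1);
    rest = rest.slice(0, at);
  }
  const lastSlash = rest.lastIndexOf("/");
  const colon = rest.indexOf(":", lastSlash + 1);
  if (colon !== -1) {
    tag = rest.slice(colon + 1);
    rest = rest.slice(0, colon);
  }
  return { name: rest, tag, digest };
}

// Docker's heuristic: a first path component containing "." or ":" or equal to
// "localhost" is a registry host, not part of the repository path.
function isRegistryHost(component) {
  return component.includes(".") || component.includes(":") || component === "localhost";
}

// Returns the normalised reference, or throws if it still would not parse.
function normalizeImageRef(ref) {
  const { name, tag, digest } = splitImageRef(ref);
  if (name === "") throw new Error(`empty image name in ${JSON.stringify(ref)}`);
  const lowered = name.toLowerCase();
  const parts = lowered.split("/");
  const pathParts = parts.length > 1 && isRegistryHost(parts[0]) ? parts.slice(1) : parts;
  for (const part of pathParts) {
    if (!PATH_COMPONENT.test(part)) {
      throw new Error(`invalid repository path component ${JSON.stringify(part)} in ${JSON.stringify(ref)}`);
    }
  }
  if (tag !== null && !TAG.test(tag)) throw new Error(`invalid tag ${JSON.stringify(tag)} in ${JSON.stringify(ref)}`);
  if (digest !== null && !DIGEST.test(digest)) throw new Error(`invalid digest ${JSON.stringify(digest)} in ${JSON.stringify(ref)}`);
  return lowered + (tag !== null ? `:${tag}` : "") + (digest !== null ? `@${digest}` : "");
}

// The reference from the error message above, a tag whose case must survive,
// and a registry with a port.
for (const ref of ["ghcr.io/UserName/myimage:latest", "user/App:V1.2", "localhost:5000/Team/Svc"]) {
  console.log(`${ref} -> ${normalizeImageRef(ref)}`);
}
```

In a workflow you would run this in an actions/github-script step and write the result to an output, the same way the "Sanitize repo slug" step above does, then feed that output to the image input.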

Contributing

Want to contribute? Awesome! The most basic way to show your support is to star the project, or to raise issues. You can also support this project by becoming a sponsor on GitHub or by making a PayPal donation to ensure this journey continues indefinitely!

Thanks again for your support, it is much appreciated! 🙏

License

MIT. See LICENSE for more details.

ghaction-container-scan's People

Contributors

bretfisher, crazy-max, dependabot[bot]


ghaction-container-scan's Issues

Document GITHUB_TOKEN permissions required

After some testing, I believe this is true, but would like someone else to validate if possible before I update README.md

GITHUB_TOKEN Minimum Permissions

If you want the scan to include the Dockerfile, you'll need to checkout the repository and give the job:

permissions:
  contents: read

If you want to upload the SARIF report to GitHub Security, you'll need to add these permissions to the job:

permissions:
  actions: read
  security-events: write

If you receive the error "Advanced Security must be enabled for this repository to use code scanning", this likely means you're using a private repository and trying to upload SARIF reports, which requires an org admin to enable Advanced Security for the repository.

Pass more arguments to trivy

Would it be an idea to have an ENV var that will be used to pass along with the trivy command?
I would like to pass:

--security-checks vuln
--ignore-unfixed

What would make it a bit difficult is that some of the params need a specific location in the command

trivy --security-checks vuln image --ignore-unfixed --severity HIGH examples/python-fastapi:latest -d

Otherwise I would like to have a "with" param to set ignore-unfixed and security-checks

Please increase the timeout to automatically exit, but do not exit the action

Run crazy-max/ghaction-container-scan@v1
  with:
    image: ***/***:latest
    dockerfile: Dockerfiles/Dockerfile
    trivy_version: latest
    annotations: false
    github_token: ***
  env:
    TRIVY_TIMEOUT: 20m
Download and install trivy
  Downloading https://github.com/aquasecurity/trivy/releases/download/v0.27.0/trivy_0.27.0_Linux-64bit.tar.gz
  Extracting trivy
  /usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/febbaea5-e641-41ea-bc45-729a2c3b7650 -f /home/runner/work/_temp/6217431f-1f60-48b7-b5c4-91b166cb9bc5
  Fixing perms
Scanning ***/***:latest container image
  
  Starting scan (json format)
  =============================
  /opt/hostedtoolcache/trivy/0.27.0/x64/trivy image --no-progress --output /tmp/container-scan-xVNWJV/result.json --format json ***/***:latest
  2022-04-27T04:56:01.415Z	INFO	Need to update DB
  2022-04-27T04:56:01.415Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
  2022-04-27T04:56:01.415Z	INFO	Downloading DB...
  2022-04-27T05:06:01.412Z	WARN	Increase --timeout value
  2022-04-27T05:06:01.412Z	FATAL	scan error: image scan failed: failed analysis: analyze error: timeout: context deadline exceeded
Error: 2022-04-27T05:06:01.412Z	FATAL	scan error: image scan failed: failed analysis: analyze error: timeout: context deadline exceeded

And it doesn't seem to hide some information like github.com/user/repo, but other GitHub will hide.

Update sarif template behavior in trivy >= v0.23.0

Behaviour

Today, this action uses this Trivy command for sarif format:

  Starting scan (sarif format)
  =============================
  /opt/hostedtoolcache/trivy/0.25.0/x64/trivy image --no-progress --output /tmp/container-scan-S1dqvB/result.sarif --format template --template @/tmp/container-scan-S1dqvB/sarif.tpl ghcr.io/bretfisher/bla-bla:tag

You'll also see this error with Trivy v0.23.0 or newer (current: v0.25.0)

WARN	Using `--template sarif.tpl` is deprecated. Please migrate to `--format sarif`.

More info: aquasecurity/trivy#1571

Since this action supports multiple Trivy versions, I'm not sure what you'd like to do in order to remain backwards compatible. Maybe we do nothing until the sarif.tpl template is pulled from Trivy altogether.

Scans only work with amd64 images

Behaviour

Steps to reproduce this issue

  1. Build an image with only arm64 and/or arm32 manifests
  2. Run scan action against it

Expected behaviour

Scanning should be possible as trivy provides arm binaries

Actual behaviour

Error: 2021-12-13T23:32:23.703Z FATAL scan error: unable to initialize a scanner: unable to initialize a docker scanner: 3 errors occurred:
* unable to inspect the image (ghcr.io/thespad/dive:v0.10.0-spad003): Error: No such image: ghcr.io/thespad/dive:v0.10.0-spad003
* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
* no child with platform linux/amd64 in index ghcr.io/thespad/dive:v0.10.0-spad003

Configuration

      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v1
        with:
          image: ${{ fromJSON(steps.docker_meta.outputs.json).tags[0] }}

Logs

logs_72.zip

Scan fails when passing repo owner if it contains upper case characters

Behaviour

If you're using something like image: ghcr.io/${{ inputs.repo_owner }}/myimage:latest to call the scan action and your repo owner name (or image name, but weirdly not tag) contains upper case characters the action will fail because the docker repo name must be in lower case. I know this isn't technically an issue with the action, more with the docker client/repo behaviour, but it would be ideal if the action could lowercase any image input to avoid the problem occurring.

Steps to reproduce this issue

  1. Set up an action using something like
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v1
        with:
          image: ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}:latest

Where your repo owner contains upper case characters (in this case TheSpad)

  2. Run the Action

Expected behaviour

Scan should run against the image

Actual behaviour

Scan fails with

Error: 2021-11-30T09:52:13.115Z	FATAL	scan error: unable to initialize a scanner: unable to initialize a docker scanner: failed to parse the image name: could not parse reference: ghcr.io/TheSpad/get_iplayer:latest

Configuration

name: Build Image On Release

on:
  workflow_call:
    inputs:
      repo_owner:
        required: true
        type: string
      app_name:
        required: true
        type: string
      dockerhub_user:
        required: true
        type: string
    secrets:
      dockerhub_password:
        required: true

jobs:
  bake:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/[email protected]
      -  
        name: Docker meta
        id: docker_meta
        uses: docker/[email protected]
        with:
          images: |
            ${{ inputs.repo_owner }}/${{ inputs.app_name }}
            ghcr.io/${{ inputs.repo_owner }}/${{ inputs.app_name }}
          labels: |
            org.opencontainers.image.title=${{ inputs.app_name }}
            org.opencontainers.image.description=${{ inputs.app_name }}
            org.opencontainers.image.vendor=${{ inputs.repo_owner }}
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      -
        name: Set up Docker Buildx
        uses: docker/[email protected]
      -
        name: Login to DockerHub
        uses: docker/[email protected]
        with:
          username: ${{ inputs.dockerhub_user }}
          password: ${{ secrets.dockerhub_password }}
      -
        name: Login to GitHub Container Registry
        uses: docker/[email protected]
        with:
          registry: ghcr.io
          username: ${{ inputs.repo_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Build and push
        uses: docker/[email protected]
        with:
          files: |
            ./docker-bake.hcl
            ${{ steps.docker_meta.outputs.bake-file }}
          targets: image-all
          push: true
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v1
        with:
          image: ghcr.io/${{ inputs.repo_owner }}/${{ inputs.app_name }}:${{ steps.docker_meta.outputs.tags }}

Logs

logs_3160.zip

Scanning with `severity_threshold` fails with `Invalid array length`

Behaviour

Steps to reproduce this issue

With severity_threshold set, the action fails, without that option it succeeds.

Expected behaviour

The action should fail saying the docker image is unhealthy:
https://github.com/crazy-max/ghaction-container-scan#severity-threshold

Actual behaviour

The action fails with Invalid array length:
https://github.com/EnricoMi/publish-unit-test-result-action/runs/5012959037?check_suite_focus=true#step:8:2

Without the severity_threshold option, the actions succeeds:
https://github.com/EnricoMi/publish-unit-test-result-action/runs/5012845758?check_suite_focus=true#step:8:2

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1

      - name: Build Docker image
        id: build
        uses: docker/build-push-action@v2
        with:
          load: true
          push: false
          tags: enricomi/publish-unit-test-result-action:latest
          outputs: type=docker

      - name: Scan for vulnerabilities
        id: scan
        uses: crazy-max/ghaction-container-scan@v1
        with:
          image: enricomi/publish-unit-test-result-action:latest
          dockerfile: ./Dockerfile
          severity_threshold: LOW
          annotations: true
      - name: Upload SARIF file
        if: always() && steps.scan.outputs.sarif != ''
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
