tar ball scanning broken #120

Closed
timdittler opened this issue Jun 9, 2022 · 9 comments · Fixed by #134
Labels
documentation Improvements or additions to documentation question Further information is requested

Comments

@timdittler

Thanks for providing trivy and the action. I'm trying to supply input to scan an image directly after building it. The action fails like this:

Running trivy with options:  --format  json --exit-code  1 --ignore-unfixed --vuln-type  os,library --severity  CRITICAL --no-progress --input /tmp/image.tar
Global options:  
2022-06-08T13:33:04.686Z	INFO	Need to update DB
2022-06-08T13:33:04.686Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-06-08T13:33:04.686Z	INFO	Downloading DB...
2022-06-08T13:33:06.801Z	FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize the archive scanner: 2 errors occurred:
	* unable to open /tmp/image.tar as a Docker image: unable to open the file: open /tmp/image.tar: no such file or directory
	* unable to open /tmp/image.tar as an OCI Image: stat /tmp/image.tar/index.json: no such file or directory

Looking at #23 it seemed to work on day.

Trivy is actually trying to scan inside its own container.
I can replicate the error locally. I have to mount the dir of the tarball to make it work

docker run -it -v /tmp:/tmp 740fe346690b "-a image" "-l /tmp/image.tar"
@timdittler
Author

I can access the image if I copy it into $GITHUB_WORKSPACE, but it's not accessible in $RUNNER_TEMP.

The image is built with docker/build-push-action@v3 before, but it looks like they don't actually share the same tmp.

@simar7
Member

simar7 commented Jun 10, 2022

hi @timdittler - thanks for the observation. I suspect something must have changed within the GitHub Action runtime that the $GITHUB_WORKSPACE and $RUNNER_TEMP are different.

Would you mind documenting this (your workaround that is)? Do you have any other ideas how we could solve it better? Open to thoughts.

@timdittler
Author

No idea, sorry. But usually having an open issue including a workaround is the best way of documenting such limitations for me :)

@achton
Contributor

achton commented Jun 19, 2022

Seems to me that a good starting point would be to add a test to test.bats that fails based on the above feedback, then work forward from there.

@toddbaert

toddbaert commented Jun 21, 2022

I'm seeing the same issue. In my case, moving the tarball to $GITHUB_WORKSPACE doesn't seem to help either. The input method seems not to be usable at this point.

It definitely seems to be related to some nefarious runtime change by github. Everything works as expected running locally with https://github.com/nektos/act

@simar7
Member

simar7 commented Jun 23, 2022

hi @toddbaert and @timdittler - just spent some time to investigate this. Looks like the following should help you:

name: build
on:
  push:
    branches:
    - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
    - name: Checkout code
      uses: actions/checkout@v2

    - name: Generate tarball from image
      run: |
        docker pull <your-docker-image>
        docker save -o vuln-image.tar <your-docker-image>
        
    - name: Run Trivy vulnerability scanner in tarball mode
      uses: aquasecurity/trivy-action@master
      with:
        input: /github/workspace/vuln-image.tar
        severity: 'CRITICAL,HIGH'

$GITHUB_WORKSPACE is something like /home/runner/work/<repo>/<repo> but internally inside the trivy container it is mounted at "/github/workspace".

So using /github/workspace would be the correct path internally for trivy to use.

Let me know if it helps.
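A preflight check for the path problem described in this thread, added here as an example (not part of trivy-action): it translates a host path into the path the action container will see, rejecting anything outside `$GITHUB_WORKSPACE` (such as `$RUNNER_TEMP`), and verifies the tarball has one of the two root files Trivy looks for (`manifest.json` for a `docker save` archive, `index.json` for an OCI layout, per the error above). The `/github/workspace` mount point comes from the comment above; the sample paths in the usage line are assumed.

```bash
#!/usr/bin/env bash
# Example preflight for trivy-action tarball mode. The action runs in its own
# container, which sees the runner's $GITHUB_WORKSPACE mounted at
# /github/workspace; $RUNNER_TEMP and the host's /tmp are not mounted.

# Translate a host path into the path trivy sees inside the action container.
# Prints the container path, or returns 1 if the file is outside the workspace.
to_container_path() {
  local host_path="$1" workspace="${2:-${GITHUB_WORKSPACE:-}}"
  workspace="${workspace%/}"                 # drop a trailing slash
  if [ -z "$workspace" ]; then
    echo "error: workspace root is unknown (set GITHUB_WORKSPACE)" >&2
    return 1
  fi
  case "$host_path" in
    "$workspace"/*)
      printf '/github/workspace/%s\n' "${host_path#"$workspace"/}"
      ;;
    *)
      echo "error: $host_path is outside $workspace; it will not be mounted into the trivy container" >&2
      return 1
      ;;
  esac
}

# Confirm the archive is one of the two layouts trivy tries: a 'docker save'
# archive (manifest.json at the root) or an OCI image layout (index.json).
check_image_tar() {
  local tar_path="$1"
  if [ ! -f "$tar_path" ]; then
    echo "error: $tar_path: no such file" >&2
    return 1
  fi
  if tar -tf "$tar_path" 2>/dev/null | grep -qE '^(\./)?(manifest|index)\.json$'; then
    return 0
  fi
  echo "error: $tar_path has neither manifest.json nor index.json at its root" >&2
  return 1
}

# Usage: preflight.sh <host-path-to-tar> [workspace-root]
# e.g. preflight.sh "$GITHUB_WORKSPACE/vuln-image.tar"   (assumed sample path)
if [ -n "${1:-}" ]; then
  check_image_tar "$1" && to_container_path "$1" "${2:-}"
fi
```

Feed the printed container path to the action's `input:` setting; a non-zero exit before the scan step is cheaper to debug than the "no such file or directory" failure above.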

@simar7 simar7 added documentation Improvements or additions to documentation question Further information is requested labels Jun 23, 2022
@timdittler
Author

timdittler commented Jun 28, 2022 via email

@toddbaert

@simar7 I will give this a shot later today and report back. Thanks!

@toddbaert

@simar7 confirmed that new advice fixed my issue. Thanks for updating the doc
