Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

trivy-action attempts to run sudo on the local machine (!?) #403

Closed
mattnakama-skytap opened this issue Oct 8, 2024 · 5 comments · Fixed by #406
Closed

trivy-action attempts to run sudo on the local machine (!?) #403

mattnakama-skytap opened this issue Oct 8, 2024 · 5 comments · Fixed by #406

Comments

@mattnakama-skytap
Copy link

It looks like #399 changed trivy-action to use "composite" instead of "docker", and it attempts to install trivy via a curl [url]/install.sh | sudo sh - style method. This seems a bit dangerous to run on the local system outside of docker.

Am I misunderstanding what "composite" is supposed to do? I'm not going to grant sudo access to the github action runner user.

When running the latest, action, I get this in the log output:

Run aquasecurity/trivy-action@master
  with:
    image-ref: [redacted]
    exit-code: 1
    severity: MEDIUM,HIGH,CRITICAL
    format: table
    scan-type: image
    scan-ref: .
    ignore-unfixed: false
    vuln-type: os,library
    cache-dir: /run/github-runner/argo-2/argo/argo/.cache/trivy
    list-all-pkgs: false
    version: v0.56.1
    cache: true
Run curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.56.1
  curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.56.1
  shell: /nix/store/516kai7nl5dxr792c0nzq0jp8m4zvxpi-bash-5.2p32/bin/bash --noprofile --norc -e -o pipefail {0}
/run/github-runner/argo-2/_temp/1455b404-12e8-4243-bcd6-0e695ee57cfc.sh: line 1: curl: command not found
/run/github-runner/argo-2/_temp/1455b404-12e8-4243-bcd6-0e695ee57cfc.sh: line 1: sudo: command not found
Error: Process completed with exit code 127.

I left a comment on the relevant code change:
https://github.com/aquasecurity/trivy-action/pull/399/files#r1792533665
@wallies
Copy link

wallies commented Oct 8, 2024
edited
Loading

Been getting this with the new version as well. Definitely cant have sudo running, goes against openssf security practice for github actions

@simar7
Copy link
Member

simar7 commented Oct 8, 2024

cc @knqyf263 @DmitriyLewen

@portswigger-tim
Copy link

This is not good on unprivileged self-hosted runners 😬

Run curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.56.1
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
Error: Process completed with exit code 1.

@DmitriyLewen
Copy link
Contributor

Hello all
We are already working on this task.

@sp3c1 sp3c1 mentioned this issue Oct 9, 2024
Open
@DmitriyLewen DmitriyLewen mentioned this issue Oct 9, 2024
Merged
@rv0lt rv0lt mentioned this issue Oct 9, 2024
Merged
23 tasks
@DmitriyLewen
Copy link
Contributor

Hello all!
We merged #406
trivy-action installs Trivy from release page now. So we don't need to use curl and sudo.

Fill free to write here if you still have problems/questions.

@DmitriyLewen DmitriyLewen mentioned this issue Oct 25, 2024
Closed
This was referenced Dec 12, 2024
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

ci: use setup-trivy to install Trivy DmitriyLewen/trivy-action
5 participants
@wallies @simar7 @DmitriyLewen @portswigger-tim @mattnakama-skytap