-
Notifications
You must be signed in to change notification settings - Fork 245
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue with uploading the SARIF report to GitHub #408
Comments
@uRhos that's interesting. I tested this earlier as you can see here and it was fine. Is it possible for you run the same scan locally with the Trivy CLI to see what output you get? It might be a bug with the SARIF output being generated incorrectly. Were the reports correctly being generated and uploaded in prior versions of Trivy action? |
I had similar issue since yesterday, had to revert to 0.25.0. |
Yes, after setting |
Also hitting this in multiple repos, pinning to 0.24.0 fixes it for us |
@uRhos could you try with the latest release https://github.com/aquasecurity/trivy-action/releases/tag/0.27.0 we had an issue where env var were not getting set and it should be addressed hopefully in this release. Let us know how it goes. |
Also having issues with SARIF upload. Confirmed the SARIF is there after the trivy scan, but didn't confirm its contents. Errors from the upload-sarif action attached. I changed no working directory settings or anything like that.
|
Hi @mat-sylvia-mark43 ! Can you give me an example of your workflow? |
The workflow we use is pretty much in the description, we just have one more step to checkout the code first |
@uRhos Ah, I accidentally mentioned you |
so we tried it with the 0.27.0 version of trivy-action and 0.56.2 version of trivy and got the same error, after setting the trivy version to 0.55.2 it works, so it's probably a bug in the latest trivy release |
@nikpivkin Here you go! |
@nikpivkin any thoughts? The action appears to be completely broken by this. |
We are also running into this issue using aquasecurity/[email protected]. Here is our GitHub Action:
|
Hi, we are also facing the same issue. Github action:
It seems that we are not have issues with our AWS Terraform repositories, however, it is failing with our GCP mono-repo repository. |
@simar7, @nikpivkin I have noticed that some
|
Any update on this? I think it is more of a Trivy issue than a Trivy-Action. |
I've just upgrade to Trivy v0.58.0 (I was waiting for another issue to be fixed) and getting the same error when uploading to codeql. I can see an empty URI parameter too.
And manually removing the section with the empty URI helps. And it looks dodgy in normal output as well:
|
Hi @ZsoltPath ! Does trivy load checks bundle by itself or do you override the repository with the |
It does on it's own.
|
@ZsoltPath Do you have a sample I scanned the config with Trivy v0.58 but did not reproduce the problem: ❯ cat main.tf
resource "aws_lambda_function" "test_lambda" {
function_name = "lambda_function_name"
role = aws_iam_role.iam_for_lambda.arn
handler = "index.test"
}%
❯ trivy conf main.tf -f sarif
...
"results": [
{
"ruleId": "AVD-AWS-0066",
"ruleIndex": 0,
"level": "note",
"message": {
"text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0066\nSeverity: LOW\nMessage: Function does not have tracing enabled.\nLink: [AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 5,
"endColumn": 1
}
},
"message": {
"text": "main.tf"
}
}
]
}
],
... |
I have 15 aws_lambda_functions in the codebase. All of them through the same module. |
Are you using this module or a custom one? |
No, it's our custom one |
How did you run Trivy, can you show an example of the step? |
I run it in Github Workflow and manually on my Mac too.
or |
Hello,
We're facing issues with the Using Trivy to scan your Git repo setup, the action is working fine and creates a SARIF report, however that report is not accepted by GithHub in the
Upload Trivy scan results to GitHub Security tab
step. Here's our workflow.yaml config:The error from the
Upload Trivy scan results to GitHub Security tab
is:Error: Code Scanning could not process the submitted SARIF file: locationFromSarifResult: expected artifact location, locationFromSarifResult: expected artifact location
We're using the latest version supported in the trivy-action.
The text was updated successfully, but these errors were encountered: