Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to use binary on CIS hardened Pipeline Agent #44

Open
MrBasset opened this issue Aug 8, 2023 · 0 comments
Open

Unable to use binary on CIS hardened Pipeline Agent #44

MrBasset opened this issue Aug 8, 2023 · 0 comments

Comments

@MrBasset
Copy link

MrBasset commented Aug 8, 2023

Hi,

I'm running the Trivy Pipeline extension on a self-hosted agent that per our customer's requirements has been hardened to CIS Benchmark Level 1 - part of this specification will mount the tmpfs with the no execute bit set. This means that the Trivy Extension when run in Binary mode fails to run as it moves the file to /tmp and executes a chmod +x on it.

Would it be possible to allow the tmp path to be set manually or use the /agent/_work/temp path instead?

For now I have been able to hack around the problem by remounting the /tmp directory, and then reverting the change after executing Trivy.

sudo mount -o remount,exec /tmp

<execute trivy extension here>

sudo mount -o remount,noexec /tmp

Note: we are not able to run using the docker image (our preferred option) due to encountering the same issue specified in issues #3 and #19. The work around for these issues was given as running in binary mode.
@MrBasset MrBasset changed the title Unable to use binary on CIS hardened image Unable to use binary on CIS hardened Pipeline Agent Aug 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@MrBasset