Output file created as root, stucks pipeline with "Unable to clean or reset the repository" #5333

nv35 · 2022-05-11T07:58:11Z

nv35
May 11, 2022

Hi, KICS with Checkmarx/kics-github-action can't run on my self-hosted runner, that is running under a non-root user on the linux server, after the second pipeline execution on the same repo.

My pipeline is a standard one

kics-scan:
    runs-on: [ ec2 ]
    steps:
    - uses: actions/checkout@v2
    # Scan Iac with kics
    - name: run kics Scan
      uses: Checkmarx/action-kics@4988213
      with:
        path: 'iaac'
        output_path: kics-results/
    # Display the results in json format
    - name: display kics results
      run: |
        cat kics-results/results.json

It fails because it can't delete the result of the previous scan run.

Run actions/checkout@v2
Syncing repository: nv35/IaaC
Getting Git version info
/usr/bin/git config --local --get remote.origin.url
https://github.corp.net/nv35/AWS-IaaC
Removing previously created refs, to avoid conflicts
Cleaning the repository
Warning: Unable to clean or reset the repository. The repository will be recreated instead.
Deleting the contents of '/home/githubactionsrunner/actions-runner/_work/AWS-IaaC/AWS-IaaC'
Error: Command failed: rm -rf "/home/githubactionsrunner/actions-runner/_work/AWS-IaaC/AWS-IaaC/kics-results"
rm: cannot remove '/home/githubactionsrunner/actions-runner/_work/AWS-IaaC/AWS-IaaC/kics-results/results.json': Permission denied

The folder belongs to root instead of the user that runs github action:

root@githubrunner:/home/githubactionsrunner/actions-runner/_work/AWS-IaaC/AWS-IaaC# ls -lah
total 20K
drwxr-xr-x 5 githubactionsrunner githubactionsrunner 4.0K May 11 06:56 .
drwxr-xr-x 3 githubactionsrunner githubactionsrunner 4.0K May 10 13:38 ..
drwxr-xr-x 2 root                root                4.0K May 10 13:39 kics-results
drwxr-xr-x 3 githubactionsrunner githubactionsrunner 4.0K May 10 13:38 modules
drwxr-xr-x 3 githubactionsrunner githubactionsrunner 4.0K May 10 13:38 iaac

I guess the KICS docker image runs as root user inside the container, resulting in files created on the host as root instead of correct user. Then, in next pipeline run, github actions runner can't cleanup the repo.
This is basically the same issue that i've described at SonarSource/sonarqube-scan-action/issues/27. See also the solution that was provided, that allows resetting output folder permission. See also #4057.

Is there any known solution or should I create an issue?

kaplanlior · 2022-05-22T11:09:05Z

kaplanlior
May 22, 2022

@nv35 Can you try with the UBI images which are configured to run KICS as non-root ?

See https://github.com/Checkmarx/kics/blob/master/docs/getting-started.md

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Output file created as root, stucks pipeline with "Unable to clean or reset the repository" #5333

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

Select a reply

Output file created as root, stucks pipeline with "Unable to clean or reset the repository" #5333

nv35 May 11, 2022

Replies: 1 comment

kaplanlior May 22, 2022

nv35
May 11, 2022

kaplanlior
May 22, 2022