Open
Description
I am struggling to integrate copa-action with my current workflow.
The workflow fails as I am trying to get copa to scan a local image, while it attempts to pull the image from a private registry to which the workflow does not have access:
```
#1 resolve image config for docker-image://xxxx.azurecr.io/testteam1/testapp1:05-06-2024.744
Error: failed to resolve source metadata for xxxx.azurecr.io/testteam1/testapp1:05-06-2024.744: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://xxxx.azurecr.io/oauth2/token?scope=repository%3Atestteam1%2Ftestapp1%3Apull&service=xxxx.azurecr.io: 403 Forbidden
```
I would appreciate ideas on how to fix this workflow while still using the docker/setup-buildx-action with the docker-container driver.

I set it up with the following:
```yaml
- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v3
  id: buildx
  with:
    driver: docker-container # required for writing to github actions cache
    # probably not the correct way to attempt to configure this..
    buildkitd-config-inline: |
      debug = true
      [features]
      containerd-snapshotter = true
- name: Build docker image using cache
  uses: docker/build-push-action@v5
  with:
    cache-from: type=gha
    cache-to: type=gha,mode=max #requires docker-container driver
    outputs: type=docker,dest=./image.tar
```
(...)
I scan it with Trivy this way:
```yaml
- name: Load container image to docker daemon
  run: docker load -i ./image.tar
- name: Run Trivy vulnerability scanner for OS vulnerabilities
  if: "${{ inputs.run-image-scan == 'true' && steps.build.outputs.cache-hit != 'true'}}"
  uses: aquasecurity/[email protected]
  with:
    #input: ./image.tar
    image-ref: "${{ steps.env.outputs.full-image-name-tagless }}:${{ steps.env.outputs.tag }}"
    format: "json"
    output: "report.json"
    severity: ${{inputs.image-scan-severity}}
    ignore-unfixed: true
    scanners: "vuln"
    vuln-type: "os"
# check whether there are any OS package vulnerabilities
- name: Check vulnerability count
  if: "${{ inputs.run-image-scan == 'true' && steps.build.outputs.cache-hit != 'true' }}"
  id: vuln_count
  run: |
    report_file="report.json"
    vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
    echo "vuln_count=$vuln_count" >> "$GITHUB_OUTPUT"
    echo "Vulnerability count: $vuln_count"
- name: Get socket path
  if: steps.vuln_count.outputs.vuln_count != '0'
  id: socket_path
  run: |
    url=$(docker context inspect | jq -r '.[0].Endpoints.docker.Host')
    socket_path=$(echo "$url" | awk -F// '{print $2}')
    echo "$socket_path"
    # the Copa step reads steps.socket_path.outputs.socket_path, so this must be a step output, not a GITHUB_ENV variable
    echo "socket_path=$socket_path" >> "$GITHUB_OUTPUT"
- name: Run Copa action
  if: steps.vuln_count.outputs.vuln_count != '0'
  id: copa
  uses: project-copacetic/copa-action@v1
  with:
    image: "${{ steps.env.outputs.full-image-name-tagless }}:${{ steps.env.outputs.tag }}"
    image-report: "report.json"
    patched-tag: "patched"
    timeout: "5m" # optional, default is 5m
    custom-socket: "${{ steps.socket_path.outputs.socket_path }}"
```
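Added example, not part of the issue and not code from the copa or Trivy projects: a Python equivalent of the jq count in the "Check vulnerability count" step, extended to list which OS packages in the report have a FixedVersion (the ones a copa patch can actually upgrade). It runs over a constructed Trivy-style report; the `Class`, `Vulnerabilities`, `PkgName`, `InstalledVersion` and `FixedVersion` fields are Trivy's JSON field names, and the CVE ids are placeholders.

```python
import json
from collections import defaultdict
# Constructed Trivy-style report (the shape the jq filter in the issue reads);
# not real scan output, and the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "testapp1 (debian 12.5)", "Class": "os-pkgs",
         "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
             "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libssl3",
             "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "bash",
             "InstalledVersion": "5.2.15-2"},  # no FixedVersion: copa cannot patch it
         ]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs",
         "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0004", "PkgName": "lodash",
                              "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21"}]},
        {"Target": "Dockerfile", "Class": "config"},  # no Vulnerabilities key at all
    ]
})

def load_sample() -> dict:
    return json.loads(SAMPLE_REPORT)

def os_vulns(report: dict) -> list:
    """Same selection as the jq filter: os-pkgs results with a non-null Vulnerabilities list."""
    return [v for r in report.get("Results") or []
            if r.get("Class") == "os-pkgs" and r.get("Vulnerabilities")
            for v in r["Vulnerabilities"]]

def count_os_vulns(report: dict) -> int:
    return len(os_vulns(report))

def fixable_by_package(report: dict) -> dict:
    """Group OS vulns that carry a FixedVersion by package: the set a copa patch can upgrade."""
    out = defaultdict(lambda: {"installed": None, "fixed": None, "cves": []})
    for v in os_vulns(report):
        if not v.get("FixedVersion"):
            continue  # unfixed vulns are reported but cannot be patched by a package upgrade
        entry = out[v["PkgName"]]
        entry["installed"], entry["fixed"] = v.get("InstalledVersion"), v["FixedVersion"]
        entry["cves"].append(v["VulnerabilityID"])
    return dict(out)

if __name__ == "__main__":
    rep = load_sample()
    print(count_os_vulns(rep), fixable_by_package(rep))
```

With the sample report the count is 3 (the lang-pkgs and config results are excluded, as in the jq filter), while only libssl3 is patchable; an empty or `"Results": null` report counts 0.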