-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add examples for scanning when using docker/setup-buildx-action #45
Comments
@audunsolemdal https://github.com/project-copacetic/copa-action?tab=readme-ov-file#option-2-connect-using-defaults-through-a-custom-socket has the details on how to set up containerd image store. If you are trying to patch a local image that's not pushed to a registry, you cannot do that with Another example is here: https://github.com/sozercan/copa-test/blob/main/.github/workflows/patch-action-containerd.yaml |
So I've noticed the images in the examples are all pre-built. I am trying to first build my own image before running trivy-action followed by copa-action Essentially something like this works, but this causes copa-action to fail due to containerd-snapshotter not being enabled aquasecurity/trivy-action#278 (comment) - name: Build image
id: build
uses: docker/build-push-action@v5
with:
file: Dockerfile
load: true
platforms: linux/amd64
push: false
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.build.outputs.imageid }} # or full image name with tag
format: table
exit-code: 1
ignore-unfixed: true
vuln-type: os,library
severity: CRITICAL,HIGH But if you add this step at the top of the workflow, I get the contiainer build working, - name: Set up docker
uses: crazy-max/ghaction-setup-docker@v3
with:
version: latest
daemon-config: |
{
"experimental": true,
"features": {
"containerd-snapshotter": true
}
} I tried a lot of variants but have failed. If trying to input docker-host to trivy-action:
Without |
This is an issue related to the Trivy Github action. When using containerd image store, we create a custom socket and need to be able supply that to Trivy. We can do this with the --docker-host flag when installing Trivy locally. For example:
This will allow you to scan the local images before you patch with Copa Action. It looks like the Trivy action also recently released support for a docker-host argument to the action, but I have not been able to get that to work so far. I will let you know if I can figure out why it works when using Trivy locally but not through the action. I created an issue ( #46) so this can be better documented along with a workflow that uses a locally built image. |
I am struggling to integrate copa-action with my current Workflow.
The workflow fails as I am trying to get copa to scan a local image, while it attempts to pull the image from a private registry where the workflow does not have access
I would appreciate ideas on how to fix this workflow while still using the
docker/setup-buildx-action
with the docker-container driver.I set up with the following
Scan it with trivy this way
The text was updated successfully, but these errors were encountered: