fix(ci): update trivy-action to use master #3296

Closed
wants to merge 1 commit into from

Conversation

jsjoeio
Contributor

@jsjoeio jsjoeio commented May 5, 2021

Problem

In ci.yaml, we have a job called trivy-scan-repo which scans the repo for vulnerabilities using trivy-action. It then uploads those results to the GitHub Security tab. It's failing due to this error (see logs):

Error: Unable to upload "trivy-repo-results.sarif" as it is not valid SARIF:
- instance.runs[0].tool.driver.rules contains duplicate item

This issue was filed back in December 2020 and fixed in `trivy` on March 23 (see PR).

According to the maintainers, this fix should be in trivy-action because:

Trivy Action uses the latest released version of Trivy https://github.com/aquasecurity/trivy-action/blob/master/Dockerfile#L1
Trivy recently had a new release which includes this fix so by the virtue of that the new Trivy Action will also have it.

Reference: aquasecurity/trivy-action#22 (comment)

UPDATE: they're looking into it
Reference: aquasecurity/trivy-action#22 (comment)
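The failure described in the problem statement above is a SARIF validity error: GitHub's code scanning upload rejects a file whose `runs[0].tool.driver.rules` array contains a duplicate item. The script below is an added example, not code from this PR, from code-server or from Trivy. It assumes that a "duplicate item" means two rule objects sharing the same `id` (the kind of duplication the Trivy fix addressed), builds a small constructed SARIF document with one repeated rule, reports the duplicates, and produces a repaired copy that keeps the first occurrence of each rule and rewrites every result's `ruleIndex` so it still points at the surviving entry. That index remapping is the part a naive "drop duplicates" step misses, since SARIF results may reference rules by position as well as by id.

```python
"""Detect and collapse duplicate rule entries in a SARIF 2.1.0 document.

Added example, not code from the PR or from Trivy. Assumption: GitHub's
"contains duplicate item" error for tool.driver.rules is triggered by two
rule objects with the same `id`. The repair keeps the first occurrence and
remaps each result's `ruleIndex` to the surviving rule's new position.
"""
from __future__ import annotations

import json
import sys

# Constructed sample: the rule id CVE-2020-0001 appears twice in one run,
# which is the shape of file the upload step rejects.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {
                "driver": {
                    "name": "Trivy",
                    "rules": [
                        {"id": "CVE-2020-0001", "shortDescription": {"text": "pkg-a: constructed"}},
                        {"id": "CVE-2020-0002", "shortDescription": {"text": "pkg-b: constructed"}},
                        {"id": "CVE-2020-0001", "shortDescription": {"text": "pkg-c: constructed"}},
                    ],
                }
            },
            "results": [
                {"ruleId": "CVE-2020-0001", "ruleIndex": 0, "message": {"text": "pkg-a"}},
                {"ruleId": "CVE-2020-0002", "ruleIndex": 1, "message": {"text": "pkg-b"}},
                {"ruleId": "CVE-2020-0001", "ruleIndex": 2, "message": {"text": "pkg-c"}},
            ],
        }
    ],
}


def find_duplicate_rules(sarif: dict) -> list[tuple[int, str]]:
    """Return (run index, rule id) for every rule id that repeats within a run."""
    dups: list[tuple[int, str]] = []
    for run_idx, run in enumerate(sarif.get("runs", [])):
        seen: set[str] = set()
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            rid = rule.get("id")
            if rid in seen:
                dups.append((run_idx, rid))
            seen.add(rid)
    return dups


def dedupe_rules(sarif: dict) -> dict:
    """Return a deep copy with duplicate rules removed and ruleIndex values remapped.

    The input document is left untouched; results that reference a removed
    rule by index are pointed at the first (kept) occurrence of that id.
    """
    fixed = json.loads(json.dumps(sarif))  # deep copy via round-trip
    for run in fixed.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = driver.get("rules", [])
        kept: list[dict] = []
        first_index_of: dict[str, int] = {}  # rule id -> index in `kept`
        old_to_new: dict[int, int] = {}      # old position -> new position
        for old_idx, rule in enumerate(rules):
            rid = rule.get("id")
            if rid not in first_index_of:
                first_index_of[rid] = len(kept)
                kept.append(rule)
            old_to_new[old_idx] = first_index_of[rid]
        driver["rules"] = kept
        for result in run.get("results", []):
            idx = result.get("ruleIndex")
            if isinstance(idx, int) and idx in old_to_new:
                result["ruleIndex"] = old_to_new[idx]
    return fixed


if __name__ == "__main__":
    # Usage: python check_sarif.py <input.sarif> [output.sarif]
    # With no arguments the constructed sample is used instead of a file.
    doc = SAMPLE_SARIF if len(sys.argv) < 2 else json.load(open(sys.argv[1]))
    dups = find_duplicate_rules(doc)
    for run_idx, rid in dups:
        print(f"run {run_idx}: duplicate rule id {rid}")
    if dups and len(sys.argv) > 2:
        with open(sys.argv[2], "w") as fh:
            json.dump(dedupe_rules(doc), fh, indent=2)
        print(f"wrote deduplicated SARIF to {sys.argv[2]}")
    print("no duplicate rules" if not dups else f"{len(dups)} duplicate rule entries found")
```

Run against the action's output (for example `python check_sarif.py trivy-repo-results.sarif fixed.sarif`) as a pre-upload step to confirm whether a rejected file carries duplicate rule ids, and to emit a repaired copy if it does; with no arguments it exercises the constructed sample.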

@jsjoeio jsjoeio requested a review from a team as a code owner May 5, 2021 19:32
@codecov

codecov bot commented May 5, 2021

Codecov Report

Merging #3296 (286c857) into main (b798bfd) will increase coverage by 2.76%.
The diff coverage is n/a.


@@            Coverage Diff             @@
##             main    #3296      +/-   ##
==========================================
+ Coverage   54.78%   57.54%   +2.76%     
==========================================
  Files          23       24       +1     
  Lines        1265     1279      +14     
  Branches      286      290       +4     
==========================================
+ Hits          693      736      +43     
+ Misses        460      441      -19     
+ Partials      112      102      -10     
Impacted Files Coverage Δ
src/node/entry.ts 0.00% <0.00%> (ø)
src/node/constants.ts 100.00% <0.00%> (ø)
src/node/main.ts 36.78% <0.00%> (ø)
src/node/cli.ts 77.87% <0.00%> (+0.18%) ⬆️
src/node/util.ts 48.97% <0.00%> (+2.04%) ⬆️
src/node/coder_cloud.ts 28.57% <0.00%> (+28.57%) ⬆️

Continue to review full report at Codecov.

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b798bfd...286c857. Read the comment docs.

@jsjoeio jsjoeio self-assigned this May 5, 2021
@jsjoeio jsjoeio marked this pull request as draft May 5, 2021 20:23
@jsjoeio jsjoeio added ci Issues related to ci security Security related labels May 5, 2021
@jsjoeio jsjoeio added this to the v3.9.4 milestone May 5, 2021
@jsjoeio jsjoeio changed the title fix: try using master for trivy fix(ci): update trivy-action to use master May 5, 2021
@jsjoeio jsjoeio modified the milestones: v3.10.0, v3.11.0 May 7, 2021
@jsjoeio
Contributor Author

jsjoeio commented May 11, 2021

Closing in favor of #3341

@jsjoeio jsjoeio closed this May 11, 2021
@jsjoeio jsjoeio deleted the jsjoeio/fix-trivy branch May 11, 2021 00:02