
trivy-azure-pipelines-task's Introduction

Trivy for Azure DevOps

An Azure DevOps Pipelines Task for Trivy, with an integrated UI.

Screenshot showing the Trivy extension in the Azure Devops UI

Documentation and more information is available on the Azure DevOps Marketplace.


trivy-azure-pipelines-task's Issues

Download binary

I installed trivy on azure builder agent using:

dnf install -y https://github.com/aquasecurity/trivy/releases/download/v0.52.0/trivy_0.52.0_Linux-64bit.rpm

sh-4.4$ trivy -v
Version: 0.52.0
Vulnerability DB:
Version: 2
UpdatedAt: 2024-06-07 06:11:22.699349734 +0000 UTC
NextUpdate: 2024-06-07 12:11:22.699349173 +0000 UTC
DownloadedAt: 2024-06-07 08:44:09.02993983 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2024-06-07 01:02:34.188908636 +0000 UTC
NextUpdate: 2024-06-10 01:02:34.188908516 +0000 UTC
DownloadedAt: 2024-06-07 08:44:30.469425256 +0000 UTC

sh-4.4$ which trivy
/usr/bin/trivy

but the Azure DevOps task tries to download the binary again, and it is not permitted to access the internet.

Preparing output location...
Run requested using local Trivy binary...
Finding correct Trivy version to install...
Required Trivy version is v0.52.0
Downloading Trivy...
Downloading: https://github.com/aquasecurity/trivy/releases/download/v0.52.0/trivy_0.52.0_Linux-64bit.tar.gz

How can I resolve this?

Thanks

Vulnerabilities display issue when scanned multiple images

I invoke the Trivy task twice in the pipeline, and while the report contains tabs for both scans, when switching between the tabs the list of vulnerabilities is not refreshed.
On the screenshot below, there are two scan results, one with 12 vulnerabilities and the other one with 0 vulnerabilities. When I switch to the second tab, it still shows vulnerabilities list from the first tab.

image

Here are the tasks:

- task: Docker@2
  displayName: Login to Container Registry
  inputs:
    containerRegistry: "testmanagement"
    command: "login"
- task: trivy@1
  displayName: Scanning XXXXXX-client:$(DOCKER_TAG)
  inputs:
    image: XXXXXX/XXXXXX-client:$(DOCKER_TAG)
    docker: false
    exitCode: 0
- task: trivy@1
  displayName: Scanning XXXXXX-flows:$(DOCKER_TAG)
  inputs:
    image: XXXXXX/XXXXXX-flows:$(DOCKER_TAG)
    docker: false
    exitCode: 0

Add an "options" or "args" input to the task

Hello,
I added the task to a pipeline, but it fails after 5 minutes on agents that have not run the task previously, due to the slow download time of the DB, and I am unable to set "--timeout" to prevent that.
Would it be possible to add an "options" or "args" input to customise the command line executed?

Not a latest image, code bug

In the Azure DevOps task, using the Trivy binary with the tag "latest" downloads the hardcoded 0.38 version. It is not the latest anymore and should be fixed:

https://github.com/aquasecurity/trivy-azure-pipelines-task/blob/7516cf958f694c0e8a98a593ac41af218a0a71eb/trivy-task/index.ts#L7C1-L7C37

For now, I'm using a workaround in the task by writing the fixed version v0.44.1.

      - task: trivy@1
        displayName: Trivy Repository Scan
        inputs:
          version: "v0.44.1"
          docker: false
          path: ${{ variables.DIRECTORY }}
          severities: ${{ variables.SEVERITIES }}
          options: "--timeout 10m"
          exitCode: ${{ variables.EXITCODE }}

Unable to run trivy in docker mode when building with private Azure Agent in Kubernetes

Hi

I'm trying to use trivy in a private Azure Agent running in Kubernetes and it gives me the following error:

2022-07-04T08:14:38.113Z	FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
	* unable to inspect the image (***/myproject/myservice:4989): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* containerd socket not found: /run/containerd/containerd.sock

This is probably because Kubernetes does not support Docker any more.

I'm running Docker in a separate container on my Kubernetes cluster.
How can I tell Trivy to use that Docker instance?

In my Azure Build Agent, I'm doing this by changing the env variable like this:

- name: DOCKER_HOST
  value: tcp://localhost:2379

Cannot view Trivy tab in Azure Devops due Javascript error

The Trivy tab in the Azure DevOps pipeline doesn't work due to an error:

TypeError: can't access property "forEach", e is undefined
    results VulnerabilitiesTable.tsx:191
    r VulnerabilitiesTable.tsx:127
    React 11
    r App.tsx:106
    Babel 5
react-dom.production.min.js:194:194
    React 11
    r App.tsx:106
    Babel 5

Request to change --security-checks to --Scanners

When I'm using the Trivy task in my pipeline, I'm getting a warning: --security-checks is deprecated, use --scanners instead.
I'm using Trivy version 0.42.1.

Please make this change in a way that lets us choose the type of scanner to use via an argument,
e.g.:

- task: trivy@1
  displayName: 'trivy container'
  inputs:
    version: 'v0.42.1'
    docker: false
    image: 'node:latest'
    scanners: 'vuln,secret'
    severities: 'HIGH,CRITICAL'
    exitCode: '1'
    ignoreUnfixed: true
    options: '--vuln-type library'

Version 1.4.0 breaking change when using TRIVY_SEVERITY environment variable

I'm not sure if this is an issue with the plugin itself, or with the underlying version of trivy that it's using, but as of 2 hours ago when the 1.4.0 release went out, my builds are all failing now. I was setting the TRIVY_SEVERITY environment variable in my task like so:

  - task: trivy@1
    displayName: 'Fail build for critical vulnerabilities'
    inputs:
      version: 'latest'
      docker: false
      path: '$(System.DefaultWorkingDirectory)'
    env:
      TRIVY_SEVERITY: 'HIGH,CRITICAL'
      TRIVY_IGNOREFILE: '$(System.DefaultWorkingDirectory)/.trivyignore'

and it seems to be ignoring that and using the value passed in on the command line now (which defaults to 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'). Is there a way to get the old behavior back without going in and modifying all of my dozens of pipelines to pass in the values I want on the command line?

Doesn't scan private terraform repo/modules

It doesn't scan private Terraform modules that are called with SSH URLs like [email protected]
It works with the tfsec extension but not with Trivy.

I am using the Trivy extension in my ADO pipeline like this:

- task: trivy@1
  displayName: "Compliance Run > trivy"
  inputs:
    path: .
    debug: true
    exitCode: 0

Trivy results don't show up on Azure DevOps UI

I ran Trivy as part of my pipeline and got results for Misconfigurations(1) and Secrets(2), with 0 vulnerabilities.

On Azure DevOps, when I try to review the overlaid results, I get a blank screen (see video for full context)

trivy-results-azuredevops-ui.mov

When viewing the error console in Chrome, the following line is highlighted:
Screen Shot 2022-08-28 at 13 30 05

Which corresponds to this line: https://github.com/aquasecurity/trivy-azure-pipelines-task/blob/main/ui/src/BaseReport.tsx#L50

It should show the results overlay consecutively

error extension Cannot connect to the Docker daemon at unix:///var/run/docker.sock.

Hi everyone
I am trying to use the Trivy extension, but I get this error when using the option "Run Trivy using the aquasec/trivy docker image" to analyze images:

  • unable to inspect the image (****:latest): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

I'm sure that docker is running, because I build an image in the previous step.

I would appreciate any help you can give me.

AzDO extension publish failure

Hi, there is a publishing workflow failure

error: Received response 401 (Not Authorized). Check that your personal access token is correct and hasn't expired.
Error: Process completed with exit code 255.

image

The latest version available on the marketplace is 1.4.1 and versions 1.4.2 and 1.5.0 are not published.

It looks like the PUBLISHER_TOKEN is expired. Can this be updated, please?

Concurrency issue using the trivy binary directly

When setting docker: false as recommended by #3, I run into concurrency issues because the binary is always installed on the same path, /tmp/bin, and the task forces a recursive remove of that path before installation. Concurrent builds run into issues because of this.

[Feature request] Support for local images

Hi,

we would like to scan local images as part of our build process, before we push them.
Currently the task has no option to enable mounting of the local docker socket to scan local images.

Unable to use binary on CIS hardened Pipeline Agent

Hi,

I'm running the Trivy Pipeline extension on a self-hosted agent that per our customer's requirements has been hardened to CIS Benchmark Level 1 - part of this specification will mount the tmpfs with the no execute bit set. This means that the Trivy Extension when run in Binary mode fails to run as it moves the file to /tmp and executes a chmod +x on it.

Would it be possible to allow the tmp path to be set manually or use the /agent/_work/temp path instead?

For now I have been able to hack around the problem by remounting the /tmp directory, and then reverting the change after executing Trivy.

sudo mount -o remount,exec /tmp

<execute trivy extension here>

sudo mount -o remount,noexec /tmp

Note: we are not able to run using the docker image (our preferred option) due to encountering the same issue specified in issues #3 and #19. The work around for these issues was given as running in binary mode.

Unable to process the results

While running it on our pipeline, it's impossible to upload the result file:
image

The code is:

- task: trivy@1
  displayName: "Trivy Scan"
  inputs:
    version: "${{ parameters.TrivyVersion }}"
    path: .

Add option to use 'convert'

As a pipeline user
I would like to convert the reported JSON output
after scanning by image and/or filesystem
without having to run the scan again

This feature could also be useful in the following situations:

  • Saves time when having to report in different formats (e.g. SARIF)
  • Can be used to display results in a table when debugging
  • Can be used as second step to only fail on certain severity levels

The solution should contain a third option (aside from the current fs and image options) to run the convert action as described here
For convenience, the task should also report the file URI or path where the scan result can be found. Or the output location should be specified using a parameter.

There is no workaround available inside the task, as there is a check for either a non-empty 'image' or 'path' parameter. The only way around this is to use Trivy as an image or executable directly, which defeats the purpose of this plugin.

Support for Bicep

Hello,

I am looking for a proper Security Scanning Tool for my Azure DevOps organization, which uses mainly Bicep, PowerShell code, together with YAML files. I researched some tools, including Aqua Trivy, but I can't find any documentation about if it supports the previously mentioned technologies.

Does Aqua Trivy support these?

Feature request: control which severity levels are used

We currently use a home-grown trivy setup, and we fail the build if any critical or high issues are found (by setting the exit code to be > 0). We'd love to move to this task instead, but right now it seems we can only fail the build if any issues are found, which isn't quite what we need.

Can I suggest that there's an additional input surfaced for the severity argument please? Example:

jobs:
- job: Scan the local project
  steps:
  - task: trivy@1
    inputs:
      path: .
      severity: CRITICAL,HIGH

Error when running scan over local repo

I have configured the below YAML to run on Azure pipeline, when I try to use it, during the trivy scan step, I received the following errors.

##[error]Failed: Trivy detected problems. Publishing JSON results... ##[error]Unable to process command '##vso[task.addattachment type=JSON_RESULT;name=trivy0.4340597811797098.json;]/tmp/trivy-results-0.31370319055668205.json' successfully. Please reference documentation (http://go.microsoft.com/fwlink/?LinkId=817296) ##[error]Value cannot be null. (Parameter 'Cannot upload task attachment file, attachment file location is not specified or attachment file not exist on disk') Done! Finishing: Run Trivy Scan

The scan fails, and under the Trivy tab the dashboard has no file to read, so it is empty. Is there any solution for this?

YAML FILE

trigger:
  - main

jobs:
  - job: Scan_Security_Repository
    steps:
      - checkout: self
        persistCredentials: true
      - script: |
          git clone https://$(System.AccessToken)@test.visualstudio.com/DefaultCollection/Infrastructure%20and%20DevOps/_git/test
        displayName: 'Clone SCOPS Repo'
      - task: trivy@1
        inputs:
          severities: 'CRITICAL,HIGH,MEDIUM'
          path: '$(System.DefaultWorkingDirectory)/test'
          exitCode: 0
        displayName: 'Run Trivy Scan'
      - script: |
          rm -rf $(System.DefaultWorkingDirectory)/test
        displayName: 'Clear local repository'

ability to get results in other pipeline task

Task adds an attachment that would be available presumably from the REST API. But it would be handy to be able to get the scan results (of interest the summary of each scan, and the counts of vulnerabilities, misconfigurations and secrets) so I can send them to slack or other services after the scan is complete.

Unable to scan docker images using Azure pipeline

Below is the docker version that I am using
image

Below is the pipeline code
image

Below is the pipeline job
image

Below is the trivy docker command it is running internally
/usr/bin/docker run --rm -v /root/.docker:/root/.docker -v /tmp:/tmp -v /azp/_work/1/s:/src --workdir /src aquasec/trivy:latest image --exit-code 1 --format json --output /tmp/trivy-results-0.8049780762459939.json --security-checks vuln,config,secret XXXXXXXX.azurecr.io/import:46517

Can someone please help?

When I run the above docker command manually I am getting the below
image

I tried changing the volume to "-v /var/run/docker.sock:/var/run/docker.sock" then it is working.

How can I fix this using the Azure Pipelines Trivy task? Please suggest.

Trivy execution warning about '--security-checks'

Using v0.40.0 this warning is shown by Trivy: '--security-checks' is deprecated. Use '--scanners' instead.

When I add the suggested --scanners option, this has no effect.

/tmp/trivy image --exit-code 0 --format json --output /tmp/trivy-results-0.25440671860932973.json --security-checks vuln,config,secret --ignore-unfixed --scanners vuln ***/hwbackend:0.5.0--156-fix-trivy.20-6e52186
2023-04-27T06:48:51.109Z	WARN	'--security-checks' is deprecated. Use '--scanners' instead.

Issue downloading trivy - keeps truncating output using - task: trivy@1 in azure devops

Downloading Trivy...
Downloading: https://github.com/aquasecurity/trivy/releases/download/v0.38.2/trivy_0.38.2_Linux-64bit.tar.gz
##[warning]Content-Length (50287548 bytes) did not match downloaded file size (50285568 bytes).
Extracting Trivy...
Extracting archive
/usr/bin/tar xC /tmp/ -f /tmp/trivy

gzip: stdin: unexpected end of file
/usr/bin/tar: Unexpected EOF in archive
/usr/bin/tar: Unexpected EOF in archive
/usr/bin/tar: Error is not recoverable: exiting now
##[error]The process '/usr/bin/tar' failed with exit code 2
Finishing: trivy

As you can see, any time I run against - task: trivy@1 - I get the above output.

[FEATURE REQUEST] Fail task only if certain severity is present in the result

I'd like to have a more fine-grained way to configure whether the pipeline task should fail. Currently, it's only possible to let the task fail if at least one finding is present (with the exitCode parameter).

I'd like to have the task fail upon CRITICAL and HIGH issues while issues with lower priorities shall be reported as well but not fail the whole task. Setting the existing "severities" property to values < HIGH doesn't help, as the high ones won't be reported then.
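A post-processing step that serves the requests above (fail only on chosen severities while still reporting lower ones, and get per-class counts for a Slack or other follow-up task) as an added example, not code from the task or from Trivy itself. It assumes the layout of Trivy's --format json output (a "Results" list whose entries carry "Class" and optional "Vulnerabilities", "Misconfigurations" and "Secrets" lists, each finding with a "Severity") and reads a constructed sample report when no path is given:

```python
"""Gate a pipeline on a Trivy JSON report by severity and emit a summary.

Added example, not part of the trivy-azure-pipelines-task project. Run it as a
step after the task: python trivy_gate.py /tmp/trivy-results-<id>.json HIGH
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report (not real scan output): one image with two
# vulnerabilities, one failed misconfiguration, one passed check and one secret.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.azurecr.io/app:1.0",
    "Results": [
        {"Target": "example.azurecr.io/app:1.0 (debian 12)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "Severity": "LOW"}]},
        {"Target": "Dockerfile", "Class": "config",
         "Misconfigurations": [
             {"ID": "DS-EXAMPLE", "Severity": "MEDIUM", "Status": "FAIL"},
             {"ID": "DS-PASSED", "Severity": "HIGH", "Status": "PASS"}]},
        {"Target": "app/.env", "Class": "secret",
         "Secrets": [{"RuleID": "example-token", "Severity": "CRITICAL"}]},
    ],
})


def load_sample() -> dict:
    """Parse the constructed sample report."""
    return json.loads(SAMPLE_REPORT)


def summarize(report: dict) -> dict:
    """Count findings by class and by severity across all Results entries."""
    by_class = Counter()
    by_severity = Counter()
    for result in report.get("Results", []):
        findings = [("vulnerabilities", v) for v in result.get("Vulnerabilities") or []]
        # Misconfiguration lists can include PASS entries; only FAIL counts as a finding.
        findings += [("misconfigurations", m) for m in result.get("Misconfigurations") or []
                     if m.get("Status", "FAIL") == "FAIL"]
        findings += [("secrets", s) for s in result.get("Secrets") or []]
        for kind, finding in findings:
            by_class[kind] += 1
            by_severity[finding.get("Severity", "UNKNOWN").upper()] += 1
    return {"by_class": dict(by_class), "by_severity": dict(by_severity)}


def severities_at_or_above(minimum: str) -> set:
    """Expand a threshold such as 'HIGH' to {'HIGH', 'CRITICAL'}."""
    return set(SEVERITY_ORDER[SEVERITY_ORDER.index(minimum.upper()):])


def should_fail(summary: dict, fail_on: set) -> bool:
    """True when at least one finding has a severity in fail_on."""
    return any(summary["by_severity"].get(sev, 0) > 0 for sev in fail_on)


def main(argv) -> int:
    """Print the summary (usable by a later task) and return the gate exit code."""
    path = argv[1] if len(argv) > 1 else None
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    if path:
        with open(path, encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = load_sample()
    summary = summarize(report)
    print(json.dumps(summary, indent=2))
    failed = should_fail(summary, severities_at_or_above(threshold))
    print(f"gate ({threshold} and above): {'FAIL' if failed else 'PASS'}")
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The task itself can keep exitCode: 0 so every finding still lands in the report tab; this step then decides the build result.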

Issue with trivy plugin on azure devops - running timeout even after 1h

Hi. Since some time ago, without changing anything, the Trivy plugin on Azure DevOps, which scans our Docker images, fails. Running the same command locally works fine in a few minutes, but on Azure DevOps it times out even after 1 hour. Below are the full logs of a failed pipeline.

"/tmp/trivy --debug image --exit-code 0 --format json --output /tmp/trivy-results-0.6494861920786035.json --security-checks vuln,config,secret --severity CRITICAL,HIGH --timeout 15m0s tpo-optimisation-core:402f8b74
2023-11-16T13:18:02.090Z WARN '--security-checks' is deprecated. Use '--scanners' instead.
2023-11-16T13:18:02.094Z DEBUG Severities: ["CRITICAL" "HIGH"]
2023-11-16T13:18:02.099Z DEBUG cache dir: /home/vsts/.cache/trivy
##[error]Failed: Trivy detected problems.
2023-11-16T13:18:02.099Z DEBUG There is no valid metadata file: unable to open a file: open /home/vsts/.cache/trivy/db/metadata.json: no such file or directory
2023-11-16T13:18:02.099Z INFO Need to update DB
Publishing JSON results...
2023-11-16T13:18:02.099Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-11-16T13:18:02.099Z INFO Downloading DB...
Done!
2023-11-16T13:18:02.099Z DEBUG no metadata file

2023-11-16T13:18:04.617Z DEBUG DB Schema: 2, UpdatedAt: 2023-11-16 12:11:26.83817481 +0000 UTC, NextUpdate: 2023-11-16 18:11:26.838174399 +0000 UTC, DownloadedAt: 2023-11-16 13:18:04.617435101 +0000 UTC
2023-11-16T13:18:04.617Z INFO Vulnerability scanning is enabled
2023-11-16T13:18:04.617Z DEBUG Vulnerability type: [os library]
2023-11-16T13:18:04.617Z INFO Misconfiguration scanning is enabled
2023-11-16T13:18:04.617Z DEBUG Failed to open the policy metadata: open /home/vsts/.cache/trivy/policy/metadata.json: no such file or directory
2023-11-16T13:18:04.617Z INFO Need to update the built-in policies
2023-11-16T13:18:04.617Z INFO Downloading the built-in policies...
44.66 KiB / 44.66 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2023-11-16T13:18:05.299Z DEBUG Digest of the built-in policies: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
2023-11-16T13:18:05.299Z DEBUG Policies successfully loaded from disk
2023-11-16T13:18:05.299Z INFO Secret scanning is enabled
2023-11-16T13:18:05.299Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-16T13:18:05.299Z INFO Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection
2023-11-16T13:18:05.304Z DEBUG No secret config detected: trivy-secret.yaml
2023-11-16T13:18:05.304Z DEBUG Image ID: sha256:d9d5d90bc2c689f48e34cd6f738f5fcd4834ea622466a45499c40841ef26a15a
2023-11-16T13:18:05.304Z DEBUG Diff IDs: [sha256:74c0af6e02274b54b88f851843ae69880a234694dede8ff9fb93bfa076af45ed sha256:baf87c49ca6b8d40680760e3af0fbf2339b0dbabb7dff90c0ef426df32ac20de sha256:04d613b891f57ce67806043e739eea4dd94c5f7b5c76431972bb1a6af11a0316 sha256:b6356273eecdbe218c689e81de59c757c3b9354c27e724f4587a15f610cd3ed8 sha256:6569c6d67963fe3261e23a3fc921acafb55740bff1b62db6a495838acec66f8c sha256:22020866532fd5ae4480d02e57c8d4a5b1d7a59fb0f6752872bf6593114056a1 sha256:ba362af1da9704b92ed6e40a5d63629098d80b0ddef50cfe29ced635588abd16 sha256:b66487139c561c78ae031f8a4de0cf579000607abb6ab5a72f15156151c9ed3e sha256:e40861124aa48470a83fc3ca4b82883ba2f8315595f26954f9e9e82a47d33ad3 sha256:78be68b31a389ae567fc1ad87bbb88d2af5640204464ed4b215d6863c6e9c9b3 sha256:7e49dcf422145072095c3cb94458d14661903d78241466d2e8c084d42ed9b2b3 sha256:4f841799b5f27f938f948c212b3aa6b9d281c94070855acb01ca86b461107cce sha256:d82c713e0285bd996c27c8cecd5c354a23d5ee4ac5bb6430416933e872bb392e sha256:244f669b40109e7369aa56d038d2ec4dcb683513a3cf4f7e18978cb8330325c7]
2023-11-16T13:18:05.304Z DEBUG Base Layers: [sha256:74c0af6e02274b54b88f851843ae69880a234694dede8ff9fb93bfa076af45ed sha256:baf87c49ca6b8d40680760e3af0fbf2339b0dbabb7dff90c0ef426df32ac20de sha256:04d613b891f57ce67806043e739eea4dd94c5f7b5c76431972bb1a6af11a0316 sha256:b6356273eecdbe218c689e81de59c757c3b9354c27e724f4587a15f610cd3ed8 sha256:6569c6d67963fe3261e23a3fc921acafb55740bff1b62db6a495838acec66f8c sha256:22020866532fd5ae4480d02e57c8d4a5b1d7a59fb0f6752872bf6593114056a1 sha256:ba362af1da9704b92ed6e40a5d63629098d80b0ddef50cfe29ced635588abd16]
2023-11-16T13:18:05.401Z DEBUG Missing image ID in cache: sha256:d9d5d90bc2c689f48e34cd6f738f5fcd4834ea622466a45499c40841ef26a15a
2023-11-16T13:18:05.401Z DEBUG Missing diff ID in cache: sha256:6569c6d67963fe3261e23a3fc921acafb55740bff1b62db6a495838acec66f8c
2023-11-16T13:18:05.401Z DEBUG Missing diff ID in cache: sha256:baf87c49ca6b8d40680760e3af0fbf2339b0dbabb7dff90c0ef426df32ac20de
2023-11-16T13:18:05.401Z DEBUG Missing diff ID in cache: sha256:74c0af6e02274b54b88f851843ae69880a234694dede8ff9fb93bfa076af45ed
2023-11-16T13:18:05.401Z DEBUG Missing diff ID in cache: sha256:b6356273eecdbe218c689e81de59c757c3b9354c27e724f4587a15f610cd3ed8
2023-11-16T13:18:05.402Z DEBUG Missing diff ID in cache: sha256:04d613b891f57ce67806043e739eea4dd94c5f7b5c76431972bb1a6af11a0316
2023-11-16T13:18:28.141Z DEBUG Missing diff ID in cache: sha256:22020866532fd5ae4480d02e57c8d4a5b1d7a59fb0f6752872bf6593114056a1
2023-11-16T13:18:28.761Z DEBUG Missing diff ID in cache: sha256:ba362af1da9704b92ed6e40a5d63629098d80b0ddef50cfe29ced635588abd16
2023-11-16T13:18:29.264Z DEBUG Missing diff ID in cache: sha256:b66487139c561c78ae031f8a4de0cf579000607abb6ab5a72f15156151c9ed3e
2023-11-16T13:18:29.435Z DEBUG Missing diff ID in cache: sha256:e40861124aa48470a83fc3ca4b82883ba2f8315595f26954f9e9e82a47d33ad3
2023-11-16T13:18:30.569Z DEBUG Missing diff ID in cache: sha256:78be68b31a389ae567fc1ad87bbb88d2af5640204464ed4b215d6863c6e9c9b3
2023-11-16T13:18:31.552Z DEBUG Missing diff ID in cache: sha256:7e49dcf422145072095c3cb94458d14661903d78241466d2e8c084d42ed9b2b3
2023-11-16T13:18:31.555Z DEBUG Missing diff ID in cache: sha256:4f841799b5f27f938f948c212b3aa6b9d281c94070855acb01ca86b461107cce
2023-11-16T13:18:32.171Z DEBUG Analysis error: go binary (filepath: usr/local/lib/python3.11/site-packages/numpy.libs/libgfortran-040039e1.so.5.0.0) parse error: EOF
2023-11-16T13:18:32.297Z DEBUG Analysis error: go binary (filepath: usr/local/lib/python3.11/site-packages/numpy.libs/libopenblas64_p-r0-0cf96a72.3.23.dev.so) parse error: EOF
2023-11-16T13:18:32.318Z DEBUG Analysis error: go binary (filepath: usr/local/lib/python3.11/site-packages/numpy.libs/libquadmath-96973f99.so.0.0.0) parse error: EOF
2023-11-16T13:18:32.338Z DEBUG Analysis error: go binary (filepath: usr/local/lib/python3.11/site-packages/numpy/core/_multiarray_umath.cpython-311-x86_64-linux-gnu.so) parse error: EOF
2023-11-16T13:18:32.367Z DEBUG Analysis error: go binary (filepath: usr/local/lib/python3.11/site-packages/numpy/linalg/lapack_lite.cpython-311-x86_64-linux-gnu.so) parse error: EOF
2023-11-16T13:18:32.393Z DEBUG Analysis error: go binary (filepath: usr/local/lib/python3.11/site-packages/numpy/linalg/_umath_linalg.cpython-311-x86_64-linux-gnu.so) parse error: EOF
2023-11-16T13:18:32.574Z DEBUG Analysis error: go binary (filepath: usr/local/lib/python3.11/site-packages/pyodbc.cpython-311-x86_64-linux-gnu.so) parse error: EOF
2023-11-16T13:33:02.350Z WARN Increase --timeout value
2023-11-16T13:33:02.350Z FATAL image scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:427

scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266
scan failed:
github.com/aquasecurity/trivy/pkg/commands/artifact.scan
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:669
failed analysis:
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
/home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
analyze error:
github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.Inspect
/home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:139
semaphore acquire:
github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect
/home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:223
context deadline exceeded
Finishing: Scan DEV image for vulnerabilities"

Downloading Trivy binary ends in 404

Hi

When trying to use Trivy Azure Pipelines Task using the following:

- task: trivy@1
  inputs:
    version: 0.34.0
    debug: true
    docker: false
    image: myImage:1.0

The following error log is shown:

Run requested using local Trivy binary...
Finding correct Trivy version to install...
Required Trivy version is 0.34.0
Downloading Trivy...
Downloading: https://github.com/aquasecurity/trivy/releases/download/0.34.0/trivy_0.34.0_Linux-64bit.tar.gz
##[error]Unexpected HTTP response: 404

When trying to download manually using the above URL, "Not Found" will also be shown.

The correct URL would probably be:
https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz

Note the missing "v" in the URL path before the version number.

Trivy not working on AzureDevops

I am trying to make the trivy azure devops plugin work on azure devops :

with the following config

- task: trivy@1
  displayName: Trivy MKP Plugin
  inputs:
    docker: false
    path: '$(System.DefaultWorkingDirectory)/build/libs/'
    devMode: true
    version: 'v0.48.1'
    severities: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
    exitCode: 0
    debug: true
    options: --version --debug

It seems it doesn't scan my build/libs folder.

When I configure the following task:

Can someone give me insight into making the plugin work for scanning a folder that contains a war file with Java dependencies?

doesn't work on windows self-hosted build agent

It doesn't work on a Windows self-hosted build agent. Error: Unable to locate executable file: 'docker'
This means it expects a Docker configuration on the Windows self-hosted build agent rather than downloading the Windows Trivy packages.
tfsec works better on both Windows and Linux self-hosted agents.

Invalid permissions on .docker directory, causing follow-up container jobs to fail on self-hosted agents

When we use the DevOps task on a fresh agent, it leaves a $HOME/.docker directory with invalid permissions,
in my case /home/AzDevOps/.docker/ with root permissions.

When we run on the same agent a new container job (https://learn.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops) the container job fails with the following error:
Error saving credentials: open /home/AzDevOps/.docker/config.json1181007158: permission denied

On the fresh agent the .docker directory doesn't exist, the trivy-azure-pipelines-task is creating the .docker directory under the root user. We use self-hosted agents based on https://github.com/actions/runner-images (releases/ubuntu22/20230129).

I could correct the issue by adding an additional bash task after the Trivy task; here is the relevant part of my azure-pipeline.yml:

...
- task: trivy@1
  displayName: Trivy - Scan Image
  inputs:
    version: 'latest'
    debug: true
    exitCode: 0
    image: $(acr-repo)/$(Build.Repository.Name):$(Build.SourceVersion)
  continueOnError: true
- bash: |
    if [ -d "$(HOME)/.docker" ] ; then
      sudo chown $(USER):$(USER) -R $HOME/.docker
    fi
  displayName: Trivy - Correct Permissions on .docker directory
  continueOnError: true
...

filesystem scan error

Hi !
I'm trying this product and I'm stuck on these errors (it seems it wants to call something that isn't there?).
What did I do wrong?

2022-09-27T16:24:20.941+0200 WARN Increase --timeout value
2022-09-27T16:24:20.941+0200 FATAL filesystem scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:359
scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:217
image scan failed:
github.com/aquasecurity/trivy/pkg/commands/artifact.scan
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:515
failed analysis:
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
/home/runner/work/trivy/trivy/pkg/scanner/scan.go:112
failed to call hooks:
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:126
post handler error:
github.com/aquasecurity/trivy/pkg/fanal/handler.Manager.PostHandle
/home/runner/work/trivy/trivy/pkg/fanal/handler/handler.go:75
scan config error:
github.com/aquasecurity/trivy/pkg/fanal/handler/misconf.misconfPostHandler.Handle
/home/runner/work/trivy/trivy/pkg/fanal/handler/misconf/misconf.go:239
context deadline exceeded

Here is build yml

trigger:
  - master

resources:
  - repo: self

variables:
  tag: '$(Build.BuildId)'

stages:
  - stage: Scan
    displayName: Scan Repo
    jobs:
      - job: Scan
        displayName: Scan
        pool: Ubuntu
        steps:
          - task: trivy@1
            inputs:
              version: 'latest'
              docker: false
              debug: true
              exitCode: '0'
              devMode: true
              path: $(Build.SourcesDirectory)

Image scan error: failed to analyze layer

When running the trivy@1 task in azure pipeline we get the following error:

2023-10-31T09:48:39.445Z	FATAL	image scan error: scan error: scan failed: failed analysis: analyze error: failed to analyze layer (sha256:06e8ff95eef50e87c0efa960886dfc4e82c916ea611b8d4591dd8de4e6aacd08): post handler error: post handler error: misconfiguration scan error: scan config error: 4 errors occurred:
##[error]Failed: Trivy detected problems.
Publishing JSON results...
Done!
policies/cloud/policies/aws/rds/disable_cluster_skip_final_snapshot.rego:26: rego_type_error: undefined ref: cluster.skipfinalsnapshot.value
	cluster.skipfinalsnapshot.value
	        ^
	        have: "skipfinalsnapshot"
	        want (one of): ["backupretentionperioddays" "encryption" "engine" "instances" "performanceinsights" "publicaccess" "replicationsourcearn"]
policies/cloud/policies/aws/rds/disable_cluster_skip_final_snapshot.rego:27: rego_type_error: undefined ref: cluster.skipfinalsnapshot
	cluster.skipfinalsnapshot
	        ^
	        have: "skipfinalsnapshot"
	        want (one of): ["backupretentionperioddays" "encryption" "engine" "instances" "performanceinsights" "publicaccess" "replicationsourcearn"]
policies/cloud/policies/aws/rds/enable_cluster_deletion_protection.rego:26: rego_type_error: undefined ref: cluster.deletionprotection.value
	cluster.deletionprotection.value
	        ^
	        have: "deletionprotection"
	        want (one of): ["backupretentionperioddays" "encryption" "engine" "instances" "performanceinsights" "publicaccess" "replicationsourcearn"]
policies/cloud/policies/aws/rds/enable_cluster_deletion_protection.rego:27: rego_type_error: undefined ref: cluster.deletionprotection
	cluster.deletionprotection
	        ^
	        have: "deletionprotection"
	        want (one of): ["backupretentionperioddays" "encryption" "engine" "instances" "performanceinsights" "publicaccess" "replicationsourcearn"]

It fails scanning a layer as seen above, unclear why.

Private repositories not working

Hi,

we are trying to scan images in a private Azure Container Registry. According to the marketplace page, it simply requires the docker login task.
We already have a docker login task in our pipeline and a docker push into that registry is also working fine.
But when we then try to scan that image trivy fails with an UNAUTHORIZED: authentication required error.

We are using the trivy docker image option for the scan.
