Add examples for scanning when using docker/setup-buildx-action

[audunsolemdal]

I am struggling to integrate copa-action with my current Workflow.

The workflow fails as I am trying to get copa to scan a local image, while it attempts to pull the image from a private registry where the workflow does not have access

#1 resolve image config for docker-image://xxxx.azurecr.io/testteam1/testapp1:05-06-2024.744
Error: failed to resolve source metadata for xxxx.azurecr.io/testteam1/testapp1:05-06-2024.744: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://xxxx.azurecr.io/oauth2/token?scope=repository%3Atestteam1%2Ftestapp1%3Apull&service=xxxx.azurecr.io: 403 Forbidden

I would appreciate ideas on how to fix this workflow while still using the docker/setup-buildx-action with the docker-container driver.

I set up with the following

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3
      id: buildx
      with:
        driver: docker-container # required for writing to github actions cache
        # probably not the correct way to attempt to configure this..
        buildkitd-config-inline: |
          debug = true
          [features]
          containerd-snapshotter = true

    - name: Build docker image using cache
      uses: docker/build-push-action@v5
      with:
        cache-from: type=gha
        cache-to: type=gha,mode=max #requires docker-container driver
        outputs: type=docker,dest=./image.tar
(...)

Scan it with trivy this way

      - name: Load container image to docker daemon
        run: docker load -i ./image.tar

      - name: Run Trivy vulnerability scanner for OS vulerabilities
        if: "${{ inputs.run-image-scan == 'true' && steps.build.outputs.cache-hit != 'true'}}"
        uses: aquasecurity/[email protected]
        with:
          #input: ./image.tar
          image-ref: "${{ steps.env.outputs.full-image-name-tagless }}:${{ steps.env.outputs.tag }}"
          format: "json"
          output: "report.json"
          severity: ${{inputs.image-scan-severity}}
          ignore-unfixed: true
          scanners: "vuln"
          vuln-type: "os"

      # check whether there are any OS package vulnerabilities 
      - name: Check vulnerability count 
        if: "${{ inputs.run-image-scan == 'true' && steps.build.outputs.cache-hit != 'true' }}"
        id: vuln_count 
        run: | 
          report_file="report.json" 
          vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file") 
          echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
          echo "Vulnerability count: $vuln_count"

      - name: Get socket path
        if: steps.vuln_count.outputs.vuln_count != '0' 
        id: socket_path
        run: |
            url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host)
            socket_path=$(echo "$url" | awk -F// '{print $2}')
            echo "$socket_path"
            echo "SOCKET=$socket_path" >> $GITHUB_ENV

      - name: Run Copa action 
        if: steps.vuln_count.outputs.vuln_count != '0' 
        id: copa 
        uses: project-copacetic/copa-action@v1 
        with: 
          image: "${{ steps.env.outputs.full-image-name-tagless }}:${{ steps.env.outputs.tag }}"
          image-report: "report.json" 
          patched-tag: "patched" 
          timeout: "5m" # optional, default is 5m 
          custom-socket: "${{ steps.socket_path.outputs.socket_path }}"

[sozercan]

@audunsolemdal https://github.com/project-copacetic/copa-action?tab=readme-ov-file#option-2-connect-using-defaults-through-a-custom-socket has the details on how to set up containerd image store. If you are trying to patch a local image that's not pushed to a registry, you cannot do that with docker-container driver, it must be docker driver with containerd image store enabled.

Another example is here: https://github.com/sozercan/copa-test/blob/main/.github/workflows/patch-action-containerd.yaml

[audunsolemdal]

So I've noticed the images in the examples are all pre-built. I am trying to first build my own image before running trivy-action followed by copa-action

Essentially something like this works, but this causes copa-action to fail due to containerd-snapshotter not being enabled

aquasecurity/trivy-action#278 (comment)

     - name: Build image
        id: build
        uses: docker/build-push-action@v5
        with:
          file: Dockerfile
          load: true
          platforms: linux/amd64
          push: false

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ steps.build.outputs.imageid }} # or full image name with tag
          format: table
          exit-code: 1
          ignore-unfixed: true
          vuln-type: os,library
          severity: CRITICAL,HIGH

But if you add this step at the top of the workflow, I get the contiainer build working, docker image ls shows the image wit h tags, but I can't get trivy action to work.

    - name: Set up docker
      uses: crazy-max/ghaction-setup-docker@v3
      with:
        version: latest
        daemon-config: |
          {
            "experimental": true,
            "features": {
              "containerd-snapshotter": true
            }
          }

I tried a lot of variants but have failed.

If trying to input docker-host to trivy-action:

* docker error: unable to inspect the image (�xxxx.azurecr.io/testteam1/testapp1:06-06-2024.788): Cannot connect to the Docker daemon at unix:///home/runner/setup-docker-action-e59d331d/docker.sock. Is the docker daemon running?

Without docker-host: specified I end up with Error: No such image:

[ashnamehrotra]

@audunsolemdal @sozercan

This is an issue related to the Trivy Github action. When using containerd image store, we create a custom socket and need to be able supply that to Trivy. We can do this with the --docker-host flag when installing Trivy locally.

For example:

          - name: Install Trivy
            run: |
                echo "Downloading Latest Trivy Version"
                curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b . latest

                ./trivy image --ignore-unfixed --vuln-type os -f json -o report.json  --docker-host unix:///${SOCKET} nginx:local     

${SOCKET} is the custom socket as we got in the example.

This will allow you to scan the local images before you patch with Copa Action.

It looks like the Trivy action also recently released support for a docker-host argument to the action, but I have not been able to get that to work so far. I will let you know if I can figure out why it works when using Trivy locally but not through the action.

I created an issue ( #46) so this can be better documented along with a workflow that uses a locally built image.