-
Notifications
You must be signed in to change notification settings - Fork 245
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
trivy-action attempts to run sudo on the local machine (!?) #403
Comments
Been getting this with the new version as well. Definitely cant have sudo running, goes against openssf security practice for github actions |
This is not good on unprivileged self-hosted runners 😬
|
Hello all |
Hello all! Fill free to write here if you still have problems/questions. |
It looks like #399 changed trivy-action to use "composite" instead of "docker", and it attempts to install trivy via a
curl [url]/install.sh | sudo sh -
style method. This seems a bit dangerous to run on the local system outside of docker.Am I misunderstanding what "composite" is supposed to do? I'm not going to grant sudo access to the github action runner user.
When running the latest, action, I get this in the log output:
I left a comment on the relevant code change:
https://github.com/aquasecurity/trivy-action/pull/399/files#r1792533665
The text was updated successfully, but these errors were encountered: