Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

trivy-action attempts to run sudo on the local machine (!?) #403

Closed
mattnakama-skytap opened this issue Oct 8, 2024 · 5 comments · Fixed by #406
Closed

trivy-action attempts to run sudo on the local machine (!?) #403

mattnakama-skytap opened this issue Oct 8, 2024 · 5 comments · Fixed by #406

Comments

@mattnakama-skytap
Copy link

It looks like #399 changed trivy-action to use "composite" instead of "docker", and it attempts to install trivy via a curl [url]/install.sh | sudo sh - style method. This seems a bit dangerous to run on the local system outside of docker.

Am I misunderstanding what "composite" is supposed to do? I'm not going to grant sudo access to the github action runner user.

When running the latest, action, I get this in the log output:

Run aquasecurity/trivy-action@master
  with:
    image-ref: [redacted]
    exit-code: 1
    severity: MEDIUM,HIGH,CRITICAL
    format: table
    scan-type: image
    scan-ref: .
    ignore-unfixed: false
    vuln-type: os,library
    cache-dir: /run/github-runner/argo-2/argo/argo/.cache/trivy
    list-all-pkgs: false
    version: v0.56.1
    cache: true
Run curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.56.1
  curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.56.1
  shell: /nix/store/516kai7nl5dxr792c0nzq0jp8m4zvxpi-bash-5.2p32/bin/bash --noprofile --norc -e -o pipefail {0}
/run/github-runner/argo-2/_temp/1455b404-12e8-4243-bcd6-0e695ee57cfc.sh: line 1: curl: command not found
/run/github-runner/argo-2/_temp/1455b404-12e8-4243-bcd6-0e695ee57cfc.sh: line 1: sudo: command not found
Error: Process completed with exit code 127.

I left a comment on the relevant code change:
https://github.com/aquasecurity/trivy-action/pull/399/files#r1792533665

@wallies
Copy link

wallies commented Oct 8, 2024

Been getting this with the new version as well. Definitely cant have sudo running, goes against openssf security practice for github actions

@simar7
Copy link
Member

simar7 commented Oct 8, 2024

cc @knqyf263 @DmitriyLewen

@portswigger-tim
Copy link

This is not good on unprivileged self-hosted runners 😬

Run curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.56.1
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
Error: Process completed with exit code 1.

@DmitriyLewen
Copy link
Contributor

Hello all
We are already working on this task.

@DmitriyLewen
Copy link
Contributor

Hello all!
We merged #406
trivy-action installs Trivy from release page now. So we don't need to use curl and sudo.

Fill free to write here if you still have problems/questions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants