Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Input formats not respected if env var is already set #438

Open
david-marconis opened this issue Nov 28, 2024 · 2 comments
Open

Input formats not respected if env var is already set #438

david-marconis opened this issue Nov 28, 2024 · 2 comments

Comments

@david-marconis
Copy link

Problem

There is an issue with the current action if you run multiple Trivy actions in a row. It will not respect the inputs as it will not set the env var if the env var if the input value is a different value. However, if the env var already has a different value than the default and you try to set it to a default value, it will not work.

Scenario

Here is a scenario: You first run Trivy scan with sarif format, and then you run with table format:

        - uses: aquasecurity/[email protected]
          with:
            image-ref: node:23.2.0-alpine3.20
            severity: CRITICAL,HIGH
            exit-code: 0
            format: sarif
        - uses: aquasecurity/[email protected]
          with:
            image-ref: node:23.2.0-alpine3.20
            severity: CRITICAL,HIGH
            exit-code: 1
            format: table

Then then the second scan will not use format table, as it uses the previously set env var: TRIVY_FORMAT: sarif.

Tests

Here is a workflow run that shows the issue:
input format: table
https://github.com/david-marconis/trivy-ignore-bug/actions/runs/12065562387/job/33644593462#step:3:6
env TRIVY_FORMAT: sarif
https://github.com/david-marconis/trivy-ignore-bug/actions/runs/12065562387/job/33644593462#step:3:20
log indicating sarif mode:
https://github.com/david-marconis/trivy-ignore-bug/actions/runs/12065562387/job/33644593462#step:3:159

Fixed by this PR:
#437

@hi-artem
Copy link

hi-artem commented Dec 14, 2024

This is a big issue since it doesn't allow to run the action multiple times in the same workflow. If you do multiple types of scans separately using this action, it requires sanitizing GITHUB_ENV separately.

For example:

echo "TRIVY_OUTPUT=" >> $GITHUB_ENV
echo "TRIVY_SKIP_DIRS=" >> $GITHUB_ENV
echo "TRIVY_SKIP_FILES=" >> $GITHUB_ENV
echo "TRIVY_SKIP_FILES=table" >> $GITHUB_ENV

@jtl-novatec
Copy link

Likely related to what I encountered some time ago here #422

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants