fix: respect GITHUB_TOKEN to download artifacts from GHCR (#7580)

Signed-off-by: knqyf263 <[email protected]>
aquasecurity · Dec 4, 2024 · 21b68e1 · 21b68e1
1 parent 71391a5
commit 21b68e1
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 10 deletions.
diff --git a/docs/docs/references/troubleshooting.md b/docs/docs/references/troubleshooting.md
@@ -79,21 +79,25 @@ $ TRIVY_INSECURE=true trivy image [YOUR_IMAGE]
 ```
 
 ### GitHub Rate limiting
+Trivy uses GitHub API for [VEX repositories](../supply-chain/vex/repo.md).
 
 !!! error
     ``` bash
-    $ trivy image ...
+    $ trivy image --vex repo ...
     ...
     API rate limit exceeded for xxx.xxx.xxx.xxx.
     ```
 
-Specify GITHUB_TOKEN for authentication
-https://developer.github.com/v3/#rate-limiting
+Specify GITHUB_TOKEN for [authentication](https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28)
 
 ```
-$ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
+$ GITHUB_TOKEN=XXXXXXXXXX trivy image --vex repo [YOUR_IMAGE]
 ```
 
+!!! note
+    `GITHUB_TOKEN` doesn't help with the rate limit for the vulnerability database and other assets.
+    See https://github.com/aquasecurity/trivy/discussions/8009
+
 ### Unable to open JAR files
 
 !!! error
@@ -217,6 +221,11 @@ Please remove the token and try downloading the DB again.
 docker logout ghcr.io
 ```
 
+or
+
+```shell
+unset GITHUB_TOKEN
+```
 
 ## Homebrew
 ### Scope error

diff --git a/magefiles/fixture.go b/magefiles/fixture.go
@@ -7,6 +7,8 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/authn/github"
 	"github.com/google/go-containerregistry/pkg/crane"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/magefile/mage/sh"
@@ -16,13 +18,15 @@ import (
 
 const dir = "integration/testdata/fixtures/images/"
 
+var auth = crane.WithAuthFromKeychain(authn.NewMultiKeychain(authn.DefaultKeychain, github.Keychain))
+
 func fixtureContainerImages() error {
 	var testImages = testutil.ImageName("", "", "")
 
 	if err := os.MkdirAll(dir, 0750); err != nil {
 		return err
 	}
-	tags, err := crane.ListTags(testImages)
+	tags, err := crane.ListTags(testImages, auth)
 	if err != nil {
 		return err
 	}
@@ -53,7 +57,7 @@ func saveImage(subpath, tag string) error {
 	}
 	fmt.Printf("Downloading %s...\n", imgName)
 
-	img, err := crane.Pull(imgName)
+	img, err := crane.Pull(imgName, auth)
 	if err != nil {
 		return err
 	}
@@ -64,7 +68,6 @@ func saveImage(subpath, tag string) error {
 	if err = sh.Run("gzip", tarPath); err != nil {
 		return err
 	}
-
 	return nil
 }
 
@@ -77,12 +80,12 @@ func fixtureVMImages() error {
 	if err := os.MkdirAll(dir, 0750); err != nil {
 		return err
 	}
-	tags, err := crane.ListTags(testVMImages)
+	tags, err := crane.ListTags(testVMImages, auth)
 	if err != nil {
 		return err
 	}
 	for _, tag := range tags {
-		img, err := crane.Pull(fmt.Sprintf("%s:%s", testVMImages, tag))
+		img, err := crane.Pull(fmt.Sprintf("%s:%s", testVMImages, tag), auth)
 		if err != nil {
 			return err
 		}

diff --git a/pkg/remote/remote.go b/pkg/remote/remote.go
@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/authn/github"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
@@ -166,7 +167,7 @@ func authOptions(ctx context.Context, ref name.Reference, option types.RegistryO
 		return []remote.Option{remote.WithAuth(&bearer)}
 	default:
 		// Use the keychain anyway at the end
-		opts = append(opts, remote.WithAuthFromKeychain(authn.DefaultKeychain))
+		opts = append(opts, remote.WithAuthFromKeychain(authn.NewMultiKeychain(authn.DefaultKeychain, github.Keychain)))
 		return opts
 	}
 }