Description
Originally posted by @rofreytag in #2215
I ran into an issue when using trivy config scan on a subfolder. The reported issues appear in the security tab, but the folder/path reference of files inside the repo is not correctly presented.
Example finding:

The expected path should be terraform/01-bootstrap/eks.tf.
The generated sarif file by trivy:
- uses URLs relative to terraform/some-module (i.e. main.tf)
- uses relative URLs for module invocations like ../modules/other-module/main.tf
- includes the correct uriBaseId
GitHub interprets all these URLs relative to the repo root without using uriBaseId.
I am happy to try a workaround, but currently
- I cannot yet find a way to make trivy generate absolute URLs, which I believe resolves the issue.
- Neither can I tell the upload-action that I am using relative URLs in my repo.
Expected behavior
Either have the upload-action use the uriBaseId of the sarif file, or have an existing param like checkout_path (or a new param) in the action respect and transform relative URLs, so that they correctly appear in the report.
Example:
- name: Upload Trivy scan results to GitHub Security tab
  uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
  with:
    sarif_file: 'trivy-results.sarif'
    category: trivy-my-module
    checkout_path: ${{ github.workspace }}/terraform/01-bootstrap/
Here is an excerpt of the generated sarif file that shows the URLs of each finding:
"message": {
  "text": "Artifact: eks.tf\nType: terraform\nVulnerability aws-vpc-add-description-to-security-group-rule\nSeverity: LOW\nMessage: Security group rule does not have a description.\nLink: [aws-vpc-add-description-to-security-group-rule](https://avd.aquasec.com/misconfig/aws-vpc-add-description-to-security-group-rule)"
},
"locations": [
  {
    "physicalLocation": {
      "artifactLocation": {
        "uri": "eks.tf",
        "uriBaseId": "ROOTPATH"
      },
"message": {
  "text": "Artifact: ../modules/rdb/main.tf\nType: terraform\nVulnerability AVD-AWS-0098\nSeverity: LOW\nMessage: Secret explicitly uses the default key.\nLink: [AVD-AWS-0098](https://avd.aquasec.com/misconfig/avd-aws-0098)"
},
"locations": [
  {
    "physicalLocation": {
      "artifactLocation": {
        "uri": "../modules/rdb/main.tf",
        "uriBaseId": "ROOTPATH"
      },
and the originalUriBaseId section at the end:
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///home/runner/work/redacted/redacted/terraform/01-bootstrap/"
        }
      }
    }
  ]
}
Here is my full workflow file
name: Code Scan
on:
  push:
    branches: [ "main" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "main" ]
  schedule:
    - cron: '27 23 * * 2'
permissions:
  contents: read # for actions/checkout to fetch code
  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
jobs:
  analyze-tf:
    runs-on: ubuntu-latest
    name: Analyze (${{ matrix.config.path }})
    strategy:
      matrix:
        config:
          - path: terraform/00-shared
            varfile: configs/sai-shared-prod.tfvars
          - path: terraform/01-bootstrap
            varfile: configs/sai-prod.tfvars
          - path: terraform/02-k8s
            varfile: configs/sai-prod.tfvars
          - path: terraform/03-services
            varfile: configs/sai-prod.tfvars
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run Trivy scanner
        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 #v0.30.0
        with:
          scan-type: 'config'
          scan-ref: ${{ matrix.config.path }}
          tf-vars: ${{ matrix.config.path }}/${{ matrix.config.varfile }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'
          version: v0.61.1
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
        with:
          sarif_file: 'trivy-results.sarif'
          # need to add unique category, so the results in one commit do not overwrite each other
          category: trivy-${{ matrix.config.path }}
          # I tried this with no luck
          # checkout_path: ${{ github.workspace }}/${{ matrix.config.path }}/
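A post-processing step for the workaround the report asks for, as an added example that is not Trivy's, the upload action's, or the poster's code: it resolves each artifactLocation.uri against originalUriBaseIds, re-expresses the path relative to the checkout root (assumed to be ${{ github.workspace }}), and drops uriBaseId so the Security tab's root-relative interpretation becomes correct. SAMPLE is constructed from the SARIF excerpt above; the script name fix_sarif.py is hypothetical.

```python
import json
import posixpath
import sys
from urllib.parse import unquote, urlparse

# Constructed sample mirroring the excerpt in the post: two findings, one base id.
SAMPLE = {
    "runs": [{
        "results": [
            {"locations": [{"physicalLocation": {"artifactLocation": {
                "uri": "eks.tf", "uriBaseId": "ROOTPATH"}}}]},
            {"locations": [{"physicalLocation": {"artifactLocation": {
                "uri": "../modules/rdb/main.tf", "uriBaseId": "ROOTPATH"}}}]},
        ],
        "originalUriBaseIds": {"ROOTPATH": {
            "uri": "file:///home/runner/work/redacted/redacted/terraform/01-bootstrap/"}},
    }]
}


def rewrite_sarif(sarif: dict, workspace: str) -> dict:
    """Resolve each artifactLocation against its uriBaseId, re-root it at workspace
    (assumed to be ${{ github.workspace }}), drop uriBaseId; modifies in place."""
    root = workspace.rstrip("/") + "/"
    for run in sarif.get("runs", []):
        bases = run.get("originalUriBaseIds", {})
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation")
                if not art or "uriBaseId" not in art:
                    continue  # nothing to resolve: leave the location untouched
                base = bases.get(art["uriBaseId"], {}).get("uri")
                if not base:
                    continue  # unknown base id: do not guess, keep it as emitted
                base_path = unquote(urlparse(base).path)  # file:///x/ -> /x/
                absolute = posixpath.normpath(posixpath.join(base_path, art["uri"]))
                if not absolute.startswith(root):
                    # A file outside the checkout cannot be shown in the repo view;
                    # fail loudly instead of uploading a misleading path.
                    raise ValueError(f"{absolute} is outside {root}")
                art["uri"] = absolute[len(root):]  # e.g. terraform/01-bootstrap/eks.tf
                del art["uriBaseId"]
    return sarif


if __name__ == "__main__":
    # usage: python fix_sarif.py trivy-results.sarif "$GITHUB_WORKSPACE" > fixed.sarif
    with open(sys.argv[1]) as fh:
        print(json.dumps(rewrite_sarif(json.load(fh), sys.argv[2]), indent=2))
```

In the workflow above it would run as a step between the Trivy scan and the upload, with the rewritten file passed as sarif_file.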