Issue with uploading the SARIF report to GitHub

[uRhos]

Hello,

We're facing issues with the Using Trivy to scan your Git repo setup, the action is working fine and creates a SARIF report, however that report is not accepted by GithHub in the Upload Trivy scan results to GitHub Security tab step. Here's our workflow.yaml config:

  - name: Run Trivy vulnerability scanner in repo mode
    uses: aquasecurity/trivy-action@master
    env:
      TRIVY_USERNAME: ${{ secrets.TRIVY_USERNAME }}
      TRIVY_PASSWORD: ${{ secrets.TRIVY_PASSWORD }}
      TRIVY_DB_REPOSITORY: ${{ secrets.TRIVY_REPOSITORY }}
    with:
      scan-type: 'fs'
      ignore-unfixed: true
      format: 'sarif'
      output: 'trivy-results.sarif'
      timeout: '10m'
      severity: 'CRITICAL,HIGH'
      scanners: "vuln,misconfig"
      limit-severities-for-sarif: true

  - name: Upload Trivy scan results to GitHub Security tab
    uses: github/codeql-action/upload-sarif@v3
    with:
      sarif_file: 'trivy-results.sarif'

The error from the Upload Trivy scan results to GitHub Security tab is:
Error: Code Scanning could not process the submitted SARIF file: locationFromSarifResult: expected artifact location, locationFromSarifResult: expected artifact location
We're using the latest version supported in the trivy-action.

[simar7]

@uRhos that's interesting. I tested this earlier as you can see here and it was fine.

Is it possible for you run the same scan locally with the Trivy CLI to see what output you get? It might be a bug with the SARIF output being generated incorrectly.

Were the reports correctly being generated and uploaded in prior versions of Trivy action?

[richardrobarth]

I had similar issue since yesterday, had to revert to 0.25.0.
Our problem was that result was generated in table format (not sarif).
From the looks of it the action isnt picking up the correct config (from trivy.yaml).

[uRhos]

@uRhos that's interesting. I tested this earlier as you can see here and it was fine.

Is it possible for you run the same scan locally with the Trivy CLI to see what output you get? It might be a bug with the SARIF output being generated incorrectly.

Were the reports correctly being generated and uploaded in prior versions of Trivy action?

Yes, after setting version: 'v0.55.0' the workflow is completed correctly, but I agree with @richardrobarth the trivy.yaml config is not being picked up, so we had to change from using it to using the inputs and env vars

[JackDallas]

Also hitting this in multiple repos, pinning to 0.24.0 fixes it for us

[simar7]

@uRhos could you try with the latest release https://github.com/aquasecurity/trivy-action/releases/tag/0.27.0 we had an issue where env var were not getting set and it should be addressed hopefully in this release. Let us know how it goes.

[mat-sylvia-mark43]

Also having issues with SARIF upload. Confirmed the SARIF is there after the trivy scan, but didn't confirm its contents. Errors from the upload-sarif action attached. I changed no working directory settings or anything like that.

git call failed. Continuing with commit SHA from user input or environment. Error: The checkout path provided to the action does not appear to be a git repository. git call failed. Will calculate the base branch SHA on the server. Error: The checkout path provided to the action does not appear to be a git repository.

[nikpivkin]

Hi @mat-sylvia-mark43 ! Can you give me an example of your workflow?

[uRhos]

Hi @uRhos ! Can you give me an example of your workflow?

The workflow we use is pretty much in the description, we just have one more step to checkout the code first

[nikpivkin]

@uRhos Ah, I accidentally mentioned you

[uRhos]

@uRhos could you try with the latest release https://github.com/aquasecurity/trivy-action/releases/tag/0.27.0 we had an issue where env var were not getting set and it should be addressed hopefully in this release. Let us know how it goes.

so we tried it with the 0.27.0 version of trivy-action and 0.56.2 version of trivy and got the same error, after setting the trivy version to 0.55.2 it works, so it's probably a bug in the latest trivy release

[mat-sylvia-mark43]

@nikpivkin Here you go!

[mat-sylvia-mark43]

@nikpivkin any thoughts? The action appears to be completely broken by this.

[mdemers-cobank]

We are also running into this issue using aquasecurity/[email protected]. Here is our GitHub Action:

  - name: Run Trivy vulnerability scanner in IaC mode and publish to Secuirty Tab
    uses: aquasecurity/[email protected]
    with:
      scan-type: 'fs'
      scan-ref: '.'
      scanners: 'vuln,misconfig'
      hide-progress: true
      format: 'sarif'
      output: 'trivy-results.sarif' 
      ignore-unfixed: true
      severity: 'CRITICAL,HIGH,MEDIUM,LOW'
      
  - name: Upload Trivy scan results to GitHub Security tab
    uses: github/codeql-action/[email protected]
    if: failure()  || success()
    with:
      sarif_file: 'trivy-results.sarif'         

[obounaim]

Hi, we are also facing the same issue.

Github action:

jobs:
  security:
    name: security
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in IaC mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          severity: 'CRITICAL,HIGH'
          hide-progress: false
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

It seems that we are not have issues with our AWS Terraform repositories, however, it is failing with our GCP mono-repo repository.