
Cannot run trivy as of today, problem with dependency #409

Open
romanbsd opened this issue Oct 10, 2024 · 12 comments

Comments

@romanbsd

Starting today, the job fails with:

Bad request - jaxxstorm/[email protected] is not allowed to be used in xxx/yyy.
Actions in this workflow must be: within a repository owned by xxx, created by GitHub, or verified in the GitHub Marketplace.
cafesanu commented Oct 10, 2024

@DmitriyLewen I think this PR is the culprit #406

I think this action needs to add aquasecurity/setup-trivy to this repo's allowed actions?

Here is my issue:

Error: Bad request - aquasecurity/[email protected] is not allowed to be used in xxx/yyy

PS: adding aquasecurity/setup-trivy to our allowed actions did NOT fix the issue

@markbaird

@cafesanu I'm getting the same error: jaxxstorm/[email protected] is not allowed to be used in xxx/yyy. It is on a repo that has been running this action fine for a long time. The issue isn't with allowing aquasecurity/setup-trivy; it is with allowing this other third-party action jaxxstorm/action-install-gh-release that Trivy suddenly depends on. My organization only allows verified GitHub Actions to be used in our repos. Trivy is a verified action, but jaxxstorm/action-install-gh-release is not. Depending on jaxxstorm/action-install-gh-release essentially makes Trivy a non-verified action now.

mmguero commented Oct 10, 2024

Here's the offending commit, at least in the setup-trivy action that is now a dependency of trivy-action.

@DmitriyLewen (Contributor)

Hello all!
setup-trivy uses jaxxstorm/action-install-gh-release.
jaxxstorm/action-install-gh-release is not verified in GH marketplace.
Some actions do not allow actions to be used without verification.

We are already working on setup-trivy v0.2.0 without using jaxxstorm/action-install-gh-release.
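As an added illustration of the dependency chain described in this thread (this is not code from trivy-action, setup-trivy or any of the commenters): a small Python audit that walks a workflow's `uses:` references and descends into composite actions, so that a nested third-party action surfaces in review instead of at run time when GitHub's allowed-actions policy rejects it. The workflow, the action.yml bodies and the version refs below are constructed to mirror the shape reported above, not the projects' real files; the policy model (own org, GitHub-authored, or Marketplace-verified creator, with `aquasecurity` assumed to be a verified creator and `xxx` as the org) is an approximation of the organization setting, not GitHub's implementation.

```python
import re

# Matches a `uses:` step in workflow or composite-action YAML (no YAML library needed).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)', re.MULTILINE)
SHA40_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample workflow (not any reporter's real workflow).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.27.0
        with:
          scan-type: fs
"""

# Constructed action.yml bodies keyed by owner/repo. They imitate the dependency
# shape described in the thread; contents and refs are illustrative, not the
# projects' real manifests.
SAMPLE_MANIFESTS = {
    "aquasecurity/trivy-action": """\
runs:
  using: composite
  steps:
    - uses: aquasecurity/setup-trivy@v0.1.0
    - shell: bash
      run: trivy --version
""",
    "aquasecurity/setup-trivy": """\
runs:
  using: composite
  steps:
    - uses: jaxxstorm/action-install-gh-release@v1.12.0
      with:
        repo: aquasecurity/trivy
""",
    "jaxxstorm/action-install-gh-release": """\
runs:
  using: node20
  main: dist/index.js
""",
}


def parse_uses(yaml_text):
    """Return every `uses:` target in the given YAML text, in order."""
    return USES_RE.findall(yaml_text)


def split_uses(uses):
    """Split 'owner/repo[/path]@ref' into ('owner/repo', ref).

    Local ('./x') and container ('docker://...') references have no GitHub
    owner to check, so they return (None, None).
    """
    if uses.startswith("./") or uses.startswith("docker://"):
        return None, None
    name, _, ref = uses.partition("@")
    parts = name.split("/")
    if len(parts) < 2:
        return None, None
    return f"{parts[0]}/{parts[1]}", ref


def is_allowed(repo, org, verified_owners):
    """Model of the policy in the thread: own org, GitHub-authored, or verified creator."""
    owner = repo.split("/")[0]
    return owner == org or owner in ("actions", "github") or owner in verified_owners


def audit_workflow(workflow_yaml, manifests, org, verified_owners):
    """Walk the workflow and every composite action it pulls in, transitively.

    Returns one finding per distinct `uses:` reference with the chain of actions
    that introduced it, whether the policy allows it, and whether it is SHA-pinned.
    """
    findings = []
    seen = set()

    def walk(yaml_text, chain):
        for uses in parse_uses(yaml_text):
            repo, ref = split_uses(uses)
            if repo is None or uses in seen:
                continue
            seen.add(uses)
            findings.append({
                "uses": uses,
                "chain": list(chain),
                "allowed": is_allowed(repo, org, verified_owners),
                "pinned": bool(SHA40_RE.match(ref)),
            })
            # Composite actions can reference further actions; descend into them.
            manifest = manifests.get(repo)
            if manifest and "using: composite" in manifest:
                walk(manifest, chain + [repo])

    walk(workflow_yaml, [])
    return findings


def blocked(findings):
    """Return the references the policy would reject, with the chain that pulled them in."""
    return [f for f in findings if not f["allowed"]]


if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW, SAMPLE_MANIFESTS,
                             org="xxx", verified_owners={"aquasecurity"})
    for f in results:
        via = " -> ".join(f["chain"]) or "(workflow)"
        print(f"{f['uses']:48} allowed={f['allowed']!s:5} pinned={f['pinned']!s:5} via {via}")
```

Run against the constructed inputs, the only blocked reference is jaxxstorm/action-install-gh-release, reached via aquasecurity/trivy-action -> aquasecurity/setup-trivy, which is exactly the chain the reporters hit. The separate `pinned` flag is there because the allow-list is about who publishes an action, not what it contains: a tag such as `v1` can be moved, so a reviewer normally wants both a permitted owner and a 40-character commit SHA.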

ukho-cfreeman commented Oct 11, 2024

Using actions from unverified repositories is a major security concern for us, so your work is appreciated, @DmitriyLewen.

@Roy-Gal-Git

Encountered in v0.27.0 too.
#405

@DmitriyLewen (Contributor)

FYI - I created aquasecurity/setup-trivy#5 to use git package instead of jaxxstorm/action-install-gh-release

@Roy-Gal-Git

FYI - @DmitriyLewen opened a PR where he bumped the setup-trivy version #411.
Waiting for @simar7's approval.

avnes commented Oct 15, 2024

The way this is bundled is the blueprint for how supply chain attacks work. I hope this gets fixed soon.

simar7 (Member) commented Oct 15, 2024

New (v0.28.0) release of trivy-action should address this. Please give it a try.

@Roy-Gal-Git

Solved in https://github.com/aquasecurity/trivy-action/releases/tag/0.28.0.
Thank you @DmitriyLewen, @simar7

@DmitriyLewen (Contributor)

Looks like v0.28.0 fixes this problem.
@simar7 I think we can close this issue.


9 participants