Try fixing the trivy command execution (#16)

cybcon · web-flow · commit 6c05ee3cd450 · 2023-06-10T16:35:32.000+02:00
Using artifact uload and download to transport container images for scans and start trivy as root
diff --git a/.github/workflows/container-vulnerability-scan.yaml b/.github/workflows/container-vulnerability-scan.yaml
@@ -2,10 +2,18 @@ name: Container vulnerability scan
 on:
   workflow_call:
     inputs:
-      image:
+      image_name:
         type: string
         description: Container image name and tag to scan
         required: true
+      image_artifact_name:
+        type: string
+        description: Container image artifact name to identify the container image file from artifacts
+        required: false
+      image_artifact_filename:
+        type: string
+        description: Container image file that needs to be downloaded from artifacts
+        required: false
       login_dockerhub:
         type: boolean
         description: "Login to DockerHub, requires the secrets DOCKERHUB_USERNAME and DOCKERHUB_PASSWORD (default: false)"
@@ -41,6 +49,31 @@ jobs:
       - name: Pull aquasec/trivy
         run: |
           docker pull aquasec/trivy:${{ inputs.trivy_tag }}
+      - name: Download container image from artifacts if uploaded
+        if: ${{ inputs.image_artifact_name }} && ${{ inputs.image_artifact_filename }}
+        uses: actions/download-artifact@v2
+        with:
+          name: ${{ inputs.image_artifact_name }}
+          path: /tmp
+      - name: Load container image file if one is shipped via artifacts
+        if: ${{ inputs.image_artifact_name }} && ${{ inputs.image_artifact_filename }}
+        run: |
+          docker load --input /tmp/${{ inputs.image_artifact_filename }}
+          RC=$?
+          if [ ${RC} -gt 0 ]; then
+            exit ${RC}
+          fi
+      - name: Pull container image that should be scanned if no container image is shipped via artifacts
+        if: ! ${{ inputs.image_artifact_name }} && ! ${{ inputs.image_artifact_filename }}
+        run: |
+          docker pull ${{ inputs.image_name }}
+          RC=$?
+          if [ ${RC} -gt 0 ]; then
+            exit ${RC}
+          fi
+      - name: List available container images in local repository
+        run: |
+          docker image ls -a
       - name: Vulnerability scan
         run: |
-          docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:${{ inputs.trivy_tag }} -q image ${{ inputs.image }} | tee -a ${GITHUB_STEP_SUMMARY}
+          docker run -u 0 --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:${{ inputs.trivy_tag }} -q image ${{ inputs.image_name }} >> ${GITHUB_STEP_SUMMARY} 2>&1
