trivy cannot find pnpm-lock.yaml #395

Open
FanYuan0208 opened this issue Sep 30, 2024 · 2 comments

Comments

@FanYuan0208

My project directory is like:
[image: screenshot of the project directory, not captured]

And I run the Actions like:

    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v3
        with:
          version: 8
          run_install: false
      - name: Set node version to ${{ matrix.node_version }}
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node_version }}
          cache: pnpm
          registry-url: "https://npm.pkg.github.com"

      - name: Install
        run: pnpm i

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'repo'
          scan-ref: '.'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: false
          severity: 'CRITICAL,HIGH'
          timeout: 20m0s
        continue-on-error: true

But I got a result of

    2024-09-30T04:03:48Z	INFO	Vulnerability scanning is enabled
    2024-09-30T04:03:48Z	INFO	Secret scanning is enabled
    2024-09-30T04:03:48Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
    2024-09-30T04:03:48Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
    2024-09-30T04:03:48Z	INFO	Number of language-specific files	num=0

So no report is generated.


FanYuan0208 commented Oct 1, 2024

After setting the pnpm version to 9, the pnpm-lock.yaml seems to be found.

    2024-10-01T00:04:49Z	INFO	Secret scanning is enabled
    2024-10-01T00:04:49Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
    2024-10-01T00:04:49Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
    2024-10-01T00:04:50Z	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
    2024-10-01T00:04:50Z	INFO	Number of language-specific files	num=1

But still no result is generated.
Should I specify --include-dev-deps? I tried like:

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'repo'
          scan-ref: '.'
          trivy-config: trivy-config.yaml
        continue-on-error: true

    timeout: 20m0s
    include-dev-deps: true
    exit-code: 1
    format: 'table'
    ignore-unfixed: false
    severity: 'CRITICAL,HIGH'

But it's not working. And also, adding the extra trivy-config.yaml causes GitHub to treat it as an action definition and run a failed job.


FanYuan0208 commented Oct 7, 2024

I've tried to use trivy directly, and the report seems to be empty without the parameter --include-dev-deps.
So the issue turns into how to set --include-dev-deps in github actions.
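One way to pass that flag from a workflow, added here as an example and not code from this issue or from the trivy-action project: Trivy reads every CLI flag from an environment variable built as `TRIVY_` plus the flag name upper-cased with `-` replaced by `_`, so a step-level `env:` entry reaches the scanner without a separate config file. It assumes the action forwards the step's environment to the trivy process, and it scans the lockfile directly, so the pnpm install step from the original workflow is left out.

```yaml
# Added example, not code from the issue or from trivy-action.
# Minimal workflow that scans the repository's lockfiles (pnpm-lock.yaml
# included) and asks Trivy to report devDependencies as well.
name: trivy-scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner (with dev dependencies)
        # Assumption: the step's `env:` is passed through to the trivy process.
        # Pin this to a release tag or commit SHA instead of @master when the
        # result gates a merge.
        uses: aquasecurity/trivy-action@master
        env:
          # Trivy maps each CLI flag to TRIVY_<FLAG> with '-' replaced by '_',
          # so this is the same as passing --include-dev-deps. Without it the
          # log reports "Suppressing dependencies for development and testing"
          # and the table can come back empty.
          TRIVY_INCLUDE_DEV_DEPS: "true"
        with:
          scan-type: 'repo'
          scan-ref: '.'
          format: 'table'
          ignore-unfixed: false
          severity: 'CRITICAL,HIGH'
          timeout: 20m0s
          # exit-code 1 only fails the job when continue-on-error is not set;
          # the original step set continue-on-error: true, which means findings
          # never fail the build, so it is deliberately omitted here.
          exit-code: '1'
```

If the `trivy-config` route is kept instead, put the file outside `.github/workflows/`, since GitHub treats every YAML file in that directory as a workflow definition.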
