-
Notifications
You must be signed in to change notification settings - Fork 246
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: set envs only when passed #405
Conversation
Signed-off-by: knqyf263 <knqyf263@gmail.com>
set_env_var_if_provided "TRIVY_EXIT_CODE" "${{ inputs.exit-code }}" "" | ||
set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "${{ inputs.ignore-unfixed }}" "false" | ||
set_env_var_if_provided "TRIVY_PKG_TYPES" "${{ inputs.vuln-type }}" "os,library" | ||
set_env_var_if_provided "TRIVY_SEVERITY" "${{ inputs.severity }}" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we use inputs.severity.default
? (https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#inputsinput_iddefault)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was looking for it, but I couldn't. I'll try it. Thanks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, this is just a document about syntax of action.yaml. I don't think it's available, but I'll give it a shot.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't work. An empty string is filled.
1a12292
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it. Thanks that you checked that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a bummer.... 🫤
Signed-off-by: knqyf263 <knqyf263@gmail.com>
This reverts commit 1a12292.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
# Set environment variables, handling those with default values | ||
# cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables | ||
set_env_var_if_provided "TRIVY_INPUT" "${{ inputs.input }}" "" | ||
set_env_var_if_provided "TRIVY_EXIT_CODE" "${{ inputs.exit-code }}" "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it isn't set, is the default equivalent to a zero for this case?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm aware that would be the default Trivy behavior (if exit code is not specified), I am just not sure how GitHub Actions interprets an empty string in this case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it isn't set, is the default equivalent to a zero for this case?
The action will not set TRIVY_EXIT_CODE
and Trivy CLI just uses the default value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am just not sure how GitHub Actions interprets an empty string in this case.
If the input is empty or the same as a default value, it doesn't set an environment variable.
@knqyf263 Does your fix work for all I'm encountering the TOOMANYREQUESTS issue #389. I don't see that |
|
@knqyf263 Then how come I'm experiencing the problem when I set them? - name: Trivy vulnerability scan
uses: aquasecurity/trivy-action@0.26.0
with:
scan-type: image
image-ref: 'FILTERED'
trivy-config: .trivy/trivy.yaml
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
My trivy-config is ignored. |
What I understand is that whenever any |
No, only variables defined in |
I tested and it worked. |
@knqyf263 Can you test it with |
Worked. Please create a small repository to reproduce your issue. |
No need if it worked :) I'll wait for your merge. Thanks! |
I upgraded to 0.27.0 and now a new error was raised...
I know that there's an open issue (#409) about this bug. |
I don't think it's a bug. It just depends on your configuration. We'll fix it anyway, though. |
Problem
Currently, all
TRIVY_XXX
environment variables are always passed toentrypoint.sh
, which prevents configurations set intrivy.yaml
from being correctly applied. This occurs because environment variables take precedence over configuration files.Proposed Solution
This PR implements a workaround to set environment variables only when values are explicitly provided. However, there's currently no reliable method to determine if a value has been passed in GitHub Actions (see actions/runner#924).
Implementation Details
TRIVY_CACHE_DIR
is an exception and is always set, as it requires a value different from Trivy's default.TRIVY_CACHE_DIR
cannot be controlled viatrivy.yaml
due to this implementation.Testing
https://github.com/knqyf263/trivy-action-test/actions/runs/11250664411/job/31280013016