
scout-action's Introduction

About

GitHub Action to run the Docker Scout CLI as part of your workflows.

You can pick one of the following commands to run:

  • quickview: get a quick overview of an image, base image and available recommendations
  • compare: compare an image to a second one (for instance to latest)
  • cves: display vulnerabilities of an image
  • recommendations: display available base image updates and remediation recommendations
  • sbom: generate the SBOM of the image
  • environment: record an image to an environment
  • attestation-add: add attestation to an existing image


Inputs

Command

You can run one or multiple commands in the same GitHub Action run. Use a comma separated list to run several commands.

command required string Single command to run or comma separated list of commands to run in order.
Possible values:
  • quickview
  • compare
  • cves
  • recommendations
  • sbom
  • environment

The commands will be run in the order given and will share the same parameters.

For instance, if you built an image and want to display a quickview as well as to compare it against the latest indexed one, set the action as following:

command: quickview,compare
image: ${{ steps.meta.outputs.tags }}
to-latest: true

Authentication

Login to Docker Hub

To use scout features you need to be authenticated against Docker Hub.

You can use the parameters below to authenticate, or you can use the docker/login-action.

dockerhub-user optional string Docker Hub user id
dockerhub-password optional string Docker Hub password or PAT

Login to a registry to pull private images (non Docker Hub)

registry-user required to pull from other private registry string Registry user id to pull images
registry-password required to pull from other private registry string Registry password or PAT to pull images

Common Inputs

Image

image optional (*) string Prefixed name of the image, directory or archive to operate on
platform optional current platform by default string Platform of the image to analyze (or the current platform)
ref optional default is empty string Reference to use if the provided tarball contains multiple images, only with archives

(*) If image is not set (or empty) the most recently built image, if any, will be used instead.

Prefix

The image field can be prefixed to indicate the type of content to analyse. If no prefix is set, the image:// prefix is used.

Available prefixes:

  • image://: optional prefix, the target is an image that first will be resolved locally then, if not found, will be resolved to the associated registry
  • local://: only resolve the image from the local image store
  • registry://: do not use the local image store, only use the registry
  • oci-dir://: local directory to be read as an OCI directory
  • archive://: image archive generated by docker save command, as a tar file
  • fs://: local directory or file
  • sbom:// SPDX file or in-toto attestation file with SPDX predicate or syft json SBOM file
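As an added example (not part of the scout-action README), the following workflow shows two of these prefixes together with the authentication inputs described above: the build is exported to a tar archive and scanned through archive://, while the comparison baseline is resolved only from the registry through registry://. The organization, image name and secret names (DOCKER_USER, DOCKER_PAT) are placeholders, not values from the project.

```yaml
# Added example, not from the docker/scout-action README. example-org, example-app
# and the secret names are placeholders.
name: Scan image archive

on:
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read        # pull the private baseline image from ghcr.io
      pull-requests: write  # let the action post the comparison as a PR comment
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      # Export the build result as a docker-format tar instead of pushing it,
      # so the unreviewed candidate image never leaves the runner.
      - name: Build image to archive
        uses: docker/build-push-action@v5
        with:
          context: .
          outputs: type=docker,dest=image.tar
          tags: ghcr.io/example-org/example-app:pr-${{ github.event.pull_request.number }}

      - name: Docker Scout
        uses: docker/scout-action@v1
        with:
          command: quickview,compare
          # archive:// reads the tar produced by the build step; the archive
          # holds a single image, so no ref is needed
          image: archive://image.tar
          # registry:// skips the local image store and resolves the baseline
          # from the registry only, so a stale local tag cannot be compared by mistake
          to: registry://ghcr.io/example-org/example-app:latest
          # Docker Hub credentials entitle the run to use Scout
          dockerhub-user: ${{ secrets.DOCKER_USER }}
          dockerhub-password: ${{ secrets.DOCKER_PAT }}
          # registry credentials are used only to pull the private baseline
          registry-user: ${{ github.actor }}
          registry-password: ${{ secrets.GITHUB_TOKEN }}
          ignore-unchanged: true
```

The same archive could be scanned with the cves or sbom commands by keeping the archive:// value for image; the prefix only changes how the target is resolved, not which commands accept it.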

Organization namespace

Namespace of the Docker Organization is required to match the query with the right data.

When using environments (for instance to compare an image to the one from a defined environment, or when comparing to the latest indexed one) the organization parameter is required.

organization required to compare to environments/latest indexed or to manage environments, optional in other cases (default empty) string Namespace of the Docker organization

Step Summary

By default the Markdown output of the command (if supported) will be displayed as a Job Summary. This can be disabled if needed.

summary optional default is true boolean Display output as Job Summary

Pull Request Comments

When triggered by a pull_request event, the output of the scout command can be written as a comment.

This behaviour is enabled by default.

By default one single comment per job step will be kept and updated at each run. If you prefer to keep previous comments but hide them, set the keep-previous-comments parameter to true.

pull-requests: write permission is required to allow the GitHub action to create the comment.

github-token optional default is github.token string GitHub Token to create the comment
write-comment optional default is true boolean Boolean, write a comment with scout output
keep-previous-comments optional default is false boolean If set, keep but hide previous comment. If not set, keep and update one single comment per job

Output

The text version of the command output will be displayed in the logs. The markdown version (if one exists) will be set as an output of the step, using the command name as identifier, and will be displayed as a Pull Request comment or Step Summary.

compare Inputs

Compare to an image

to required string Prefixed name of the image, directory or archive to compare with
to-ref optional default is empty string Reference to use if the provided tarball contains multiple images, only with archives

See Prefix above about the available prefixes for the to argument.

Compare to an environment

to-env (*) string Name of the environment to compare with
to-stream deprecated (*) string Name of the stream to compare with
to-latest (*) boolean Compare to latest indexed image

(*) One and only one needs to be defined.

Common Inputs

ignore-unchanged optional default is false boolean Filter out unchanged packages
only-severities optional default is empty (all severities) string Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by
only-package-types optional default is empty (all types) string Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
only-fixed optional default is false boolean Filter to fixable CVEs
only-unfixed optional default is false boolean Filter to unfixed CVEs
only-cisa-kev optional default is false boolean Filter to CVEs listed in the CISA Known Exploited Vulnerabilities catalog
exit-code optional default is false boolean Return exit code 2 if vulnerability changes are detected
exit-on optional default is empty string (compare only) Comma separated list of conditions to fail the action step if worsened, options are: vulnerability, policy
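As an added example (not code from the scout-action README), the step below turns compare into a merge gate: it diffs the pull-request image against the latest indexed image of the same repository and fails the step when the vulnerability set or the policy evaluation got worse. It assumes a preceding docker/metadata-action step with id meta, and example-org is a placeholder organization namespace.

```yaml
# Added example, not from the docker/scout-action README. Assumes a metadata step
# with id "meta"; example-org is a placeholder.
      - name: Docker Scout gate
        id: docker-scout-gate
        if: ${{ github.event_name == 'pull_request' }}
        uses: docker/scout-action@v1
        with:
          command: compare
          image: ${{ steps.meta.outputs.tags }}
          # compare against the most recently indexed image of this repository;
          # organization is required whenever to-latest or to-env is used
          to-latest: true
          organization: example-org
          # restrict the diff to findings a reviewer can act on now
          only-severities: critical,high
          only-fixed: true
          ignore-unchanged: true
          # fail the step if either the vulnerability set or the policy
          # evaluation worsened, rather than only reporting the change
          exit-on: vulnerability,policy
          # keep earlier comments (hidden) so the history of the check stays
          # visible on the pull request
          write-comment: true
          keep-previous-comments: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

exit-code: true would instead return exit code 2 on any vulnerability change; exit-on lets the step choose which worsening condition fails the check, and the job needs pull-requests: write for the comment to be posted.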

cves Inputs

only-severities optional default is empty (all severities) string Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by
only-package-types optional default is empty (all types) string Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
only-fixed optional default is false boolean Filter to fixable CVEs
only-unfixed optional default is false boolean Filter to unfixed CVEs
ignore-base optional default is false boolean Ignore base image vulnerabilities
sarif-file optional default is empty (no output file) string Write output to a SARIF file for further processing or upload into GitHub code scanning
only-vex-affected optional default is false boolean Filter out CVEs that are marked not affected by a VEX statement
vex-author optional default is empty string List of VEX statement authors to accept
vex-location optional default is empty string File location of directory or file containing VEX statement
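As an added example (not from the scout-action README), the workflow below runs cves on a locally built image, applies VEX statements kept in the repository, and uploads the SARIF report to GitHub code scanning. The vex directory path, the accepted VEX author identity, the image name and the secret names (DOCKER_USER, DOCKER_PAT) are placeholders.

```yaml
# Added example, not from the docker/scout-action README. ./vex, the author
# identity, example-app and the secret names are placeholders.
name: Scout CVEs with VEX

on:
  pull_request:

jobs:
  cves:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      security-events: write   # required by codeql-action/upload-sarif
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}

      # build and load into the local daemon so the default image:// prefix
      # resolves the image without pushing it anywhere
      - name: Build image
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          tags: example-app:${{ github.sha }}

      - name: Docker Scout cves
        id: docker-scout-cves
        uses: docker/scout-action@v1
        with:
          command: cves
          image: example-app:${{ github.sha }}
          # limit the report to fixable findings introduced above the base image
          only-fixed: true
          ignore-base: true
          # drop CVEs that a VEX statement marks as not affected, but only
          # accept statements signed by the listed author
          only-vex-affected: true
          vex-location: ./vex
          vex-author: security@example.com
          sarif-file: scout.sarif.json
          summary: true

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: scout.sarif.json
```

Restricting vex-author is what keeps a VEX file dropped into the repository by an unreviewed change from silencing a finding: statements whose author is not on the accepted list are not applied. The SARIF file is written by the cves step whether or not the upload step runs, so it can also be kept as a build artifact.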

sbom Inputs

format optional default is json string Format of the SBOM to generate (json, list, spdx)
output optional default is empty string Path of the output file to write the SBOM

recommendations Inputs

only-refresh optional default is false boolean Only display base image refresh recommendations
only-update optional default is false boolean Only display base image update recommendations

environment Inputs

The image input must be an image in your local image store or in a registry. You can use prefixes to control whether to use a local or remote image. The following prefixes are supported:

  • image:// (optional)
  • local://
  • registry://

environment required string Name of the environment to record the image

See Environment example

attestation-add Inputs

file optional default is empty string File path to the attestation file
predicate-type optional default is empty string Predicate type of the attestation

Example usage

Build an image, push and compare

name: Docker

on:
  push:
    tags: [ "*" ]
    branches:
      - 'main'
  pull_request:
    branches: [ "**" ]

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: docker.io
  IMAGE_NAME: ${{ github.repository }}
  SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
  # Use `latest` as the tag to compare to if empty, assuming that it's already pushed
  COMPARE_TAG: latest

jobs:
  build:

    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      pull-requests: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          ref: ${{ env.SHA }}

      - name: Setup Docker buildx
        uses: docker/[email protected]
        with:
          driver-opts: |
            image=moby/buildkit:v0.10.6

      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/[email protected]
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/[email protected]
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          labels: |
            org.opencontainers.image.revision=${{ env.SHA }}
          tags: |
            type=edge,branch=$repo.default_branch
            type=semver,pattern=v{{version}}
            type=sha,prefix=,suffix=,format=short

      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/[email protected]
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Docker Scout
        id: docker-scout
        if: ${{ github.event_name == 'pull_request' }}
        uses: docker/scout-action@v1
        with:
          command: compare
          image: ${{ steps.meta.outputs.tags }}
          to: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.COMPARE_TAG }}
          ignore-unchanged: true
          only-severities: critical,high
          write-comment: true
          github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment

All-in-one

For the latest built image, display:

  • the vulnerabilities (ignoring the base image, only displaying vulnerabilities with a fix available)
  • the available recommendations
  • compare it to the latest image indexed for the same repository (only displaying changed packages and vulnerabilities that already have a fix)

      - name: Docker Scout
        id: docker-scout
        uses: docker/scout-action@v1
        with:
          command: cves,recommendations,compare
          to-latest: true
          ignore-base: true
          ignore-unchanged: true
          only-fixed: true

Analyze vulnerabilities and upload report to GitHub code scanning

When GitHub code scanning is enabled, the sarif-file input can be used to upload the vulnerabilities to GitHub.

      - name: Analyze for critical and high CVEs
        id: docker-scout-cves
        if: ${{ github.event_name != 'pull_request_target' }}
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ steps.meta.outputs.tags }}
          sarif-file: sarif.output.json
          summary: true

      - name: Upload SARIF result
        id: upload-sarif
        if: ${{ github.event_name != 'pull_request_target' }}
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: sarif.output.json

Record an image deployed to an environment

      - name: Build and push Docker image
        id: build-and-push
        uses: docker/[email protected]
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Docker Scout
        id: docker-scout-environment
        uses: docker/scout-action@v1
        with:
          command: environment
          image: ${{ steps.meta.outputs.tags }}
          environment: prod
          organization: my-docker-org

License

The Docker Scout CLI is licensed under the Terms and Conditions of the Docker Subscription Service Agreement.

scout-action's People

Contributors

billytom, cdupuis, chrischinchilla, docker-scout-ci[bot], eunomie, felipecruz91, mcapell, mikeparker, spodjasek


scout-action's Issues

feature request: do not leak image names that use secrets in github comments

If the image uses a secret the value of the secret is leaked in the github comment.

In the example image below the image reference leaks the value of secrets (if they are used for the image name).
In case a secret is used as part of the image name the image reference should display *** for the secrets instead of leaking them.

some examples: ***/scout-demo-service:main, docker/scout-demo-service:***, ***/***:latest

(screenshot)

Recommendations is generating an error

Hi there! I have the following steps in my action:

      - name: Docker Login
        id: docker-login
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Docker Scout
        id: docker-scout
        uses: docker/[email protected]
        with:
          command: quickview,cves,recommendations
          image: ${{ env.IMAGE_NAME }}:${{ steps.prep.outputs.BUILD_ID }}
          ignore-unchanged: true
          write-comment: false
          sarif-file: docker-scout-results.output.json

      - name: Upload Docker Scout scan results as artifact
        id: upload-docker-scout-results
        uses: actions/upload-artifact@v2
        with:
          name: docker-scout-results-${{ github.run_id }}.json
          path: docker-scout-results.output.json

And it's generating the following error for recommendations:

recommendations
      ✓ SBOM of image already cached, 1718 packages indexed
  panic: runtime error: invalid memory address or nil pointer dereference
  [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x17a7adc]
  
  goroutine 1 [running]:
  github.com/docker/scout-cli-plugin/internal/mk.DiffVulnSummaryVertical(0xc02078a630, 0x0)
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/mk/mk.go:294 +0x3c
  github.com/docker/scout-cli-plugin/internal/format/recommendations.fillCurrentTag({0xc026e4b9f0, 0xe}, {0xc0123f4718?, 0x8, 0x2?}, 0xc01f325950)
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/format/recommendations/markdown.go:217 +0xad5
  github.com/docker/scout-cli-plugin/internal/format/recommendations.genMk(0xc01dcfd170, 0xc01dd71720, 0xc00006c800?, {0x20?, 0x11?, {0x0?, 0xc01f325c10?}}, {0xc021513040, 0x3b}, {0x210f51f, ...}, ...)
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/format/recommendations/markdown.go:81 +0x565
  github.com/docker/scout-cli-plugin/internal/format/recommendations.PrintMarkdown({0x2b021a0, 0xc0207d1120}, 0xc000136080?, 0xc02023c000?, 0x0?, {0x0?, 0x0?, {0x0?, 0x0?}}, {0xc021513040, ...}, ...)
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/format/recommendations/markdown.go:54 +0x87
  github.com/docker/scout-cli-plugin/internal/gha.(*recommendationsCmd).Run(0x1e5d9a0?, {0x2b15a70, 0xc0005b9e90}, 0xc0008ec000, 0x50b668?, 0xc0003e85b0)
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/gha/recommendations.go:50 +0x23d
  github.com/docker/scout-cli-plugin/internal/gha.Run({0x2b15a70, 0xc0005b9e90}, 0xc0008ec000, {0xc00004443d, 0xf}, 0xc0005f4170?, 0xc0004e8278?)
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/gha/commands.go:116 +0x9f
  main.run()
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/github-action/main.go:72 +0x4a5
  main.main()
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/github-action/main.go:83 +0x13

I'm happy to provide you with any additional information you need, if I can provide it.

Thank you for your help!

Error: could not authenticate: user githubactions not entitled to use Docker Scout

I have this error if I use "Login to a registry to pull private images (non Docker Hub)". I add registry-user and registry-password here (service principal, access key and user name, PAT and name of PAT). It never works. But if I use dockerhub user and dockerhub password it works. What is the problem? I also tried using login-action with ACR and the login succeeded, but docker scout always failed. My action:
name: Build and Scan Docker Image

on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Login to ACR
        uses: docker/login-action@v3
        with:
          registry: test.azurecr.io
          username: test
          password: test123

      - name: Build and Push Backend
        shell: bash
        run: |
          docker build -t my-node-app .

      - name: Docker Scout
        id: docker-scout
        if: ${{ github.event_name != 'pull_request_target' }}
        uses: docker/[email protected]
        with:
          command: cves
          image: my-node-app
          only-severities: low
          exit-code: true

how to fix?

panic: runtime error: invalid memory address or nil pointer dereference

For this Docker Scout code snippet I am facing the error mentioned below.

      - name: Docker Scout for image vulnerabilities 
        id: docker-scout
        uses: docker/[email protected]
        with:
          command: quickview,cves,sbom,recommendations
          image: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
        env:
          IMAGE_NAME: ${{ inputs.ECR_REPOSITORY_NAME }}
          IMAGE_TAG: ${{ github.sha }}

I get these error logs at run time:

      ✓ SBOM of image already cached, 902 packages indexed
  panic: runtime error: invalid memory address or nil pointer dereference
  [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x198c3e2]
  
  goroutine 1 [running]:
  github.com/docker/scout-cli-plugin/internal/mk.DiffVulnSummaryVertical(0xc02ccde870, 0x0)
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/mk/mk.go:295 +0x42
  github.com/docker/scout-cli-plugin/internal/format/recommendations.fillCurrentTag({0xc02cb435a0, 0x9}, {0xc012088718?, 0xa, 0x2?}, 0xc02ce779b8)
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/format/recommendations/markdown.go:216 +0xaf8
  github.com/docker/scout-cli-plugin/internal/format/recommendations.genMk(0xc02cb20750, 0xc02bcb0820, 0xc000076800?, {0xc0?, 0x8c?, {0x0?, 0xc02ce77c78?}}, {0xc00004240c, 0x2d}, {0x1db32ae, ...}, ...)
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/format/recommendations/markdown.go:80 +0x545
  github.com/docker/scout-cli-plugin/internal/format/recommendations.PrintMarkdown({0x2650d60, 0xc02cde8cc0}, 0x4af960?, 0xc00004c110?, 0xc028f4dcc8?, {0x48?, 0xdd?, {0x0?, 0xc0000920c0?}}, {0xc00004240c, ...}, ...)
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/format/recommendations/markdown.go:53 +0x8d
  github.com/docker/scout-cli-plugin/internal/gha.(*recommendationsCmd).Run(0x1b65f60?, {0x265d210, 0xc00004c1f0}, 0xc000bd8840, 0xc00047b6d8?, 0xc0006d2000)
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/gha/recommendations.go:49 +0x279
  github.com/docker/scout-cli-plugin/internal/gha.Run({0x265d210, 0xc00004c1f0}, 0xc000bd8840, {0xc0000423e2, 0xf}, 0xc000006101?, 0xc000072690?)
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/gha/commands.go:101 +0xb0
  main.run()
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/github-action/main.go:68 +0x4a5
  main.main()
  	/home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/github-action/main.go:79 +0x19

How to troubleshoot, getting stuck after first line of `...Storing image for indexing`

My job gets stuck/fails (repeatedly after reruns/retries) after outputting:
...Storing image for indexing

I'm using it like this:

name: Docker image

on:
  push:
    branches:
      - master
  pull_request:
  merge_group:

env:
  IMAGE: my.regist.ry/my/image

jobs:
  build:
    runs-on: ubuntu-latest
    name: Build & test
    permissions:
      contents: read
      id-token: write
      statuses: write
      checks: write
      pull-requests: write
    steps:

      - name: Setup Docker (Buildx)
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3

      # [...]

      - name: Setup Docker (Docker Hub login, for Docker Scout)
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
        with:
          username: ${{ vars.SECRET_USERNAME }}
          password: ${{ secrets.SECRET_TOKEN }}

      - name: Build image
        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5
        with:
          push: false
          tags: ${{ env.IMAGE }}:${{ github.sha }},${{ env.IMAGE }}:latest
          cache-from: type=gha
          cache-to: type=gha,mode=max
          load: true # so we can run tests on the image, here in the same workflow

      # [...]

      - name: Docker Scout
        if: ${{ github.event_name == 'pull_request' && !cancelled() }}
        uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
        with:
          command: compare
          image: ${{ env.IMAGE }}:${{ github.sha }}
          to: ${{ env.IMAGE }}:latest
          ignore-unchanged: true
          only-severities: critical,high
          write-comment: true

And this is what it looks like when it gets stuck:

(screenshot, 2023-12-19)

Followed by:
The runner has received a shutdown signal. This can happen when the runner service is stopped, or a manually started runner is canceled.

Change Github API URL (support Gitea/Forgejo)

Hi!

I wanted to use this action for my Gitea/Forgejo instance. It started pretty well but failed when it tried to fetch comments.

::group::compare
    ...Storing image for indexing
    ✓ Image stored for indexing
    ...Indexing
    ✓ Indexed 1179 packages
    ✓ Provenance obtained from attestation
    ...Pulling
    ✓ Pulled
    ...Storing image for indexing
    ✓ Image stored for indexing
    ...Indexing
    ✓ Indexed 837 packages
    ...Pulling
    ✓ Pulled
::error::GET https://api.github.com/repos/kody/atw-watcher/issues/4/comments?direction=desc&per_page=10&sort=updated: 401 Bad credentials []

The GET would have worked if it was with my instance's domain and base path.

Would adding an input to specify the base API URL be possible?
It would be to replace https://api.github.com with https://<gitea domain>/api/v1.
The comments endpoints should work the same as GitHub's, but just in case here's Gitea's swagger from the demo instance.

This could also make it work with other GitHub API-compatible software.

EDIT: I see some actions use this in their inputs inside action.yml:

inputs:
  github-url:
    description: 'Base url of GitHub API'
    required: false
    default: ${{ github.api_url }}

False positive for `sudo` on Alpine

Using the following, we seem to be getting a false positive on a CVE (CVE-2021-3156):

Dockerfile:

FROM alpine:3.14

RUN apk add --no-cache 'sudo>1.9.5'

Commands:

docker build --pull -t test:latest .
docker scout cves test:latest

Result:

Analyzing image test:latest
    ✓ SBOM of image already cached, 19 packages indexed
    ✗ Detected 1 vulnerable package with 1 vulnerability

  0C    1H    0M    0L  sudo 1.9.12_p2-r0
pkg:alpine/sudo@1.9.12_p2-r0?os_name=alpine&os_version=3.14

    ✗ HIGH CVE-2021-3156 [Off-by-one Error]
      https://dso.docker.com/cve/CVE-2021-3156
      Affected range : <1.9.5p2-r0
      Fixed version  : 1.9.5p2-r0
      CVSS Score     : 7.8
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Notice how the image is using sudo version 1.9.12_p2-r0 (newer than the vulnerable version) but the vulnerable version is <1.9.5p2-r0.
Is it possible the _ after 12 is causing an issue in comparing the version numbers?

Having PR comments using workflow_dispatch

Hello, I'm executing docker scout action by REST from another CI system (which releases the artifacts),
will it be possible to write PR comments also for event.type=workflow_dispatch?

Thanks

`403 Forbidden` errors in `cves` command

Hi everyone! 👋

We are using the docker/scout-action in our CD pipeline, and we started getting 403 errors from the cves command today. The error looks like this:

Error: API operation failed: Message: 403 Forbidden; body: "\n<html><head>\n<meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\">\n<title>403 Forbidden</title>\n</head>\n<body text=#000000 bgcolor=#ffffff>\n<h1>Error: Forbidden</h1>\n<h2>Your client does not have permission to get URL <code>/v1/graphql</code> from this server.</h2>\n<h2></h2>\n</body></html>\n", Locations: [], Extensions: map[code:request_error], Path: []

This does not happen on every image. I am getting cves for some of our images (logs, comments, the works), and errors for others. Couldn't find any system. This makes me think that it's not an issue with our secrets (PAT).

❓ Could you help me understand what could lead to this error?
Which service does the action try to reach in this case? (Our registry, something internal in Scout, GitHub? What should I double check in our access credentials?)

What I tried?

I tried running docker scout cves with the same configuration on the same images locally on v1.9.3 — the command runs, and I am receiving correct output in all cases. This makes me think the error is related to the actions specifically. 🤔

I also tried setting the version of the action to v1.9.1, this did not change the error.

Runners

We run our actions on self-hosted x86 ubuntu

Output

Here is the full output of the action including the configuration

Run docker/scout-action@v1
  with:
    command: cves
    dockerhub-user: ***
    dockerhub-password: ***
    image: ***redacted***
    only-severities: critical,high
    exit-code: false
    only-fixed: true
    summary: true
    format: json
    github-token: ***
    write-comment: true
/usr/bin/docker exec  ***there_was_a_long_hash_here*** sh -c "cat /etc/*release | grep ^ID"
cves
      ...Pulling
      ✓ Pulled
      ...Storing image for indexing
      ✓ Image stored for indexing
      ...Indexing
      ✓ Indexed 647 packages
      ✓ Provenance obtained from attestation
  Error: API operation failed: Message: 403 Forbidden; body: "\n<html><head>\n<meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\">\n<title>403 Forbidden</title>\n</head>\n<body text=#000000 bgcolor=#ffffff>\n<h1>Error: Forbidden</h1>\n<h2>Your client does not have permission to get URL <code>/v1/graphql</code> from this server.</h2>\n<h2></h2>\n</body></html>\n", Locations: [], Extensions: map[code:request_error], Path: []

Please let me know if you need additional information

Compare to Repo: Unable to Parse Repo URL

Desc

I get this error when trying to compare my image to the latest released version.

Error

Error: could not get the image ghcr.io/Org/Repo:latest: failed to parse reference ghcr.io/Org/Repo:latest: could not parse reference: ghcr.io/Org/Repo:latest

I believe the issue has to do with the name of the GitHub Organization and/or Repo having capital letters in them.

When I tried to run the step with the to: flag being all lowercase characters instead of using ghcr.io/${{github.repository}} (which could return capital letters depending on the name of the User/Org and Repo) it worked without issue.

Job Step (Not Working)

- name: Docker Scout Recommendations
  id: docker-scout-recs
  if: ${{ github.event_name == 'pull_request' }}
  uses: docker/[email protected]
  with:
    command: recommendations,compare
    image: ${{ steps.meta.outputs.tags }}
    to: ghcr.io/${{ github.repository }}:latest
    write-comment: true
    github-token: ${{ secrets.GITHUB_TOKEN }}

I'd expect the above to work every time but since my org and repo name include capital letters it throws the error stated.

Job Step (Working)

- name: Docker Scout Recommendations
  id: docker-scout-recs
  if: ${{ github.event_name == 'pull_request' }}
  uses: docker/[email protected]
  with:
    command: recommendations,compare
    image: ${{ steps.meta.outputs.tags }}
    # lowercase characters ONLY in repo url
    to: ghcr.io/org-or-user/repo:latest
    write-comment: true
    github-token: ${{ secrets.GITHUB_TOKEN }}

Recommendation

My recommendation would be to convert the to: flag to all lowercase characters before it attempts to pull the repo.

How to Upload Vulns to Github Code Scanning?

I cannot for the life of me make the findings upload to Code Scanning. I am scanning a Dockerfile that builds using the base image of python:3. This image does contain at least 2 high vulns and many mediums and lows. I don't understand why, though, it will not upload the vulns to code scanning. I have tried using both v1 and v2 of the SARIF upload action in case that was the issue. But right now I am lost.

Yaml file below.

name: Docker

on:
  pull_request:
    branches: ["main"]

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:

  Scout:
    if: github.event_name == 'pull_request'

    runs-on: ubuntu-latest

    permissions:
      contents: read
      packages: read
      pull-requests: write

    steps:

      -
        name: Checkout
        uses: actions/checkout@v3

      -
        name: Setup Docker Buildx
        uses: docker/[email protected]

      -
        name: Extract Metadata
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          flavor: |
            latest=auto

      -
        name: Build Scout Image
        id: build
        uses: docker/build-push-action@v4
        if: ${{ github.event_name == 'pull_request' }}
        with:
          platforms: linux/amd64
          context: ./app
          load: true
          # push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      -
        name: Docker Scout
        id: docker-scout
        if: ${{ github.event_name == 'pull_request' }}
        uses: docker/[email protected]
        with:
          command: recommendations
          image: ${{ steps.meta.outputs.tags }}
          only-severities: critical,high
          write-comment: true
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Analyze for critical and high CVEs
        id: docker-scout-cves
        # if: ${{ github.event_name != 'pull_request_target' }}
        # Version that supports Sarif File Output
        uses: docker/scout-action@main
        with:
          command: cves
          write-comment: false
          image: ${{ steps.meta.outputs.tags }}
          sarif-file: ./sarif.output.json.sarif
          summary: true

      - name: Print Sarif File
        run: cat ./sarif.output.json.sarif
      
      - name: Upload SARIF result
        id: upload-sarif
        # if: ${{ github.event_name != 'pull_request_target' }}
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ./sarif.output.json.sarif
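A job that wires Docker Scout's SARIF output into Code Scanning, added here as an example; it is not from the post above or from the docker/scout-action project. The github/codeql-action/upload-sarif step needs the `security-events: write` permission on the job, which the job in the post does not declare. The image tag, the secret names `DOCKERHUB_USER` and `DOCKERHUB_PAT`, and the `category` value are constructed for the example.

```yaml
jobs:
  scout-cves:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
      security-events: write   # required by github/codeql-action/upload-sarif
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      - name: Build image locally (loaded into the daemon, not pushed)
        uses: docker/build-push-action@v5
        with:
          context: ./app
          load: true
          tags: local/app:pr-${{ github.event.pull_request.number }}   # constructed tag

      - name: Log in to Docker Hub (Scout requires an entitled account)
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USER }}   # assumed secret name
          password: ${{ secrets.DOCKERHUB_PAT }}    # assumed secret name

      - name: Docker Scout CVEs to SARIF
        uses: docker/scout-action@v1
        with:
          command: cves
          image: local/app:pr-${{ github.event.pull_request.number }}
          sarif-file: sarif.output.json
          only-severities: critical,high
          write-comment: false

      - name: Upload SARIF to Code Scanning
        if: ${{ !cancelled() }}   # upload findings even when the scan step fails the job
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif.output.json
          category: docker-scout   # constructed: keeps this upload separate from other SARIF tools
```

Without `security-events: write` the upload step is rejected with a 403 regardless of the SARIF content, and the `category` value keeps results from different scanners from overwriting each other in the Code Scanning view.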

Version 0.19.0 Authentication Issue

Desc

Unable to run the action in its basic state because it fails to authenticate.

Bug

Error: could not authenticate: user githubactions not entitled to use Docker Scout

Job Step

      - name: Docker Scout Recommendations
        id: docker-scout-recs
        if: ${{ github.event_name == 'pull_request' }}
        uses: docker/[email protected]
        with:
          command: recommendations
          image: ${{ steps.meta.outputs.tags }}
          write-comment: true
          github-token: ${{ secrets.GITHUB_TOKEN }}

Recommendation

IDK guys I can't see the source code. But I can tell you that this works fine in v0.18.1 and in this commit.

1.13.0 broke our workflow, downstream auth error

1.12.0 does not have this issue

Our workflow goes:

  1. login to ghcr.io
  2. login to docker hub where we have scout access
  3. build image
  4. push image to ghcr.io
  5. scan image

This is the error we see on 1.13.0 that we are not seeing on 1.12.0:

cves
      ...Storing image for indexing
      ✓ Image stored for indexing
      ...Indexing
      ✓ Indexed 412 packages
      ✓ Provenance obtained from attestation
  Error: could not list CVEs for the image: API operation failed: Message: Not allowed, Locations: [], Extensions: map[arguments:map[context:$context query:map[imageCoords:map[digest:$digest hostname:$hostname repository:$repository] includeExcepted:$includeExcepted packageUrls:$purls]] code:DOWNSTREAM_SERVICE_ERROR status:FORBIDDEN], Path: [vulnerabilitiesByPackageForImageCoords]

Running action with multiple image input

I'm using the provided example here: https://github.com/docker/scout-action#build-an-image-push-and-compare to run Docker Scout, but if the output from metadata-action (steps.meta.outputs.tags) contains multiple tags, it is output as a multi-line string and this leads to the scout action giving an error:

Error: could not get the image <image-name-redacted>:latest
  <image-name-redacted>:<some-version>: failed to parse reference <image-name-redacted>:latest
  <image-name-redacted>:<some-version>:

Is this supposed to work?
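One workaround for the multi-line tags output, added here as an example and not from the issue or the docker/scout-action project: a shell step takes the first line of the metadata-action output and exposes it as a single-valued step output, which is then passed to Scout. The step ids `meta` and `extract-tag` and the env names are assumed.

```yaml
      - name: Extract Metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      # metadata-action emits one tag per line; Scout expects exactly one reference.
      - name: Pick the first tag
        id: extract-tag
        env:
          TAGS: ${{ steps.meta.outputs.tags }}   # passed via env, not interpolated into the script
        run: |
          first="$(printf '%s\n' "$TAGS" | head -n 1)"
          echo "first_tag=$first" >> "$GITHUB_OUTPUT"

      - name: Docker Scout
        uses: docker/scout-action@v1
        with:
          command: compare
          image: ${{ steps.extract-tag.outputs.first_tag }}
          to-latest: true
```

Passing the tags through an environment variable rather than interpolating `${{ ... }}` directly into the `run` script keeps the step free of expression injection should the tag list ever contain attacker-influenced text (for example a branch name).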

`v1` tag not updated since `v1.1.0`

Currently the v1 tag doesn't match the latest v1.*.* release such as v1.4.1.
IMO v1 should also track the latest v1.*.* version like other GitHub actions do.

If you did that, I could just use docker/scout-action@v1 instead of docker/scout-action@v1.*.* on every update.

Could you tell me the reasons, if the v1 action has to stay at v1.1.0?
If there are reasons, I will use a specific version and detect updates through Dependabot.
Then feel free to close this issue.

Not usable for PRs from forks

Currently this action is not usable for PRs from forks because secrets are not available in this case – and you currently enforce a login to Docker Hub.

The recommended solution (see Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests) is to split this up in two parts. For this action this probably would mean:

  1. Work without credentials for PRs from forks in on pull_request:
    • Build the image with outputs: type=oci,dest=image.tar
    • Upload the PR number and the image tarball as artifacts
  2. In on workflow_run:
    • Download the artifacts
    • Log in to Docker Hub
    • Run docker/scout-action with image: archive://image.tar and giving the PR number as an option

Actually, most of this should be doable today already. But I don't see how the action gets the correct PR to comment on in this case. This probably will need a new config to pass the PR number.

(Of course it would be a lot easier if the Scout service had a different way to authenticate. Maybe via the "Docker Inc" GitHub app?)

0.23.2 - panic: runtime error: invalid memory address or nil pointer dereference

I upgraded to 0.23.2, and now get the following when I run the following action:


      - name: Docker Scout
        id: docker-scout
        uses: docker/[email protected]
        with:
          command: quickview,cves,compare
          image: ${{ steps.extract-tag.outputs.first_tag }}
          to: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:master
          ignore-unchanged: true
          write-comment: false
          sarif-file: sarif.output.json

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xf9ece6]

goroutine 1 [running]:
github.com/docker/scout-cli-plugin/internal/configuration.(*Configuration).List(0x0)
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/configuration/configuration.go:47 +0x26
github.com/docker/scout-cli-plugin/internal/configuration.(*Configuration).Get(0x30?, {0x1f5ad57, 0xc})
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/configuration/configuration.go:69 +0x93
github.com/docker/scout-cli-plugin/internal/configuration.Get(...)
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/configuration/configuration.go:75
github.com/docker/scout-cli-plugin/organization.Select({0xc0000480c0?, 0xc000a7fda0?})
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/organization/context.go:34 +0x37
github.com/docker/scout-cli-plugin/organization.Store({0x28632b0, 0xc000aaec30}, {0xc0000480c0?, 0x38e6340?})
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/organization/context.go:23 +0x28
main.run()
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/github-action/main.go:64 +0x289
main.main()
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/github-action/main.go:83 +0x13

I don't know what else to tell you other than that I'm not doing anything wild. I was forced to log into docker, which is new. I'm not thrilled about that, but fine.

`command: compare` with `sbom://`

I'd like to be able to use the new sbom:// syntax, but it seems it's not (yet) supported with the command: compare mode.

Steps to reproduce:

  1. Run a workflow with a step like this:
      - name: Generate SBOM for image
        id: sbom
        uses: anchore/sbom-action@719133684c7d294116626d1344fe64f0d2ff3e9e # v0.15.2
        with:
          image: ${{ env.IMAGE }}:${{ github.sha }}
          output-file: sbom.spdx.json

      - name: Docker Scout
        if: ${{ github.event_name == 'pull_request' && !cancelled() }}
        uses: docker/scout-action@c01629436921e4c567967cbfa14764f4b6113237 # v1.6.4
        with:
          command: compare
          image: sbom://sbom.spdx.json
          to: ${{ env.IMAGE }}:latest
          ignore-unchanged: true
          only-fixed: true
          write-comment: true

Expected results:

  1. Same kind of output as in my non-SBOM example below.

Actual results:

  1. The step fails with Error: missing or wrong "image" input

non-SBOM example (for comparison):

      - name: Docker Scout
        if: ${{ github.event_name == 'pull_request' && !cancelled() }}
        uses: docker/scout-action@c01629436921e4c567967cbfa14764f4b6113237 # v1.6.4
        with:
          command: compare
          image: ${{ env.IMAGE }}:${{ github.sha }}
          to: ${{ env.IMAGE }}:latest
          ignore-unchanged: true
          only-fixed: true
          write-comment: true

For reference, this should be supported upstream nowadays, as per:

And here's using it without the action:

$ syft alpine:latest -o syft-json > sbom.spdx.json
$ docker scout compare --to alpine:latest sbom://sbom.spdx.json
[...]

PR comment not working on self-hosted GHES instance

Summary

This action is not respecting the GitHub API URL provided from the context / environment.

Details

Running this action on a self-hosted GitHub Enterprise Server (GHES) instance with a pull_request trigger fails with the following log entry:

quickview
      ✓ Provenance obtained from attestation
      ✓ SBOM obtained from attestation, 265 packages indexed
      ! Policy evaluation skipped: %w no organization configured, use --org or run 'docker scout config' to view policy results
  Error: GET https://api.github.com/repos/<org_name>/<repo_name>/issues/56/comments?direction=desc&per_page=10&sort=updated: 401 Bad credentials []

The issue is that it tries to access api.github.com with the job credentials for our private GHES instance.

Proposed Solutions

Solution 1

This action should not hardcode the API URL, but use the GitHub context variable ${{ github.api_url }} or its respective mapped environment variable $GITHUB_API_URL. See the GitHub Actions documentation for further details.

Solution 2

Add an input to configure the API URL and default it to ${{ github.api_url }} as suggested in #15

Upgrade to Node 20

Currently this action is using Node.js version 16. Warning messages are appearing in the action for the run. Consider upgrading to Node 20.

could not authenticate: user githubactions not entitled to use Docker Scout

Why if I use

      - name: Analyze for critical and high CVEs
        id: docker-scout-cves
        uses: docker/scout-action@788bd7991dd23939af62db37c4b77ec009021e17
        with:
          command: cves
          image: ${{ steps.meta.outputs.tags }}
          sarif-file: sarif.output.json
          only-severities: critical,high
          only-fixed: true
          platform: "linux/arm64"

like in the repo

https://github.com/docker/scout-demo-service

https://github.com/docker/scout-demo-service/blob/main/.github/workflows/docker-build.yaml

everything seems to work fine, but if I use any other release (0.18, 0.19, 0.20) it gives me this error?

Error: could not authenticate: user githubactions not entitled to use Docker Scout

Run docker/[email protected]
  with:
    command: cves
    image: ghcr.io/n-essio/scout-demo-service:main
    sarif-file: sarif.output.json
    only-severities: critical,high
    only-fixed: true
    platform: linux/arm64
    summary: true
    github-token: ***
    write-comment: true
  env:
    REGISTRY: ghcr.io
    IMAGE_NAME: n-essio/scout-demo-service
    SHA: 
    DOCKERFILE_PATH: Dockerfile
    DOCKER_METADATA_OUTPUT_VERSION: main
    DOCKER_METADATA_OUTPUT_TAGS: ghcr.io/n-essio/scout-demo-service:main
    DOCKER_METADATA_OUTPUT_LABELS: org.opencontainers.image.title=scout-demo-service
  org.opencontainers.image.description=
  org.opencontainers.image.url=https://github.com/n-essio/scout-demo-service
  org.opencontainers.image.source=https://github.com/n-essio/scout-demo-service
  org.opencontainers.image.version=main
  org.opencontainers.image.created=2023-07-24T14:11:50.873Z
  org.opencontainers.image.revision=cf1c7b17f72615121d4c9fb2f9b98bfef0b04306
  org.opencontainers.image.licenses=
  org.opencontainers.image.revision=
  com.docker.image.source.entrypoint=Dockerfile
    DOCKER_METADATA_OUTPUT_JSON: {"tags":["ghcr.io/n-essio/scout-demo-service:main"],"labels":{"org.opencontainers.image.title":"scout-demo-service","org.opencontainers.image.description":"","org.opencontainers.image.url":"https://github.com/n-essio/scout-demo-service","org.opencontainers.image.source":"https://github.com/n-essio/scout-demo-service","org.opencontainers.image.version":"main","org.opencontainers.image.created":"2023-07-24T14:11:50.873Z","org.opencontainers.image.revision":"","org.opencontainers.image.licenses":"","com.docker.image.source.entrypoint":"Dockerfile"}}
    DOCKER_METADATA_OUTPUT_BAKE_FILE: /tmp/docker-actions-toolkit-yKofRp/docker-metadata-action-bake.json
Error: could not authenticate: user githubactions not entitled to use Docker Scout

Has anyone managed to get it to work?
