[Bug]: Unknown Exception was hit #119
Comments
Also worth calling out, the above was from running directly against a Push to main. Here's a PR to main: And the logs which did show errors, though they didn't show up in the PR comment:
This one is really difficult to figure out for me. The individual log lines show no issues, but then the action fails saying `Total unacceptable alerts :: 1`. So the action fails, blocking the merge, but no info given in the comment as to why. And of course not consistent with the results originally added to this Issue.

I mean it obviously says it failed its API calls, but this is the same workflow that ran on the push to main, so it's not clear why that was the case.

@Brutalbeard this might be an issue with the token permissions. Secret Scanning API might not be accessible via the normal Actions tokens. You can fix this by using and setting up a GitHub App + using this action from one of my colleagues: https://github.com/peter-murray/workflow-application-token-action You'll have to set the policy-as-code A similar example can be found here https://github.com/advanced-security/policy-as-code/blob/main/examples/workflows/appAuth.yml
Testing complete, but still not happy. Not seeing any issue pulling info, and in logs it seems to be finding some issues, but nothing in the comments on PRs. Would think there'd be a link directly to the violating alert of each type? At least a count? I created an app with the following permissions:
Updated workflow file:

```yaml
name: Policy Testing - No General Workflow

on:
  pull_request:
    branches: main
  push:
    branches: main

jobs:
  policy-check:
    runs-on: ubuntu-latest
    name: Policy Testing
    steps:
      - name: Get Token
        id: get_workflow_token
        uses: peter-murray/workflow-application-token-action@v3
        with:
          application_id: ${{ secrets.GHAS_APPLICATION_ID }}
          application_private_key: ${{ secrets.GHAS_APPLICATION_PRIVATE_KEY }}

      # Compliance
      - name: Advance Security Policy as Code
        uses: advanced-security/[email protected]
        with:
          token: ${{ steps.get_workflow_token.outputs.token }}
          # The owner/repo of where the policy is stored
          policy: dat-freight-and-analytics/ghas-policy-as-code
          # The local (within the workspace) or repository
          policy-path: policies/default.yml
          # The branch you want to target
          policy-branch: main
          policy-repo-token: ${{ secrets.GHAS_COMPLIANCE_PAT }}
          argvs: "--display --pr-comment --is-github-app-token"
```

Results:

PR Logs:
Push to Main:
Any thoughts on how I can troubleshoot?

@GeekMasher pinging you now so I don't forget post holiday. Very much hoping to look at this still.

Hey @Brutalbeard sorry for the delay, let me check over this today and get back to you shortly.

Morning! Get a chance to find anything?

Checking in again! Hoping to hear something before the weekend.

Good morning! Checking in again this week. Is there anything I can do to help with troubleshooting?

Hey @Brutalbeard I have been working with this composite for a while in a large FinSer company and have seen issues similar to this. I'm recently retired so I will be happy to have a look at this to see if I can reproduce. IME the main reason for this is permissions. When you access open secrets alerts in particular you need a LOT of perms (more than you showed above). I used a GitHub app and, because of the perms, restricted access to the cert and app id to a very limited scope secrets manager role & policy (in Hashicorp Vault) bound to the reusable workflow in which this action was used (via the job_workflow_ref). I assume you have tried disabling secrets scanning (`--disable-secret-scanning`) and each of the other capabilities per the docs, e.g. `parser.add_argument("--disable-caching", action="store_false")`
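Both of the comments above (GeekMasher's on the Actions token not reaching the Secret Scanning API, and goffinf's on the amount of permission the open-secrets-alert call needs) point at the same first troubleshooting step: before running the policy check, confirm that the token the workflow hands it can actually list alerts on each GHAS endpoint. The script below is an added example, not code from advanced-security/policy-as-code or from anyone in this thread. It assumes the three REST paths shown are the alert list endpoints, that a 403 means the token lacks the named permission (or GHAS is not enabled on the repo), and that a 404 means the feature is disabled or the token cannot see the repository at all; the sample responses are constructed, not captured from GitHub. Run it with the App installation token (or the plain `GITHUB_TOKEN`, to see the difference) and the repo under test, and it tells you which endpoint the policy run will trip on.

```python
"""Preflight check: can this token read the GHAS alert APIs the policy check needs?

Added example; it is not code from advanced-security/policy-as-code or from
anyone in this thread. Assumptions: the three REST paths below are the alert
list endpoints, a 403 comes back when the token lacks the matching permission
(or GHAS is not enabled), and a 404 comes back when the feature is disabled on
the repository or the token cannot see the repository at all.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

API = "https://api.github.com"

# endpoint name -> (path template, GitHub App permission assumed to gate it)
ALERT_ENDPOINTS: Dict[str, Tuple[str, str]] = {
    "code-scanning": ("/repos/{owner}/{repo}/code-scanning/alerts",
                      "Code scanning alerts: read"),
    "secret-scanning": ("/repos/{owner}/{repo}/secret-scanning/alerts",
                        "Secret scanning alerts: read"),
    "dependabot": ("/repos/{owner}/{repo}/dependabot/alerts",
                   "Dependabot alerts: read"),
}

# A fetcher takes (url, token) and returns (http_status, body_text).
Fetcher = Callable[[str, str], Tuple[int, str]]


def http_fetch(url: str, token: str) -> Tuple[int, str]:
    """Live fetcher: one authenticated GET against api.github.com."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


def api_message(body: str) -> str:
    """Pull GitHub's 'message' field out of an error body, if there is one."""
    try:
        return str(json.loads(body).get("message", ""))
    except (ValueError, AttributeError):
        return ""


def diagnose(status: int, body: str, permission: str) -> str:
    """Turn one status/body pair into a one-line verdict for the operator."""
    if status == 200:
        return "ok"
    msg = api_message(body)
    if status == 403:
        return f"forbidden ({msg}): grant '{permission}' on the App, or GHAS is off"
    if status == 404:
        return f"not found ({msg}): feature disabled on repo, or token cannot see repo"
    return f"unexpected HTTP {status} ({msg})"


def probe(owner: str, repo: str, token: str, fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Hit each alert endpoint once and return {endpoint: verdict}."""
    results: Dict[str, str] = {}
    for name, (path, permission) in ALERT_ENDPOINTS.items():
        url = f"{API}{path.format(owner=owner, repo=repo)}?state=open&per_page=1"
        status, body = fetch(url, token)
        results[name] = diagnose(status, body, permission)
    return results


def missing(results: Dict[str, str]) -> List[str]:
    """Endpoints that did not answer 200, i.e. what the policy run will trip on."""
    return sorted(name for name, verdict in results.items() if verdict != "ok")


# Constructed responses standing in for a run with a plain GITHUB_TOKEN
# (not captured from GitHub): code scanning answers, secret scanning refuses.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "code-scanning": (200, "[]"),
    "secret-scanning": (403, '{"message": "Resource not accessible by integration"}'),
    "dependabot": (404, '{"message": "Not Found"}'),
}


def sample_fetch(url: str, token: str) -> Tuple[int, str]:
    """Offline fetcher: answer from SAMPLE_RESPONSES based on the URL path."""
    for name, response in SAMPLE_RESPONSES.items():
        if f"/{name}/alerts" in url:
            return response
    return 500, "{}"


if __name__ == "__main__":
    # Swap sample_fetch for http_fetch (the default) to probe a real repo.
    verdicts = probe("example-org", "example-repo", "ghs_placeholder", fetch=sample_fetch)
    for endpoint, verdict in verdicts.items():
        print(f"{endpoint:16s} {verdict}")
    print("missing:", missing(verdicts))
```

The verdict keeps GitHub's own `message` field because that string, not the status code, is what distinguishes "the token is an Actions token that cannot use this API" from "GHAS is not enabled here"; a run that reports anything other than `ok` on `secret-scanning` is the permissions case this thread keeps circling back to, and is worth fixing before reading the policy logs any further.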
Morning @goffinf, if you have them open still, could you toss me a link to the docs you're referencing? Happy to try whatever.

Hey John, it's evening here in the UK (6 p.m.). The code snippet above was from the implementation. I note Mathew has recently improved the docs but when I started using this (about a year ago) they were somewhat incomplete so looking at the source was informative. The link in this case is: https://github.com/advanced-security/policy-as-code/blob/main/ghascompliance/__main__.py HtHs Fraser

I'm Denver US, so I'll have the day to go through and check out what you've noted here. Will have some comments on here to see tomorrow.

Hey all! Appreciate your collaboration and patience here. Discussing with

Hey @Brutalbeard, sorry for the delay. Turns out there were a few different issues here but they should all be fixed in

Howdy! I think we're chatting about it a bit in slack, but can confirm we're getting an issue with permissions at the moment. Just dropping that note here for anyone who may be keeping an eye on this issue.
What happened?
I'm working on a test repo in my company's org (hid the name in all the screenshots that I'm going to attach. We have a policy which keeps us from interacting with outside repos using our corporate account).
This repo has several open security vulnerabilities and has had them for a long time. Was originally used as a test repo for comparing Veracode to GHAS (honestly a pointless comparison, GHAS is better by miles).
When I run the action though, with v2.7.3, I get errors that cause the action to fail, as one would expect given these security alerts on that repo, but no information about which alert caused the issue. I also get at least one of these errors each run: `Unknown Exception was hit, please repo this to https://github.com/advanced-security/policy-as-code`
This is the included ID that comes up in logs:
'A4D3:360A1:447E699:78AAC10:666203F8'
Workflow File:
Policy Doc (which excludes licensing check):
Version
v2 (current major version)
Where are you experiencing the issue?
GitHub Actions
Relevant log output