fix: set envs only when passed #405
Conversation
Signed-off-by: knqyf263 <[email protected]>
| set_env_var_if_provided "TRIVY_EXIT_CODE" "${{ inputs.exit-code }}" "" | ||
| set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "${{ inputs.ignore-unfixed }}" "false" | ||
| set_env_var_if_provided "TRIVY_PKG_TYPES" "${{ inputs.vuln-type }}" "os,library" | ||
| set_env_var_if_provided "TRIVY_SEVERITY" "${{ inputs.severity }}" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" |
There was a problem hiding this comment.
Can we use inputs.severity.default? (https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#inputsinput_iddefault)
There was a problem hiding this comment.
I was looking for it, but I couldn't. I'll try it. Thanks.
There was a problem hiding this comment.
Ah, this is just a document about syntax of action.yaml. I don't think it's available, but I'll give it a shot.
There was a problem hiding this comment.
It doesn't work. An empty string is filled.
1a12292
There was a problem hiding this comment.
Got it. Thanks that you checked that.
Signed-off-by: knqyf263 <[email protected]>
This reverts commit 1a12292.
| # Set environment variables, handling those with default values | ||
| # cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables | ||
| set_env_var_if_provided "TRIVY_INPUT" "${{ inputs.input }}" "" | ||
| set_env_var_if_provided "TRIVY_EXIT_CODE" "${{ inputs.exit-code }}" "" |
There was a problem hiding this comment.
If it isn't set, is the default equivalent to a zero for this case?
There was a problem hiding this comment.
I'm aware that would be the default Trivy behavior (if exit code is not specified), I am just not sure how GitHub Actions interprets an empty string in this case.
There was a problem hiding this comment.
If it isn't set, is the default equivalent to a zero for this case?
The action will not set TRIVY_EXIT_CODE and Trivy CLI just uses the default value.
There was a problem hiding this comment.
I am just not sure how GitHub Actions interprets an empty string in this case.
If the input is empty or the same as a default value, it doesn't set an environment variable.
|
@knqyf263 Does your fix work for all I'm encountering the TOOMANYREQUESTS issue #389. I don't see that |
|
|
|
@knqyf263 Then how come I'm experiencing the problem when I set them? - name: Trivy vulnerability scan
uses: aquasecurity/[email protected]
with:
scan-type: image
image-ref: 'FILTERED'
trivy-config: .trivy/trivy.yaml
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
My trivy-config is ignored. |
|
What I understand is that whenever any |
No, only variables defined in |
|
I tested and it worked.
|
|
@knqyf263 Can you test it with |
|
Worked. Please create a small repository to reproduce your issue. |
|
No need if it worked :) I'll wait for your merge. Thanks! |
|
I upgraded to 0.27.0 and now a new error was raised... I know that there's an open issue (#409) about this bug. |
|
I don't think it's a bug. It just depends on your configuration. We'll fix it anyway, though. |
Problem
Currently, all
TRIVY_XXXenvironment variables are always passed toentrypoint.sh, which prevents configurations set intrivy.yamlfrom being correctly applied. This occurs because environment variables take precedence over configuration files.Proposed Solution
This PR implements a workaround to set environment variables only when values are explicitly provided. However, there's currently no reliable method to determine if a value has been passed in GitHub Actions (see actions/runner#924).
Implementation Details
TRIVY_CACHE_DIRis an exception and is always set, as it requires a value different from Trivy's default.TRIVY_CACHE_DIRcannot be controlled viatrivy.yamldue to this implementation.Testing
https://github.com/knqyf263/trivy-action-test/actions/runs/11250664411/job/31280013016