Ratelimiting error when downloading vulnerability db from ghcr.io #389
Comments
|
Thanks for the report, we will look into it. |
|
I also saw this right now :/ Any ideas why? |
|
I believe this is currently causing problems with anyone using the trivy action. We have had to turn it off on some workflows. I'm not sure what the long term solution might be - if GH cannot increase the global rate limit for the artifact pull then maybe it needs to be in a public AWS S3 bucket or something similar? |
|
From My PR above, a workaround suggested by someone else: |
|
Does anyone know how to get trivy-action to auth with a privately hosted trivy-db repo? I can get it working fine with normal trivy on local, but trivy-action does not work with either
|
|
I was able to get it to work with ECR only using an OIDC login via the configure-aws-credentials action used right before the trivy action. It is not using docker to pull the artifact as it is not a docker image. |
|
I am poor student |
|
I have no long-term tests yet, but from my understanding of GH's rate limiting, just providing a token of any sort will give you higher quotas? If that's the case, the following should help: - name: Run Trivy scan on image
uses: aquasecurity/[email protected]
with:
[... your config ...]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
I've tried logging in to GHCR via docker/login-action before running Trivy CLI (not action), and I am still getting lots of 429 errors. |
So, if I understand this correctly: I, as the consumer of this action, must download copies of these DBs and store them on my own registry. Then, I must pass environment variables to the action which point at my copies of the DBs. Is that correct? How often are these DBs updated? |
|
@nnellanspdl think its at 00:00 every day? but im not sure. But anyway this workaround is a hustle to host them self if u need to update them every day |
Same for me, it doesn't seem to have significant effects. |
I'm trying with: env:
ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}I spawned multiple parallel ci/cd actions, and this seems more reliable. |
|
If anyone is going the route of uploading the Trivy DB to their own registry, I've had success using https://github.com/oras-project/setup-oras Something like: |
|
I setup AWS ECR pull-throuhg cache for trivy-db and trivy-java-db , modified action: but pulling of trivy-db fails with: Docker is logged-in. Has somebody tried to pull trivy-db from AWS ECR using action? |
|
Yes so you can pull from ECR pull through but only if you do an OIDC set-aws-credentials action first before the trivy action. Im not sure why yet that you cannot use anything but OIDC, or at least I can't seem to get regular role assumption to work. Docker login doesnt help you as the container doesnt try to pull the DB using docker commands. If you try a docker pull you will get the unsupported media type error as the above post, as the artifact isnt an 'image' |
|
Ah, thanks. I was logged in under the incorrect account when I posted originally. That's what I was wondering, @billhammond-dev ! |
|
This was my error, for anyone else who runs into it: |
Thanks. Yes, this is a lot to ask of consumers of your action. |
|
I'm guessing it would be too much work to update the logic for pulling the file to allow passing it the file directly? We could setup a workflow to pull and stash the image every X hours, and then in the workflow that uses the image, we pull the file from the stash to use. It'd lower the amount of hits by users, and we wouldn't need to host it in AWS and pay |
@NicholasFiorentini that's interesting, would you mind creating a PR to document this in the repo? If possible, could you also reference where this environment variable is documented? |
|
FWIW, here's a sample snippet for using AWS ECR pull through cache repositories using OIDC for AWS auth. Pull through cache ECR repositories (for hosting the cached trivy DB artifacts) must be configured prior to running this workflow, see documentation. Per AWS documentation:
|
|
I also started to use aws public ecr so I set the following env vars: However for helm chart scanning with Because trivy-checks repository is empty on aws ecr: https://gallery.ecr.aws/aquasecurity/trivy-checks |
The Trivy github action is currently experiencing a GCR rating limiting issue pulling its vulnerability DB (aquasecurity/trivy-action#389). Until that issue is resolved, or we work out a way to host it ourselves, this commit will disable the scans. In the meantime, we will have to run these scans manually.
This is a workaround for aquasecurity/trivy-action#389 Signed-off-by: Steffen Scheib <[email protected]>
|
We are using trivy operator and upgraded to chart 0.24.1 and came across the same rate limit error from GHCR and I wanted to pull images from AWS ECR instead but trivy checks doesn't have any images now. Can anyone please publish trivy-checks to aws ecr? |
aquasecurity/trivy-action#389 (comment) Signed-off-by: Michael Beemer <[email protected]>
|
I find the apparent(!) lack of attention this issue is getting from Aqua security to be a little frustrating to be honest. |
|
We've had good luck using this as a workaround: Basically it's just using oras to pull the trivy-db and java-db into the Github Workflows cache and have trivy-action only use the cache. |
|
We used our own container registry in Azure and "artifact caching rules". (Admittedly, not a solution for all, but I respect that this open-source solution is provided for free by Aqua and that the infrastructure must be hosted somewhere...) |
|
In case it is useful to anyone else, I was working on a project where we encountered this issue. One workaround that was pretty straightforward (but not 100% robust) was to set up a simple GitHub Action that would pull the Trivy DB images once per day and publish them to GHCR in our organization. That way there was significantly lower chance of encountering a name: Cache Trivy DBs
on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
permissions:
packages: write
id-token: write
jobs:
lint:
name: Cache Trivy DBs
runs-on: ubuntu-latest
steps:
- name: Install ORAS
id: oras
uses: oras-project/setup-oras@v1
- name: Authenticate to GHCR
id: ghcr
run: |
oras login ghcr.io \
-u ${{ github.actor }} \
-p ${{ github.token }}
- name: Pull Trivy Images
id: pull
run: |
oras pull ghcr.io/aquasecurity/trivy-db:2
oras pull ghcr.io/aquasecurity/trivy-java-db:1
- name: Push Trivy Images
id: push
run: |
oras push ghcr.io/<owner>/<repo>/trivy-db:2 \
db.tar.gz:application/vnd.aquasec.trivy.db.layer.v1.tar+gzip \
--artifact-type application/vnd.aquasec.trivy.config.v1+json
oras push ghcr.io/<owner>/<repo>/trivy-java-db:1 \
javadb.tar.gz:application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip \
--artifact-type application/vnd.aquasec.trivy.config.v1+jsonFrom there, it's just a matter of ensuring calling workflows have runs:
steps:
- name: Install ORAS
id: oras
uses: oras-project/setup-oras@v1
- name: Authenticate to GHCR
id: ghcr
shell: bash
run: |
oras login ghcr.io \
-u ${{ github.actor }} \
-p ${{ github.token }}
- name: Pull Trivy DBs from GHCR
id: pull
shell: bash
run: |
oras pull ghcr.io/<owner>/<repo>/trivy-db:2
oras pull ghcr.io/<owner>/<repo>/trivy-java-db:1
- name: Scan Container Image
id: scan
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: ghcr.io/<owner>/<repo>/trivy-db,public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/<owner>/<repo>/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db
# Not 100% sure if these are required, but so far no issues.
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ github.token }}
with:
cache: true
exit-code: 0
format: table |
Workaround for aquasecurity/trivy-action#389
This is a workaround for aquasecurity/trivy-action#389
and others
Hi, we're using trivy to scan our containers, lately we've been seeing an increase number of rate-limiting errors when trivy is downloading the vulnerability database.
My guess is this is a global ratelimit as i can't imagine our low number of devs are causing 700+ requests a second.
I have in the meantime discovered that these scans are only used for SBOM generation on our end so we don't need to download the vulnerability database everytime, but i though this issue should be raised as i can't imagine we are the only ones seeing these errors.
The text was updated successfully, but these errors were encountered: