Regarding Copa for scanning the docker image

[ofschnai]

Hello

I am trying to use Copa for scanning the build docker image using its GitHub action, but getting below error.

As the action states, we have to give the names of docker images to scan in the matrix and Copa action will try to download those images from docker, then scans and patch it.

Is it possible to scan the docker image which is build in previous github action step? Like below example-

`

  - name: Set up Docker Buildx
    uses: docker/setup-buildx-action@v2

  - name: Build Docker image
    run: |
      docker build -t pythonworld:${{ github.sha }} .

  - name: Generate Trivy Report
    uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1
    with:
      scan-type: "image"
      format: "json"
      output: "report.json"
      ignore-unfixed: true
      vuln-type: "os"
      image-ref: "pythonworld:${{ github.sha }}"

      
  - name: Check vulnerability count
    id: vuln_count
    run: |
      report_file="report.json"
      vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
      echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT

  - name: Log in to Azure Container Registry
    uses: azure/docker-login@v2
    with:
      username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
      password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
      login-server: ${{ secrets.CONTAINER_REGISTRY_URL }}

  - name: Run Copa action
    if: steps.vuln_count.outputs.vuln_count != '0'
    id: copa
      # using main for testing purposes
      # use a tag (such as v1 or v1.0.1) at a bare minimum
      # recommendation is to pin to a digest for security and stability
      # and rely on dependabot for digest/version updates
    uses: project-copacetic/copa-action@main
    with:
      image: "pythonworld:${{ github.sha }}"
      image-report: "report.json"
      patched-tag: ${{ github.sha }}
      timeout: "5m" # optional, default is 5m
      output: vex.json # optional
      format: "openvex" # optional, default is openvex`

[ofschnai]

Need help @sozercan @ashnamehrotra
Also when using socket configuration for local docker images,

`
- name: Set up Docker
uses: crazy-max/ghaction-setup-docker@v3
with:
daemon-config: |
{
"debug": true,
"experimental": true,
"features": {
"containerd-snapshotter": true
}
}

  - name: Get socket path
    run: |
        url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host)
        socket_path=$(echo "$url" | awk -F// '{print $2}')
        echo "$socket_path"
        echo "SOCKET=$socket_path" >> $GITHUB_ENV
  
  
  - name: Run Copa action
    if: steps.vuln_count.outputs.vuln_count != '0'
    id: copa
      # using main for testing purposes
      # use a tag (such as v1 or v1.0.1) at a bare minimum
      # recommendation is to pin to a digest for security and stability
      # and rely on dependabot for digest/version updates
    uses: project-copacetic/copa-action@main
    with:
      image: "pythonworld:${{ github.sha }}"
      image-report: "report.json"
      patched-tag: ${{ github.sha }}
      timeout: "5m" # optional, default is 5m
      output: vex.json # optional
      format: "openvex" # optional, default is openvex
      custom-socket: ${SOCKET}`

I am getting below error

After using latest docker setup action, I am getting below authentication error

[ashnamehrotra]

@ofschnai after authenticating to the registry, can you confirm if you are able to pull the image in a separate step?

[sozercan]

@ofschnai here's an example of copa action running on a local image:

https://github.com/sozercan/copa-test/blob/main/.github/workflows/patch-action-containerd-local.yaml
https://github.com/sozercan/copa-test/actions/runs/13399370009

I am not sure if trivy action runs with containerd image store, but that's a separate issue on trivy action side if you are using trivy as a scanner

[ofschnai]

@ashnamehrotra Thank you so much for your reply.
Is it possible to build the image in a action and scan/patch it in next github action?

Like below

`- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

  - name: Build Docker image
    run: |
      docker build -t pythonworld:${{ github.sha }} .
      

  - name: Run Trivy Scanner
    uses: aquasecurity/trivy-action@master
    with:
      scan-type: "image"
      format: "json"
      output: "report.json"
      ignore-unfixed: true
      vuln-type: "os,library"
      image-ref: "pythonworld:${{ github.sha }}"
    
  - name: Check vulnerability count
    id: vuln_count
    run: |
      report_file="report.json"
      vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
      echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT

       
        
  - name: Run Copa action 
     
    id: copa 
     # using main for testing purposes 
     # use a tag (such as v1 or v1.0.1) at a bare minimum 
     # recommendation is to pin to a digest for security and stability 
     # and rely on dependabot for digest/version updates 
    uses: project-copacetic/copa-action@v1.2.1
    with: 
      image: "pythonworld:${{ github.sha }}"
      image-report: "report.json" 
      patched-tag: "patched" 
      timeout: "5m" # optional, default is 5m `

[ashnamehrotra]

@ofschnai yes, if it would just be a local image after building, you can follow option 2 here: https://github.com/project-copacetic/copa-action?tab=readme-ov-file#option-2-connect-using-defaults-through-a-custom-socket to ensure containerd image store is enabled in your setup

[ofschnai]

@ashnamehrotra I have already tried the Option 2, but I am getting below error in Trivy Scan step

And the Github Actions which I am using are as follows -

`

name: Build, Scan, and Deploy Python Docker Image to AKS

on:
push:
branches:
- master # Trigger on pushes to main branch

jobs:

patch:
runs-on: ubuntu-latest
# used for pushing patched image to GHCR
permissions:
contents: read
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4

  - name: Set up Docker
    uses: docker/setup-docker-action@v4
    with:
      daemon-config: |
          {
          "debug": true,
          "experimental": true,
              "features": {
              "containerd-snapshotter": true
              }
          }

  - name: Build Docker image
    run: |
      docker buildx build --load -t docker.io/local/pythonworld:${{ github.sha }} -f Dockerfile .
      docker images

  - name: Get socket path
    run: |
      url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host)
      socket_path=$(echo "$url" | awk -F// '{print $2}')
      echo "$socket_path"
      echo "SOCKET=$socket_path" >> $GITHUB_ENV
  
  - name: Run Trivy Scanner
    uses: aquasecurity/trivy-action@master
    with:
      scan-type: "image"
      format: "json"
      output: "pythonworld_report.json"
      ignore-unfixed: true
      vuln-type: "os,library"
      image-ref: "docker.io/local/pythonworld:${{ github.sha }}"
      DOCKER-HOST: "/home/runner/setup-docker-action-cd960e80/docker.sock"
  

    # copa action will only run if there are vulnerabilities
  - name: Run Copa action
    id: copa
    uses: project-copacetic/copa-action@v1.2.1
    with:
      image: "docker.io/local/pythonworld:${{ github.sha }}"
      image-report: "pythonworld_report.json"
      patched-tag: "patched"
      timeout: 5m
      custom-socket: ${SOCKET}
      output: out.json

  - run: sudo cat out.json `

[ofschnai]

@sozercan @ashnamehrotra Also When I am trying to scan image from ACR, I am getting below error, even though ACR Login is successful in the previous step -

Below are the github actions -

` - name: Log in to Docker Hub
uses: azure/docker-login@v2
with:
login-server: ${{ secrets.CONTAINER_REGISTRY_URL }}
username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}

  - name: Run Trivy Scanner
    uses: aquasecurity/trivy-action@master
    with:
      scan-type: "image"
      format: "json"
      output: "pythonworld_report.json"
      ignore-unfixed: true
      vuln-type: "os,library"
      image-ref: ${{ secrets.CONTAINER_REGISTRY_URL }}/test/devops-template-api:3.1.1
      severity: 'CRITICAL,HIGH,MEDIUM,LOW'
    env:
        TRIVY_USERNAME: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
        TRIVY_PASSWORD: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }} 
            

    # copa action will only run if there are vulnerabilities
  - name: Run Copa action
    id: copa
    uses: project-copacetic/copa-action@v1.2.1
    with:
      image: "${{ secrets.CONTAINER_REGISTRY_URL }}/test/devops-template-api:3.1.1"
      image-report: "pythonworld_report.json"
      patched-tag: "patched"
      timeout: 5m
      output: out.json`

[ashnamehrotra]

@ofschnai rather than using the Trivy github aciton, can you try installing Trivy and then passing the --docker-host flag? #46. For the ACR image, can you confirm that you can pull the image after the login step?

[ofschnai]

@ashnamehrotra I tried that it is working with ACR image but not with the local image which I am trying to build in previous step,but getting same error. Below are the attached logs and script.

`- name: Checkout
uses: actions/checkout@v4

  - name: Set up Docker
    uses: docker/setup-docker-action@v4
    with:
      daemon-config: |
          {
          "debug": true,
          "experimental": true,
              "features": {
              "containerd-snapshotter": true
              }
          }
  - name: Build Docker image
    run: |
      docker buildx build --load -t docker.io/local/pythonworld -f Dockerfile .
      docker images

  - name: Get socket path
    run: |
      url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host)
      socket_path=$(echo "$url" | awk -F// '{print $2}')
      echo "$socket_path"
      echo "SOCKET=$socket_path" >> $GITHUB_ENV
  

  - name: Download Trivy
    run: |    
      sudo apt-get install wget gnupg
      wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
      echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
      sudo apt-get update
      sudo apt-get install trivy

  - name: Get Trivy report
    run: |
      sudo trivy image --format json --output pythonworld.json docker.io/local/pythonworld --docker-host $SOCKET
      sudo cat pythonworld.json

  

  - name: Run Copa action
    id: copa
    uses: project-copacetic/copa-action@v1.2.1
    with:
      image: "docker.io/local/pythonworld"
      image-report: "pythonworld.json"
      patched-tag: "patched"
      timeout: 5m
      custom-socket: ${SOCKET}
      output: out.json

`

[ashnamehrotra]

@ofschnai are you still having this issue? what do you see for the output of "docker images"?