-
Notifications
You must be signed in to change notification settings - Fork 242
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ratelimiting error when downloading vulnerability db from ghcr.io #389
Comments
Thanks for the report, we will look into it. |
I also saw this right now :/ Any ideas why? |
I believe this is currently causing problems with anyone using the trivy action. We have had to turn it off on some workflows. I'm not sure what the long term solution might be - if GH cannot increase the global rate limit for the artifact pull then maybe it needs to be in a public AWS S3 bucket or something similar? |
From My PR above, a workaround suggested by someone else:
|
Does anyone know how to get trivy-action to auth with a privately hosted trivy-db repo? I can get it working fine with normal trivy on local, but trivy-action does not work with either
|
I was able to get it to work with ECR only using an OIDC login via the configure-aws-credentials action used right before the trivy action. It is not using docker to pull the artifact as it is not a docker image. |
I am poor student |
I have no long-term tests yet, but from my understanding of GH's rate limiting, just providing a token of any sort will give you higher quotas? If that's the case, the following should help: - name: Run Trivy scan on image
uses: aquasecurity/[email protected]
with:
[... your config ...]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
I've tried logging in to GHCR via docker/login-action before running Trivy CLI (not action), and I am still getting lots of 429 errors. |
So, if I understand this correctly: I, as the consumer of this action, must download copies of these DBs and store them on my own registry. Then, I must pass environment variables to the action which point at my copies of the DBs. Is that correct? How often are these DBs updated? |
@nnellanspdl think its at 00:00 every day? but im not sure. But anyway this workaround is a hustle to host them self if u need to update them every day |
Same for me, it doesn't seem to have significant effects. |
I'm trying with: env:
ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }} I spawned multiple parallel ci/cd actions, and this seems more reliable. |
If anyone is going the route of uploading the Trivy DB to their own registry, I've had success using https://github.com/oras-project/setup-oras Something like:
|
I setup AWS ECR pull-throuhg cache for trivy-db and trivy-java-db , modified action:
but pulling of trivy-db fails with:
Docker is logged-in.
Has somebody tried to pull trivy-db from AWS ECR using action? |
Yes so you can pull from ECR pull through but only if you do an OIDC set-aws-credentials action first before the trivy action. Im not sure why yet that you cannot use anything but OIDC, or at least I can't seem to get regular role assumption to work. Docker login doesnt help you as the container doesnt try to pull the DB using docker commands. If you try a docker pull you will get the unsupported media type error as the above post, as the artifact isnt an 'image' |
Ah, thanks. I was logged in under the incorrect account when I posted originally. That's what I was wondering, @billhammond-dev ! |
This was my error, for anyone else who runs into it:
|
Thanks. Yes, this is a lot to ask of consumers of your action. |
I'm guessing it would be too much work to update the logic for pulling the file to allow passing it the file directly? We could setup a workflow to pull and stash the image every X hours, and then in the workflow that uses the image, we pull the file from the stash to use. It'd lower the amount of hits by users, and we wouldn't need to host it in AWS and pay |
@NicholasFiorentini that's interesting, would you mind creating a PR to document this in the repo? If possible, could you also reference where this environment variable is documented? |
FWIW, here's a sample snippet for using AWS ECR pull through cache repositories using OIDC for AWS auth. Pull through cache ECR repositories (for hosting the cached trivy DB artifacts) must be configured prior to running this workflow, see documentation.
Per AWS documentation:
|
I tried referencing the Trivy database from the ECR Public Gallery, without needing to modify GitHub token permissions or add additional AWS ECR login steps. Thanks to the conversation above. just added 2 env variables to my existing workflows-
This setup works seamlessly without extra configuration changes or permissions updates. One question I have is about the update frequency of the Trivy database on ECR Public. Based on my checks, it appears actively maintained, but it would be great to know if there’s a set schedule for updates, or if users should be aware of any potential delays. |
As per the workflow here: https://github.com/aquasecurity/trivy-db/blob/main/.github/workflows/cron.yml The DB is updated every 6 hours, on all 3 repositories - https://github.com/aquasecurity/trivy-db/blob/main/.github/workflows/cron.yml#L88-L90:
|
Is is the same with trivy java db ? |
Yes, the same logic seems to be used for With the small difference of the workflow running once every day at midnight, instead of every 6 hours. |
Cache is is restored, but Java DB still unavailable and provoking the crash Why ? I love trivy when it works, but since september it became an unreliable tool randomly failing CI jobs, I'm afraid you are slowly killing your great product by doing nothing permanent to solve the issue :/ Cache Size: ~36 MB (37525328 B)
/usr/bin/tar -xf /home/runner/work/_temp/66eda285-1ded-4727-8d16-b1924fbba231/cache.tzst -P -C /home/runner/work/megalinter/megalinter --use-compress-program unzstd
Cache restored successfully
Cache restored from key: trivy-binary-v0.56.1-Linux-X64
Run echo /home/runner/.local/bin/trivy-bin >> $GITHUB_PATH
echo /home/runner/.local/bin/trivy-bin >> $GITHUB_PATH
shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
env:
DOCKER_METADATA_OUTPUT_VERSION: beta
DOCKER_METADATA_OUTPUT_TAGS: ghcr.io/oxsecurity/megalinter-worker-ci_light:beta
DOCKER_METADATA_OUTPUT_LABELS: org.opencontainers.image.created=2024-11-11T19:59:35.390Z
org.opencontainers.image.description=🦙 MegaLinter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and security issues in your repository sources with a GitHub Action, other CI tools or locally.
org.opencontainers.image.licenses=AGPL-3.0
org.opencontainers.image.revision=ba3542f4a4e7a5848cb09b030dcd919d8acfcb9f
org.opencontainers.image.source=https://github.com/oxsecurity/megalinter
org.opencontainers.image.title=megalinter
org.opencontainers.image.url=https://github.com/oxsecurity/megalinter
org.opencontainers.image.version=beta
DOCKER_METADATA_OUTPUT_ANNOTATIONS: manifest:org.opencontainers.image.created=2024-11-11T19:59:35.390Z
manifest:org.opencontainers.image.description=🦙 MegaLinter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and security issues in your repository sources with a GitHub Action, other CI tools or locally.
manifest:org.opencontainers.image.licenses=AGPL-3.0
manifest:org.opencontainers.image.revision=ba3542f4a4e7a5848cb09b030dcd919d8acfcb9f
manifest:org.opencontainers.image.source=https://github.com/oxsecurity/megalinter
manifest:org.opencontainers.image.title=megalinter
manifest:org.opencontainers.image.url=https://github.com/oxsecurity/megalinter
manifest:org.opencontainers.image.version=beta
DOCKER_METADATA_OUTPUT_JSON: {"tags":["ghcr.io/oxsecurity/megalinter-worker-ci_light:beta"],"labels":{"org.opencontainers.image.created":"2024-11-11T19:59:35.390Z","org.opencontainers.image.description":"🦙 MegaLinter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and security issues in your repository sources with a GitHub Action, other CI tools or locally.","org.opencontainers.image.licenses":"AGPL-3.0","org.opencontainers.image.revision":"ba3542f4a4e7a5848cb09b030dcd919d8acfcb9f","org.opencontainers.image.source":"https://github.com/oxsecurity/megalinter","org.opencontainers.image.title":"megalinter","org.opencontainers.image.url":"https://github.com/oxsecurity/megalinter","org.opencontainers.image.version":"beta"},"annotations":["manifest:org.opencontainers.image.created=2024-11-11T19:59:35.390Z","manifest:org.opencontainers.image.description=🦙 MegaLinter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and ..
DOCKER_METADATA_OUTPUT_BAKE_FILE_TAGS: /home/runner/work/_temp/docker-actions-toolkit-hg7FBQ/docker-metadata-action-bake-tags.json
DOCKER_METADATA_OUTPUT_BAKE_FILE_LABELS: /home/runner/work/_temp/docker-actions-toolkit-hg7FBQ/docker-metadata-action-bake-labels.json
DOCKER_METADATA_OUTPUT_BAKE_FILE_ANNOTATIONS: /home/runner/work/_temp/docker-actions-toolkit-hg7FBQ/docker-metadata-action-bake-annotations.json
DOCKER_METADATA_OUTPUT_BAKE_FILE: /home/runner/work/_temp/docker-actions-toolkit-hg7FBQ/docker-metadata-action-bake.json
ACTIONS_RUNTIME_TOKEN: ***
Run echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
Run actions/cache@v4
Received 197132288 of 686605845 (28.7%), 188.0 MBs/sec
Received 507510784 of 686605845 (73.9%), 241.9 MBs/sec
Cache Size: ~655 MB (686605845 B)
/usr/bin/tar -xf /home/runner/work/_temp/d3fa340d-df56-445e-852c-eb69c086518a/cache.tzst -P -C /home/runner/work/megalinter/megalinter --use-compress-program unzstd
Received 686605845 of 686605845 (100.0%), 218.1 MBs/sec
Cache restored successfully
Cache restored from key: cache-trivy-2024-11-11
Run echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
Run # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
Run entrypoint.sh
Running Trivy with options: trivy image ghcr.io/oxsecurity/megalinter-ci_light:beta
2024-11-11T20:03:11Z INFO [vuln] Vulnerability scanning is enabled
2024-11-11T20:03:12Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pip" version="24.3.1"
2024-11-11T20:03:12Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="distlib" version="0.3.9"
2024-11-11T20:03:12Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pip" version="24.3.1"
2024-11-11T20:03:12Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="PyYAML" version="6.0.2"
2024-11-11T20:03:12Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pip" version="24.3.1"
2024-11-11T20:03:12Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="yamllint" version="1.35.1"
2024-11-11T20:03:13Z INFO [javadb] Downloading Java DB...
2024-11-11T20:03:13Z INFO [javadb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-java-db:1"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="DataProperty" version="1.0.1"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="Deprecated" version="1.2.14"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="GitPython" version="3.1.43"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="PyJWT" version="2.9.0"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="PyYAML" version="6.0.2"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="azure-devops" version="6.0.0b4"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="certifi" version="2024.8.30"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="cffi" version="1.17.1"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="chardet" version="5.2.0"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="charset-normalizer" version="3.4.0"
2024-11-11T20:03:14Z ERROR [javadb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-java-db:1" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-java-db/blobs/sha256:b5c382f3eeef336fb5fa8c7eeacb9e4b3ef39348c5821f45[157](https://github.com/oxsecurity/megalinter/actions/runs/11785106494/job/32826338548#step:12:161)49f34feaef83a: TOOMANYREQUESTS: retry-after: 508.189µs, allowed: 44000/minute"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="cryptography" version="43.0.3"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="gitdb" version="4.0.11"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="isodate" version="0.7.2"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="lark-parser" version="0.7.8"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="mbstrdecoder" version="1.1.3"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="msrest" version="0.6.21"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="multiprocessing-logging" version="0.3.4"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="oauthlib" version="3.2.2"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pathvalidate" version="3.2.1"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pychalk" version="2.0.1"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pycparser" version="2.22"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pytablewriter" version="1.2.0"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="python-dateutil" version="2.9.0.post0"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="python-gitlab" version="5.0.0"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pytz" version="2024.2"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="redis" version="5.2.0"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="regex" version="2024.11.6"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="requests" version="2.32.3"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="requests-oauthlib" version="2.0.0"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="requests-toolbelt" version="1.0.0"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="autocommand" version="2.2.2"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="typeguard" version="4.3.0"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="six" version="1.16.0"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="smmap" version="5.0.1"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="tabledata" version="1.3.3"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="tcolorpy" version="0.1.6"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="terminaltables" version="3.1.10"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="typepy" version="1.3.2"
2024-11-11T20:03:14Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="wrapt" version="1.16.0"
2024-11-11T20:03:15Z FATAL Fatal error image scan error: scan error: scan failed: failed analysis: analyze error: pipeline error: failed to analyze layer (sha256:d7b18301204574bcfb563ac3192b4a13c33a82dc0d54be8314ec1d793a965c7f): post analysis error: post analysis error: Unable to initialize the Java DB: Java DB update failed: OCI artifact error: failed to download Java DB: failed to download artifact from any source |
Trivy was recently updated to Edit, specifically it uses these: However, the trivy action has not been updated quite yet. The latest action version at this time is - name: 'Run Trivy'
uses: aquasecurity/[email protected]
with:
version: 'v0.57.1' This worked successfully for me. I did not have to specify any custom registries by |
There is a PR in progress for this ... but it needs a little love and then approval. |
FWIW, with v0.29.0 of this action (that uses v0.57.1 by default), I get:
|
Pulling the trivy DB of CVE leaded to several of failures due to ghcr limitations [1]. trivy was modified to use other repositories as mirrors for the DB, this change landed in 0.57.1 [2]. The trivy-action was updated recently to 0.57.1, thus pulling from the mirrors [3]. Signed-off-by: Francis Laniel <[email protected]> [1]: aquasecurity/trivy-action#389 [2]: aquasecurity/trivy#7951 [3]: aquasecurity/trivy-action@18f2510ee396
Hi, we're using trivy to scan our containers, lately we've been seeing an increase number of rate-limiting errors when trivy is downloading the vulnerability database.
My guess is this is a global ratelimit as i can't imagine our low number of devs are causing 700+ requests a second.
I have in the meantime discovered that these scans are only used for SBOM generation on our end so we don't need to download the vulnerability database everytime, but i though this issue should be raised as i can't imagine we are the only ones seeing these errors.
The text was updated successfully, but these errors were encountered: