
1.13.0 broke our workflow, downstream auth error

Open jessfraz opened this issue 1 year ago • 2 comments

1.12.0 does not have this issue

our workflow goes:

  1. login to ghcr.io
  2. login to docker hub where we have scout access
  3. build image
  4. push image to ghcr.io
  5. scan image

this is the error we see on 1.13.0 we are not seeing on 1.12.0

cves
      ...Storing image for indexing
      ✓ Image stored for indexing
      ...Indexing
      ✓ Indexed 412 packages
      ✓ Provenance obtained from attestation
  Error: could not list CVEs for the image: API operation failed: Message: Not allowed, Locations: [], Extensions: map[arguments:map[context:$context query:map[imageCoords:map[digest:$digest hostname:$hostname repository:$repository] includeExcepted:$includeExcepted packageUrls:$purls]] code:DOWNSTREAM_SERVICE_ERROR status:FORBIDDEN], Path: [vulnerabilitiesByPackageForImageCoords]

jessfraz avatar Aug 07 '24 03:08 jessfraz

Thanks @jessfraz for the report. I'm able to reproduce it. I'm looking at it and will keep you posted once it's fixed.

eunomie avatar Aug 07 '24 07:08 eunomie

@jessfraz It looks like the organisation you're using is not enrolled in Docker Scout and that causes the issue. As it's not enrolled we can't get specific data based on it. This is due to the inclusion of vulnerability exceptions that are now tied to organizations (so they can be defined in the UI).

So either you can enroll your organisation using docker scout enroll <your-org> or not set organization in the action parameters.

In the meantime we are working on improving the error handling and messages so that the problem will be more understandable and the user experience better.

Hope this will solve your issue.

eunomie avatar Aug 07 '24 10:08 eunomie
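
The five-step workflow from the report with the two options from the reply above marked at the scan step, as an added example that is not taken from the thread or from the reporter's repository. The secret names, the image name, `<your-org>` and the floating action tags are assumptions.

```yaml
# Constructed example: secret names, image name and <your-org> are placeholders.
name: build-and-scan
on: push

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write          # required to push to ghcr.io
    env:
      IMAGE: ghcr.io/example-org/example-app:${{ github.sha }}   # placeholder
    steps:
      - uses: actions/checkout@v4

      # 1. login to ghcr.io
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # 2. login to Docker Hub with the account that has Scout access
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USER }}      # assumed secret name
          password: ${{ secrets.DOCKERHUB_TOKEN }}     # assumed secret name

      # 3 and 4. build the image and push it to ghcr.io
      - uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}

      # 5. scan the image
      - uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ env.IMAGE }}
          # Option A (active here): leave `organization` unset, so the request
          # is not scoped to an organisation that is not enrolled.
          # Option B: run `docker scout enroll <your-org>` once, then uncomment:
          # organization: <your-org>
```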