Impossible to scan private image from Github registry
Hello, I can't scan a private image that is stored in ghcr.io.
I've verified the credentials.
Here is the pipeline:
name: Deploy to dev env
on:
  push:
    branches: ["dev"]
  pull_request:
    branches: ["dev"]
jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
      security-events: write
      actions: read
    steps:
      - uses: actions/checkout@v4
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          image: ghcr.io/beltsecurity/fleet-qc:dev
          format: sarif
          outputFile: results.sarif
          registryUsername: ${{ github.actor }}
          registryPassword: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ghcr.io/beltsecurity/fleet-qc:dev
The pipeline step kubescape/github-action@main outputs the following error:
Error: unable to load image: unable to use OciRegistry source: failed to get image descriptor from registry: GET https://auth.docker.io/token?scope=repository%3A%2F%2Fghcr.io%2Fbeltsecurity%2Ffleet-qc%3Apull&service=registry.docker.io: unexpected status code 401 Unauthorized: {"details":"incorrect username or password"}
I think that the URL of the targeted registry is wrong.
@FloRichardAloeCorp can you check which version of the kubescape image is running?
I believe if you use quay.io/kubescape/kubescape-cli:v3.0.15 it should work.
Then I should check if we need to change action.yml...
@matthyx the current main of the action uses 3.0.5
Would be nice if the action version gets updates more frequently.
do you think we can use dependabot or renovate for that?
yes, pretty sure. Dependabot would create a PR which bumps the base image. Dependabot for Docker
I'm not sure how that aligns with your PR-agent though.
Another update on this. I had the same issue with a private gcp container registry.
I got it solved by updating the kubescape-cli version to 3.0.16 and removing the registry:// here:
https://github.com/kubescape/github-action/blob/main/entrypoint.sh#L149
Otherwise, it seems that kubescape is requesting the image from docker.io, which is wrong in this case.
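As an added example (not code from the kubescape action or from any commenter in this thread), here is a POSIX sh preflight that makes the two checks implied by the comment above explicit: strip a scheme prefix such as registry:// from the image reference, then resolve the reference's registry host with Docker's reference rules and confirm it matches the registry the job logged into. The image reference is the one from the pipeline posted above; the function names and the other sample references are constructed for this example.

```shell
#!/bin/sh
# Added example: preflight for the image reference handed to a scanner.
# Catches (a) a scheme prefix left on the reference and (b) a reference whose
# registry does not match the one the job authenticated against.

# Strip a leading "<scheme>://" (registry://, docker://, ...) from a reference.
normalize_image_ref() {
  case "$1" in
    *://*) printf '%s\n' "${1#*://}" ;;
    *)     printf '%s\n' "$1" ;;
  esac
}

# Registry host for a reference, following Docker's reference rules: the first
# path component is a registry only if it contains '.' or ':' or is
# "localhost"; otherwise the reference is a Docker Hub short name.
image_registry_host() {
  _ref=$1
  case "$_ref" in
    */*) _first=${_ref%%/*} ;;
    *)   printf '%s\n' docker.io; return 0 ;;
  esac
  case "$_first" in
    *.*|*:*|localhost) printf '%s\n' "$_first" ;;
    *)                 printf '%s\n' docker.io ;;
  esac
}

# Return 0 if the normalised reference lives in the registry the job logged
# into ($1), 1 otherwise. Meant to run as a step before the scan step.
check_registry_matches() {
  _want=$1
  _clean=$(normalize_image_ref "$2")
  _got=$(image_registry_host "$_clean")
  if [ "$_got" = "$_want" ]; then
    return 0
  fi
  printf 'registry mismatch: logged into %s but %s resolves to %s\n' \
    "$_want" "$_clean" "$_got" >&2
  return 1
}

# Demo with the thread's image reference plus two constructed references.
# With the registry:// prefix still attached, the first path component is
# "registry:", which looks like a host:port to the parser, so ghcr.io is
# never seen; after normalisation the host is resolved correctly.
for candidate in 'registry://ghcr.io/beltsecurity/fleet-qc:dev' \
                 'ghcr.io/beltsecurity/fleet-qc:dev' \
                 'nginx:1.25'; do
  printf '%-45s raw host: %-12s normalised host: %s\n' "$candidate" \
    "$(image_registry_host "$candidate")" \
    "$(image_registry_host "$(normalize_image_ref "$candidate")")"
done
if check_registry_matches ghcr.io 'registry://ghcr.io/beltsecurity/fleet-qc:dev'; then
  echo "preflight ok: reference is in ghcr.io"
fi
```

In a workflow this would sit between the login step and the scan step, called with the registry passed to docker/login-action and the same image value passed to the scanner, so a reference that would silently fall through to a different registry fails the job with a readable message instead of a 401 from an unexpected host.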
Any update to this issue?
I am facing issue scanning private GHCR images with the same behavior as others.
The last comment, which hints at removing registry:// and upgrading the base docker image, fixed my issue. :pray:
But, it would be nice to officially fix this.