Impossible to scan private image from Github registry #67

Open
FloRichardAloeCorp opened this issue Jun 19, 2024 · 5 comments

Hello, I can't scan a private image that is stored in ghcr.io.

I've verified the credentials.

Here is the pipeline:

name: Deploy to dev env

on:
  push:
    branches: ["dev"]
  pull_request:
    branches: ["dev"]

jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
      security-events: write
      actions: read
    steps:
      - uses: actions/checkout@v4

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          image: ghcr.io/beltsecurity/fleet-qc:dev
          format: sarif
          outputFile: results.sarif
          registryUsername: ${{ github.actor }}
          registryPassword: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ghcr.io/beltsecurity/fleet-qc:dev

The pipeline step kubescape/github-action@main outputs the following error:

Error: unable to load image: unable to use OciRegistry source: failed to get image descriptor from registry: GET https://auth.docker.io/token?scope=repository%3A%2F%2Fghcr.io%2Fbeltsecurity%2Ffleet-qc%3Apull&service=registry.docker.io: unexpected status code 401 Unauthorized: {"details":"incorrect username or password"}

I think that the URL of the targeted registry is wrong.


matthyx commented Aug 8, 2024

@FloRichardAloeCorp can you check which version of the kubescape image is running?
I believe if you use quay.io/kubescape/kubescape-cli:v3.0.15 it should work.
Then I should check if we need to change action.yml...

matthyx self-assigned this Aug 8, 2024
@bf-thomas

@matthyx the current main of the action uses 3.0.5

Would be nice if the action version gets updated more frequently.


matthyx commented Aug 29, 2024

> @matthyx the current main of the action uses 3.0.5
>
> Would be nice if the action version gets updated more frequently.

do you think we can use dependabot or renovate for that?

@bf-thomas

Yes, pretty sure. Dependabot would create a PR which bumps the base image.
Dependabot for Docker

I'm not sure how it aligns with your PR-agent though.


bf-thomas commented Sep 3, 2024

Another update on this. I had the same issue with a private GCP container registry.
I got it solved by updating the kubescape-cli version to 3.0.16 and removing the registry:// here:
https://github.com/kubescape/github-action/blob/main/entrypoint.sh#L149

Otherwise, it seems that kubescape is requesting the image from docker.io, which is wrong in this case.
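
A triage helper for the 401 reported in this thread, added here as an example (not code from kubescape or from any commenter): it decodes the token request in the error line and compares the token service with the registry named in the workflow's `image:` value. The function names are hypothetical, and the service-versus-registry comparison is a heuristic that assumes the token service is the registry host or a subdomain of it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Error line copied verbatim from the issue.
ERROR_LINE = (
    "Error: unable to load image: unable to use OciRegistry source: failed to get "
    "image descriptor from registry: GET https://auth.docker.io/token?scope="
    "repository%3A%2F%2Fghcr.io%2Fbeltsecurity%2Ffleet-qc%3Apull&service="
    "registry.docker.io: unexpected status code 401 Unauthorized: "
    '{"details":"incorrect username or password"}'
)
IMAGE = "ghcr.io/beltsecurity/fleet-qc:dev"  # `image:` value from the workflow

def registry_host(image):
    """Registry implied by an image reference (Docker convention: the first
    path component is a host only if it has '.' or ':' or is 'localhost')."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def parse_token_request(error_line):
    """Extract token endpoint, service and decoded scope from the error."""
    m = re.search(r"GET (https?://\S+): unexpected status code (\d{3})", error_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    query = parse_qs(url.query)  # also undoes the %3A / %2F encoding
    scope = query.get("scope", [""])[0]
    kind, _, rest = scope.partition(":")     # scope is type:name:actions
    name, _, actions = rest.rpartition(":")  # name itself may contain ':'
    return {"token_host": url.hostname, "service": query.get("service", [""])[0],
            "type": kind, "repository": name, "actions": actions,
            "status": int(m.group(2))}

def diagnose(error_line, image):
    """Compare where the token was requested with where the image lives."""
    req = parse_token_request(error_line)
    if req is None:
        return None
    expected = req["expected_registry"] = registry_host(image)
    # Heuristic (assumption): token service is the registry host or a subdomain.
    req["wrong_registry"] = not (req["service"] == expected
                                 or req["service"].endswith("." + expected))
    # The intended host inside the repository path means the reference was
    # not split into host + repository before the request was made.
    req["host_in_repository"] = expected in req["repository"].strip("/").split("/")
    return req

if __name__ == "__main__":
    print(diagnose(ERROR_LINE, IMAGE))
```

Both flags come back true for the error in this issue: the token was requested from Docker Hub's auth service, and `ghcr.io` appears as a path component of the repository name rather than as the registry.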
