
upload-sarif does not handle relative paths when trivy runs on a subfolder #2904


Open
rofreytag opened this issue May 23, 2025 · 1 comment

Comments

@rofreytag

Originally posted by @rofreytag in #2215

I run into an issue when using trivy config scan on a subfolder. The reported issues appear in the security tab, but the folder/path reference of files inside the repo is not correctly presented.

Example finding: (screenshot of the finding in the Security tab, not included here)

The expected path should be terraform/01-bootstrap/eks.tf.

The generated sarif file by trivy:

  • uses URLs relative to terraform/some-module (i.e. main.tf)
  • uses relative URLs for module invocations like ../modules/other-module/main.tf.
  • includes the correct uriBaseId

GitHub interprets all these URLs relative to the repo root without using uriBaseId.

I am happy to try a workaround, but currently

  • I can not yet find a way to make trivy generate absolute URLs, which I believe resolves the issue.
  • Neither can I tell the upload-action that I am using relative URLs in my repo

Expected behavior

Either have the upload-action use the uriBaseId of the sarif file, or

have an existing param like checkout_path (or a new param) in the action, to respect and transform relative URLs, so that they correctly appear in the report.

Example:

     - name: Upload Trivy scan results to GitHub Security tab
       uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
       with:
         sarif_file: 'trivy-results.sarif'
         category: trivy-my-module
         checkout_path: ${{ github.workspace }}/terraform/01-bootstrap/

Here is an excerpt of the generated SARIF file that shows the URLs of each finding:

          "message": {
            "text": "Artifact: eks.tf\nType: terraform\nVulnerability aws-vpc-add-description-to-security-group-rule\nSeverity: LOW\nMessage: Security group rule does not have a description.\nLink: [aws-vpc-add-description-to-security-group-rule](https://avd.aquasec.com/misconfig/aws-vpc-add-description-to-security-group-rule)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "eks.tf",
                  "uriBaseId": "ROOTPATH"
                },

          "message": {
            "text": "Artifact: ../modules/rdb/main.tf\nType: terraform\nVulnerability AVD-AWS-0098\nSeverity: LOW\nMessage: Secret explicitly uses the default key.\nLink: [AVD-AWS-0098](https://avd.aquasec.com/misconfig/avd-aws-0098)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "../modules/rdb/main.tf",
                  "uriBaseId": "ROOTPATH"
                },

and the originalUriBaseId section at the end:

      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///home/runner/work/redacted/redacted/terraform/01-bootstrap/"
        }
      }
    }
  ]
}

Here is my full workflow file

name: Code Scan

on:
  push:
    branches: [ "main" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "main" ]
  schedule:
    - cron: '27 23 * * 2'

permissions:
  contents: read # for actions/checkout to fetch code
  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status

jobs:
  analyze-tf:
    runs-on: ubuntu-latest
    name: Analyze (${{ matrix.config.path }})
    strategy:
      matrix:
        config:
        - path: terraform/00-shared
          varfile: configs/sai-shared-prod.tfvars
        - path: terraform/01-bootstrap
          varfile: configs/sai-prod.tfvars
        - path: terraform/02-k8s
          varfile: configs/sai-prod.tfvars
        - path: terraform/03-services
          varfile: configs/sai-prod.tfvars

    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Run Trivy scanner
        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 #v0.30.0
        with:
          scan-type: 'config'
          scan-ref: ${{ matrix.config.path }}
          tf-vars: ${{ matrix.config.path }}/${{ matrix.config.varfile }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'
          version: v0.61.1

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
        with:
          sarif_file: 'trivy-results.sarif'
          # need to add unique category, so the results in one commit do not overwrite each other
          category: trivy-${{ matrix.config.path }}
          # I tried this with no luck
          # checkout_path: ${{ github.workspace }}/${{ matrix.config.path }}/
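One workaround for the behaviour described above is to post-process the SARIF before uploading it: resolve each artifact URI against the file:// base in originalUriBaseIds, express it relative to the checked-out workspace, and drop uriBaseId so GitHub's repo-root interpretation becomes correct. This is an added example, not code from the issue author, Trivy or codeql-action; it assumes the SARIF shape quoted in the issue and that the base URL lies inside the workspace (the constructed sample below mirrors the redacted paths from the excerpt).

```python
"""Rewrite a Trivy SARIF file so artifactLocation URIs are relative to the repo root.

Added example (not from the issue author, Trivy or codeql-action). Assumes each
result has physicalLocation.artifactLocation.{uri,uriBaseId} and that
run.originalUriBaseIds[<id>].uri is a file:// URL under the workspace checkout."""
import json
import posixpath
from urllib.parse import unquote, urlparse


def rebase_uri(uri: str, base_file_url: str, workspace: str) -> str:
    """Resolve uri against its file:// base, then express it relative to workspace."""
    base_path = unquote(urlparse(base_file_url).path)
    absolute = posixpath.normpath(posixpath.join(base_path, uri))
    workspace = posixpath.normpath(workspace)
    if absolute != workspace and not absolute.startswith(workspace + "/"):
        # Fail loudly: a path that escapes the checkout would make GitHub annotate
        # the wrong file or silently drop the finding.
        raise ValueError(f"{uri!r} resolves outside the workspace: {absolute}")
    return posixpath.relpath(absolute, workspace)


def rebase_sarif(sarif: dict, workspace: str) -> dict:
    """Return a deep copy of sarif with every artifactLocation made workspace-relative."""
    out = json.loads(json.dumps(sarif))
    for run in out.get("runs", []):
        bases = run.get("originalUriBaseIds", {})
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation", {})
                base_id = art.get("uriBaseId")
                if base_id in bases and "uri" in art:
                    art["uri"] = rebase_uri(art["uri"], bases[base_id]["uri"], workspace)
                    del art["uriBaseId"]  # uri is now relative to the repo root
    return out


# Constructed sample mirroring the excerpt in the issue (paths redacted as there).
WORKSPACE = "/home/runner/work/redacted/redacted"
SAMPLE = {"runs": [{"originalUriBaseIds": {"ROOTPATH": {"uri": "file://" + WORKSPACE + "/terraform/01-bootstrap/"}},
    "results": [{"locations": [{"physicalLocation": {"artifactLocation": {"uri": u, "uriBaseId": "ROOTPATH"}}}]}
                for u in ("eks.tf", "../modules/rdb/main.tf")]}]}

if __name__ == "__main__":
    print(json.dumps(rebase_sarif(SAMPLE, WORKSPACE), indent=2))
```

In a workflow, run this between the Trivy and upload steps with the workspace taken from GITHUB_WORKSPACE, and upload the rewritten file instead of trivy-results.sarif.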

@jketema

jketema commented May 23, 2025

Hi @rofreytag,

This is a known limitation. Note also the conspicuous absence of uriBaseId from this document. I've added a link to this issue in the internal issue in which we're tracking this.
