Unable to Detect OS on ECS-Optimized AMI #368

Open
jbestcs opened this issue Jun 20, 2024 · 9 comments

Comments


jbestcs commented Jun 20, 2024

Hello,

When running trivy-action scans on ECS-Optimized Amazon Machine Images (AMIs) in a GitHub Actions workflow, I've found Trivy fails to detect the operating system and reports a 'filesystem walk error'. The issue persists across different scan configurations, including vulnerability scans, misconfiguration scans, and attempts to skip specific directories.

Steps to reproduce the behavior:

  1. Configure a GitHub Actions workflow to build ECS-Optimized AMIs.
  2. Add trivy-action to the workflow to scan the AMIs.
  3. Run the workflow.
  4. Observe the error output indicating an inability to detect the OS and issues parsing files.

Expected behavior
Trivy should correctly detect the operating system and perform a complete scan without errors.

GitHub Actions Workflow Configuration

```yaml
- name: Run Trivy Scan
  uses: aquasecurity/trivy-action@0.23.0
  with:
    scan-type: vm
    image-ref: "ami:${{ image_ref }}"
    format: 'json'
    output: 'trivy-results.json'
    hide-progress: false
    scanners: vuln,misconfig
    severity: HIGH,CRITICAL
```

Output Logs

```text
2024-06-20T04:50:23Z	INFO	Timeout is set to less than 30 min - upgrading to 30 min for this command.
2024-06-20T04:50:23Z	INFO	Need to update DB
2024-06-20T04:50:23Z	INFO	Downloading DB...
2024-06-20T04:50:27Z	INFO	Misconfiguration scanning is enabled
2024-06-20T04:50:27Z	INFO	Need to update the built-in policies
2024-06-20T04:50:27Z	INFO	Downloading the built-in policies...
2024-06-20T04:50:29Z	INFO	[ami] Snapshot found	snapshot_id="snap-123456789abcdefgh"
2024-06-20T04:50:58Z	WARN	[vm] Partition error	err="filesystem walk error: fs.Walk error: read directory /var/lib/docker/volumes/backingFsBlockDev: failed to list directory entries inode: 58720422: failed to list entries: not found entries"
2024-06-20T04:50:58Z	INFO	Detected OS	family="none" version=""
2024-06-20T04:50:58Z	WARN	Unsupported os	family="none"
2024-06-20T04:50:58Z	INFO	Number of language-specific files	num=0
2024-06-20T04:50:58Z	INFO	Detected config files	num=0
```

OS Information

```text
NAME="Amazon Linux"
VERSION="2023"
ID="amzn"
ID_LIKE="fedora"
VERSION_ID="2023"
PLATFORM_ID="platform:al2023"
PRETTY_NAME="Amazon Linux 2023.4.20240611"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2023"
HOME_URL="https://aws.amazon.com/linux/amazon-linux-2023/"
DOCUMENTATION_URL="https://docs.aws.amazon.com/linux/"
SUPPORT_URL="https://aws.amazon.com/premiumsupport/"
BUG_REPORT_URL="https://github.com/amazonlinux/amazon-linux-2023"
VENDOR_NAME="AWS"
VENDOR_URL="https://aws.amazon.com/"
SUPPORT_END="2028-03-15"
```

Additional context

  • Trivy Action Versions: 0.23.0, master
  • Flags tried: `--skip-dirs: /var/lib/docker`
  • Results are consistent across different scan types (vuln, misconfig, both)
  • Similar results observed in both local and GitHub Actions environments

Request for Assistance

  • Guidance on resolving OS detection issues for ECS-Optimized AMIs
  • Recommendations for additional troubleshooting steps or configuration adjustments

simar7 commented Jun 20, 2024

Do you see the same issue if you run Trivy as a CLI tool locally? If so, it'd be an issue with Trivy itself and not the Action. In that case, could you file this as a discussion in the Trivy repo so we can take a look?


jbestcs commented Jun 21, 2024

Good point! Thank you.

So when I ran it locally I got this:

```text
2024-06-21T01:38:06.401Z        INFO    Need to update DB
2024-06-21T01:38:06.402Z        INFO    Downloading DB...
2024-06-21T01:38:17.648Z        INFO    Detected OS: unknown
2024-06-21T01:38:17.649Z        INFO    Number of PL dependency files: 1
2024-06-21T01:38:17.649Z        INFO    Detecting gobinary vulnerabilities...
```

and then a list of vulnerabilities. It still doesn't detect the OS, but that's much less important than the fact that it didn't hit that filesystem walk error.
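Both logs above end with Trivy reporting no OS (`family="none"` in the Action run, `Detected OS: unknown` locally), which means the OS-package vulnerability scan never ran and an "empty" result would look clean. The following is an added example, not code from this issue or from trivy-action: it reads the `trivy-results.json` the workflow writes and fails the job unless Trivy identified an OS and produced an OS-package result. It assumes the Trivy JSON report layout (`Metadata.OS.Family`, `Results[].Class`); the AMI ids in the constructed sample reports are placeholders.

```python
import json
import sys

# Values Trivy reports when no OS was identified (both logs in this issue show them).
UNDETECTED = {None, "", "none", "unknown"}


def os_detected(report: dict) -> bool:
    """True if Trivy recorded a real OS family under Metadata.OS.Family."""
    family = ((report.get("Metadata") or {}).get("OS") or {}).get("Family")
    return family not in UNDETECTED


def os_pkgs_scanned(report: dict) -> bool:
    """True if at least one result has Class os-pkgs (OS packages were scanned)."""
    return any(r.get("Class") == "os-pkgs" for r in report.get("Results") or [])


def check_report(report: dict) -> tuple:
    """Return (ok, reason); ok is False when the scan silently skipped the OS."""
    if not os_detected(report):
        return False, "OS not detected: OS packages were never scanned"
    if not os_pkgs_scanned(report):
        return False, "no os-pkgs result: OS package scan produced no target"
    return True, "OS detected and OS packages scanned"


# Constructed sample: the report shape the failing scan in this issue yields.
FAILING_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "ami:ami-0000000000000000",  # placeholder AMI id
    "ArtifactType": "vm",
    "Metadata": {"OS": {"Family": "none", "Name": ""}},
    "Results": [],
}

# Constructed sample: the shape expected once Amazon Linux 2023 is detected.
HEALTHY_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "ami:ami-0000000000000000",  # placeholder AMI id
    "ArtifactType": "vm",
    "Metadata": {"OS": {"Family": "amazon", "Name": "2023"}},
    "Results": [{"Target": "ami (amazon 2023)", "Class": "os-pkgs"}],
}

if __name__ == "__main__":
    # Usage: python gate.py trivy-results.json   (no argument: run on the failing sample)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else FAILING_REPORT
    ok, reason = check_report(report)
    print(("PASS: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it as a step after the scan so the job fails on an undetected OS instead of passing with zero findings.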


simar7 commented Jun 21, 2024

Are you able to provide an input image which we can use to reproduce this?


jbestcs commented Jun 24, 2024

This image should do: ami-0fda48b6c27c921ad


simar7 commented Jun 26, 2024

Is this a public image? If so, where is it available? I'm unable to find it in the regions I looked at.


jbestcs commented Jun 28, 2024

In other regions it's in the AWS Marketplace, but in ap-southeast-2 it's a Community AMI.

@aconlin-scottlogic

Seeing the same issue with a generic AL2023 image with the ECS agent installed. Unfortunately the AMI isn't public, but I thought it worthwhile highlighting that this isn't an issue that's only affecting the ECS-optimised AMI that AWS provides.

However, the issue is also seen when scanning using the CLI locally.

Currently using version 0.54.1; will try 0.55 to see if that fixes the issue...


simar7 commented Sep 6, 2024

> however the issue is also seen when scanning using the CLI locally

Please file the discussion in the Trivy repo in this case as it would be a Trivy bug not specific to the action itself. Thank you.

@aconlin-scottlogic

> > however the issue is also seen when scanning using the CLI locally
>
> Please file the discussion in the Trivy repo in this case as it would be a Trivy bug not specific to the action itself. Thank you.

Ah ok, sorry I missed that this was the action repo :)
