Closed
It looks like #399 changed trivy-action to use "composite" instead of "docker", and it attempts to install trivy via a curl [url]/install.sh | sudo sh - style method. This seems a bit dangerous to run on the local system outside of docker.
Am I misunderstanding what "composite" is supposed to do? I'm not going to grant sudo access to the github action runner user.
When running the latest action, I get this in the log output:
Run aquasecurity/trivy-action@master
with:
image-ref: [redacted]
exit-code: 1
severity: MEDIUM,HIGH,CRITICAL
format: table
scan-type: image
scan-ref: .
ignore-unfixed: false
vuln-type: os,library
cache-dir: /run/github-runner/argo-2/argo/argo/.cache/trivy
list-all-pkgs: false
version: v0.56.1
cache: true
Run curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.56.1
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.56.1
shell: /nix/store/516kai7nl5dxr792c0nzq0jp8m4zvxpi-bash-5.2p32/bin/bash --noprofile --norc -e -o pipefail {0}
/run/github-runner/argo-2/_temp/1455b404-12e8-4243-bcd6-0e695ee57cfc.sh: line 1: curl: command not found
/run/github-runner/argo-2/_temp/1455b404-12e8-4243-bcd6-0e695ee57cfc.sh: line 1: sudo: command not found
Error: Process completed with exit code 127.
I left a comment on the relevant code change:
https://github.com/aquasecurity/trivy-action/pull/399/files#r1792533665
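The concern above is the `curl ... | sudo sh` step. As an added example, not code from trivy-action or from the issue author, here is the defensive pattern a runner owner would use instead: download the installer to a file, compare it against a pinned SHA-256, and only then run it with the same `-b <bindir> <version>` arguments pointed at a user-writable prefix, so neither piping to a shell nor sudo is needed. The stand-in installer, the pinned digest and all paths are constructed for the demo; `sha256sum` from coreutils is assumed.

```shell
# Added example (not trivy-action's code). Verify-then-install instead of
# `curl ... | sudo sh`. The stand-in install.sh, the pinned digest and the
# temp paths below are constructed for this demo; sha256sum is assumed.

# Print the SHA-256 of a file.
sha256_of() {
  sha256sum "$1" | awk '{print $1}'
}

# Return 0 only if the file's digest equals the pinned value.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Run an installer script (same `-b <bindir> <version>` arguments the upstream
# install.sh takes) only after verification, into a prefix the runner user owns.
staged_install() {
  script="$1"; pinned="$2"; prefix="$3"; version="$4"
  if ! verify_sha256 "$script" "$pinned"; then
    echo "refusing to run $script: SHA-256 does not match pinned digest" >&2
    return 1
  fi
  mkdir -p "$prefix"
  sh "$script" -b "$prefix" "$version"
}

# Constructed stand-in for install.sh: writes a fake binary into the -b dir.
make_demo_installer() {
  cat > "$1" <<'EOF'
#!/bin/sh
[ "$1" = "-b" ] || exit 2
printf '#!/bin/sh\necho fake-trivy %s\n' "$3" > "$2/trivy"
chmod +x "$2/trivy"
EOF
}

# Demo: a matching digest installs; a tampered script is refused.
demo() {
  tmp="$(mktemp -d)"
  make_demo_installer "$tmp/install.sh"
  pinned="$(sha256_of "$tmp/install.sh")"   # in real use: a digest you pinned
  staged_install "$tmp/install.sh" "$pinned" "$tmp/bin" v0.56.1 || return 1
  echo 'echo tampered' >> "$tmp/install.sh"
  ! staged_install "$tmp/install.sh" "$pinned" "$tmp/bin" v0.56.1
}
```

In a workflow this replaces the `sudo sh -s -- -b /usr/local/bin` step; the pinned digest would be committed alongside the version so that a changed upstream install.sh fails the job instead of running.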