Trivy SARIF output includes non-existent file paths causing GitHub Code Scanning upload failures

[gabrielss4ntos]

Hi,

We are encountering two distinct issues when trying to perform IaC scanning with Trivy and subsequently upload the results to GitHub Security Code Scanning.

Issue 1: When attempting to upload SARIF results generated by aquasecurity/trivy-action to GitHub Security Code Scanning, the github/codeql-action/upload-sarif action consistently fails with the error message: Code Scanning could not process the submitted SARIF file:

Code Scanning could not process the submitted SARIF file: locationFromSarifResult: expected artifact location

I Think the issue occurs because Trivy generates SARIF entries for file paths that do not exist in the repository filesystem, causing GitHub Code Scanning to fail when attempting to compute fingerprints for these non-existent files.

Issue 2: In some executions, in this same Trivy repo, the scan fails with a fatal error indicating a timeout. I don't know if this timeout is specifically linked to the inability to download remote Terraform modules, I see several "Failed to load module" errors in the logs.

 - fs scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:402
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:261
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:629
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:158
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:205
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:510
  - terraform scan error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:46
  - scan config error:
    github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan
        /home/runner/work/trivy/trivy/pkg/misconf/scanner.go:158
  - context deadline exceeded

Has anyone encountered these two distinct issues and know how to fix them?

Any recommended way to run trivy+code-scanning in pipelines?

Environment

• Trivy action version: aquasecurity/trivy-action@0.30.0
• GitHub Actions runner: ubuntu-latest
• Scan type: config
• Output format: SARIF
• Trigger: Pull Request workflows
• Checkout: actions/checkout@v4

[DmitriyLewen]

Hello @gabrielss4ntos
Thanks for your report!

the github/codeql-action/upload-sarif action consistently fails with the error message: Code Scanning could not process the submitted SARIF file:

Can you share "wrong" sarif file? It looks like one (or more) result doens't contain location.

Issue 2: In some executions, in this same Trivy repo, the scan fails with a fatal error indicating a timeout.

Did you try to increase timeout?

I see several "Failed to load module" errors in the logs.

@nikpivkin @simar7 Could this have a big impact on Trivy's execution time?

[simar7]

Issue 2: In some executions, in this same Trivy repo, the scan fails with a fatal error indicating a timeout.

Are you able to share the repo with us? Do you have a lot of external modules in your terraform code? It would be helpful to see the Trivy log output of running the scan with the --debug option.

I see several "Failed to load module" errors in the logs.

Can you share the full log output?

[nikpivkin]

@nikpivkin @simar7 Could this have a big impact on Trivy's execution time?

Do you mean module loading? If the infrastructure has a large number of modules and there is an unstable/slow network connection, then yes.

[simar7]

@DmitriyLewen should we exclude references to external modules in SARIF output as references to them won't be processable by GitHub anyway? Maybe we can optionally combine this with --tf-exclude-downloaded-modules, if passed in.

[DmitriyLewen]

as references to them won't be processable by GitHub anyway?

Can you clarify why? (Unfortunately, I don't know the nuances of how GitHub processes information from Terraform and its modules).

Maybe we can optionally combine this with --tf-exclude-downloaded-modules, if passed in.

I think we can enable this flag for sarif format here:

trivy-action/entrypoint.sh

Lines 39 to 47 in 77137e9

	# Handle SARIF
	if [ "${TRIVY_FORMAT:-}" = "sarif" ]; then
	if [ "${INPUT_LIMIT_SEVERITIES_FOR_SARIF:-false,,}" != "true" ]; then
	echo "Building SARIF report with all severities"
	unset TRIVY_SEVERITY
	else
	echo "Building SARIF report"
	fi
	fi

[gabrielss4ntos]

Hi Guys,

Thanks for the answer.

I don't know how to get these SARIF files directly from the action, I'll check this.

I'll see if I can generate a SARIF and obfuscate the sensitive information.

@DmitriyLewen I didn't change the timeout, I left the default value.

In this case, I have a dedicated repo for terraform modules, with more than 50 modules.

I can't share the full log, but I have more than 1000 error entries with "Failed to load module".

But here's part of the error until it times out:

2025-06-27T00:25:41.1733860Z 2025-06-27T00:25:41Z	DEBUG	[module resolver] Downloading module	source="git::https://github.com/template/sample-terraform?depth=1&ref=v1.11.0"
2025-06-27T00:25:41.2879474Z 2025-06-27T00:25:41Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="failed to download: error downloading 'https://github.com/template/sample-terraform?depth=1&ref=v1.11.0': /usr/bin/git exited with 128: Cloning into '/tmp/.aqua/cache/111'...\nfatal: could not read Username for 'https://github.com': terminal prompts disabled\n"

Additionally, I'm using this actions as step within a GitHub App. Could this be a Git authentication configuration issue? The workflow has the correct permissions on the terraform modules repository, but maybe Trivy's git clone command isn't using the GITHUB_TOKEN properly?

Is it possible to skip downloading the module directly in the workflow?

[DmitriyLewen]

Is it possible to skip downloading the module directly in the workflow?

IIUC you can use --tf-exclude-downloaded-modules flag (as env or in config file)