Text File Busy

[EricAverittTMNA]

In my current setup, I have Trivy scanning Terraform repos and checking for any vulnerabilities. There are a lot of terraform repos and to make things common, I am using a reusable workflow that will scan a terraform repo via the Trivy Action. During the scan, there are different environments that have different configurations so the scan results will differ based on the terraform but around 20+ environments are scanned at the same time.

This worked without any issues in Trivy Action 0.24.0 however after updating recently to 0.28.0 I am intermittently receiving an error that says "Text file busy". Simply rerunning the failed jobs causes the GitHub CI to succeed however I have to do this almost every time and the environment that fails is different almost every time.

Something has changed with the entrypoint.sh file such that my jobs continue to fail periodically. There has not been any update to the entrypoint.sh file since 0.28.0 so I have not updated to 0.29.0 just yet. Can anyone assist with this issue?

CI Preview Setup with failed jobs:

GitHub Failed Job Step Description: (Sensitive information redacted)

Run aquasecurity/[email protected]
Run aquasecurity/[email protected]
Run echo "dir=$HOME/.local/bin/trivy-bin" >> $GITHUB_OUTPUT
Run actions/cache@v4
Cache Size: ~36 MB (37525339 B)
/usr/bin/tar -xf /mnt/vol1/actions-runner01/_work/_temp/8b[24](https://github.com/org/repo/actions/runs/12403531563/job/34627178933?pr=745#step:13:25)82cc-ca20-40e8-b248-861cf35c7862/cache.tzst -P -C /mnt/vol1/actions-runner01/_work/reponame/reponame --use-compress-program unzstd
Cache restored successfully
Cache restored from key: trivy-binary-v0.56.1-Linux-X[64](https://github.com/org/reponame/actions/runs/12403531563/job/34627178933?pr=745#step:13:68)
Run echo /home/ec2-user/.local/bin/trivy-bin >> $GITHUB_PATH
Run echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
Run actions/cache@v4
Cache Size: ~0 MB (177764 B)
/usr/bin/tar -xf /mnt/vol1/actions-runner01/_work/_temp/918fe2bc-a25e-4124-9105-9bd050fa0dff/cache.tzst -P -C /mnt/vol1/actions-runner01/_work/reponame/reponame --use-compress-program unzstd
Cache restored successfully
Cache restored from key: cache-trivy-2024-12-18
Run echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
Run # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
Run entrypoint.sh
  entrypoint.sh
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    AWS_REGION: us-east-1
    TARGET_ASSUME_ROLE_NAME: #####
    AWS_DEFAULT_REGION: us-east-1
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***
    TERRAFORM_CLI_PATH: /mnt/vol1/actions-runner01/_work/_temp/5f930761-3e63-4d16-880b-a67c6451497a
    TRIVY_EXIT_CODE: 0
    TRIVY_IGNORE_UNFIXED: true
    TRIVY_SEVERITY: CRITICAL,HIGH,MEDIUM
    TRIVY_OUTPUT: trivy.txt
    TRIVY_QUIET: true
    INPUT_SCAN_TYPE: config
    INPUT_IMAGE_REF: 
    INPUT_SCAN_REF: env/cm/ty/na
    INPUT_TRIVYIGNORES: 
    INPUT_GITHUB_PAT: 
    INPUT_LIMIT_SEVERITIES_FOR_SARIF: 
    TRIVY_CACHE_DIR: /mnt/vol1/actions-runner01/_work/reponame/reponame/.cache/trivy
Running Trivy with options: trivy config env/cm/ty/na
/mnt/vol1/actions-runner01/_work/_actions/aquasecurity/trivy-action/0.28.0/entrypoint.sh: line 44: /home/ec2-user/.local/bin/trivy-bin/trivy: Text file busy
Error: Process completed with exit code 126.

The reusable workflow that contains the trivy action code:

      # Check With Trivy
      - name: Aqua Security Trivy
        uses: aquasecurity/[email protected]
        with:
          scan-type: "config"
          hide-progress: true
          ignore-unfixed: true
          exit-code: "0"
          severity: "CRITICAL,HIGH,MEDIUM"
          output: trivy.txt
          scan-ref: ${{ matrix.target_directory }}

      - name: Publish Trivy Output to Summary
        if: ${{ always() }}
        run: |
          if [[ -s trivy.txt ]]; then
            {
              echo "###  ${{ matrix.target_directory}} Security Output"
              echo "<details><summary>Click to expand</summary>"
              echo ""
              echo '```terraform'
              cat trivy.txt
              echo '```'
              echo "</details>"
            } >> $GITHUB_STEP_SUMMARY
          fi

[EricAverittTMNA]

As an update, I have also tried to do random file names instead of using trivy.txt but still have received the same message about text file being busy.

      - name: Setup Unique Trivy File Name
        run: |
          echo TRIVY_FILE_NAME=$(cat /dev/urandom | tr -cd 'a-f0-9' | head -c 32).txt >> $GITHUB_ENV

      # Check With Trivy
      - name: Aqua Security Trivy
        uses: aquasecurity/[email protected]
        with:
          scan-type: "config"
          hide-progress: true
          ignore-unfixed: true
          exit-code: "0"
          severity: "CRITICAL,HIGH,MEDIUM"
          output: ${{ env.TRIVY_FILE_NAME }}
          scan-ref: ${{ matrix.target_directory }}

      - name: Publish Trivy Output to Summary
        if: ${{ always() }}
        run: |
          if [[ -s ${{ env.TRIVY_FILE_NAME }} ]]; then
            {
              echo "###  ${{ matrix.target_directory}} Security Output"
              echo "<details><summary>Click to expand</summary>"
              echo ""
              echo '```terraform'
              cat ${{ env.TRIVY_FILE_NAME }}
              echo '```'
              echo "</details>"
            } >> $GITHUB_STEP_SUMMARY
          fi

These jobs run on self-hosted runners (AWS EC!2 instances). Could the reason for the failure being too many parallel jobs are trying to use trivy from the same location /home/ec2-user/.local/bin/trivy-bin/trivy at the same time?

[EricAverittTMNA]

Another update is I downgraded to [email protected] and had no issues with my CI run.
With [email protected], it fails every time with a random environment without fail.
Testing the upgrade to [email protected], failed with the same text file busy error.

Since the change in this PR for entrypoint.sh my CI runs will fail at least once every time: #399

Would appreciate some support regarding this issue as I don't believe it's due to any setup/configuration issues on my end but rather something that isn't working properly in entrypoint.sh.

[lbvffvbl]

Hi @EricAverittTMNA Try to add env like TRIVY_CACHE_DIR: /tmp/trivy-cache-${{ github.run_id }}

[EricAverittTMNA]

@lbvffvbl Thank you for your suggestion. I am calling the trivy workflow from a reusable workflow so the github run_id will be the same for all items in the matrix. So I added the directory path to make it unique but I'm still receiving the same error (/home/ec2-user/.local/bin/trivy-bin/trivy: Text file busy). Is it because these are all running on the same self-hosted runner?
Also, I did notice that the restore-keys variable is not correct in the cache section but it worked for other workflows so maybe that is a non-issue. Would appreciate some more help regarding this when you get a chance. Thanks.

Calling workflow:

      - name: Sets MODIFIED_BRANCH_NAME
        run: |
          echo "MODIFIED_BRANCH_NAME=$( echo ${{ matrix.target_directory }} | tr -d '/' )" >> $GITHUB_ENV

      # Check With Trivy
      - name: Aqua Security Trivy
        uses: aquasecurity/[email protected]
        with:
          scan-type: "config"
          hide-progress: true
          ignore-unfixed: true
          exit-code: "0"
          severity: "CRITICAL,HIGH,MEDIUM"
          output: trivy.txt
          scan-ref: ${{ matrix.target_directory }}
        env:
          TRIVY_CACHE_DIR: /tmp/trivy-cache-${{ env.MODIFIED_BRANCH_NAME }}-${{ github.run_id }}

matrix.target_directory is something like env/pp/sz/in for example.

Error log:

Run actions/cache@v4
  with:
    path: /mnt/vol1/actions-runner05/_work/reponame/reponame/.cache/trivy
    key: cache-trivy-2025-01-02
    restore-keys: cache-trivy-
    enableCrossOsArchive: false
    fail-on-cache-miss: false
    lookup-only: false
    save-always: false
  env:
    AWS_REGION: ***
    TARGET_ASSUME_ROLE_NAME: ***
    AWS_DEFAULT_REGION: ***
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***
    TERRAFORM_CLI_PATH: /mnt/vol1/actions-runner05/_work/_temp/470fb504-14c0-42d1-8dbc-fa2cf63fa8ab
    MODIFIED_BRANCH_NAME: envppszin
    TRIVY_CACHE_DIR: /tmp/trivy-cache-envppszin-12586144996
Cache Size: ~0 MB (177416 B)
/usr/bin/tar -xf /mnt/vol1/actions-runner05/_work/_temp/71822a9c-72c5-43fc-bdb4-aa079a49a3e9/cache.tzst -P -C /mnt/vol1/actions-runner05/_work/reponame/reponame --use-compress-program unzstd
Cache restored successfully
Cache restored from key: cache-trivy-2025-01-02
Run echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
Run # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
Run entrypoint.sh
Running Trivy with options: trivy config env/pp/sz/in
/mnt/vol1/actions-runner05/_work/_actions/aquasecurity/trivy-action/0.29.0/entrypoint.sh: line 44: /home/ec2-user/.local/bin/trivy-bin/trivy: Text file busy

[lbvffvbl]

also in my case helped skipping installation of trivy (but install it in self-hosted runner yourself before)

       with:
          image-ref: ${{matrix.matrix.repo }}:${{ matrix.matrix.tag }}
          #ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          skip-setup-trivy: true
          exit-code: '1'
        env:
          TRIVY_CACHE_DIR: /tmp/trivy-cache-${{ github.run_id }}

[EricAverittTMNA]

@lbvffvbl
Manually installing it to the self-hosted runners and adding skip-setup-trivy: true to my yaml file worked with no failures.
It seems that the trivy installation was running multiple times and causing issues since the change to the entrypoint.sh file in 0.25.0.
It worked just fine before the change in 0.25.0 so I'm not exactly sure what is the root issue of my problem but at least I have a workaround and can just manually update trivy on a regular cadence.

Thank you very much for your support.