OCI image set with --policy-bundle-repository does not utilize authentication credentials

[JeffResc]

Description

OCI image set with --policy-bundle-repository does not utilize authentication credentials. I have tried setting the authentication credentials via environment variables TRIVY_USERNAME/TRIVY_PASSWORD as well as command line arguments --username/--password, but I am recieving an unauthorized error code from my private OCI container registry. I have tried with both the trivy filesystem. trivy image subcommands, but the results are the same.

Conversely, when setting the --db-repository and --java-db-repository options, these are able to pull my private OCI container registry using the credentials set with via environment variables TRIVY_USERNAME/TRIVY_PASSWORD.

Notice in the output below that ${MY_OCI_REGISTRY}/aquasecurity/trivy-db is pulled as expected, but ${MY_OCI_REGISTRY}/aquasecurity/defsec:0 fails.

$ TRIVY_USERNAME="example_user"
$ TRIVY_PASSWORD="example_pass"
$ TRIVY_NO_PROGRESS="true"
$ trivy filesystem ./ --db-repository ${MY_OCI_REGISTRY}/aquasecurity/trivy-db --java-db-repository ${MY_OCI_REGISTRY}/aquasecurity/trivy-java-db --policy-bundle-repository ${MY_OCI_REGISTRY}/aquasecurity/defsec:0 --scanners vuln,misconfig,secret,license
INFO	Need to update DB
INFO	DB Repository: ${MY_OCI_REGISTRY}/aquasecurity/trivy-db
INFO	Downloading DB...
INFO	Vulnerability scanning is enabled
INFO	Misconfiguration scanning is enabled
INFO	Need to update the built-in policies
INFO	Downloading the built-in policies...
ERROR   Falling back to embedded policies: failed to download built-in policies: download error: OCI repository error: 1 error occurred:
        * GET https://${MY_OCI_REGISTRY}/v2/aquasecurity/defsec/manifests/0: UNAUTHORIZED: access to the requested resource is not authorized
INFO	Secret scanning is enabled
INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
INFO	Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
INFO	License scanning is enabled
INFO	Number of language-specific files: 0
INFO	Detected config files: 7
INFO	Vulnerability scanning is enabled
INFO	Misconfiguration scanning is enabled
INFO	Need to update the built-in policies
INFO	Downloading the built-in policies...
ERROR   Falling back to embedded policies: failed to download built-in policies: download error: OCI repository error: 1 error occurred:
        * GET https://${MY_OCI_REGISTRY}/v2/aquasecurity/defsec/manifests/0: UNAUTHORIZED: access to the requested resource is not authorized
INFO	Secret scanning is enabled
INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
INFO	Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
INFO	License scanning is enabled
INFO	Number of language-specific files: 0
INFO	Detected config files: 7

Desired Behavior

I expect the OCI image set with --policy-bundle-repository to be pulled using the credentials specified via environment variables TRIVY_USERNAME/TRIVY_PASSWORD, similar to the functionality supported in --db-repository and --java-db-repository.

Actual Behavior

As shown in the command line output, the OCI image set with --policy-bundle-repository is not pulled using the the credentials specified via environment variables TRIVY_USERNAME/TRIVY_PASSWORD.

Reproduction Steps

1. Create an OCI registry that requires authentication and mirror the following images: `ghcr.io/aquasecurity/trivy-db` `ghcr.io/aquasecurity/trivy-java-db` and `ghcr.io/aquasecurity/defsec:0`.
2. Set `TRIVY_USERNAME` and `TRIVY_PASSWORD` environment variables to a username and password for your OCI registry.
3. Run the following Trivy command: `trivy filesystem ./ --db-repository ${MY_OCI_REGISTRY}/aquasecurity/trivy-db --java-db-repository ${MY_OCI_REGISTRY}/aquasecurity/trivy-java-db --policy-bundle-repository ${MY_OCI_REGISTRY}/aquasecurity/defsec:0 --scanners vuln,misconfig,secret,license`

Target

Filesystem

Scanner

vuln,misconfig,secret,license

Output Format

Table

Mode

Standalone

Debug Output

$ trivy filesystem ./ --db-repository ${MY_OCI_REGISTRY}/aquasecurity/trivy-db --java-db-repository ${MY_OCI_REGISTRY}/aquasecurity/trivy-java-db --policy-bundle-repository ${MY_OCI_REGISTRY}/aquasecurity/defsec:0 --scanners vuln,misconfig,secret,license --debug
DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
DEBUG   Ignore statuses {"statuses": null}
DEBUG   cache dir:  /home/scanner/.cache/trivy
DEBUG   There is no valid metadata file: unable to open a file: open /home/scanner/.cache/trivy/db/metadata.json: no such file or directory
INFO    Need to update DB
INFO    DB Repository: ${MY_OCI_REGISTRY}/aquasecurity/trivy-db
INFO    Downloading DB...
DEBUG   no metadata file
DEBUG   Updating database metadata...
DEBUG   DB Schema: 2, UpdatedAt: 2024-03-04 12:19:30.391554259 +0000 UTC, NextUpdate: 2024-03-04 18:19:30.391553979 +0000 UTC, DownloadedAt: 2024-03-04 20:23:58.631164038 +0000 UTC
INFO    Vulnerability scanning is enabled
DEBUG   Vulnerability type:  [os library]
INFO    Misconfiguration scanning is enabled
DEBUG   Failed to open the policy metadata: open /home/scanner/.cache/trivy/policy/metadata.json: no such file or directory
INFO    Need to update the built-in policies
INFO    Downloading the built-in policies...
DEBUG   Using URL: ${MY_OCI_REGISTRY}/aquasecurity/defsec:0 to load policy bundle
ERROR   Falling back to embedded policies: failed to download built-in policies: download error: OCI repository error: 1 error occurred:
        * GET https://${MY_OCI_REGISTRY}/v2/aquasecurity/defsec/manifests/0: UNAUTHORIZED: access to the requested resource is not authorized
INFO    Secret scanning is enabled
INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
INFO    License scanning is enabled
DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
DEBUG   No secret config detected: trivy-secret.yaml
DEBUG   The nuget packages directory couldn't be found. License search disabled
DEBUG   Walk the file tree rooted at '.' in parallel
DEBUG   OS is not detected.
DEBUG   Detected OS: unknown
INFO    Number of language-specific files: 0
INFO    Detected config files: 0

Operating System

Ubuntu 22.04.3 LTS

Version

Version: 0.49.1

Checklist

• Run trivy image --reset
• Read the troubleshooting

[simar7]

Thanks for the detailed write up. We currently don't support this but I don't see any reason why we can't. So I'll convert this discussion into an feature request issue to work on.

[simar7]

Created #6266 to track.