
[Question] Errors for vulnerability scanning when using kubernetes scanning #5310

Open
chen-keinan opened this issue Oct 3, 2023 Discussed in #5284 · 0 comments
Labels
target/kubernetes: Issues relating to kubernetes cluster scanning
triage/support: Indicates an issue that is a support question.

Comments

@chen-keinan
Contributor

Discussed in #5284

Originally posted by Mo0rBy October 1, 2023

Question

When using trivy kubernetes scanning, I am unable to see any vulnerability detections and I can see a bunch of errors (1 for each microservice deployment). I'm not sure why I'm getting this error, so any help to point me in the right direction would be appreciated.

Here is an example of 1 of the errors:

2023-10-01T09:37:45.720+0100	ERROR	Error during vulnerabilities or misconfiguration scan: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
	* unable to inspect the image (<my-aws-registry>/<my-microservice>:<image-tag>): Error response from daemon: No such image: <my-aws-registry>/<my-microservice>:<image-tag>
	* containerd socket not found: /run/containerd/containerd.sock
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* GET https://<my-aws-registry>/v2/<project>/<microservice>/manifests/<tag>: DENIED: Your authorization token has expired. Reauthenticate and try again.

It looks like Trivy is attempting to send a request to pull images, but the images are stored inside a private AWS ECR and are not publicly available. Am I missing something?

[Screenshot: 2023-10-01 at 09:46:45]

It looks like I can get vulnerability scanning results for publicly available images that we have deployed, so I think this is just Trivy trying to reach out to the internet to get information about the deployed images, and it obviously can't as they are created by my team and stored in private registries.

Is there any way to get Trivy to ignore vulnerability scanning on these images so that I don't see the errors for these, but still scan for vulnerabilities so I can get results for the publicly available images that we use?

Target

Kubernetes

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Operating System

macOS Ventura 13.6

Version

Version: 0.45.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-10-01 06:16:26.188715325 +0000 UTC
  NextUpdate: 2023-10-01 12:16:26.188714825 +0000 UTC
  DownloadedAt: 2023-10-01 08:27:44.609875 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-09-11 00:53:00.064262708 +0000 UTC
  NextUpdate: 2023-09-14 00:53:00.064262008 +0000 UTC
  DownloadedAt: 2023-09-11 09:45:53.490486 +0000 UTC
Policy Bundle:
  Digest: sha256:24b38cdf646f0e5becf55a709ae9a3c4e819a348c28990cec0b6aabe4637d8b1
  DownloadedAt: 2023-10-01 08:27:45.485939 +0000 UTC
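The error above is one message per workload, and each message bundles four sub-errors because Trivy tried four image sources in turn (the local Docker daemon, containerd, Podman, and finally the remote registry) and none produced the image. The first three are expected when a remote cluster is scanned from a workstation that has never pulled those images; the fourth bullet is the one that says why the scan produced nothing, and for the private ECR images it is an expired registry token. The following script is an added example, not part of this issue or of Trivy itself: it parses a log in the format shown above, groups the bullets per image and reports the blocking cause per image, so that "re-authenticate to the registry" and "image genuinely missing" can be told apart across a whole cluster. The sample log is constructed, with the AWS documentation account id 111122223333 and invented image names; the regexes assume the tab-separated layout shown in the issue.

```python
"""Triage helper for Trivy kubernetes-scan error output (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample modelled on the error in the issue. The ECR host uses the
# AWS documentation account id 111122223333; image names are invented.
SAMPLE_LOG = """\
2023-10-01T09:37:45.720+0100\tERROR\tError during vulnerabilities or misconfiguration scan: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
\t* unable to inspect the image (111122223333.dkr.ecr.eu-west-1.amazonaws.com/shop/cart:1.4.2): Error response from daemon: No such image: 111122223333.dkr.ecr.eu-west-1.amazonaws.com/shop/cart:1.4.2
\t* containerd socket not found: /run/containerd/containerd.sock
\t* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
\t* GET https://111122223333.dkr.ecr.eu-west-1.amazonaws.com/v2/shop/cart/manifests/1.4.2: DENIED: Your authorization token has expired. Reauthenticate and try again.
2023-10-01T09:37:46.001+0100\tERROR\tError during vulnerabilities or misconfiguration scan: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
\t* unable to inspect the image (docker.io/library/nginx:1.25): Error response from daemon: No such image: docker.io/library/nginx:1.25
\t* containerd socket not found: /run/containerd/containerd.sock
\t* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
\t* GET https://registry-1.docker.io/v2/library/nginx/manifests/1.25: MANIFEST_UNKNOWN: manifest unknown
"""

# One ERROR header line, followed by tab-indented "* ..." bullets, one per image source.
ERROR_HEADER = re.compile(r"^(?P<ts>\S+)\tERROR\t.*?(?P<n>\d+) errors? occurred:$")
BULLET = re.compile(r"^\t\* (?P<text>.*)$")
IMAGE_REF = re.compile(r"unable to inspect the image \((?P<ref>[^)]+)\)")

# Ordered: the first matching category wins, so the specific auth message is
# checked before the generic DENIED token.
CAUSES = [
    ("registry-auth-expired", re.compile(r"authorization token has expired", re.I)),
    ("registry-denied", re.compile(r"\bDENIED\b|\bUNAUTHORIZED\b")),
    ("registry-manifest-missing", re.compile(r"MANIFEST_UNKNOWN|manifest unknown", re.I)),
    ("local-daemon-no-image", re.compile(r"No such image", re.I)),
    ("runtime-socket-missing", re.compile(r"socket not found|no podman socket found", re.I)),
]


@dataclass
class ImageScanError:
    timestamp: str
    image: str
    causes: list = field(default_factory=list)  # (category, raw bullet text)


def classify(line: str) -> str:
    """Map one bullet to a cause category, or 'other' if nothing matches."""
    for category, pattern in CAUSES:
        if pattern.search(line):
            return category
    return "other"


def parse_trivy_errors(log: str) -> list[ImageScanError]:
    """Group each ERROR header with its following bullets into one record per image."""
    entries: list[ImageScanError] = []
    current: ImageScanError | None = None
    for raw in log.splitlines():
        header = ERROR_HEADER.match(raw)
        if header:
            current = ImageScanError(timestamp=header.group("ts"), image="<unknown>")
            entries.append(current)
            continue
        bullet = BULLET.match(raw)
        if bullet and current is not None:
            text = bullet.group("text")
            ref = IMAGE_REF.search(text)
            if ref:
                current.image = ref.group("ref")
            current.causes.append((classify(text), text))
    return entries


def root_cause(entry: ImageScanError) -> str:
    """Pick the cause that actually blocked the scan.

    A cold local cache and missing runtime sockets are normal when a remote cluster
    is scanned from a workstation, so a registry-side error takes precedence.
    """
    cats = [c for c, _ in entry.causes]
    for preferred in ("registry-auth-expired", "registry-denied", "registry-manifest-missing"):
        if preferred in cats:
            return preferred
    if cats and all(c in ("local-daemon-no-image", "runtime-socket-missing") for c in cats):
        return "no-image-source"
    return "other"


def summarize(log: str) -> dict[str, list[str]]:
    """Return {root cause: [image references]} for a whole scan log."""
    summary: dict[str, list[str]] = {}
    for entry in parse_trivy_errors(log):
        summary.setdefault(root_cause(entry), []).append(entry.image)
    return summary


if __name__ == "__main__":
    for cause, images in summarize(SAMPLE_LOG).items():
        print(f"{cause}:")
        for image in images:
            print(f"  {image}")
```

Run against a real scan, the "registry-auth-expired" bucket lists exactly the images whose results are missing only because the registry credential lapsed, which is the situation the error text itself points at with "Reauthenticate and try again"; images under "registry-manifest-missing" need a different follow-up (a tag that no longer exists in the registry).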
@chen-keinan chen-keinan added triage/support Indicates an issue that is a support question. target/kubernetes Issues relating to kubernetes cluster scanning labels Oct 3, 2023