trivy
Denied when trying to update trivy-db
Description
Trying to run a scan from the command line (versions 0.30.0 and 0.34.0) fails when updating the trivy-db from GHCR
¥ trivy i alpine
2022-11-11T14:24:27.306+1300 INFO Need to update DB
2022-11-11T14:24:27.306+1300 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-11-11T14:24:27.306+1300 INFO Downloading DB...
2022-11-11T14:24:27.921+1300 FATAL init error: DB error: failed to download vulnerability DB: OCI artifact error: OCI artifact error: OCI repository error: GET https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-db%3Apull&service=ghcr.io: DENIED: denied
What did you expect to happen?
Expected the scan to work
¥ trivy i alpine
2022-11-11T14:22:41.871+1300 INFO Vulnerability scanning is enabled
2022-11-11T14:22:41.872+1300 INFO Secret scanning is enabled
2022-11-11T14:22:41.872+1300 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-11-11T14:22:41.872+1300 INFO Please see also https://aquasecurity.github.io/trivy/v0.34/docs/secret/scanning/#recommendation for faster secret detection
2022-11-11T14:22:42.132+1300 INFO Detected OS: alpine
2022-11-11T14:22:42.132+1300 INFO Detecting Alpine vulnerabilities...
2022-11-11T14:22:42.134+1300 INFO Number of language-specific files: 0
alpine (alpine 3.16.2)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
What happened instead?
2022-11-11T14:24:27.921+1300 FATAL init error: DB error: failed to download vulnerability DB: OCI artifact error: OCI artifact error: OCI repository error: GET https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-db%3Apull&service=ghcr.io: DENIED: denied
Output of run with -debug:
¥ trivy i -d alpine
2022-11-11T14:27:54.413+1300 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-11-11T14:27:54.416+1300 DEBUG cache dir: /home/michael/.cache/trivy
2022-11-11T14:27:54.416+1300 DEBUG There is no valid metadata file: unable to open a file: open /home/michael/.cache/trivy/db/metadata.json: no such file or directory
2022-11-11T14:27:54.416+1300 INFO Need to update DB
2022-11-11T14:27:54.416+1300 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-11-11T14:27:54.416+1300 INFO Downloading DB...
2022-11-11T14:27:54.416+1300 DEBUG no metadata file
2022-11-11T14:27:55.073+1300 FATAL init error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:362
- DB error:
github.com/aquasecurity/trivy/pkg/commands/artifact.NewRunner
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:121
- failed to download vulnerability DB:
github.com/aquasecurity/trivy/pkg/commands/operation.DownloadDB
/home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:117
- OCI artifact error:
github.com/aquasecurity/trivy/pkg/db.(*Client).Download
/home/runner/work/trivy/trivy/pkg/db/db.go:154
- OCI artifact error:
github.com/aquasecurity/trivy/pkg/db.(*Client).initOCIArtifact
/home/runner/work/trivy/trivy/pkg/db/db.go:194
- OCI repository error:
github.com/aquasecurity/trivy/pkg/oci.NewArtifact
/home/runner/work/trivy/trivy/pkg/oci/artifact.go:69
- GET https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-db%3Apull&service=ghcr.io: DENIED: denied
Output of trivy -v:
¥ trivy i -v alpine
2022-11-11T14:28:37.703+1300 INFO Need to update DB
2022-11-11T14:28:37.703+1300 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-11-11T14:28:37.703+1300 INFO Downloading DB...
2022-11-11T14:28:38.421+1300 FATAL init error: DB error: failed to download vulnerability DB: OCI artifact error: OCI artifact error: OCI repository error: GET https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-db%3Apull&service=ghcr.io: DENIED: denied
Additional details (base image name, container registry info...):
¥ docker pull ghcr.io/aquasecurity/trivy-db:2
Error response from daemon: Head "https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2": denied: denied
Using a version of the trivy client before the move to GHCR still works (I have tried 0.24.0 and 0.28.1).
Hello @stickycode thanks for your report!
It seems that your docker credentials are wrong. Can you log out of docker and try again?
And 1 more question: are you trying to pull other public images from github (I mean https://ghcr.io/v2)?
Regards, Dmitriy
This issue is stale because it has been labeled with inactivity.
For the download of public databases to work, I needed to login to ghcr.io with docker login ghcr.io -u $MYUSERNAME --password-stdin and a Personal Access Token with just public_repo access. I otherwise don't use ghcr.io at all.
Some better documentation or error message would help.
Hello @marcinwrochna Thanks for your information.
What version of Trivy are you using?
> I needed to login to ghcr.io with docker login ghcr.io -u $MYUSERNAME --password-stdin and a Personal Access Token with just public_repo access
Are you sure you haven't used a PAT for ghcr before? What if you just log out of ghcr? Didn't it work for you?
Related docs https://aquasecurity.github.io/trivy/v0.48/docs/references/troubleshooting/#error-downloading-vulnerability-db
You're right, docker logout ghcr.io works, and is described in FAQ, sorry about that.
(I actually probably had expired PATs for ghcr.io stored in configuration; can't verify now, but I tried reproducing the issue in other ways and logout was always enough. Trivy 0.48.3).
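The thread settles on a stored ghcr.io login as the cause, cleared with docker logout ghcr.io. As an added example (not from the issue thread or the Trivy project), this Python script lists where a Docker client config holds a ghcr.io login without printing the secret. It assumes the usual config location ($DOCKER_CONFIG/config.json or ~/.docker/config.json); the function names and the sample config are constructed here.

```python
import base64
import json
import os
from pathlib import Path

# Constructed sample: a leftover ghcr.io login; the token is a placeholder.
SAMPLE_CONFIG = {
    "auths": {
        "ghcr.io": {"auth": base64.b64encode(b"exampleuser:EXPIRED_PLACEHOLDER").decode()},
        "https://index.docker.io/v1/": {},
    },
    "credHelpers": {"example.registry.invalid": "ecr-login"},
}

def _host(key):
    """Reduce an auths key such as 'https://ghcr.io/v2/' to 'ghcr.io'."""
    return key.split("://", 1)[-1].split("/", 1)[0].lower()

def stored_logins(config, registry="ghcr.io"):
    """Return descriptions of every place `config` holds a login for `registry`."""
    findings = []
    for key, entry in config.get("auths", {}).items():
        if _host(key) != registry:
            continue
        if entry.get("auth"):
            # "auth" is base64("user:secret"); report the user name only.
            user = base64.b64decode(entry["auth"]).decode(errors="replace").split(":", 1)[0]
            findings.append(f"inline credential for user '{user}' under auths['{key}']")
        elif entry.get("identitytoken"):
            findings.append(f"identity token under auths['{key}']")
        elif config.get("credsStore"):
            findings.append(f"login held in credsStore '{config['credsStore']}' for auths['{key}']")
    for key, helper in config.get("credHelpers", {}).items():
        if _host(key) == registry:
            findings.append(f"credential helper '{helper}' configured for '{key}'")
    return findings

def load_docker_config():
    """Read $DOCKER_CONFIG/config.json or ~/.docker/config.json; {} if absent."""
    base = os.environ.get("DOCKER_CONFIG") or str(Path.home() / ".docker")
    path = Path(base) / "config.json"
    return json.loads(path.read_text()) if path.is_file() else {}

if __name__ == "__main__":
    for hit in stored_logins(load_docker_config()):
        print("ghcr.io:", hit, "(clear it with: docker logout ghcr.io)")
```

No output means the config holds no ghcr.io login, so the DENIED response has another cause.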