
Config Scan Fails Without Internet

Open aquanne opened this issue 1 year ago • 1 comments

Description

When using trivy config without internet or with github.com unresolvable, an error occurs and the scan will not run.

What did you expect to happen?

I expect the scan to run fully without a connection to the internet, as stated in the docs.

What happened instead?

The scan does not scan any files, it only detects a file named .

Output of run with -debug:

/opt/terraform # trivy config --include-non-failures --debug --ignorefile .ignore-files/.iac-scanner-ignore --severity "HIGH,CRITICAL" ./projects/internal-1/iam/bindings.tf
2022-11-21T15:56:29.321Z	DEBUG	Severities: ["HIGH" "CRITICAL"]
2022-11-21T15:56:29.323Z	DEBUG	cache dir:  /root/.cache/trivy
2022-11-21T15:56:29.323Z	INFO	Misconfiguration scanning is enabled
2022-11-21T15:56:30.263Z	DEBUG	OS is not detected.
2022-11-21T15:56:30.263Z	INFO	Detected config files: 1
2022-11-21T15:56:30.263Z	DEBUG	Scanned config file: .
2022-11-21T15:56:30.266Z	DEBUG	Found an ignore file .ignore-files/.iac-scanner-ignore
2022-11-21T15:56:30.267Z	DEBUG	These IDs will be ignored: []

Output of trivy -v:

/opt/terraform # trivy -v
Version: 0.34.0
Vulnerability DB:
  Version: 1
  UpdatedAt: 2022-11-21 12:50:59.415750952 +0000 UTC
  NextUpdate: 2022-11-21 18:50:59.415750553 +0000 UTC
  DownloadedAt: 0001-01-01 00:00:00 +0000 UTC

Additional details (base image name, container registry info...):

This is running inside the aquasec/trivy:latest container image. I can run the exact same command with my internet connection on and receive full scan results.

aquanne avatar Nov 22 '22 21:11 aquanne

This issue is stale because it has been labeled with inactivity.

github-actions[bot] avatar Jan 22 '23 00:01 github-actions[bot]

Hi @aquanne, can you share the debug output for running the scan with the --skip-policy-update flag?

In addition, you mentioned the scan works when the skip policy update flag is not passed, could you also share the debug output of that?

simar7 avatar Jan 23 '23 18:01 simar7

Also, is it possible to share your IaC config files? That way we can help you debug faster.

simar7 avatar Jan 23 '23 18:01 simar7

This issue is stale because it has been labeled with inactivity.

github-actions[bot] avatar Mar 25 '23 00:03 github-actions[bot]