Unable to check image from private registry from trivy docker
Hi everyone, we try to analyze our container from a private registry. We run the following command:
docker run -e "TRIVY_USERNAME=our-user" -e "TRIVY_PASSWORD=secret" aquasec/trivy image private-registry.net/org/container:a77b35e9
According to the documentation this should work, but we get
2023-01-09T10:07:16.200Z FATAL image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
* unable to inspect the image (private-registry.net/org/container:a77b35e9): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
* containerd socket not found: /run/containerd/containerd.sock
* GET https://private-registry.net/v2/org/container/manifests/a77b35e9: UNAUTHORIZED: unauthorized to access repository: org/container, action: pull: unauthorized to access repository: org/container, action: pull
If we try to access a public container it works, e.g.
docker run aquasec/trivy image aquasec/trivy
We can make it work if we run it like this:
(please note the additional -v option)
docker run -v /var/run/docker.sock:/var/run/docker.sock -e "TRIVY_USERNAME=our-user" -e "TRIVY_PASSWORD=secret" aquasec/trivy image private-registry.net/org/container:a77b35e9
This seems to be a security vulnerability itself, so do you know what needs to be done to make it work without mounting the docker socket to the container?
Any hints are very welcome. :pray:
Thank you very much in advance!
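To narrow down whether the UNAUTHORIZED in the error above comes from the registry or from Trivy, here is an added example (not from this thread and not Trivy's own code) that replays the registry v2 handshake a remote image fetch performs: manifest GET, 401 Bearer challenge, token request with the username/password, retry with the token. The hostname, repository, tag and credentials are placeholders taken from the command in the question.

```python
"""Reproduce, outside Trivy, the registry exchange behind the UNAUTHORIZED line in
the report: GET manifest -> 401 Bearer challenge -> token request carrying the
username/password as HTTP Basic -> retry with the token. Host, repository and
credential values are placeholders taken from the thread, not real values."""
import base64, json, re, urllib.error, urllib.parse, urllib.request

SAMPLE_CHALLENGE = (  # constructed sample of a v2 registry's WWW-Authenticate header on HTTP 401
    'Bearer realm="https://private-registry.net/token",'
    'service="private-registry.net",scope="repository:org/container:pull"')

def parse_bearer_challenge(header: str) -> dict:
    """Split a Bearer challenge into its realm/service/scope parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported auth scheme: {scheme!r}")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def token_request(challenge: dict, username: str, password: str) -> urllib.request.Request:
    """Build the token request sent to the realm; this is the step where
    TRIVY_USERNAME/TRIVY_PASSWORD are actually presented to the registry."""
    query = urllib.parse.urlencode({"service": challenge["service"], "scope": challenge["scope"]})
    req = urllib.request.Request(f"{challenge['realm']}?{query}")
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    return req

def manifest_request(host: str, repository: str, reference: str) -> urllib.request.Request:
    # The same GET that appears in Trivy's error line.
    return urllib.request.Request(
        f"https://{host}/v2/{repository}/manifests/{reference}",
        headers={"Accept": "application/vnd.docker.distribution.manifest.v2+json"})

def check_pull_access(host, repository, reference, username, password) -> int:
    """Run the real exchange; returns the final HTTP status. 200 means the
    credentials can pull; 401/403 means the registry, not Trivy, is refusing."""
    req = manifest_request(host, repository, reference)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status  # anonymous pull already allowed
    except urllib.error.HTTPError as err:
        if err.code != 401 or "WWW-Authenticate" not in err.headers:
            return err.code
        challenge = parse_bearer_challenge(err.headers["WWW-Authenticate"])
    try:
        with urllib.request.urlopen(token_request(challenge, username, password)) as resp:
            body = json.load(resp)
        req.add_header("Authorization", f"Bearer {body.get('token') or body.get('access_token')}")
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```

Running `check_pull_access("private-registry.net", "org/container", "a77b35e9", "our-user", "secret")` against the real registry tells you whether the credentials themselves are accepted, independently of the Docker socket.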
Hello @protux, sorry for the wait.
I checked this case with my private docker hub image and Trivy works correctly:
➜ ~ docker run -e "TRIVY_USERNAME=***" -e "TRIVY_PASSWORD=***" aquasec/trivy image dmitriylewen/test
2023-01-16T05:40:58.971Z INFO Need to update DB
2023-01-16T05:40:58.971Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-01-16T05:40:58.971Z INFO Downloading DB...
36.05 MiB / 36.05 MiB [-------------------------------------------------] 100.00% 12.43 MiB p/s 3.1s
2023-01-16T05:41:03.549Z INFO Vulnerability scanning is enabled
2023-01-16T05:41:03.549Z INFO Secret scanning is enabled
2023-01-16T05:41:03.549Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-16T05:41:03.549Z INFO Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-01-16T05:41:06.187Z INFO Detected OS: alpine
2023-01-16T05:41:06.187Z INFO Detecting Alpine vulnerabilities...
2023-01-16T05:41:06.188Z INFO Number of language-specific files: 1
2023-01-16T05:41:06.188Z INFO Detecting jar vulnerabilities...
2023-01-16T05:41:06.193Z INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
dmitriylewen/test (alpine 3.15.0)
...
I used Docker version 20.10.20:
➜ ~ docker -v
Docker version 20.10.20, build 9fdeb9c
Perhaps the problem is in the settings of your docker or repository?
This seems to be a security vulnerability itself, so do you know what needs to be done to make it work without mounting the docker socket to the container?
What if you build an aquasec/trivy-based image and install docker in it?
I mean something like this:
FROM aquasec/trivy
RUN apk add docker
Regards, Dmitriy
Hi, I have the same issue when I try it under Ubuntu 22.04.1 running in WSL2. Scanning public images from Docker 20.10.23 or podman 3.4.4 works, but not local images (same error as described above).
Hello @outsideMyBox, thanks for your information.
Looks like it is a different problem. Can you create a new issue and tell more about your case (Trivy version, commands, etc.)?
Regards, Dmitriy
Seems like this is an issue. I have a common yaml config for several repos. Some of them get this error and some go through. All these repos are public.
This fails, but the same config works on this repo: This works
Both repos have the same yaml config for building and uploading the image to ghcr.
This is my config: Security CI/CD. The same one I used for that repo which actually works. Am I missing something?
I solved my issue. In my package settings the image was still private/internal. I had to change it to public, then it goes through :) Even if the repo is public, the package settings for the image can be private/internal.
I have the same problem when using the Trivy GitHub Action in a GitHub self-hosted Action Runner in Azure Kubernetes.
The Action Runner is using DinD and "docker ps" works fine.