trivy: FATAL error in image scan: failed to analyze image: failed to extract files: missing signature key


BUG REPORT INFORMATION

I am running trivy installed from the Debian package (currently 0.1.1) inside a Gitlab CI worker. The worker is a docker container which can build images (docker socket is mounted).

Description: In my pipeline I would like to scan the images before pushing them to the repository. But trivy fails with the error above although the image is currently built.

$ docker build --pull -t ${IMAGE}:${VERSION} -t ${IMAGE}:latest .
Sending build context to Docker daemon  84.48kB
Step 1/2 : FROM postgres:11-alpine
11-alpine: Pulling from library/postgres
e7c96db7181b: Already exists
ddab92d60ba9: Pulling fs layer
... snipped ...
79d684a466de: Pull complete
1929cdd74131: Pull complete
Digest: sha256:7507521549968d1506ba9748a1f86d4ac015544b07738da8d25cf670eb2a7279
Status: Downloaded newer image for postgres:11-alpine
 ---> 0223e4d872f4
Step 2/2 : LABEL MAINTAINER Oz123 <oz123@....de>
 ---> Running in 86c97c84674b
Removing intermediate container 86c97c84674b
 ---> a4b10056be0e
Successfully built a4b10056be0e
Successfully tagged gitlab.xxx.net:5050/tech/postgresql/docker-image:0.0.1
Successfully tagged gitlab.xxx.net:5050/tech/postgresql/docker-image:latest
$ trivy -q --auto-refresh ${IMAGE}:${VERSION}
2019-05-27T15:06:46.237Z	INFO	Updating vulnerability database...
2019-05-27T15:07:34.298Z	INFO	Updating NVD data...
2019-05-27T15:08:04.259Z	INFO	Updating Alpine data...
2019-05-27T15:08:05.058Z	INFO	Updating RedHat data...
2019-05-27T15:08:08.466Z	INFO	Updating Debian data...
2019-05-27T15:08:10.155Z	INFO	Updating Debian OVAL data...
2019-05-27T15:08:15.279Z	INFO	Updating Ubuntu data...
2019-05-27T15:08:20.303Z	FATAL	error in image scan: failed to analyze image: failed to extract files: missing signature key
ERROR: Job failed: exit code 1

Output of trivy -v: 0.1.1

I suspect the docker image should also mount the directory where the image built files are stored, but I can’t confirm this.

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 26 (8 by maintainers)

Most upvoted comments

I’d like to make the argument for keeping this issue open (or I can create a new one) as trivy is behaving unexpectedly or at least not as documented on the README.

@pascalandy it is working for most of the images, but failing for a few images with the error above.

After v0.6.0, trivy negotiates the Docker API version automatically. You don’t have to specify DOCKER_API_VERSION now. Also, trivy doesn’t support Image Manifest V2, Schema 1. v0.6.0 is supposed to display a more understandable message. Please try it out and open an issue if you still have any problem.
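Since the reply above says trivy does not scan Image Manifest V2 Schema 1, a pipeline can check the manifest format before calling trivy and fail with a readable reason instead of the opaque extractor error. This is an added example, not trivy's or the issue author's code: the media types come from the Docker distribution and OCI image specifications, the sample manifests are constructed, and `classify_image` assumes a docker CLI on PATH that can reach the registry.

```python
import json
import subprocess

# Media types from the Docker distribution and OCI image specifications.
SCHEMA1_TYPES = {
    "application/vnd.docker.distribution.manifest.v1+json",
    "application/vnd.docker.distribution.manifest.v1+prettyjws",
}
SCHEMA2_TYPES = {
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
}
LIST_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.index.v1+json",
}


def classify_manifest(raw: str) -> str:
    """Return 'schema1', 'schema2', 'list' or 'unknown' for one manifest body.

    mediaType decides when present. Schema 1 manifests often omit it, so the
    structure is the fallback: schema 1 has fsLayers/blobSum and a history
    array, schema 2 has config and layers, a manifest list has manifests.
    """
    try:
        m = json.loads(raw)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(m, dict):
        return "unknown"
    media = m.get("mediaType", "")
    if media in SCHEMA1_TYPES:
        return "schema1"
    if media in SCHEMA2_TYPES:
        return "schema2"
    if media in LIST_TYPES:
        return "list"
    version = m.get("schemaVersion")
    if version == 1 and "fsLayers" in m:
        return "schema1"
    if version == 2 and "manifests" in m:
        return "list"
    if version == 2 and "config" in m and "layers" in m:
        return "schema2"
    return "unknown"


def unsupported_by_trivy(raw: str) -> bool:
    """True for Image Manifest V2 Schema 1, the format the maintainer's comment
    says trivy does not scan. A CI job can use this to fail with a readable
    reason, or fall back to pulling the image and scanning the local copy."""
    return classify_manifest(raw) == "schema1"


def classify_image(image: str) -> str:
    """Classify a registry image via `docker manifest inspect` (assumes the
    docker CLI is on PATH and can reach the registry; not run offline)."""
    out = subprocess.run(["docker", "manifest", "inspect", image],
                         check=True, capture_output=True, text=True).stdout
    return classify_manifest(out)


# Constructed sample manifests; the digests are filler, not real images.
SCHEMA1_SAMPLE = json.dumps({
    "schemaVersion": 1, "name": "example/app", "tag": "latest",
    "architecture": "amd64",
    "fsLayers": [{"blobSum": "sha256:" + "0" * 64}],
    "history": [{"v1Compatibility": "{}"}],
})
SCHEMA2_SAMPLE = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1469, "digest": "sha256:" + "a" * 64},
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": 2801778, "digest": "sha256:" + "b" * 64}],
})
LIST_SAMPLE = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "manifests": [{"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                   "size": 528, "digest": "sha256:" + "c" * 64,
                   "platform": {"architecture": "amd64", "os": "linux"}}],
})
```

A manifest list is reported separately because a platform manifest must be selected from it before the layer format can be judged.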

I managed to get it running without error using:

 docker run --rm -v /var/run/docker.sock:/var/run/docker.sock knqyf263/trivy:latest -q -d --exit-code 1 ${IMAGE}:${VERSION} 

Thank you for offering help!

I am also experiencing a similar issue when running locally on macOS.

$ docker run --rm -v $HOME/Library/Caches:/root/.cache/ knqyf263/trivy python:3.4-alpine
2019-06-21T17:19:11.702Z	INFO	Updating vulnerability database...
2019-06-21T17:19:20.739Z	FATAL	error in image scan: failed to analyze image: failed to extract files: Could not extract the archive


$ docker run --rm -v $HOME/Library/Caches:/root/.cache/ knqyf263/trivy -d python:3.4-alpine
2019-06-21T17:13:53.458Z	DEBUG	cache dir:  /root/.cache/trivy
2019-06-21T17:13:53.459Z	DEBUG	db path: /root/.cache/trivy/db/trivy.db
2019-06-21T17:13:53.500Z	INFO	Updating vulnerability database...
2019-06-21T17:13:53.501Z	DEBUG	git pull
2019-06-21T17:13:55.627Z	DEBUG	total updated files: 1
2019-06-21T17:13:55.629Z	DEBUG	Vulnerability type:  [os library]
2019-06-21T17:14:02.420Z	FATAL	error in image scan:
    github.com/knqyf263/trivy/pkg.Run
        /app/pkg/run.go:166
  - failed to analyze image:
    github.com/knqyf263/trivy/pkg/scanner.ScanImage
        /app/pkg/scanner/scan.go:34
  - failed to extract files:
    github.com/knqyf263/fanal/analyzer.Analyze
        /go/pkg/mod/github.com/knqyf263/fanal@v0.0.0-20190521154631-a2dde7e171c6/analyzer/analyzer.go:123
  - Could not extract the archive
    github.com/knqyf263/fanal/extractor.init.ializers
    	/go/pkg/mod/github.com/knqyf263/fanal@v0.0.0-20190521154631-a2dde7e171c6/extractor/extractor.go:12
    runtime.main
    	/usr/local/go/src/runtime/proc.go:188
    runtime.goexit
    	/usr/local/go/src/runtime/asm_amd64.s:1337

However if I pull the image and scan, it works every time:

$ docker pull python:3.4-alpine

$ docker images
REPOSITORY                                              TAG                 IMAGE ID            CREATED             SIZE
knqyf263/trivy                                          latest              c725ebce5e73        36 hours ago        74.3MB
python                                                  3.4-alpine          c06adcf62f6e        3 months ago        72.9MB

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ knqyf263/trivy c06adcf62f6e
2019-06-21T17:15:21.366Z	INFO	Updating vulnerability database...
2019-06-21T17:15:23.341Z	WARN	You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2019-06-21T17:15:25.146Z	INFO	Detecting Alpine vulnerabilities...

c06adcf62f6e (alpine 3.9.2)
===========================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| sqlite  | CVE-2019-8457    | HIGH     | 3.26.0-r3         | 3.28.0-r0     | sqlite3: heap out-of-bound     |
|         |                  |          |                   |               | read in function rtreenode()   |
+         +------------------+----------+                   +               +--------------------------------+
|         | CVE-2019-5018    | MEDIUM   |                   |               | sqlite3: use-after-free in     |
|         |                  |          |                   |               | window function leading to     |
|         |                  |          |                   |               | remote code execution          |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

I see the same behavior with AWS ECR as well, when I scan against an ECR image directly it will always fail but if I pull the image first, then scan the local image it works every time. Interestingly enough a colleague sees this issue sometimes too but not consistently. Could this be caused by some kind of race condition?

@tomoyamachi thank you for the response, here is the complete build output:

Running with gitlab-runner 11.10.1 (1f513601)
  on gitlab-ci01vp.mon.noris.de 1e30761c
Using Docker executor with image hadolint/hadolint:latest-debian ...
Pulling docker image hadolint/hadolint:latest-debian ...
Using docker image sha256:bd169a7179839fe0afa923311c2e5299d8eb823afaee2190b7a0400403313a25 for hadolint/hadolint:latest-debian ...
Running on runner-1e30761c-project-1899-concurrent-0 via gitlab-ci01vp...
Reinitialized existing Git repository in /builds/tech/postgresql/docker-image/.git/
Fetching changes...
Checking out 79aa5403 as master...

Skipping Git submodules setup
$ apt update && apt-get install -qq -y apt-transport-https gnupg wget git
... snipped ...
$ wget -qO - https://knqyf263.github.io/trivy-repo/deb/public.key | apt-key add -
Warning: apt-key output should not be parsed (stdout is not a terminal)
OK
$ echo deb https://knqyf263.github.io/trivy-repo/deb stretch main | tee -a /etc/apt/sources.list.d/trivy.list
deb https://knqyf263.github.io/trivy-repo/deb stretch main
$ apt-get install -y apt-transport-https ca-certificates curl gnupg2 software-properties-common
Reading package lists...
Building dependency tree...
Reading state information...
apt-transport-https is already the newest version (1.4.9).
ca-certificates is already the newest version (20161130+nmu1+deb9u1).
ca-certificates set to manually installed.
... snipped ...
Need to get 46.9 MB of archives.
... snipped ...
$ curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
Warning: apt-key output should not be parsed (stdout is not a terminal)
OK
$ add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
$ apt-get update && apt install -qq -y trivy docker-ce docker-ce-cli containerd.io
... snipped ...
The following additional packages will be installed:
  aufs-dkms aufs-tools binutils cgroupfs-mount cpp cpp-6 debugedit dkms
  fakeroot gcc gcc-6 iptables kmod libarchive13 libasan3 libatomic1
  libc-dev-bin libc6-dev libcc1-0 libcilkrts5 libfakeroot libgcc-6-dev
  libgomp1 libip6tc0 libiptc0 libisl15 libitm1 liblsan0 liblua5.2-0 libmnl0
  libmpc3 libmpfr4 libmpx2 libnetfilter-conntrack3 libnfnetlink0 libnspr4
  libnss3 libquadmath0 librpm3 librpmbuild3 librpmio3 librpmsign3 libtsan0
  libubsan0 libxtables12 linux-compiler-gcc-6-x86 linux-headers-4.9.0-9-amd64
  linux-headers-4.9.0-9-common linux-headers-amd64 linux-kbuild-4.9
  linux-libc-dev make manpages manpages-dev pigz rpm rpm-common rpm2cpio sudo
... snipped ...

Setting up trivy (0.1.2) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u11) ...
$ VERSION=$(cat VERSION)
$ docker login -u ${CI_REGISTRY_USER} -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
$ docker build --pull -t ${IMAGE}:${VERSION} -t ${IMAGE}:latest .
Sending build context to Docker daemon  104.4kB

Step 1/2 : FROM postgres:11-alpine
11-alpine: Pulling from library/postgres
Digest: sha256:7507521549968d1506ba9748a1f86d4ac015544b07738da8d25cf670eb2a7279
Status: Image is up to date for postgres:11-alpine
 ---> 0223e4d872f4
Step 2/2 : LABEL MAINTAINER Oz Tiram <oz.tiram@noris.de>
 ---> Using cache
 ---> cf2f7c085be0
Successfully built cf2f7c085be0
Successfully tagged gitlab.noris.net:5050/tech/postgresql/docker-image:0.0.2
Successfully tagged gitlab.noris.net:5050/tech/postgresql/docker-image:latest
$ docker images
REPOSITORY                                                  TAG                 IMAGE ID            CREATED             SIZE
hadolint/hadolint                                           latest-debian       bd169a717983        13 hours ago        58.9MB
gitlab.noris.net:5050/tech/postgresql/docker-image          0.0.1               cf2f7c085be0        42 hours ago        70.8MB
gitlab.noris.net:5050/tech/postgresql/docker-image          0.0.2               cf2f7c085be0        42 hours ago        70.8MB
gitlab.noris.net:5050/tech/postgresql/docker-image          latest              cf2f7c085be0        42 hours ago        70.8MB
gitlab.noris.net:5050/otiram/foobster                       0.0.1               027027a18878        42 hours ago        5.53MB
gitlab.noris.net:5050/otiram/foobster                       latest              027027a18878        42 hours ago        5.53MB
<none>                                                      <none>              a2b5b5f9d681        43 hours ago        311MB
docker-registry.noris.net/openstack/docker-ubuntu-ansible   master              c6c0c8e5d232        3 days ago          778MB
docker-registry.noris.net/oci/debbuilder                    xenial              2f2807a1462b        3 days ago          504MB
gitlab.noris.net:5050/agopi/docker-docusaurus               1.10.0              6066a9085a82        3 days ago          299MB
gitlab.noris.net:5050/agopi/docker-docusaurus               latest              6066a9085a82        3 days ago          299MB
gitlab/gitlab-runner-helper                                 x86_64-1f513601     2c45994d778c        3 days ago          52.3MB
node                                                        slim                fb3f89cc0eb5        5 days ago          152MB
docker-registry.noris.net/oci/debbuilder                    <none>              382c30133ccc        10 days ago         504MB
ubuntu                                                      bionic              7698f282e524        13 days ago         69.9MB
postgres                                                    11-alpine           0223e4d872f4        2 weeks ago         70.8MB
docker                                                      latest              af42f41a7d73        2 weeks ago         171MB
alpine                                                      3.9                 055936d39205        2 weeks ago         5.53MB
python                                                      3.6-stretch         0668df180a32        3 weeks ago         924MB
oz123/koris-image                                           0.2                 846f336193ad        7 weeks ago         1.22GB
oz123/piepster                                              latest              e807e5c2f869        4 months ago        287MB
oz123/sphinx-server                                         0.2                 00dca4643a83        6 months ago        267MB
postgres                                                    11.0                7a2907672aab        7 months ago        311MB
ruby                                                        2.4.4               ea906befcee0        7 months ago        868MB
$ echo ${CI_PROJECT_PATH}
tech/postgresql/docker-image

$ trivy -d --auto-refresh ${IMAGE}:${VERSION}
2019-05-29T08:58:05.371Z	DEBUG	cache dir:  /root/.cache/trivy
2019-05-29T08:58:05.372Z	DEBUG	db path: /root/.cache/trivy/db/trivy.db
2019-05-29T08:58:05.372Z	INFO	Updating vulnerability database...
2019-05-29T08:58:05.374Z	DEBUG	remove an existed directory
[                    ] It will take a while for the first time... 
... snipped ...
DEBUG	total updated files: 271736
2019-05-29T08:59:04.129Z	INFO	Updating debian-oval data...
2019-05-29T08:59:04.199Z	DEBUG	Debian OVAL updated files: 59870

 0 / 59870    0.00%
 2493 / 59870    4.16% 00m04s
 ... snipped...
 53586 / 59870   89.50%
 56407 / 59870   94.22%
 58945 / 59870   98.45%2019-05-29T08:59:08.906Z	DEBUG	Saving Debian OVAL
 59870 / 59870  100.00% 6s
2019-05-29T08:59:10.670Z	INFO	Updating ubuntu data...
2019-05-29T08:59:10.725Z	DEBUG	Ubuntu OVAL updated files: 30259
 27490 / 30259   90.85%
 29165 / 30259   96.38%2019-05-29T08:59:15.266Z	DEBUG	Saving Ubuntu DB
 30259 / 30259  100.00% 5s
2019-05-29T08:59:16.264Z	INFO	Updating nvd data...
2019-05-29T08:59:16.368Z	DEBUG	NVD updated files: 123044

 0 / 123044    0.00%
 2099 / 123044    1.71% 00m11s
 ... snipped...
 121594 / 123044   98.82%
 122061 / 123044   99.20%
 122953 / 123044   99.93%2019-05-29T08:59:43.215Z	DEBUG	NVD batch update

 123044 / 123044  100.00%
 ... snipped ...
 123044 / 123044  100.00% 30s
2019-05-29T08:59:46.410Z	INFO	Updating alpine data...
2019-05-29T08:59:46.440Z	DEBUG	Alpine updated files: 11124
 0 / 11124    0.00%
 2858 / 11124   25.69%
 6622 / 11124   59.53%2019-05-29T08:59:47.030Z	DEBUG	Saving Alpine DB
 11124 / 11124  100.00% 0s
2019-05-29T08:59:47.291Z	INFO	Updating redhat data...
2019-05-29T08:59:47.323Z	DEBUG	Red Hat updated files: 19460
 0 / 19460    0.00%
 2383 / 19460   12.25% 00m01s
...snipped...
 16819 / 19460   86.43%
 18170 / 19460   93.37%2019-05-29T08:59:49.697Z	DEBUG	Saving RedHat DB
 19460 / 19460  100.00% 3s
2019-05-29T08:59:50.692Z	INFO	Updating debian data...
2019-05-29T08:59:50.733Z	DEBUG	Debian updated files: 27953
 0 / 27953    0.00%
 3204 / 27953   11.46% 00m01s
... snip ...
 23537 / 27953   84.20%
 26383 / 27953   94.38%2019-05-29T08:59:52.431Z	DEBUG	Saving Debian DB
 27953 / 27953  100.00% 2s
2019-05-29T08:59:53.014Z	FATAL	error in image scan:
    github.com/knqyf263/trivy/pkg.Run
        /root/project/pkg/run.go:160
  - failed to analyze image:
    github.com/knqyf263/trivy/pkg/scanner.ScanImage
        /root/project/pkg/scanner/scan.go:34
  - failed to extract files:
    github.com/knqyf263/fanal/analyzer.Analyze
        /go/pkg/mod/github.com/knqyf263/fanal@v0.0.0-20190521154631-a2dde7e171c6/analyzer/analyzer.go:123
  - missing signature key
ERROR: Job failed: exit code 1