trivy: FATAL error in image scan: failed to analyze image: failed to extract files: missing signature key
BUG REPORT INFORMATION
I am running trivy installed from the Debian package (currently 0.1.1) inside a Gitlab CI worker. The worker is a docker container which can build images (docker socket is mounted).
Description
In my pipeline I would like to scan the images before pushing them to the repository. But trivy fails with the error above although the image has just been built.
$ docker build --pull -t ${IMAGE}:${VERSION} -t ${IMAGE}:latest .
Sending build context to Docker daemon 84.48kB
Step 1/2 : FROM postgres:11-alpine
11-alpine: Pulling from library/postgres
e7c96db7181b: Already exists
ddab92d60ba9: Pulling fs layer
... snipped ...
79d684a466de: Pull complete
1929cdd74131: Pull complete
Digest: sha256:7507521549968d1506ba9748a1f86d4ac015544b07738da8d25cf670eb2a7279
Status: Downloaded newer image for postgres:11-alpine
---> 0223e4d872f4
Step 2/2 : LABEL MAINTAINER Oz123 <oz123@....de>
---> Running in 86c97c84674b
Removing intermediate container 86c97c84674b
---> a4b10056be0e
Successfully built a4b10056be0e
Successfully tagged gitlab.xxx.net:5050/tech/postgresql/docker-image:0.0.1
Successfully tagged gitlab.xxx.net:5050/tech/postgresql/docker-image:latest
$ trivy -q --auto-refresh ${IMAGE}:${VERSION}
2019-05-27T15:06:46.237Z INFO Updating vulnerability database...
2019-05-27T15:07:34.298Z INFO Updating NVD data...
2019-05-27T15:08:04.259Z INFO Updating Alpine data...
2019-05-27T15:08:05.058Z INFO Updating RedHat data...
2019-05-27T15:08:08.466Z INFO Updating Debian data...
2019-05-27T15:08:10.155Z INFO Updating Debian OVAL data...
2019-05-27T15:08:15.279Z INFO Updating Ubuntu data...
2019-05-27T15:08:20.303Z FATAL error in image scan: failed to analyze image: failed to extract files: missing signature key
ERROR: Job failed: exit code 1
Output of trivy -v:
0.1.1
I suspect the docker image should also mount the directory where the image built files are stored, but I can’t confirm this.
About this issue
- State: closed
- Created 5 years ago
- Comments: 26 (8 by maintainers)
Commits related to this issue
- add aws session token (#61) — committed to aquasecurity/trivy by tomoyamachi 5 years ago
- Add display names for avd (#61) — committed to josedonizetti/trivy by liamg 2 years ago
I’d like to make the argument for keeping this issue open (or I can create a new one) as trivy is behaving unexpectedly or at least not as documented on the README.
@pascalandy it is working for most of the images, but failing for few images with error above.
After v0.6.0, trivy negotiates Docker API version automatically. You don’t have to specify DOCKER_API_VERSION now. Also, trivy doesn’t support Image Manifest V 2, Schema 1. v0.6.0 is supposed to display a more understandable message. Please try it out and open an issue if you have still any problem.
I managed to get it running without error using:
Thank you for offering help!
I am also experiencing a similar issue when running locally on macOS.
However if I pull the image and scan, it works every time:
I see the same behavior with AWS ECR as well, when I scan against an ECR image directly it will always fail but if I pull the image first, then scan the local image it works every time. Interestingly enough a colleague sees this issue sometimes too but not consistently. Could this be caused by some kind of race condition?
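Two things in this thread are actionable for a CI job: the maintainer's note that trivy does not support Image Manifest V2 Schema 1, and the workaround several people report (pull the image first, then scan the local copy). The helper below is an added example written for this thread, not trivy's own code: it classifies a registry manifest body (for instance what `docker manifest inspect <ref>` or a GET on `/v2/<name>/manifests/<tag>` returns) by its media type or `schemaVersion`, and picks the pull-then-scan path for Schema 1 images. The function names, the sample manifests and every digest in them are constructed for the example.

```python
"""Classify a registry image manifest before handing the reference to trivy.

Hypothetical helper written for this issue thread (not trivy's own code).
Docker Image Manifest V2 Schema 1 is the format the maintainer says trivy does
not support; for those images the plan is the workaround reported in the
thread: pull the image first and scan the local copy.
"""
import json

SCHEMA1_MEDIA_TYPES = {
    "application/vnd.docker.distribution.manifest.v1+json",
    "application/vnd.docker.distribution.manifest.v1+prettyjws",  # signed variant
}
SCHEMA2_MEDIA_TYPE = "application/vnd.docker.distribution.manifest.v2+json"
MANIFEST_LIST_MEDIA_TYPE = "application/vnd.docker.distribution.manifest.list.v2+json"
OCI_MANIFEST_MEDIA_TYPE = "application/vnd.oci.image.manifest.v1+json"
OCI_INDEX_MEDIA_TYPE = "application/vnd.oci.image.index.v1+json"


def classify_manifest(manifest_json, content_type=None):
    """Return a short label for the manifest format.

    content_type is the registry's Content-Type header if you have it. Schema 1
    bodies usually carry no "mediaType" field, so when neither source gives a
    media type we fall back to "schemaVersion" (and the "signatures" list that
    signed Schema 1 manifests carry).
    """
    doc = json.loads(manifest_json)
    media_type = doc.get("mediaType") or content_type
    if media_type in SCHEMA1_MEDIA_TYPES:
        return "docker-schema1"
    if media_type == SCHEMA2_MEDIA_TYPE:
        return "docker-schema2"
    if media_type == MANIFEST_LIST_MEDIA_TYPE:
        return "docker-manifest-list"
    if media_type == OCI_MANIFEST_MEDIA_TYPE:
        return "oci-manifest"
    if media_type == OCI_INDEX_MEDIA_TYPE:
        return "oci-index"
    if doc.get("schemaVersion") == 1 or "signatures" in doc:
        return "docker-schema1"
    return "unknown"


def scan_plan(manifest_json, image_ref, content_type=None):
    """Decide how a CI job should invoke trivy for image_ref.

    Returns (kind, commands): kind is "direct" or "pull-then-scan", commands is
    the list of shell commands the job should run, in order.
    """
    kind = classify_manifest(manifest_json, content_type)
    if kind == "docker-schema1":
        # Workaround reported in the thread: a locally pulled image scans fine.
        return ("pull-then-scan", [f"docker pull {image_ref}", f"trivy {image_ref}"])
    return ("direct", [f"trivy {image_ref}"])


# Constructed sample manifests: names, digests and sizes are made up.
SCHEMA1_SIGNED = json.dumps({
    "schemaVersion": 1,
    "name": "library/example",
    "tag": "latest",
    "architecture": "amd64",
    "fsLayers": [{"blobSum": "sha256:" + "0" * 64}],
    "history": [{"v1Compatibility": "{}"}],
    "signatures": [{"header": {"jwk": {"kty": "EC"}, "alg": "ES256"},
                    "signature": "constructed-placeholder",
                    "protected": "constructed-placeholder"}],
})
SCHEMA2 = json.dumps({
    "schemaVersion": 2,
    "mediaType": SCHEMA2_MEDIA_TYPE,
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1234, "digest": "sha256:" + "1" * 64},
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": 5678, "digest": "sha256:" + "2" * 64}],
})
OCI_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": OCI_INDEX_MEDIA_TYPE,
    "manifests": [{"mediaType": OCI_MANIFEST_MEDIA_TYPE, "size": 999,
                   "digest": "sha256:" + "3" * 64,
                   "platform": {"architecture": "amd64", "os": "linux"}}],
})

if __name__ == "__main__":
    ref = "registry.example.test/tech/postgresql/docker-image:0.0.1"  # constructed
    for label, body in [("schema1", SCHEMA1_SIGNED), ("schema2", SCHEMA2),
                        ("oci-index", OCI_INDEX)]:
        kind, cmds = scan_plan(body, ref)
        print(f"{label}: {classify_manifest(body)} -> {kind}: {'; '.join(cmds)}")
```

The classifier trusts the body's `mediaType` first and the registry's `Content-Type` header second; pass the header when you have it, because a Schema 1 body served as `v1+prettyjws` identifies itself only through that header or its `signatures` list. Anything the function cannot recognise is reported as `unknown` rather than silently routed to the direct scan, so a job can fail loudly instead of reproducing the `failed to extract files` error from the original report.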
@tomoyamachi thank you for the response, here is the complete build output: