trivy: Not able to scan image in Google Artifact Registry

Description

trivy version: 0.15.0

I have two GCP projects within our organization:

  1. trivyProject: Where aquasec/trivy:0.15.0 container is run
  2. targetProject: Has Google Artifact Registry that hosts container images to scan.

From the aquasec/trivy:0.15.0 container running in the trivyProject project, I want to scan images in another project, targetProject. I have created a Service Account in trivyProject and have assigned it artifactregistry.reader as follows:

  gcloud artifacts repositories add-iam-policy-binding myRegistry \
    --project=targetProject \
    --location=us \
    --member=serviceAccount:registry-reader@trivyProject.iam.gserviceaccount.com \
    --role=roles/artifactregistry.reader

I have already checked that:

  1. The service account has artifactregistry.reader on the target registry.
  2. The Service Account private key JSON file (plain text, not encoded) is available in the GOOGLE_APPLICATION_CREDENTIALS file.

Case#1:

In the official aquasec/trivy:0.15.0 container running in trivyProject:

  export GOOGLE_APPLICATION_CREDENTIALS="$SA_KEY_JSON"
  export TRIVY_USERNAME=""

  trivy -d image us-docker.pkg.dev/targetProject/myRegistry/myImage:1.0.0

What did you expect to happen?

Expected trivy to scan the image.

What happened instead?

Got a permission denied error.

Output of run with -debug:

Case#1 Logs:

+ trivy --debug image --timeout 5m us-docker.pkg.dev/targetProject/myRegistry/myImage:1.0.0
2020-12-22T13:27:30.026Z    DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2020-12-22T13:27:30.090Z    DEBUG   cache dir:  /root/.cache/trivy
2020-12-22T13:27:30.090Z    DEBUG   DB update was skipped because DB is the latest
2020-12-22T13:27:30.090Z    DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2020-12-22 12:23:57.143363872 +0000 UTC, NextUpdate: 2020-12-23 00:23:57.143363472 +0000 UTC, DownloadedAt: 2020-12-22 13:27:27.320023833 +0000 UTC
2020-12-22T13:27:30.353Z    FATAL   unable to initialize a scanner:
    github.com/aquasecurity/trivy/internal/artifact.run
        /home/circleci/project/internal/artifact/run.go:73
  - unable to initialize a docker scanner:
    github.com/aquasecurity/trivy/internal/artifact.dockerScanner
        /home/circleci/project/internal/artifact/image.go:28
  - 2 errors occurred:
    * unable to inspect the image (us-docker.pkg.dev/targetProject/myRepi/myImage:1.0.0): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
    * GET https://us-docker.pkg.dev/v2/token?scope=repository%3AtargetProject%2FmyRegistry%2FmyImage%3Apull&service=us-docker.pkg.dev: DENIED: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/targetProject/locations/us/repositories/myReg" (or it may not exist)

Output of trivy -v:

$ trivy -v
Version: 0.15.0

Additional details (base image name, container registry info…):

The image to be scanned - equivalent to us-docker.pkg.dev/targetProject/myRegistry/myImage:1.0.0 - is in Google Artifact Registry.

Any pointers on why I may be getting permission denied error?

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 2
  • Comments: 17 (1 by maintainers)

Most upvoted comments

The trivy container doesn’t have gcloud, the standalone credential helper, nor docker, but we can manually set up the docker config.json file to contain the necessary authentication information.

In this GitLab job sample, GCP_KEY contains the plain JSON key contents for the service account. Run this prior to invoking trivy in the official trivy container and it works with Google Artifact Registry. You need to replace the registry location with your own.

    # manually reproducing the effect of `docker login -u _json_key --password-stdin < $GOOGLE_APPLICATION_CREDENTIALS`
    # printf rather than echo, so the encoded password carries no trailing newline (as docker login stores it);
    # tr removes the line wrapping that base64 inserts every 76 characters
    - GCR_AUTH=$(printf '%s' "_json_key:$GCP_KEY" | base64 | tr -d '[:space:]')
    - |
      mkdir -p ~/.docker && cat << EOF > ~/.docker/config.json
      {"auths":
        {
          "us-central1-docker.pkg.dev":{"auth":"$GCR_AUTH"}
        }
      }
      EOF

It should be possible to auth with docker login using a Service Account key, as documented in https://cloud.google.com/artifact-registry/docs/docker/authentication#json-key

cat "${SA_KEY_JSON}" | docker login -u _json_key --password-stdin https://us-docker.pkg.dev

Official aquasec/trivy container does not have docker util.
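As an added example (not the comment author's job script and not code from the trivy project), the shell script below does what the two comments above describe: it builds the credential that `docker login -u _json_key --password-stdin` would store, writes it into a docker config.json, and decodes it back to confirm the file round-trips, so it can run inside the official trivy container where neither docker nor gcloud exists. The function names, the constructed sample key and the DOCKER_CONFIG hint are assumptions of the example; the registry host is the one from the issue (us-docker.pkg.dev).

```shell
#!/bin/sh
# Added example, not code from the trivy project or from the commenters above.
# Builds the docker config.json that trivy's registry client reads, from a
# Google service-account key file, so the official trivy image can pull from
# Artifact Registry without docker or gcloud installed.
# Assumptions: POSIX sh with base64(1) and tr(1) (busybox and GNU both work);
# the registry host is the one in the image reference (us-docker.pkg.dev here).

# Encode "_json_key:<key json>" as `docker login -u _json_key` would store it.
# printf instead of echo keeps a trailing newline out of the password; tr drops
# the line wrapping GNU base64 adds every 76 characters.
gar_auth_token() {
  printf '_json_key:%s' "$(cat "$1")" | base64 | tr -d '[:space:]'
}

# Write config.json for one registry host into $3 and print its path.
# $1 = key file, $2 = registry host, $3 = directory that will hold config.json
write_docker_config() {
  key_file="$1"; registry="$2"; config_dir="$3"
  token=$(gar_auth_token "$key_file")
  mkdir -p "$config_dir"
  # The file holds a long-lived credential, so create it mode 0600.
  ( umask 077; printf '{"auths": {"%s": {"auth": "%s"}}}\n' "$registry" "$token" \
      > "$config_dir/config.json" )
  printf '%s\n' "$config_dir/config.json"
}

# Decode the stored credential back out, to confirm the file round-trips.
decode_auth() {
  sed -n 's/.*"auth": *"\([^"]*\)".*/\1/p' "$1" | base64 -d
}

# Constructed sample key so the script runs stand-alone; a real key comes
# from `gcloud iam service-accounts keys create` and must never be committed.
SAMPLE_KEY_FILE=$(mktemp)
cat > "$SAMPLE_KEY_FILE" <<'EOF'
{"type": "service_account", "project_id": "trivyProject", "private_key_id": "PLACEHOLDER", "client_email": "registry-reader@trivyProject.iam.gserviceaccount.com"}
EOF

CONFIG_DIR=$(mktemp -d)
CONFIG_FILE=$(write_docker_config "$SAMPLE_KEY_FILE" us-docker.pkg.dev "$CONFIG_DIR")
echo "wrote $CONFIG_FILE"

# Point trivy at the file (assumption: its docker credential loader honours
# DOCKER_CONFIG the way the docker CLI does) instead of copying it to ~/.docker:
#   DOCKER_CONFIG="$CONFIG_DIR" trivy image us-docker.pkg.dev/targetProject/myRegistry/myImage:1.0.0
rm -f "$SAMPLE_KEY_FILE"
```

The base64 value is what the registry's token endpoint decodes as HTTP basic credentials, so anything extra in it (a stray newline from `echo`, line wrapping from `base64`) ends up in the password and can turn a valid key into a DENIED response; the round-trip check makes that visible before trivy is run.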