trivy: Not able to scan image in Google Artifact Registry
Description
trivy version: 0.15.0
I have two GCP projects within our organization:
- trivyProject: where the aquasec/trivy:0.15.0 container is run
- targetProject: has the Google Artifact Registry that hosts the container images to scan.
From the aquasec/trivy:0.15.0 container running in the trivyProject project, I want to scan images in another project, targetProject.
I have created a Service Account in trivyProject and have assigned it artifactregistry.reader as follows. I have already checked that:
- Service account has artifactregistry.reader on the target registry
- Service Account private key JSON file (plain-text, not encoded) is available in the GOOGLE_APPLICATION_CREDENTIALS file.
gcloud artifacts repositories add-iam-policy-binding myRegistry \
--project=targetProject \
--location=us \
--member=serviceAccount:registry-reader@trivyProject.iam.gserviceaccount.com \
--role=roles/artifactregistry.reader
Case#1:
In the official aquasec/trivy:0.15.0 container running in trivyProject:
export GOOGLE_APPLICATION_CREDENTIALS="$SA_KEY_JSON"
export TRIVY_USERNAME=""
trivy -d image us-docker.pkg.dev/targetProject/myRegistry/myImage:1.0.0
What did you expect to happen?
Expected trivy to scan the image.
What happened instead?
Got permission denied error
Output of run with -debug:
Case#1 Logs:
+ trivy --debug image --timeout 5m us-docker.pkg.dev/targetProject/myRegistry/myImage:1.0.0
2020-12-22T13:27:30.026Z DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2020-12-22T13:27:30.090Z DEBUG cache dir: /root/.cache/trivy
2020-12-22T13:27:30.090Z DEBUG DB update was skipped because DB is the latest
2020-12-22T13:27:30.090Z DEBUG DB Schema: 1, Type: 1, UpdatedAt: 2020-12-22 12:23:57.143363872 +0000 UTC, NextUpdate: 2020-12-23 00:23:57.143363472 +0000 UTC, DownloadedAt: 2020-12-22 13:27:27.320023833 +0000 UTC
2020-12-22T13:27:30.353Z FATAL unable to initialize a scanner:
github.com/aquasecurity/trivy/internal/artifact.run
/home/circleci/project/internal/artifact/run.go:73
- unable to initialize a docker scanner:
github.com/aquasecurity/trivy/internal/artifact.dockerScanner
/home/circleci/project/internal/artifact/image.go:28
- 2 errors occurred:
* unable to inspect the image (us-docker.pkg.dev/targetProject/myRepi/myImage:1.0.0): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
* GET https://us-docker.pkg.dev/v2/token?scope=repository%3AtargetProject%2FmyRegistry%2FmyImage%3Apull&service=us-docker.pkg.dev: DENIED: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/targetProject/locations/us/repositories/myReg" (or it may not exist)
Output of trivy -v:
$ trivy -v
Version: 0.15.0
Additional details (base image name, container registry info…):
Image to be scanned - equivalent to us-docker.pkg.dev/targetProject/myRegistry/myImage:1.0.0 - is in Google Artifact Registry.
Any pointers on why I may be getting permission denied error?
About this issue
- State: open
- Created 4 years ago
- Reactions: 2
- Comments: 17 (1 by maintainers)
The trivy container doesn't have gcloud, the standalone credential helper, nor docker, but we can manually set up the docker config.json file to contain the necessary authentication information.
In this gitlab job sample GCP_KEY contains the plain json key contents for the service account. Run this prior to invoking trivy in the official trivy container and it works with Google Artifact Registry. You need to replace the registry location with your own. The official aquasec/trivy container does not have the docker utility.
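One way to do the config.json setup the comment above describes, written as an added example that is neither the commenter's GitLab job nor trivy's own code. It assumes Google's documented `_json_key` username convention for Artifact Registry and that trivy's registry client reads the Docker config at `$DOCKER_CONFIG/config.json` (or `~/.docker/config.json`); the key file it writes is a constructed, non-functional placeholder.

```shell
#!/bin/sh
# Added example (not from the issue thread): build a minimal Docker config.json so
# the trivy container can authenticate to Google Artifact Registry with a service
# account key. The registry expects user "_json_key" and the whole key JSON as password.
set -eu

# write_docker_config REGISTRY_HOST KEY_FILE OUT_FILE
# Writes {"auths":{"<host>":{"auth":"<base64(_json_key:<key json>)>"}}} to OUT_FILE
# and prints the base64 auth value so callers can verify it.
write_docker_config() {
  registry="$1"; keyfile="$2"; out="$3"
  # Docker's "auth" field is base64("<user>:<password>"), nothing more.
  auth=$( { printf '_json_key:'; cat "$keyfile"; } | base64 | tr -d '\n' )
  mkdir -p "$(dirname "$out")"
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth" > "$out"
  chmod 600 "$out"   # the file now holds a credential; restrict it to the owner
  printf '%s\n' "$auth"
}

# decode_user OUT_FILE REGISTRY_HOST
# Recovers the username part of the stored auth entry, which is a quick way to
# check that the file is well-formed before handing it to a scanner.
decode_user() {
  auth=$(sed -n "s/.*\"$2\":{\"auth\":\"\([^\"]*\)\".*/\1/p" "$1")
  printf '%s' "$auth" | base64 -d | cut -d: -f1
}

# --- demo with a constructed placeholder key; real keys come from gcloud ---
workdir=$(mktemp -d)
cat > "$workdir/key.json" <<'EOF'
{
  "type": "service_account",
  "project_id": "trivyProject",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "registry-reader@trivyProject.iam.gserviceaccount.com"
}
EOF
write_docker_config us-docker.pkg.dev "$workdir/key.json" "$workdir/docker/config.json" >/dev/null
# Point trivy at the generated config before scanning (assumed usage), e.g.:
#   DOCKER_CONFIG="$workdir/docker" trivy image us-docker.pkg.dev/targetProject/myRegistry/myImage:1.0.0
```

Because the generated file embeds the private key, treat it like the key itself: keep it on a tmpfs or job-scoped volume and delete it when the scan finishes.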