trivy: Trivy filesystem scan not working

Description

I am using an Ubuntu-based container and want to check my Python dependencies managed by Pipenv. I installed trivy like it's documented here.

wget https://github.com/aquasecurity/trivy/releases/download/v0.17.0/trivy_0.17.0_Linux-64bit.deb
sudo dpkg -i trivy_0.17.0_Linux-64bit.deb

I am executing the check like it’s documented here:

trivy fs .

or

trivy fs ./path/to/my/dir

I get the following error:

2022-08-23T14:19:58.496Z FATAL scan error: image scan failed: failed analysis: walk dir: failed to analyze file: analyze file (.): unable to open a file (.): unable to read file: read .: is a directory

If I try the file explicitly, like this:

trivy fs ./Pipfile.lock

I get:

2022-08-23T14:33:05.500Z WARN OS is not detected and vulnerabilities in OS packages are not detected.
2022-08-23T14:33:05.500Z INFO Trivy skips scanning programming language libraries because no supported file was detected

What did you expect to happen?

I expect the scan to work.

What happened instead?

It’s not scanning 😅

Output of run with -debug:

2022-08-23T14:33:53.527Z        DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-08-23T14:33:53.533Z        DEBUG   cache dir:  /root/.cache/trivy
2022-08-23T14:33:53.533Z        DEBUG   DB update was skipped because DB is the latest
2022-08-23T14:33:53.533Z        DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2022-08-23 12:48:24.234559609 +0000 UTC, NextUpdate: 2022-08-23 18:48:24.234559009 +0000 UTC, DownloadedAt: 2022-08-23 14:12:15.8669641 +0000 UTC
2022-08-23T14:33:53.533Z        DEBUG   Vulnerability type:  [os library]
2022-08-23T14:33:53.550Z        DEBUG   Artifact ID: sha256:3404e98968ad338dc60ef74c0dd5bdd893478415cd2296b0c265a5650b3ae4d6
2022-08-23T14:33:53.550Z        DEBUG   Blob IDs: [sha256:3404e98968ad338dc60ef74c0dd5bdd893478415cd2296b0c265a5650b3ae4d6]
2022-08-23T14:33:53.550Z        WARN    OS is not detected and vulnerabilities in OS packages are not detected.
2022-08-23T14:33:53.550Z        INFO    Trivy skips scanning programming language libraries because no supported file was detected

Output of trivy -v:

Version: 0.17.0
Vulnerability DB:
  Type: Light
  Version: 1
  UpdatedAt: 2022-08-23 12:48:24.234559609 +0000 UTC
  NextUpdate: 2022-08-23 18:48:24.234559009 +0000 UTC
  DownloadedAt: 2022-08-23 14:12:15.8669641 +0000 UTC

Additional details (base image name, container registry info…):

Thanks for the support!

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 17

Most upvoted comments

Ok, sorry 'bout that. 👍

Awesome! I’ll try this out!

Here is my Lockfile. I had to rename it so Github allows me to post it here: Pipfile.lock.txt

The command is not working 😟

user@bf5096a508ba:/srv/holz-logistiksystem# wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
bash: sudo: command not found
gpg: [stdout]: write error: Broken pipe
gpg: filter_flush failed on close: Broken pipe