trivy: Trivy filesystem scan not working
Description
I am using an ubuntu-based container and want to check my Python dependency manged by Pipenv. I installed trivy like its documentend here.
wget https://github.com/aquasecurity/trivy/releases/download/v0.17.0/trivy_0.17.0_Linux-64bit.deb sudo dpkg -i trivy_0.17.0_Linux-64bit.deb
I am executing the check like it’s documented here:
trivy fs .
or
trivy fs ./path/to/my/dir
I get the following error:
2022-08-23T14:19:58.496Z FATAL scan error: image scan failed: failed analysis: walk dir: failed to analyze file: analyze file (.): unable to open a file (.): unable to read file: read .: is a directory
If I try the file explicitly, like this:
trivy fs ./Pipfile.lock
I get:
2022-08-23T14:33:05.500Z WARN OS is not detected and vulnerabilities in OS packages are not detected. 2022-08-23T14:33:05.500Z INFO Trivy skips scanning programming language libraries because no supported file was detected
What did you expect to happen?
I expect the scan to work.
What happened instead?
It’s not scanning 😅
Output of run with -debug
:
2022-08-23T14:33:53.527Z DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-08-23T14:33:53.533Z DEBUG cache dir: /root/.cache/trivy
2022-08-23T14:33:53.533Z DEBUG DB update was skipped because DB is the latest
2022-08-23T14:33:53.533Z DEBUG DB Schema: 1, Type: 1, UpdatedAt: 2022-08-23 12:48:24.234559609 +0000 UTC, NextUpdate: 2022-08-23 18:48:24.234559009 +0000 UTC, DownloadedAt: 2022-08-23 14:12:15.8669641 +0000 UTC
2022-08-23T14:33:53.533Z DEBUG Vulnerability type: [os library]
2022-08-23T14:33:53.550Z DEBUG Artifact ID: sha256:3404e98968ad338dc60ef74c0dd5bdd893478415cd2296b0c265a5650b3ae4d6
2022-08-23T14:33:53.550Z DEBUG Blob IDs: [sha256:3404e98968ad338dc60ef74c0dd5bdd893478415cd2296b0c265a5650b3ae4d6]
2022-08-23T14:33:53.550Z WARN OS is not detected and vulnerabilities in OS packages are not detected.
2022-08-23T14:33:53.550Z INFO Trivy skips scanning programming language libraries because no supported file was detected
Output of trivy -v
:
Version: 0.17.0
Vulnerability DB:
Type: Light
Version: 1
UpdatedAt: 2022-08-23 12:48:24.234559609 +0000 UTC
NextUpdate: 2022-08-23 18:48:24.234559009 +0000 UTC
DownloadedAt: 2022-08-23 14:12:15.8669641 +0000 UTC
Additional details (base image name, container registry info…):
Thanks for the support!
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 17
Ok, sorry 'bout that. 👍
Awesome! I’ll try this out!
Here is my Lockfile. I had to rename it so Github allows me to post it here: Pipfile.lock.txt
The command is not working 😟