Reputation: 61
I am trying to run a Trivy Scan from within CircleCI and always get the same problem. I keep disabling this, but clearly scanning the containers is useful.
Suggestions on 'Google' say that you need to use a GITHUB_TOKEN to stop rate limiting, but I am using a GITHUB_TOKEN, as you can see in the debug - maybe it is the wrong one, as it is my TOKEN for my (Private GitHub) project. How do you get around this issue? Can I download and install the DB with a curl or similar first?
Version:
aquasecurity/trivy info found version: 0.16.0 for v0.16.0/Linux/64bit
Command:
trivy --light --token dummy -d -s "UNKNOWN,MEDIUM,HIGH,CRITICAL" --exit-code 1 ${IMAGE}
Error:
2021-03-14T21:05:47.652Z INFO Using your github token
2021-03-14T21:05:47.652Z INFO Need to update DB
2021-03-14T21:05:47.652Z INFO Downloading DB...
2021-03-14T21:05:47.729Z FATAL failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: GET https://api.github.com/repos/aquasecurity/trivy-db/releases: 401 Bad credentials []
make: *** [Makefile:46: scan] Error 1
And with Debug:
trivy --light -d -s "UNKNOWN,MEDIUM,HIGH,CRITICAL" --exit-code 1 image...
2021-03-14T20:36:49.316Z DEBUG Severities: UNKNOWN,MEDIUM,HIGH,CRITICAL
2021-03-14T20:36:49.317Z DEBUG cache dir: /root/.cache/trivy
2021-03-14T20:36:49.317Z INFO Using your github token
2021-03-14T20:36:49.317Z DEBUG There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2021-03-14T20:36:49.317Z INFO Need to update DB
2021-03-14T20:36:49.317Z INFO Downloading DB...
2021-03-14T20:36:49.317Z DEBUG no metadata file
2021-03-14T20:36:49.416Z FATAL failed to download vulnerability DB:
github.com/aquasecurity/trivy/internal/operation.DownloadDB
/home/circleci/project/internal/operation/operation.go:91
- failed to download vulnerability DB:
github.com/aquasecurity/trivy/pkg/db.Client.Download
/home/circleci/project/pkg/db/db.go:169
- failed to list releases:
github.com/aquasecurity/trivy/pkg/github.Client.DownloadDB
/home/circleci/project/pkg/github/github.go:89
- GET https://api.github.com/repos/aquasecurity/trivy-db/releases: 401 Bad credentials []
make: *** [Makefile:45: scan] Error 1
Exited with code exit status 2
CircleCI received exit code 2
Upvotes: 6
Views: 10147
Reputation: 3439
As a workaround, you may use the official AWS mirror:
trivy image \
--db-repository public.ecr.aws/aquasecurity/trivy-db \
--java-db-repository public.ecr.aws/aquasecurity/trivy-java-db \
--scanners vuln \
ghcr.io/cloudogu/gitops-playground:0.7.0
Credits to: https://github.com/orgs/community/discussions/139074#discussioncomment-10808081
Upvotes: 1
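A CI wrapper for the failure discussed in this thread, added here as an example (it is not code from either poster or from the Trivy project): it classifies the DB download error from Trivy's stderr, reports a rejected token instead of hiding it, and retries against the mirror from the answer only when the download was rate limited. The names `TRIVY`, `classify_db_failure` and `scan_with_fallback` are hypothetical, the rate-limit match strings are assumptions about the log wording, and the Trivy release is assumed to support the `--db-repository` flags shown in the answer.

```shell
#!/bin/sh
# Added example. TRIVY, classify_db_failure and scan_with_fallback are
# hypothetical names; the mirror repositories are the ones from the answer.
DB_MIRROR=public.ecr.aws/aquasecurity/trivy-db
JAVA_DB_MIRROR=public.ecr.aws/aquasecurity/trivy-java-db

# Read Trivy log text on stdin and print one of:
#   none | bad_credentials | rate_limited | other
classify_db_failure() {
    log=$(cat)
    case $log in
        *'failed to download vulnerability DB'*) ;;
        *) echo none; return 0 ;;
    esac
    case $log in
        *'401 Bad credentials'*) echo bad_credentials ;;
        # Assumed wording for rate-limit responses.
        *'rate limit'*|*TOOMANYREQUESTS*) echo rate_limited ;;
        *) echo other ;;
    esac
}

# Scan an image; retry against the mirror only when the DB download was
# rate limited. A rejected token is reported rather than papered over.
scan_with_fallback() {
    image=$1
    errlog=$(mktemp) || return 2
    rc=0
    "${TRIVY:-trivy}" image --scanners vuln "$image" 2>"$errlog" || rc=$?
    cat "$errlog" >&2                  # keep the original log in the CI output
    kind=$(classify_db_failure <"$errlog")
    rm -f "$errlog"
    case $kind in
        none) return "$rc" ;;          # scan ran; rc is Trivy's own verdict
        bad_credentials)
            echo "GITHUB_TOKEN was rejected (401): fix or unset it" >&2
            return 3 ;;
        rate_limited)
            "${TRIVY:-trivy}" image \
                --db-repository "$DB_MIRROR" \
                --java-db-repository "$JAVA_DB_MIRROR" \
                --scanners vuln "$image" ;;
        *) return "$rc" ;;             # unknown DB failure: pass it through
    esac
}
```

Returning a distinct exit code for the 401 case keeps a misconfigured CI secret visible in the pipeline instead of letting the mirror fallback mask it.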