Troubleshooting
Scan
Timeout
Error
$ trivy image ...
...
analyze error: timeout: context deadline exceeded
Your scan may time out. Java takes a particularly long time to scan. Try increasing the value of the ---timeout option such as --timeout 15m
.
Unable to initialize an image scanner
Error
$ trivy image ...
...
2024-01-19T08:15:33.288Z FATAL image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: 4 errors occurred:
* docker error: unable to inspect the image (ContainerImageName): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
* containerd error: containerd socket not found: /run/containerd/containerd.sock
* podman error: unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
* remote error: GET https://index.docker.io/v2/ContainerImageName: MANIFEST_UNKNOWN: manifest unknown; unknown tag=0.1
It means Trivy is unable to find the container image in the following places:
- Docker Engine
- containerd
- Podman
- A remote registry
Please see error messages for details of each error.
Common mistakes include the following, depending on where you are pulling images from:
Common
- Typos in the image name
- Common mistake :)
- Forgetting to specify the registry
- By default, it is considered to be Docker Hub (
index.docker.io
).
- By default, it is considered to be Docker Hub (
Docker Engine
- Incorrect Docker host
- If the Docker daemon's socket path is not
/var/run/docker.sock
, you need to specify the--docker-host
flag or theDOCKER_HOST
environment variable. The same applies when using TCP; you must specify the correct host address.
- If the Docker daemon's socket path is not
containerd
- Incorrect containerd address
- If you are using a non-default path, you need to specify the
CONTAINERD_ADDRESS
environment variable. Please refer to this documentation.
- If you are using a non-default path, you need to specify the
- Incorrect namespace
- If you are using a non-default namespace, you need to specify the
CONTAINERD_NAMESPACE
environment variable. Please refer to this documentation.
- If you are using a non-default namespace, you need to specify the
Podman
- Podman socket configuration
- You need to enable the Podman socket. Please refer to this documentation.
Container Registry
- Unauthenticated
- If you are using a private container registry, you need to authenticate. Please refer to this documentation.
- Using a proxy
- If you are using a proxy within your network, you need to correctly set the
HTTP_PROXY
,HTTPS_PROXY
, etc., environment variables.
- If you are using a proxy within your network, you need to correctly set the
- Use of a self-signed certificate in the registry
- Because certificate verification will fail, you need to either trust that certificate or use the
--insecure
flag (not recommended in production).
- Because certificate verification will fail, you need to either trust that certificate or use the
Certification
Error
Error: x509: certificate signed by unknown authority
TRIVY_INSECURE
can be used to allow insecure connections to a container registry when using SSL.
$ TRIVY_INSECURE=true trivy image [YOUR_IMAGE]
GitHub Rate limiting
Error
$ trivy image ...
...
API rate limit exceeded for xxx.xxx.xxx.xxx.
Specify GITHUB_TOKEN for authentication https://developer.github.com/v3/#rate-limiting
$ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
Unable to open JAR files
Error
$ trivy image ...
...
failed to analyze file: failed to analyze usr/lib/jvm/java-1.8-openjdk/lib/tools.jar: unable to open usr/lib/jvm/java-1.8-openjdk/lib/tools.jar: failed to open: unable to read the file: stream error: stream ID 9; PROTOCOL_ERROR; received from peer
Currently, we're investigating this issue. As a temporary mitigation, you may be able to avoid this issue by downloading the Java DB in advance.
$ trivy image --download-java-db-only
2023-02-01T16:57:04.322+0900 INFO Downloading the Java DB...
$ trivy image [YOUR_JAVA_IMAGE]
Running in parallel takes same time as series run
When running trivy on multiple images simultaneously, it will take same time as running trivy in series. This is because of a limitation of boltdb.
Bolt obtains a file lock on the data file so multiple processes cannot open the same database at the same time. Opening an already open Bolt database will cause it to hang until the other process closes it.
Reference : boltdb: Opening a database.
Multiple Trivy servers
Error
$ trivy image --server http://xxx.com:xxxx test-image
...
- twirp error internal: failed scan, test-image: failed to apply layers: layer cache missing: sha256:*****
To run multiple Trivy servers, you need to use Redis as the cache backend so that those servers can share the cache. Follow this instruction to do so.
Problems with /tmp
on remote Git repository scans
Error
FATAL repository scan error: scan error: unable to initialize a scanner: unable to initialize a filesystem scanner: git clone error: write /tmp/fanal-remote...
Trivy clones remote Git repositories under the /tmp
directory before scanning them. If /tmp
doesn't work for you, you can change it by setting the TMPDIR
environment variable.
Try:
$ TMPDIR=/my/custom/path trivy repo ...
Running out of space during image scans
Error
image scan failed:
failed to copy the image:
write /tmp/fanal-3323732142: no space left on device
Trivy uses the /tmp
directory during image scan, if the image is large or /tmp
is of insufficient size then the scan fails You can set the TMPDIR
environment variable to use redirect trivy to use a directory with adequate storage.
Try:
$ TMPDIR=/my/custom/path trivy image ...
DB
Old DB schema
Error
--skip-update cannot be specified with the old DB schema.
Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow the instruction of air-gapped environment.
Error downloading vulnerability DB
Error
FATAL failed to download vulnerability DB
If trivy is running behind corporate firewall, you have to add the following urls to your allowlist.
- ghcr.io
- pkg-containers.githubusercontent.com
Denied
Error
GET https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-db%3Apull&service=ghcr.io: DENIED: denied
Your local GHCR (GitHub Container Registry) token might be expired. Please remove the token and try downloading the DB again.
docker logout ghcr.io
Homebrew
Scope error
Error
Error: Your macOS keychain GitHub credentials do not have sufficient scope!
$ brew tap aquasecurity/trivy
Error: Your macOS keychain GitHub credentials do not have sufficient scope!
Scopes they need: none
Scopes they have:
Create a personal access token:
https://github.com/settings/tokens/new?scopes=gist,public_repo&description=Homebrew
echo 'export HOMEBREW_GITHUB_API_TOKEN=your_token_here' >> ~/.zshrc
Try:
$ printf "protocol=https\nhost=github.com\n" | git credential-osxkeychain erase
Already installed
Error
Error: aquasecurity/trivy/trivy 64 already installed
$ brew upgrade
...
Error: aquasecurity/trivy/trivy 64 already installed
Try:
$ brew unlink trivy && brew uninstall trivy
($ rm -rf /usr/local/Cellar/trivy/64)
$ brew install aquasecurity/trivy/trivy
Others
Unknown error
Try again with --reset
option:
$ trivy image --reset