Dockerfile Scan Error - Azure DevOps Pipeline

[3rk1n]

Question

Hi,

We are using Azure DevOps Pipeline with Trivy to scan images as bellowed task. I changed "version" value from "latest" to "v51.1" nothing was changed.

Agent Pool: Azure Pipelines
Image: ubuntu-latest

    - task: trivy@1
      displayName: 'Trivy Dockerfile Scan'
      inputs:
        version: 'latest'
        docker: false
        debug: true
        path: '$(Build.sourcesdirectory)/Dockerfile'
        severities: 'CRITICAL,HIGH'

The task has an error, the full debug log is bellowed. How can we solve this error on task.

Starting: Trivy Dockerfile Scan
==============================================================================
Task         : Trivy: Take control of your application security
Description  : Trivy is the world’s most popular open source vulnerability and misconfiguration scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.
Version      : 1.4.1
Author       : Aqua Security
Help         : [Learn more about this task](https://github.com/aquasecurity/trivy-azure-pipelines-task)
==============================================================================
Preparing output location...
Run requested using local Trivy binary...
Finding correct Trivy version to install...
Required Trivy version is v0.38.2
Downloading Trivy...
Downloading: https://github.com/aquasecurity/trivy/releases/download/v0.38.2/trivy_0.38.2_Linux-64bit.tar.gz
Extracting Trivy...
Extracting archive
/usr/bin/tar xC /tmp/ -f /tmp/trivy
Setting permissions...
/usr/bin/chmod +x /tmp/trivy
Configuring options for image scan...
Running Trivy...
/tmp/trivy --debug fs --exit-code 1 --format json --output /tmp/trivy-results-0.5232651528510008.json --security-checks vuln,config,secret --severity CRITICAL,HIGH /home/vsts/work/1/s/Dockerfile
2024-05-20T08:21:42.954Z	WARN	'--security-checks' is deprecated. Use '--scanners' instead.
2024-05-20T08:21:42.957Z	DEBUG	Severities: ["CRITICAL" "HIGH"]
2024-05-20T08:21:42.960Z	DEBUG	cache dir:  /home/vsts/.cache/trivy
##[error]Failed: Trivy detected problems.
2024-05-20T08:21:42.960Z	DEBUG	There is no valid metadata file: unable to open a file: open /home/vsts/.cache/trivy/db/metadata.json: no such file or directory
2024-05-20T08:21:42.960Z	INFO	Need to update DB
2024-05-20T08:21:42.960Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2024-05-20T08:21:42.960Z	INFO	Downloading DB...
2024-05-20T08:21:42.960Z	DEBUG	no metadata file
30.16 MiB / 46.60 MiB [--------------------------------------->_____________________] 64.72% ? p/s ?46.60 MiB / 46.60 MiB [----------------------------------------------------------->] 100.00% ? p/s ?46.60 MiB / 46.60 MiB [----------------------------------------------------------->] 100.00% ? p/s ?46.60 MiB / 46.60 MiB [---------------------------------------------->] 100.00% 27.37 MiB p/s ETA 0s46.60 MiB / 46.60 MiB [---------------------------------------------->] 100.00% 27.37 MiB p/s ETA 0s46.60 MiB / 46.60 MiB [---------------------------------------------->] 100.00% 27.37 MiB p/s ETA 0s46.60 MiB / 46.60 MiB [---------------------------------------------->] 100.00% 25.60 MiB p/s ETA 0s46.60 MiB / 46.60 MiB [---------------------------------------------->] 100.00% 25.60 MiB p/s ETA 0s46.60 MiB / 46.60 MiB [---------------------------------------------->] 100.00% 25.60 MiB p/s ETA 0s46.60 MiB / 46.60 MiB [---------------------------------------------->] 100.00% 23.95 MiB p/s ETA 0s46.60 MiB / 46.60 MiB [-------------------------------------------------] 100.00% 25.85 MiB p/s 2.0s2024-05-20T08:21:45.560Z	DEBUG	Updating database metadata...
2024-05-20T08:21:45.560Z	DEBUG	DB Schema: 2, UpdatedAt: 2024-05-20 06:11:26.044925266 +0000 UTC, NextUpdate: 2024-05-20 12:11:26.044924905 +0000 UTC, DownloadedAt: 2024-05-20 08:21:45.560616418 +0000 UTC
2024-05-20T08:21:45.560Z	INFO	Vulnerability scanning is enabled
2024-05-20T08:21:45.560Z	DEBUG	Vulnerability type:  [os library]
2024-05-20T08:21:45.560Z	INFO	Misconfiguration scanning is enabled
2024-05-20T08:21:45.560Z	DEBUG	Failed to open the policy metadata: open /home/vsts/.cache/trivy/policy/metadata.json: no such file or directory
2024-05-20T08:21:45.560Z	INFO	Need to update the built-in policies
2024-05-20T08:21:45.560Z	INFO	Downloading the built-in policies...
44.66 KiB / 44.66 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-05-20T08:21:46.149Z	DEBUG	Digest of the built-in policies: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
2024-05-20T08:21:46.150Z	DEBUG	Policies successfully loaded from disk
2024-05-20T08:21:46.150Z	INFO	Secret scanning is enabled
2024-05-20T08:21:46.150Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-20T08:21:46.150Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection
2024-05-20T08:21:46.150Z	DEBUG	No secret config detected: trivy-secret.yaml
2024-05-20T08:21:46.150Z	DEBUG	Walk the file tree rooted at '/home/vsts/work/1/s/Dockerfile' in parallel
2024-05-20T08:21:46.582Z	FATAL	filesystem scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:431
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:669
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
  - failed to call hooks:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:179
  - post handler error:
    github.com/aquasecurity/trivy/pkg/fanal/handler.Manager.PostHandle
        /home/runner/work/trivy/trivy/pkg/fanal/handler/handler.go:75
  - misconfiguration scan error:
    github.com/aquasecurity/trivy/pkg/fanal/handler/misconf.misconfPostHandler.Handle
        /home/runner/work/trivy/trivy/pkg/fanal/handler/misconf/misconf.go:45
  - scan config error:
    github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan
        /home/runner/work/trivy/trivy/pkg/misconf/scanner.go:300
  - 4 errors occurred:
policies/cloud/policies/aws/rds/disable_cluster_skip_final_snapshot.rego:26: rego_type_error: undefined ref: cluster.skipfinalsnapshot.value
	cluster.skipfinalsnapshot.value
	        ^
	        have: "skipfinalsnapshot"
	        want (one of): ["backupretentionperioddays" "encryption" "engine" "instances" "performanceinsights" "publicaccess" "replicationsourcearn"]
policies/cloud/policies/aws/rds/disable_cluster_skip_final_snapshot.rego:27: rego_type_error: undefined ref: cluster.skipfinalsnapshot
	cluster.skipfinalsnapshot
	        ^
	        have: "skipfinalsnapshot"
	        want (one of): ["backupretentionperioddays" "encryption" "engine" "instances" "performanceinsights" "publicaccess" "replicationsourcearn"]
policies/cloud/policies/aws/rds/enable_cluster_deletion_protection.rego:26: rego_type_error: undefined ref: cluster.deletionprotection.value
	cluster.deletionprotection.value
	        ^
	        have: "deletionprotection"
	        want (one of): ["backupretentionperioddays" "encryption" "engine" "instances" "performanceinsights" "publicaccess" "replicationsourcearn"]
policies/cloud/policies/aws/rds/enable_cluster_deletion_protection.rego:27: rego_type_error: undefined ref: cluster.deletionprotection
	cluster.deletionprotection
	        ^
	        have: "deletionprotection"
	        want (one of): ["backupretentionperioddays" "encryption" "engine" "instances" "performanceinsights" "publicaccess" "replicationsourcearn"]
Publishing JSON results...
Done!

If we change the Trviy scan like bellowed, everything works properly.

    - script: |
        sudo apt-get install rpm
        wget https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.deb
        sudo dpkg -i trivy_0.51.1_Linux-64bit.deb
        trivy -v
      displayName: 'Download and Install Trivy'

    - task: Bash@3
      displayName: "Trivy Image Scan"
      inputs:
        targetType: 'inline'
        script: |
          trivy fs --scanners vuln,secret,misconfig $(Build.sourcesdirectory)/Dockerfile

Target

Filesystem

Scanner

Vulnerability

Output Format

None

Mode

None

Operating System

No response

Version

No response

[nikpivkin]

Hi @3rk1n !

According to the logs, you are using v0.38.2. Can you show the scan logs from the docker with v51.1?

[nikpivkin]

Duplicate of #6680