Container_scanning FATAL scan error / unable to initialize a scanner

Describe your question in as much detail as possible:

GitLab container_scanning fails with errors about the Docker daemon, then fails to upload the artifact.

  • What are you seeing, and how does that differ from what you expect to see?

vulnerability_report not updated for docker container_scanning

  • Consider including screenshots, error messages, and/or other helpful visuals
    cf. logs from CI container_scanning job failure

  • What version are you on? Are you using self-managed or GitLab.com?

    • GitLab (Hint: /help): GitLab.com
    • Runner (Hint: /admin/runners): custom runners or gitlab-org runners failing with the same error.
  • Add the CI configuration from .gitlab-ci.yml and other configuration if relevant (e.g. docker-compose.yml)

.gitlab-ci.yml file:

include:
- template: Security/Secret-Detection.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml
- template: Security/License-Scanning.gitlab-ci.yml
- template: Security/Dependency-Scanning.gitlab-ci.yml
- template: Security/SAST-IaC.latest.gitlab-ci.yml
- template: Security/Container-Scanning.gitlab-ci.yml
stages:
- test
- secret_detection
- sast
secret_detection:
  stage: test
container_scanning:
  variables:
    GIT_STRATEGY: fetch
    DOCKERFILE_PATH: "/nomadic-labs/umami-wallet/umami-stack-orchestration/build/indexer-db-schema/"
    SECURE_LOG_LEVEL: "debug"
    CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  before_script:
    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$CI_COMMIT_BRANCH:$CI_COMMIT_SHA"
    - |
      if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then
        export DOCKER_IMAGE="$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
      fi
sast:
  stage: test
  artifacts:
    paths:
    - gl-sast-report.json
    - gl-secret-detection-report.json
    - gl-dependency-scanning-report.json
    - gl-container-scanning-report.json
    expire_in: 1 week

and it fails with this output :slight_smile:


Executing "step_script" stage of the job script 00:03
Using docker image sha256:d5891c7c7edd9d929958801440bb595bf307a2ecbfa8873f6408f3124f876a4e for registry.gitlab.com/security-products/container-scanning:4 with digest registry.gitlab.com/security-products/container-scanning@sha256:d88ec29755c8d6afa6011a908a08d44a238dbe0564e7818b19a7a6792a95784f ...
$ export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$CI_COMMIT_BRANCH:$CI_COMMIT_SHA"
$ if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then # collapsed multi-line command
$ gtcs scan
[INFO] [2022-01-05 21:02:01 +0000] []  ▶  Remediation is disabled; /nomadic-labs/umami-wallet/umami-stack-orchestration/build/indexer-db-schema/ cannot be found. Have you set `GIT_STRATEGY` and
`DOCKERFILE_PATH`?
See https://docs.gitlab.com/ee/user/application_security/container_scanning/#solutions-for-vulnerabilities-auto-remediation
[DEBUG] [2022-01-05 21:02:01 +0000] []  ▶  
trivy --version 00:00
[DEBUG] [2022-01-05 21:02:01 +0000] []  ▶  trivy --version
[DEBUG] [2022-01-05 21:02:01 +0000] []  ▶  Version: 0.21.2
Vulnerability DB:
  Type: Full
  Version: 1
  UpdatedAt: 2022-01-05 12:46:15.498337796 +0000 UTC
  NextUpdate: 2022-01-05 18:46:15.498337296 +0000 UTC
  DownloadedAt: 0001-01-01 00:00:00 +0000 UTC
[DEBUG] [2022-01-05 21:02:01 +0000] []  ▶  
[DEBUG] [2022-01-05 21:02:01 +0000] []  ▶  
[DEBUG] [2022-01-05 21:02:01 +0000] []  ▶  
trivy --version 00:00
[DEBUG] [2022-01-05 21:02:01 +0000] []  ▶  trivy --version
[DEBUG] [2022-01-05 21:02:01 +0000] []  ▶  Version: 0.21.2
Vulnerability DB:
  Type: Full
  Version: 1
  UpdatedAt: 2022-01-05 12:46:15.498337796 +0000 UTC
  NextUpdate: 2022-01-05 18:46:15.498337296 +0000 UTC
  DownloadedAt: 0001-01-01 00:00:00 +0000 UTC
[DEBUG] [2022-01-05 21:02:01 +0000] []  ▶  
[DEBUG] [2022-01-05 21:02:01 +0000] []  ▶  
[INFO] [2022-01-05 21:02:01 +0000] []  ▶  Scanning container from registry registry.gitlab.com/nomadic-labs/umami-wallet/umami-stack-orchestration:871e75d0227e4b61358bb1f56b5d1fb69d25b427 for vulnerabilities with severity level UNKNOWN or higher, with gcs 4.5.10 and Trivy Version: 0.21.2, advisories updated at 2022-01-05T12:46:15+00:00
[DEBUG] [2022-01-05 21:02:01 +0000] []  ▶  
trivy i  --skip-update --vuln-type os --no-progress --format template -t @/usr/local/bundle/gems/gcs-4.5.10/lib/template/trivy.tpl -o tmp.json registry.gitlab.com/nomadic-labs/umami-wallet/umami-stack-orchestration:871e75d0227e4b61358bb1f56b5d1fb69d25b427 00:02
[DEBUG] [2022-01-05 21:02:01 +0000] []  ▶  trivy i  --skip-update --vuln-type os --no-progress --format template -t @/usr/local/bundle/gems/gcs-4.5.10/lib/template/trivy.tpl -o tmp.json registry.gitlab.com/nomadic-labs/umami-wallet/umami-stack-orchestration:871e75d0227e4b61358bb1f56b5d1fb69d25b427
[DEBUG] [2022-01-05 21:02:03 +0000] []  ▶  2022-01-05T21:02:01.405Z	DEBUG	Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-01-05T21:02:01.406Z	DEBUG	cache dir:  /home/gitlab/.cache/trivy
2022-01-05T21:02:01.406Z	DEBUG	DB Schema: 1, Type: 1, UpdatedAt: 2022-01-05 12:46:15.498337796 +0000 UTC, NextUpdate: 2022-01-05 18:46:15.498337296 +0000 UTC, DownloadedAt: 0001-01-01 00:00:00 +0000 UTC
2022-01-05T21:02:02.895Z	DEBUG	Vulnerability type:  [os]
[DEBUG] [2022-01-05 21:02:03 +0000] []  ▶  2022-01-05T21:02:03.164Z	FATAL	scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.runWithTimeout
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:71
  - unable to initialize a scanner:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:210
  - unable to initialize a docker scanner:
    github.com/aquasecurity/trivy/pkg/commands/artifact.dockerScanner
        /home/runner/work/trivy/trivy/pkg/commands/artifact/image.go:30
  - 3 errors occurred:
	* unable to inspect the image (registry.gitlab.com/nomadic-labs/umami-wallet/umami-stack-orchestration:871e75d0227e4b61358bb1f56b5d1fb69d25b427): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* GET https://registry.gitlab.com/v2/nomadic-labs/umami-wallet/umami-stack-orchestration/manifests/871e75d0227e4b61358bb1f56b5d1fb69d25b427: MANIFEST_UNKNOWN: manifest unknown; map[Tag:871e75d0227e4b61358bb1f56b5d1fb69d25b427]
[DEBUG] [2022-01-05 21:02:03 +0000] []  ▶  
[INFO] [2022-01-05 21:02:03 +0000] []  ▶  2022-01-05T21:02:01.405Z	DEBUG	Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-01-05T21:02:01.406Z	DEBUG	cache dir:  /home/gitlab/.cache/trivy
2022-01-05T21:02:01.406Z	DEBUG	DB Schema: 1, Type: 1, UpdatedAt: 2022-01-05 12:46:15.498337796 +0000 UTC, NextUpdate: 2022-01-05 18:46:15.498337296 +0000 UTC, DownloadedAt: 0001-01-01 00:00:00 +0000 UTC
2022-01-05T21:02:02.895Z	DEBUG	Vulnerability type:  [os]
[INFO] [2022-01-05 21:02:03 +0000] []  ▶  Scan failed. Use `SECURE_LOG_LEVEL=debug` to see more details.
[ERROR] [2022-01-05 21:02:03 +0000] []  ▶  The image registry.gitlab.com/nomadic-labs/umami-wallet/umami-stack-orchestration:871e75d0227e4b61358bb1f56b5d1fb69d25b427 could not be found. To change the image being scanned, use the DOCKER_IMAGE environment variable. For details, see https://docs.gitlab.com/ee/user/application_security/container_scanning/#available-cicd-variables
[ERROR] [2022-01-05 21:02:03 +0000] []  ▶  2022-01-05T21:02:01.405Z	DEBUG	Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-01-05T21:02:01.406Z	DEBUG	cache dir:  /home/gitlab/.cache/trivy
2022-01-05T21:02:01.406Z	DEBUG	DB Schema: 1, Type: 1, UpdatedAt: 2022-01-05 12:46:15.498337796 +0000 UTC, NextUpdate: 2022-01-05 18:46:15.498337296 +0000 UTC, DownloadedAt: 0001-01-01 00:00:00 +0000 UTC
2022-01-05T21:02:02.895Z	DEBUG	Vulnerability type:  [os]
  • What troubleshooting steps have you already taken? Can you link to any docs or other resources so we know where you have been?

I tried adding some configuration I found to specify the runner, but it failed with the same message when using the gitlab-org tagged runner.

I understand that there must be something wrong along those lines, but I am not sure what:

container_scanning:
  variables:
    GIT_STRATEGY: fetch
    DOCKERFILE_PATH: "/nomadic-labs/umami-wallet/umami-stack-orchestration/build/indexer-db-schema/"
    SECURE_LOG_LEVEL: "debug"

Thanks for taking the time to be thorough in your request, it really helps! :blush:

Thanks in advance for any suggestions around this CI integration!

Hi @comeh
DOCKERFILE_PATH must be a full path to a Dockerfile, not just a path to a directory, and it can’t contain your group/subgroup/project names. It is supposed to be a path within your repository. I guess in your case it should be build/indexer-db-schema/Dockerfile, or whatever your Dockerfile is called.

GET https://registry.gitlab.com/v2/nomadic-labs/umami-wallet/umami-stack-orchestration/manifests/871e75d0227e4b61358bb1f56b5d1fb69d25b427: MANIFEST_UNKNOWN: manifest unknown; map[Tag:871e75d0227e4b61358bb1f56b5d1fb69d25b427]

You also need to actually build the image and push it to the GitLab registry.

2 Likes

What @balonik writes is correct, but I wanted to note that the Dockerfile presence is optional. You only need this if you want to use auto-remediation.

For the actual scan, this is the log line that tells you what the problem is:

And the solution :point_down:

1 Like

Thanks for your recommendations!
I managed to get it working by building the Docker image into the GitLab container registry, and then scanning it:

include:
- template: Security/Container-Scanning.gitlab-ci.yml
stages:
- docker-build-indexer-db
- test

docker-build-indexer-db:
  image: docker:latest
  stage: docker-build-indexer-db
  services:
    - docker:dind
  variables:
    IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG/indexer-db-schema:latest
    DOCKERFILE_PATH: "umami-stack-compose/build/indexer-db-schema/Dockerfile"
  script:
    - docker info
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - docker build --build-arg image_ref=registry.gitlab.com/nomadic-labs/tezos-indexer/tezos-indexer:latest --tag $IMAGE -f $DOCKERFILE_PATH .
    - docker push $IMAGE

container_scanning:
  variables:
    GIT_STRATEGY: fetch
    DOCKERFILE_PATH: "umami-stack-compose/build/indexer-db-schema/Dockerfile"
    DOCKER_IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG/indexer-db-schema:latest
    SECURE_LOG_LEVEL: "debug"
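The two findings of this thread, that DOCKERFILE_PATH has to be a repository-relative path to a file (@balonik's reply) and that the MANIFEST_UNKNOWN line in the log means the image was never pushed before the scan ran, can be turned into a pre-flight check that runs in before_script and fails early with a clear message instead of a Trivy stack trace. The script below is an added example, not GitLab's code and not from the thread. Its function names are my own; it assumes the repository is checked out under $CI_PROJECT_DIR, that curl is available in the job image, and that $CI_SERVER_URL/jwt/auth (the container registry token service on gitlab.com) exchanges CI_JOB_TOKEN for a pull token. The manifest URL it builds is the same .../v2/<repo>/manifests/<tag> path Trivy requested in the failing job.

```shell
#!/bin/sh
# Added example: pre-flight checks for a GitLab container_scanning job.
# Assumptions: repository checked out at CI_PROJECT_DIR, curl present in the
# job image, and $CI_SERVER_URL/jwt/auth issues registry pull tokens for
# CI_JOB_TOKEN (true on gitlab.com; verify on self-managed instances).

# Returns 0 when DOCKERFILE_PATH is a repository-relative path to an existing
# file. Rejects the two shapes from this thread: an absolute path carrying
# group/project names, and a directory instead of a Dockerfile.
validate_dockerfile_path() {
  path="$1"
  root="${2:-.}"
  case "$path" in
    "")  echo "DOCKERFILE_PATH is empty" >&2; return 1 ;;
    /*)  echo "DOCKERFILE_PATH must be relative to the repository root: $path" >&2; return 1 ;;
    */)  echo "DOCKERFILE_PATH must name a file, not a directory: $path" >&2; return 1 ;;
  esac
  if [ -d "$root/$path" ]; then
    echo "DOCKERFILE_PATH is a directory, expected a Dockerfile: $path" >&2; return 1
  fi
  if [ ! -f "$root/$path" ]; then
    echo "DOCKERFILE_PATH does not exist in the checkout: $path" >&2; return 1
  fi
  return 0
}

# Derives the registry v2 manifest URL Trivy requests, from an image reference
# of the form host[:port]/namespace/repo[:tag]; the tag defaults to latest.
manifest_url() {
  ref="$1"
  case "$ref" in
    */*) ;;
    *)   echo "image reference must include the registry host: $ref" >&2; return 1 ;;
  esac
  host="${ref%%/*}"
  rest="${ref#*/}"
  case "$rest" in
    *:*) repo="${rest%:*}"; tag="${rest##*:}" ;;
    *)   repo="$rest"; tag="latest" ;;
  esac
  printf 'https://%s/v2/%s/manifests/%s\n' "$host" "$repo" "$tag"
}

# Repository path of an image reference, used as the pull-token scope.
image_repo() {
  rest="${1#*/}"
  printf '%s\n' "${rest%%:*}"
}

# Asks the registry whether the manifest exists. Exit status: 0 found,
# 2 when the registry answers 404 (MANIFEST_UNKNOWN: the image was never
# built and pushed, as in the log above), 1 on any other failure.
# Needs network access; the offline test below does not call it.
check_manifest() {
  ref="$1"
  url="$(manifest_url "$ref")" || return 1
  scope="repository:$(image_repo "$ref"):pull"
  token="$(curl -sf -u "gitlab-ci-token:${CI_JOB_TOKEN:-}" \
    "${CI_SERVER_URL:-https://gitlab.com}/jwt/auth?service=container_registry&scope=${scope}" \
    | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')"
  [ -n "$token" ] || { echo "could not obtain a registry pull token" >&2; return 1; }
  code="$(curl -s -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer $token" \
    -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
    -H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json' \
    -H 'Accept: application/vnd.oci.image.manifest.v1+json' \
    "$url")" || return 1
  case "$code" in
    200) return 0 ;;
    404) echo "MANIFEST_UNKNOWN for $ref: build and push the image before container_scanning runs" >&2; return 2 ;;
    *)   echo "unexpected HTTP $code from $url" >&2; return 1 ;;
  esac
}

# Combined check for before_script. A bad DOCKERFILE_PATH only disables
# auto-remediation, so it is reported as a warning; a missing manifest
# fails the job, because the scan cannot run without an image.
preflight() {
  validate_dockerfile_path "$1" "${CI_PROJECT_DIR:-.}" \
    || echo "warning: auto-remediation will be disabled" >&2
  check_manifest "$2"
}

# Usage in .gitlab-ci.yml (not executed when this file is sourced):
#   before_script:
#     - . ./preflight.sh
#     - preflight "$DOCKERFILE_PATH" "$DOCKER_IMAGE"
```

Sourcing the file rather than executing it keeps the functions in the job shell. Ordering still matters: as in the working configuration above, the build-and-push job has to complete in an earlier stage, otherwise the manifest probe (and Trivy) will see the 404 for the tag that DOCKER_IMAGE names.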