GitLab container_scanning fails with those 4 errors: Docker daemon, initialize Podman client, containerd daemon, and repository authentication.
This is the log:
```text
....
trivy image --vuln-type os --no-progress --offline-scan --skip-update --security-checks vuln --format template --template @/usr/local/bundle/gems/gcs-5.2.7/lib/template/trivy.tpl --output tmp.json registry.gitlab.com/xxxx/temp:1442
[DEBUG] [2023-02-22 16:39:59 +0000] [container-scanning] > trivy image --vuln-type os --no-progress --offline-scan --skip-update --security-checks vuln --format template --template @/usr/local/bundle/gems/gcs-5.2.7/lib/template/trivy.tpl --output tmp.json registry.gitlab.com/xxxx/temp:1442
[DEBUG] [2023-02-22 16:40:03 +0000] [container-scanning] > 2023-02-22T16:39:59.813Z DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-02-22T16:39:59.820Z DEBUG cache dir: /home/gitlab/.cache/trivy/ce
2023-02-22T16:39:59.820Z DEBUG Skipping DB update...
2023-02-22T16:39:59.820Z DEBUG DB Schema: 2, UpdatedAt: 2023-02-21 12:07:46.494248011 +0000 UTC, NextUpdate: 2023-02-21 18:07:46.494247711 +0000 UTC, DownloadedAt: 0001-01-01 00:00:00 +0000 UTC
2023-02-22T16:40:02.898Z INFO Vulnerability scanning is enabled
2023-02-22T16:40:02.898Z DEBUG Vulnerability type: [os]
2023-02-22T16:40:03.337Z FATAL image scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:397
- scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:257
- unable to initialize a scanner:
github.com/aquasecurity/trivy/pkg/commands/artifact.scan
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:582
- unable to initialize a docker scanner:
github.com/aquasecurity/trivy/pkg/commands/artifact.imageStandaloneScanner
/home/runner/work/trivy/trivy/pkg/commands/artifact/scanner.go:22
- 4 errors occurred:
* unable to inspect the image (registry.gitlab.com/xxxx/temp:1442): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
* containerd socket not found: /run/containerd/containerd.sock
* GET https://registry.gitlab.com/v2/xxxx/temp/manifests/1442: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:xxxx/temp Type:repository]]
[DEBUG] [2023-02-22 16:40:03 +0000] [container-scanning] >
[INFO] [2023-02-22 16:40:03 +0000] [container-scanning] > Scan failed. Use `SECURE_LOG_LEVEL=debug` to see more details.
[ERROR] [2023-02-22 16:40:03 +0000] [container-scanning] > The credentials set in CS_REGISTRY_USER and CS_REGISTRY_PASSWORD are either empty or not valid. Please set valid credentials.
....
```
This is the pipeline:

```yaml
include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

stages:
  - Build Image
  - test

Build_Docker:
  tags:
    - xxxx-runner
  image:
    name: amazon/aws-cli
    entrypoint: [""]
  services:
    - docker:18-dind
  stage: Build Image
  variables:
    APP_NAME: xxxx/temp
  before_script:
    - amazon-linux-extras install docker
    - aws --version
    - docker --version
  script:
    # the image is pushed under $DOCKER_REGISTRY, while container_scanning below references it via $CI_REGISTRY_IMAGE
    - docker build -f xxxx/Dockerfile -t $DOCKER_REGISTRY/$APP_NAME:$CI_PIPELINE_IID .
    - docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
    - docker push $DOCKER_REGISTRY/$APP_NAME:$CI_PIPELINE_IID
  rules:
    - !reference [.rules_script, rules]

container_scanning:
  image: "$CS_ANALYZER_IMAGE$CS_IMAGE_SUFFIX"
  stage: test
  needs: ["Build_Docker"]
  variables:
    APP_NAME: xxxx/temp
    GIT_STRATEGY: none
    SECURE_LOG_LEVEL: 'debug'
    CI_GITLAB_FIPS_MODE: "false"
    CS_IMAGE: $CI_REGISTRY_IMAGE/$APP_NAME:$CI_PIPELINE_IID
    # values redacted
    CS_REGISTRY_USER: "xxxx"
    CS_REGISTRY_PASSWORD: "$xxxxx"
```
I tried adding these variables, but I am still facing the same error:

```yaml
    CS_REGISTRY_USER: "xxxx"
    CS_REGISTRY_PASSWORD: "$xxxxx"
```
I also tried this, but I am facing the same error:

```yaml
container_scanning:
  extends: .job_aws
  stage: test
  needs: ["Build_Docker"]
  variables:
    GIT_STRATEGY: none
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$TrivyPassword"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    # APP_NAME is not defined in this job; it has to come from .job_aws or a project-level variable
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE/$APP_NAME:$CI_PIPELINE_IID
    DOCKER_TLS_CERTDIR: ''
  before_script:
    - !reference [.before_script.docker, before_script]
    - yum install -y gettext
    - yum install -y tar gzip
    - docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
  script:
    - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
    - trivy --version
    - time trivy image --clear-cache
    - time trivy image --download-db-only --no-progress --cache-dir .trivycache/
    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
    - time trivy image --exit-code 0 --debug --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl"
      --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
    # - time trivy image --exit-code 0 --debug --cache-dir .trivycache/ --no-progress --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
    # # Fail on critical vulnerabilities
    # - time trivy image --exit-code 1 --debug --cache-dir .trivycache/ --no-progress --severity CRITICAL "$FULL_IMAGE_NAME"
  cache:
    paths:
      - .trivycache/
  artifacts:
    when: always
    reports:
      container_scanning: gl-container-scanning-report.json
```
Thanks for any help!
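The last of the four errors in the log is the one that matters when the analyzer runs without a Docker, Podman or containerd socket: trivy falls back to pulling the manifest straight from the registry, and the registry answers `UNAUTHORIZED`. The following pre-flight script, an added example that is not part of the original post or of GitLab's analyzer, runs the same Docker Registry v2 token handshake with the variables the job will hand to the scanner, so empty or rejected credentials fail with a clear message before trivy starts. It assumes a fully qualified, tag-based reference like the `CS_IMAGE` above (no `@sha256` digest), that the registry issues a `Bearer realm=...` challenge (the realm, service and scope are taken from the header, not hard-coded), and it reads `CS_REGISTRY_USER`/`CS_REGISTRY_PASSWORD` first and the job's predefined `CI_REGISTRY_USER`/`CI_REGISTRY_PASSWORD` as a fallback; the function and file names are my own.

```python
#!/usr/bin/env python3
"""Pre-flight check of the registry credentials a container_scanning job will use.

Added example (not GitLab's or trivy's code). Steps of the Docker Registry v2 token handshake:
  1. GET https://<registry>/v2/<name>/manifests/<tag> anonymously -> 401 + WWW-Authenticate
  2. GET <realm>?service=...&scope=... with HTTP Basic credentials -> {"token": "..."}
  3. GET the manifest again with Authorization: Bearer <token>
"""
import base64
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

MANIFEST_ACCEPT = ", ".join([
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
])
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs of the Bearer challenge


def split_image_ref(ref):
    """'registry.gitlab.com/xxxx/temp:1442' -> ('registry.gitlab.com', 'xxxx/temp', '1442').
    Assumes a fully qualified, tag-based reference (no @sha256 digest), as CS_IMAGE is here."""
    registry, _, path = ref.partition("/")
    name, sep, tag = path.rpartition(":")
    if not sep:  # no tag given: the registry default
        name, tag = path, "latest"
    return registry, name, tag


def parse_bearer_challenge(header):
    """Parse 'Bearer realm="...",service="...",scope="..."' into a dict; realm is mandatory."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("registry did not return a Bearer challenge: %r" % header)
    fields = dict(_PARAM_RE.findall(params))
    if "realm" not in fields:
        raise ValueError("Bearer challenge has no realm: %r" % header)
    return fields


def token_url(challenge):
    """Token endpoint URL built from the challenge the registry sent (nothing hard-coded)."""
    query = {k: challenge[k] for k in ("service", "scope") if k in challenge}
    return challenge["realm"] + "?" + urllib.parse.urlencode(query)


def credentials_from_env(env):
    """CS_REGISTRY_* first, then the job's predefined CI_REGISTRY_* pair.
    Returns None when either half is empty, which is the case the analyzer's last log line reports."""
    user = env.get("CS_REGISTRY_USER") or env.get("CI_REGISTRY_USER", "")
    password = env.get("CS_REGISTRY_PASSWORD") or env.get("CI_REGISTRY_PASSWORD", "")
    if not user or not password:
        return None
    return user, password


def check_pull_access(image_ref, user, password, opener=urllib.request.urlopen):
    """'public' if the manifest needs no auth, 'authorized' after a successful token exchange;
    raises urllib.error.HTTPError (401/403) when the registry rejects the credentials."""
    registry, name, tag = split_image_ref(image_ref)
    manifest_url = "https://%s/v2/%s/manifests/%s" % (registry, name, tag)
    try:
        with opener(urllib.request.Request(manifest_url, headers={"Accept": MANIFEST_ACCEPT})):
            return "public"
    except urllib.error.HTTPError as err:
        if err.code != 401:
            raise
        challenge = parse_bearer_challenge(err.headers.get("WWW-Authenticate", ""))
    basic = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(token_url(challenge), headers={"Authorization": "Basic " + basic})
    with opener(req) as resp:
        body = json.load(resp)
    token = body.get("token") or body.get("access_token")
    if not token:
        raise RuntimeError("token endpoint returned no token: %r" % body)
    req = urllib.request.Request(manifest_url, headers={"Accept": MANIFEST_ACCEPT,
                                                        "Authorization": "Bearer " + token})
    with opener(req):
        return "authorized"


if __name__ == "__main__":
    image = os.environ.get("CS_IMAGE")
    if not image:
        sys.exit("CS_IMAGE is not set")
    creds = credentials_from_env(os.environ)
    if creds is None:
        sys.exit("CS_REGISTRY_USER/CS_REGISTRY_PASSWORD (or CI_REGISTRY_USER/PASSWORD) are empty")
    try:
        print("%s: %s" % (image, check_pull_access(image, *creds)))
    except urllib.error.HTTPError as err:
        sys.exit("%s: HTTP %d from %s" % (image, err.code, err.url))
```

Run it as a `before_script` step of the scanning job with the same variables the analyzer gets (`CS_IMAGE`, `CS_REGISTRY_USER`, `CS_REGISTRY_PASSWORD`); a non-zero exit with "are empty" means the `$xxxxx` reference expands to nothing in that job, while an HTTP 401 or 403 from the token realm means the registry does not accept that user/password pair for `repository:<name>:pull`.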