Container scanning of arm64 images

Problem to solve

We want to scan an arm64 container image with the integrated Trivy security scanner. Trivy has a parameter platform which can be used for that, but it seems this parameter is not available through the image scanner.

Steps to reproduce

  • Build an arm64 image in GitLab CI

build:arm64:
  stage: build
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker buildx create --name the-builder
    - docker buildx use the-builder
    # cross-build for arm64 and push the tag straight to the project registry
    - docker buildx build
      --platform linux/arm64
      --file "${CI_PROJECT_DIR}/docker/Dockerfile"
      --build-arg ARCH=arm64
      --tag "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}-arm64"
      --push
      .

  • Activate the image scan function for it

container_scanning:
  stage: build
  needs:
    - build:arm64
  variables:
    # point the integrated scanner at the arm64 tag pushed above
    CS_IMAGE: "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}-arm64"
    TRIVY_TIMEOUT: 10m

The scan fails with the following error message:

[ERROR] [2024-03-28 11:42:06 +0000] [container-scanning]  >  Scanner has not created a file with results (tmp.json)
[INFO] [2024-03-28 11:42:06 +0000] [container-scanning]  >  Scan failed. Use `SECURE_LOG_LEVEL=debug` to see more details.
[ERROR] [2024-03-28 11:42:06 +0000] [container-scanning]  >  2024-03-28T11:42:06.328Z	INFO	Vulnerability scanning is enabled
2024-03-28T11:42:06.437Z	FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: 4 errors occurred:
	* docker error: unable to inspect the image (registry.gitlab.REDACTED.de/dc/hubs/content/building-blocks/builder:a15a70c23086c6b67c48a512dbaf162180230348-arm64): permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/registry.gitlab.REDACTED.de/dc/hubs/content/building-blocks/builder:a15a70c23086c6b67c48a512dbaf162180230348-arm64/json": dial unix /var/run/docker.sock: connect: permission denied
	* containerd error: containerd socket not found: /run/containerd/containerd.sock
	* podman error: unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* remote error: no child with platform linux/amd64 in index registry.gitlab.REDACTED.de/dc/hubs/content/building-blocks/builder:a15a70c23086c6b67c48a512dbaf162180230348-arm64

Is there another way to scan an arm64 image?

BR,

Johannes

Versions

Please select whether options apply, and add the version information.

  • Self-managed
  • GitLab.com SaaS
  • Self-hosted Runners

Versions

  • GitLab: v16.10.0-ee
  • GitLab Runner, if self-hosted: gitlab-runner 16.9.0
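The platform parameter the question refers to, invoked on Trivy directly instead of through the integrated analyzer, as an added example that is not from the original post or from GitLab's container scanning template. It reuses the build:arm64 job and image tag from the question and assumes an amd64 runner with no Docker socket; the job name, stage, Trivy image tag and report file name are assumptions.

```yaml
# Added example (not from the original post): scan the arm64 tag pushed by
# build:arm64 with Trivy's own --platform flag. The analyzer's "remote error"
# above shows it asking the manifest index for a linux/amd64 child; here the
# arm64 child is requested explicitly.
container_scanning:arm64:
  stage: test                      # assumed stage name
  needs:
    - build:arm64
  image:
    name: aquasec/trivy:latest     # pin to a fixed version in a real pipeline
    entrypoint: [""]
  variables:
    IMAGE: "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}-arm64"
    # registry credentials read by Trivy for the pull
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_NO_PROGRESS: "true"
  script:
    # no Docker/containerd/podman socket on the runner: pull from the registry
    # and write the GitLab-format report; exit 0 so the report is always produced
    - trivy image --platform linux/arm64 --image-src remote
        --format template --template "@/contrib/gitlab.tpl"
        --output "$CI_PROJECT_DIR/gl-container-scanning-report.json"
        --exit-code 0 "$IMAGE"
    # second pass (DB and image layers already cached) that fails the job
    # on HIGH or CRITICAL findings
    - trivy image --platform linux/arm64 --image-src remote
        --severity HIGH,CRITICAL --exit-code 1 "$IMAGE"
  artifacts:
    when: always
    reports:
      container_scanning: gl-container-scanning-report.json
```

The report lands in the merge request and Security tab like the integrated job's output, but the GitLab analyzer's own variables (CS_IMAGE, TRIVY_TIMEOUT) do not apply to this job.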

We were running into the same issue as well. After combing through the docs, it looks like arm64 is not yet supported. If you’re running on a self-managed instance, you also might want to check to see if your runners are running on amd64-based processors as well (not sure if this will affect things, but good to double check).

Hope this helps.