Scanning local docker image for vulnerability using Trivy gives unauthorized

2

7

I've pulled a Docker image from a private repository to local and am trying to scan the local image with the trivy image command. It is pulling the database but showing an Unauthorized error when accessing the local image:

scan error: unable to initialize a scanner: unable to initialize a docker scanner: 3 errors occurred:
        * unable to inspect the image (index.docker.io/library/58625f3e2b28:latest): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
        * unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
        * GET https://index.docker.io/v2/library/58625f3e2b28/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/58625f3e2b28 Type:repository]]

The Docker daemon is running and the image is also in local. Trivy version: 0.22.0
I'm running Trivy as a Docker container and using the below command to scan the local image:

docker run aquasec/trivy image <<imagename>>
Ringhals answered 29/12, 2021 at 8:28 Comment(5)
maybe because it's a private image it has no data on it? Also, from what user and type of machine/OS are you running this? - Dinner
@NoamYizraeli it has data. I've pulled that to local using my credentials. And I tried scanning it in WSL2 Ubuntu and Windows PowerShell, Git Bash. All were giving the same error - Ringhals
how did you install trivy and how did you run the scanning command? Also, maybe it's a permissions thing; try running cmd as admin and run docker ps to make sure the daemon is running (I know you've checked that, I'm making sure anyway by running a command that needs to talk to the daemon) - Dinner
@NoamYizraeli actually I'm running trivy as a docker container. It is pulling CVE results to its database and then throwing this error. I'm running this inside a WSL2 Ubuntu with sudo access. It is showing the type as registry in the error msg even though I'm trying to run an image in my local - Ringhals
command used to scan is docker run aquasec/trivy image <<imagename>> - Ringhals
12

The official documentation states that you have to mount the Docker socket if you wish to scan an image on your host machine.

The command would then look like this:

docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image <<imagename>>
Harkey answered 20/5, 2022 at 8:23 Comment(0)
2

In my case I had "userns-remap": "default" in /etc/docker/daemon.json, so I just had to add --userns=host to Trivy:

docker run \
    --userns=host \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /opt/trivy_cache:/tmp/trivy \
    aquasec/trivy \
    --cache-dir /tmp/trivy/ \
    image my-local-image

This issue is also discussed here: https://github.com/aquasecurity/trivy/issues/580

Adequate answered 16/10, 2023 at 20:55 Comment(0)
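
The two answers above combine into one preflight, shown here as an added example that is not part of either answer or of Trivy itself: it checks the socket, detects `userns-remap` in `daemon.json`, and prints the matching `docker run` line. The function names are hypothetical, and the `grep` check assumes the key and its value sit on one line.

```shell
#!/bin/sh
# Added example: assemble the `docker run` line for scanning a local image
# with containerised Trivy. Function names are hypothetical.

# Succeeds if daemon.json sets a non-empty "userns-remap" value.
# Assumption: key and value sit on one line, so grep suffices (no jq needed).
userns_remap_enabled() {
    [ -r "$1" ] &&
        grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# Succeeds if $1 is a Unix socket. Without it mounted, Trivy in the container
# cannot reach the daemon and falls back to the registry (the UNAUTHORIZED error).
socket_ready() {
    if [ ! -S "$1" ]; then
        echo "error: $1 is not a socket; is the Docker daemon running?" >&2
        return 1
    fi
}

# Print the scan command for image $1.
# $2 = daemon.json path, $3 = host socket path (defaults are Docker's usual ones).
build_trivy_cmd() {
    image=$1
    daemon_json=${2:-/etc/docker/daemon.json}
    sock=${3:-/var/run/docker.sock}
    if [ -z "$image" ]; then
        echo "usage: build_trivy_cmd IMAGE [DAEMON_JSON] [SOCKET]" >&2
        return 2
    fi
    flags=""
    # With userns-remap on, the container's remapped root typically cannot
    # open the host socket, so run this one container in the host namespace.
    if userns_remap_enabled "$daemon_json"; then
        flags="--userns=host "
    fi
    echo "docker run ${flags}-v ${sock}:/var/run/docker.sock aquasec/trivy image ${image}"
}

# Stand-alone use: sh script.sh IMAGE  (prints the command, does not run it)
if [ "$#" -gt 0 ]; then
    socket_ready /var/run/docker.sock && build_trivy_cmd "$1"
fi
```

Mounting the socket gives the Trivy container full access to the host's Docker daemon, and `--userns=host` runs it outside the remapped namespace, which is why the script adds that flag only when remapping is configured.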
