This issue was moved to a discussion.

Scan Local Image using Trivy #1506

Closed
bhuvi11 opened this issue Dec 22, 2021 · 10 comments

bhuvi11 commented Dec 22, 2021

I am trying to use trivy to scan an image locally built on my desktop.
I used the command trivy image <image_name> and got the below error:

-12-22T14:25:30.920Z FATAL scan error: unable to initialize a scanner: unable to initialize a docker scanner: 3 errors occurred:
* unable to inspect the image (index.docker.io/library/pipe-test8:latest): Error: No such image: index.docker.io/library/pipe-test8:latest
* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
* GET https://index.docker.io/v2/library/pipe-test8/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/pipe-test8 Type:repository]]
Can someone help me?

@bhuvi11 bhuvi11 added the kind/bug Categorizes issue or PR as related to a bug. label Dec 22, 2021
@knqyf263 knqyf263 added the triage/needs-information Indicates an issue needs more information in order to work on it. label Dec 22, 2021
@knqyf263
Collaborator

Seems like your image doesn't exist in your local Docker daemon. Please make sure the image name and tag are correct.


sbrinkerhoff commented Dec 22, 2021

Working here with a local image present (MacOS, Docker Desktop, Trivy)

❯ trivy stan:latest
2021-12-22T17:47:40.450-0500	FATAL	scan error: unable to initialize a scanner: unable to initialize a docker scanner: 3 errors occurred:
	* unable to inspect the image (index.docker.io/library/stan:latest): Error: No such image: index.docker.io/library/stan:latest
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* GET https://index.docker.io/v2/library/stan/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/stan Type:repository]]
	
❯ echo "FROM nginx:latest" >> Dockerfile
❯ docker build . -t stan:latest

❯ trivy stan:latest
2021-12-22T17:48:05.992-0500	INFO	Detected OS: debian
2021-12-22T17:48:05.992-0500	INFO	Detecting Debian vulnerabilities...
2021-12-22T17:48:06.032-0500	INFO	Number of language-specific files: 1
2021-12-22T17:48:06.032-0500	INFO	Detecting jar vulnerabilities...

stan:latest (debian 11.2)
=========================
Total: 98 (UNKNOWN: 0, LOW: 83, MEDIUM: 5, HIGH: 6, CRITICAL: 4)


hazcod commented Dec 30, 2021

Works for me too.

@knqyf263 knqyf263 added triage/support Indicates an issue that is a support question. and removed kind/bug Categorizes issue or PR as related to a bug. labels Jan 25, 2022

PenelopeFudd commented Jan 26, 2022

Ok, I think I've got the same problem:

# docker image ls 

REPOSITORY                                                               TAG       IMAGE ID       CREATED         SIZE
999999999999.dkr.ecr.us-west-2.amazonaws.com/foobar2-edge-cache-server   latest    6626baea4fd6   2 weeks ago     3.55GB
aquasec/trivy                                                            0.22.0    51c32101009b   4 weeks ago     61MB
<none>                                                                   <none>    9eeb7053d381   2 months ago    921MB
nginx                                                                    latest    ea335eea17ab   2 months ago    141MB
999999999999.dkr.ecr.us-west-2.amazonaws.com/foobar2-edge-cache-server   <none>    00d3704627b8   2 months ago    1.16GB
<none>                                                                   <none>    ecea4ed288b9   2 months ago    1.16GB
localhost:5000/ansible-base                                              latest    84bbce9e6c36   2 months ago    922MB
ansible-base                                                             latest    cbeaf85279a5   3 months ago    855MB
osdk-foobar2:5000/docker/ansible-base                                    latest    cbeaf85279a5   3 months ago    855MB
vagrant-mutate                                                           latest    cf0d30e2a697   3 months ago    354MB
vagrantlibvirt/vagrant-libvirt                                           latest    9e33cc799237   3 months ago    732MB
ubuntu                                                                   18.04     5a214d77f5d7   3 months ago    63.1MB
registry                                                                 2         b2cb11db9d3d   4 months ago    26.2MB
ubuntu                                                                   16.04     b6f507652425   4 months ago    135MB
ubuntu                                                                   latest    1318b700e415   6 months ago    72.8MB
ubuntu                                                                   14.04     13b66b487594   10 months ago   197MB
hello-world                                                              latest    d1165f221234   10 months ago   13.3kB
node                                                                     12.16.3   bdca973cfa07   20 months ago   916MB

I can run trivy image node, trivy image node:12.6.3, or trivy image localhost:5000/ansible-base, but not trivy image "<none>" (makes no sense) or trivy image ecea4ed288b9:

# trivy image ecea4ed288b9

2022-01-26T15:47:49.322-0800	FATAL	scan error: unable to initialize a scanner: unable to initialize a docker scanner: 3 errors occurred:
	* unable to inspect the image (index.docker.io/library/ecea4ed288b9:latest): Error: No such image: index.docker.io/library/ecea4ed288b9:latest
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* GET https://index.docker.io/v2/library/ecea4ed288b9/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/ecea4ed288b9 Type:repository]]

Is there a way to scan images by image id? In a forensic investigation of a live system, it would be a bad idea to modify the docker image metadata, as that would alter the evidence and could jeopardize the case.

Thanks.


tatulea commented Feb 3, 2022

I'm also interested in scanning the image using image id

@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Apr 13, 2022

davehodg commented Jun 9, 2022

I have built a named local image and I get:

% trivy i platform    
2022-06-09T14:34:15.794+0100	FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 3 errors occurred:
	* unable to inspect the image (platform): Error: No such image: platform
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* GET https://index.docker.io/v2/library/platform/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/platform Type:repository]]

Freshly brew updated trivy.

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jul 11, 2022
@apankowski

TL;DR

You might not have exported the image to your local docker image cache. Without providing information on your exact setup used to build the images it's hard to tell (OS, do you use containerd, docker, buildx, which versions, etc.).

Longer version

Today I decided to include a Trivy scan of docker images built for my project with GitHub Actions. Built images are local to the GitHub Actions runner host. I got (pretty much) the same error in my initial build:

2022-12-03T11:10:36.407Z	FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
	* unable to inspect the image (apankowski/garcon:07776268f3b753caa640f474ab41eac29c25a554): Error: No such image: apankowski/garcon:07776268f3b753caa640f474ab41eac29c25a554
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* containerd socket not found: /run/containerd/containerd.sock
	* GET https://index.docker.io/v2/apankowski/garcon/manifests/07776268f3b753caa640f474ab41eac29c25a554: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:apankowski/garcon Type:repository]]

Initially I thought it was because I used apankowski/ prefix but that wasn't it. Inspecting the logs carefully I found this output from my image building command:

WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load

This made sense -- I'm using docker buildx for building.
So, following advice in the warning message, I added --load to the build command which made buildx export the image to local docker image cache, making it visible to Trivy.

So: I suggest verifying that your built image is visible to docker using docker image ls. Also provide the exact setup you're using to build the image (OS, do you use containerd, docker, buildx, which versions, etc.).

@autarchprinceps

I have exactly the same issue, but no, --load doesn't help. Trivy doesn't use the local version, but always tries to pull from docker hub:

❯ docker images | grep test
test                                                     latest            c33738aa1932   4 minutes ago   744MB
❯ trivy i test
2023-01-11T15:50:41.776+0100	INFO	Vulnerability scanning is enabled
2023-01-11T15:50:41.777+0100	INFO	Secret scanning is enabled
2023-01-11T15:50:41.777+0100	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-11T15:50:41.777+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-01-11T15:50:43.258+0100	FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
	* unable to inspect the image (test): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* containerd socket not found: /run/containerd/containerd.sock
	* GET https://index.docker.io/v2/library/test/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/test Type:repository]]

But testing a docker hub image works on the same machine, so clearly none of the other problems it considers are there.

❯ trivy --version
Version: 0.36.1
On Mac

@knqyf263
Collaborator

@autarchprinceps Your issue is different from others. Trivy can't connect to the Docker daemon. Do you have a special DOCKER_HOST?

  • unable to inspect the image (test): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
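
The two failure modes distinguished in this thread (image missing from the local daemon, and daemon unreachable) can be told apart mechanically from Trivy's error list. The script below is an added example, not part of the thread and not Trivy project code; the function names and status labels are assumptions made up here, and the log lines are copied from the comments above.

```shell
#!/bin/sh
# Added example, not Trivy project code: triage the per-source errors in
# Trivy's "unable to initialize a scanner" output.

# stdin: Trivy log. stdout: one "source: status" line per image source tried.
classify_trivy_failure() {
    awk '
    /unable to inspect the image/ {
        if ($0 ~ /Cannot connect to the Docker daemon/) print "docker: daemon-unreachable"
        else if ($0 ~ /No such image/)                  print "docker: image-not-in-daemon"
        else                                            print "docker: other"
        next
    }
    /no podman socket found/      { print "podman: socket-missing"; next }
    /containerd socket not found/ { print "containerd: socket-missing"; next }
    /manifests.*UNAUTHORIZED/     { print "registry: unauthorized" }
    '
}

# stdin: Trivy log. stdout: the first thing to check, local daemon before registry.
first_check() {
    case "$(classify_trivy_failure)" in
        *"docker: daemon-unreachable"*)
            echo "Docker daemon unreachable: check DOCKER_HOST and the socket path" ;;
        *"docker: image-not-in-daemon"*)
            echo "Image not in local daemon: check 'docker image ls'; with buildx, build with --load" ;;
        *"registry: unauthorized"*)
            echo "Registry pull rejected: check the image name and registry login" ;;
        *)  echo "No known scanner-initialization error found" ;;
    esac
}

# Error lines copied from two comments in this thread.
log_not_in_daemon() { cat <<'EOF'
	* unable to inspect the image (platform): Error: No such image: platform
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* GET https://index.docker.io/v2/library/platform/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/platform Type:repository]]
EOF
}
log_daemon_down() { cat <<'EOF'
	* unable to inspect the image (test): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* containerd socket not found: /run/containerd/containerd.sock
	* GET https://index.docker.io/v2/library/test/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/test Type:repository]]
EOF
}

log_not_in_daemon | first_check
log_daemon_down | first_check
```

To use it on a real run, pipe Trivy's stderr into `first_check`; the UNAUTHORIZED line appears in both samples, so the docker line is what separates the two cases.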

@aquasecurity aquasecurity locked and limited conversation to collaborators May 10, 2023
@knqyf263 knqyf263 converted this issue into discussion #4270 May 10, 2023
