Trivy scans itself when scanning target image when running inside docker #6690
Description

When I use Trivy for scanning a docker image it also reports its own vulnerabilities, which is unexpected.

Desired Behavior

Trivy does not scan itself.

Actual Behavior

Trivy scans itself.

Reproduction Steps

Run the following script:
```bash
#!/bin/bash
LOCAL_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
TRIVY_IMAGE=aquasec/trivy:0.51.1
TARGET_IMAGE=amazonlinux

# Pull the given image only if it is not already present locally.
function download_image_if_needed() {
    TARGET_IMAGE=$1
    if [[ "$(docker images -q $TARGET_IMAGE 2> /dev/null)" == "" ]]; then
        echo "Downloading '$TARGET_IMAGE' image"
        docker pull $TARGET_IMAGE
    fi
}

echo "Target docker image: $TARGET_IMAGE"
download_image_if_needed "$TARGET_IMAGE"
download_image_if_needed "$TRIVY_IMAGE"

# Local directories for the Trivy DB cache and the exported image archive.
LOCAL_CACHE="$LOCAL_DIR/cache"
mkdir -p "$LOCAL_CACHE"
LOCAL_TMP="$LOCAL_DIR/tmp"
mkdir -p "$LOCAL_TMP"

# Export the target image to a tarball so it can be scanned via --input.
IMAGE_ID=$(docker images -q "$TARGET_IMAGE")
IMAGE_ARCHIVE="$LOCAL_TMP/$IMAGE_ID.tar"
if [ ! -f "$IMAGE_ARCHIVE" ]; then
    echo "Exporting $IMAGE_ID as $IMAGE_ARCHIVE archive"
    docker image save "$IMAGE_ID" -o "$IMAGE_ARCHIVE"
fi

# Run Trivy in a container, mounting the cache and the archive to scan.
DOCKER_IMAGE_ARCHIVE="/$(basename "$IMAGE_ARCHIVE")"
docker run \
    -v "$LOCAL_CACHE":/root/.cache/trivy \
    -v "$IMAGE_ARCHIVE":"$DOCKER_IMAGE_ARCHIVE" \
    "$TRIVY_IMAGE" \
    image --input "$DOCKER_IMAGE_ARCHIVE" \
    --scanners vuln \
    --severity MEDIUM,HIGH,CRITICAL
```
Answered by
knqyf263
May 15, 2024
Your $TARGET_IMAGE is overwritten here and your script is exporting aquasec/trivy:0.51.1. You can check it.
Answer selected by
knqyf263
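As an added example (not code from the discussion or from the Trivy project), the scoping mistake the answer points to, reduced to a few lines beside the fix with `local`, plus a guard that refuses to proceed when the resolved target turns out to be the scanner image. The function names `buggy_helper`, `fixed_helper`, `resolve_target_buggy`, `resolve_target_fixed` and `assert_not_scanner` are made up for this illustration; `docker pull` is left out so it runs offline.

```bash
#!/bin/bash
# Added example, not part of the original discussion.
# In bash, an assignment inside a function is GLOBAL unless declared `local`,
# so a parameter named like the caller's variable silently overwrites it.

TRIVY_IMAGE=aquasec/trivy:0.51.1

# Same shape as the original download_image_if_needed: clobbers the global.
buggy_helper() {
    TARGET_IMAGE=$1          # global assignment; docker pull omitted here
}

# Fixed: `local` keeps the parameter in function scope.
fixed_helper() {
    local image=$1           # docker pull "$image" would go here
}

# Mirrors the original call order and prints the image the scan would use.
resolve_target_buggy() {
    TARGET_IMAGE=$1
    buggy_helper "$TARGET_IMAGE"
    buggy_helper "$TRIVY_IMAGE"   # last call wins: TARGET_IMAGE is now Trivy
    printf '%s\n' "$TARGET_IMAGE"
}

resolve_target_fixed() {
    TARGET_IMAGE=$1
    fixed_helper "$TARGET_IMAGE"
    fixed_helper "$TRIVY_IMAGE"   # caller's TARGET_IMAGE is untouched
    printf '%s\n' "$TARGET_IMAGE"
}

# Cheap sanity check before the scan step: the target must not be the scanner.
assert_not_scanner() {
    if [ "$1" = "$TRIVY_IMAGE" ]; then
        echo "refusing to scan the Trivy image itself: $1" >&2
        return 1
    fi
    return 0
}

echo "buggy: $(resolve_target_buggy amazonlinux)"   # aquasec/trivy:0.51.1
echo "fixed: $(resolve_target_fixed amazonlinux)"   # amazonlinux
```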