trivy scan prints different results on simultaneous scans #9687

RomanenkoDenys · 2025-10-19T10:42:13Z

RomanenkoDenys
Oct 19, 2025

Description

When i run trivy scan on image vex attestations randomly doesn't work.

Desired Behavior

Vex attestations should work any time.

Actual Behavior

two runs:
first:

trivy image dev-registry.deckhouse.io/sys/deckhouse-oss@sha256:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621 --vex=oci -d



2025-10-19T13:37:23+03:00	DEBUG	No plugins loaded
2025-10-19T13:37:23+03:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-19T13:37:23+03:00	DEBUG	Cache dir	dir="/Users/ash/Library/Caches/trivy"
2025-10-19T13:37:23+03:00	DEBUG	Cache dir	dir="/Users/ash/Library/Caches/trivy"
2025-10-19T13:37:23+03:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-19T13:37:23+03:00	DEBUG	Ignore statuses	statuses=[]
2025-10-19T13:37:23+03:00	DEBUG	DB update was skipped because the local DB is the latest
2025-10-19T13:37:23+03:00	DEBUG	DB info	schema=2 updated_at=2025-10-19T06:31:25.987999439Z next_update=2025-10-20T06:31:25.987999018Z downloaded_at=2025-10-19T10:31:35.891964Z
2025-10-19T13:37:23+03:00	DEBUG	[pkg] Package types	types=[os library]
2025-10-19T13:37:23+03:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-10-19T13:37:23+03:00	INFO	[vuln] Vulnerability scanning is enabled
2025-10-19T13:37:23+03:00	INFO	[secret] Secret scanning is enabled
2025-10-19T13:37:23+03:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-10-19T13:37:23+03:00	INFO	[secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
2025-10-19T13:37:23+03:00	DEBUG	[notification] Running version check
2025-10-19T13:37:23+03:00	DEBUG	Initializing scan cache...	type="fs"
2025-10-19T13:37:23+03:00	DEBUG	[notification] Version check completed	latest_version="0.67.2"
2025-10-19T13:37:24+03:00	DEBUG	[image] Image found	image="dev-registry.deckhouse.io/sys/deckhouse-oss@sha256:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621" source="remote"
2025-10-19T13:37:24+03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-10-19T13:37:24+03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-10-19T13:37:24+03:00	DEBUG	Created process-specific temp directory	path="/var/folders/5z/wnbcfwpj1cn81svpqkq2d8y00000gn/T/trivy-12314"
2025-10-19T13:37:24+03:00	DEBUG	[image] Detected image ID	image_id="sha256:5a3453bf343d48c13d367b3b3f3e230403f56a4faac516852eed3e848e341f82"
2025-10-19T13:37:24+03:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:f45ce139e872d0d1b8295fedce6831e84c4a291d1e7450847d13a969f54c015c sha256:e89675a84b56f55b81c6d990f9415822935f585e94764775332bf5f60dcab98b sha256:85b36d99c12a91c90ff6e57145f66b706ec2de8fbf00004621c4c1c4eb6e1288 sha256:5167aac167fc05e03a9b3dcfc3e5af90935d44074e91af4082dc51ef2781cd97]
2025-10-19T13:37:24+03:00	DEBUG	[image] Detected base layers	diff_ids=[]
2025-10-19T13:37:24+03:00	DEBUG	OS is not detected.
2025-10-19T13:37:24+03:00	DEBUG	Detected OS: unknown
2025-10-19T13:37:24+03:00	INFO	Number of language-specific files	num=1
2025-10-19T13:37:24+03:00	INFO	[gobinary] Detecting vulnerabilities...
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/bin/kube-apiserver"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/kubernetes"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/api"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/apiextensions-apiserver"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/apimachinery"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/apiserver"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/client-go"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/cloud-provider"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/cluster-bootstrap"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/component-base"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/component-helpers"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/controller-manager"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/dynamic-resource-allocation"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/kms"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/kube-aggregator"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/kubelet"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/mount-utils"
2025-10-19T13:37:24+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/pod-security-admission"
2025-10-19T13:37:24+03:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-10-19T13:37:25+03:00	DEBUG	[vex] VEX attestation found, taking the first one	type="oci" purl="pkg:oci/deckhouse-oss@sha256%3Af06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621?arch=amd64&repository_url=dev-registry.deckhouse.io%2Fsys%2Fdeckhouse-oss"

Report Summary

┌────────────────────────┬──────────┬─────────────────┬─────────┐
│         Target         │   Type   │ Vulnerabilities │ Secrets │
├────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/bin/kube-apiserver │ gobinary │        1        │    -    │
└────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


usr/bin/kube-apiserver (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                        Title                         │
├────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ gopkg.in/square/go-jose.v2 │ CVE-2024-28180 │ MEDIUM   │ affected │ v2.6.0            │               │ jose-go: improper handling of highly compressed data │
│                            │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28180           │
└────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────┘
2025-10-19T13:37:25+03:00	DEBUG	Cleaning up temp directory	path="/var/folders/5z/wnbcfwpj1cn81svpqkq2d8y00000gn/T/trivy-12314"

second run:

trivy image dev-registry.deckhouse.io/sys/deckhouse-oss@sha256:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621 --vex=oci -d


2025-10-19T13:38:09+03:00	DEBUG	No plugins loaded
2025-10-19T13:38:09+03:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-19T13:38:09+03:00	DEBUG	Cache dir	dir="/Users/ash/Library/Caches/trivy"
2025-10-19T13:38:09+03:00	DEBUG	Cache dir	dir="/Users/ash/Library/Caches/trivy"
2025-10-19T13:38:09+03:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-19T13:38:09+03:00	DEBUG	Ignore statuses	statuses=[]
2025-10-19T13:38:09+03:00	DEBUG	DB update was skipped because the local DB is the latest
2025-10-19T13:38:09+03:00	DEBUG	DB info	schema=2 updated_at=2025-10-19T06:31:25.987999439Z next_update=2025-10-20T06:31:25.987999018Z downloaded_at=2025-10-19T10:31:35.891964Z
2025-10-19T13:38:09+03:00	DEBUG	[pkg] Package types	types=[os library]
2025-10-19T13:38:09+03:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-10-19T13:38:09+03:00	INFO	[vuln] Vulnerability scanning is enabled
2025-10-19T13:38:09+03:00	INFO	[secret] Secret scanning is enabled
2025-10-19T13:38:09+03:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-10-19T13:38:09+03:00	INFO	[secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
2025-10-19T13:38:09+03:00	DEBUG	[notification] Running version check
2025-10-19T13:38:09+03:00	DEBUG	Initializing scan cache...	type="fs"
2025-10-19T13:38:10+03:00	DEBUG	[notification] Version check completed	latest_version="0.67.2"
2025-10-19T13:38:10+03:00	DEBUG	[image] Image found	image="dev-registry.deckhouse.io/sys/deckhouse-oss@sha256:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621" source="remote"
2025-10-19T13:38:10+03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-10-19T13:38:10+03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-10-19T13:38:10+03:00	DEBUG	Created process-specific temp directory	path="/var/folders/5z/wnbcfwpj1cn81svpqkq2d8y00000gn/T/trivy-12862"
2025-10-19T13:38:10+03:00	DEBUG	[image] Detected image ID	image_id="sha256:5a3453bf343d48c13d367b3b3f3e230403f56a4faac516852eed3e848e341f82"
2025-10-19T13:38:10+03:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:f45ce139e872d0d1b8295fedce6831e84c4a291d1e7450847d13a969f54c015c sha256:e89675a84b56f55b81c6d990f9415822935f585e94764775332bf5f60dcab98b sha256:85b36d99c12a91c90ff6e57145f66b706ec2de8fbf00004621c4c1c4eb6e1288 sha256:5167aac167fc05e03a9b3dcfc3e5af90935d44074e91af4082dc51ef2781cd97]
2025-10-19T13:38:10+03:00	DEBUG	[image] Detected base layers	diff_ids=[]
2025-10-19T13:38:10+03:00	DEBUG	OS is not detected.
2025-10-19T13:38:10+03:00	DEBUG	Detected OS: unknown
2025-10-19T13:38:10+03:00	INFO	Number of language-specific files	num=1
2025-10-19T13:38:10+03:00	INFO	[gobinary] Detecting vulnerabilities...
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/bin/kube-apiserver"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/kubernetes"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/api"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/apiextensions-apiserver"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/apimachinery"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/apiserver"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/client-go"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/cloud-provider"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/cluster-bootstrap"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/component-base"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/component-helpers"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/controller-manager"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/dynamic-resource-allocation"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/kms"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/kube-aggregator"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/kubelet"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/mount-utils"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/pod-security-admission"
2025-10-19T13:38:10+03:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-10-19T13:38:11+03:00	DEBUG	[vex] VEX attestation found, taking the first one	type="oci" purl="pkg:oci/deckhouse-oss@sha256%3Af06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621?arch=amd64&repository_url=dev-registry.deckhouse.io%2Fsys%2Fdeckhouse-oss"
2025-10-19T13:38:11+03:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

Report Summary

┌────────────────────────┬──────────┬─────────────────┬─────────┐
│         Target         │   Type   │ Vulnerabilities │ Secrets │
├────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/bin/kube-apiserver │ gobinary │        0        │    -    │
└────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2025-10-19T13:38:11+03:00	DEBUG	Cleaning up temp directory	path="/var/folders/5z/wnbcfwpj1cn81svpqkq2d8y00000gn/T/trivy-12862"

So vex attestations randomly doesn't work.

Reproduction Steps

1. run trivy scan
2. repeat
3.
...

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

trivy image dev-registry.deckhouse.io/sys/deckhouse-oss@sha256:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621 --vex=oci -d
2025-10-19T13:38:09+03:00	DEBUG	No plugins loaded
2025-10-19T13:38:09+03:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-19T13:38:09+03:00	DEBUG	Cache dir	dir="/Users/ash/Library/Caches/trivy"
2025-10-19T13:38:09+03:00	DEBUG	Cache dir	dir="/Users/ash/Library/Caches/trivy"
2025-10-19T13:38:09+03:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-19T13:38:09+03:00	DEBUG	Ignore statuses	statuses=[]
2025-10-19T13:38:09+03:00	DEBUG	DB update was skipped because the local DB is the latest
2025-10-19T13:38:09+03:00	DEBUG	DB info	schema=2 updated_at=2025-10-19T06:31:25.987999439Z next_update=2025-10-20T06:31:25.987999018Z downloaded_at=2025-10-19T10:31:35.891964Z
2025-10-19T13:38:09+03:00	DEBUG	[pkg] Package types	types=[os library]
2025-10-19T13:38:09+03:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-10-19T13:38:09+03:00	INFO	[vuln] Vulnerability scanning is enabled
2025-10-19T13:38:09+03:00	INFO	[secret] Secret scanning is enabled
2025-10-19T13:38:09+03:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-10-19T13:38:09+03:00	INFO	[secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
2025-10-19T13:38:09+03:00	DEBUG	[notification] Running version check
2025-10-19T13:38:09+03:00	DEBUG	Initializing scan cache...	type="fs"
2025-10-19T13:38:10+03:00	DEBUG	[notification] Version check completed	latest_version="0.67.2"
2025-10-19T13:38:10+03:00	DEBUG	[image] Image found	image="dev-registry.deckhouse.io/sys/deckhouse-oss@sha256:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621" source="remote"
2025-10-19T13:38:10+03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-10-19T13:38:10+03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-10-19T13:38:10+03:00	DEBUG	Created process-specific temp directory	path="/var/folders/5z/wnbcfwpj1cn81svpqkq2d8y00000gn/T/trivy-12862"
2025-10-19T13:38:10+03:00	DEBUG	[image] Detected image ID	image_id="sha256:5a3453bf343d48c13d367b3b3f3e230403f56a4faac516852eed3e848e341f82"
2025-10-19T13:38:10+03:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:f45ce139e872d0d1b8295fedce6831e84c4a291d1e7450847d13a969f54c015c sha256:e89675a84b56f55b81c6d990f9415822935f585e94764775332bf5f60dcab98b sha256:85b36d99c12a91c90ff6e57145f66b706ec2de8fbf00004621c4c1c4eb6e1288 sha256:5167aac167fc05e03a9b3dcfc3e5af90935d44074e91af4082dc51ef2781cd97]
2025-10-19T13:38:10+03:00	DEBUG	[image] Detected base layers	diff_ids=[]
2025-10-19T13:38:10+03:00	DEBUG	OS is not detected.
2025-10-19T13:38:10+03:00	DEBUG	Detected OS: unknown
2025-10-19T13:38:10+03:00	INFO	Number of language-specific files	num=1
2025-10-19T13:38:10+03:00	INFO	[gobinary] Detecting vulnerabilities...
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/bin/kube-apiserver"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/kubernetes"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/api"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/apiextensions-apiserver"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/apimachinery"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/apiserver"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/client-go"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/cloud-provider"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/cluster-bootstrap"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/component-base"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/component-helpers"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/controller-manager"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/dynamic-resource-allocation"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/kms"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/kube-aggregator"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/kubelet"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/mount-utils"
2025-10-19T13:38:10+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="k8s.io/pod-security-admission"
2025-10-19T13:38:10+03:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-10-19T13:38:11+03:00	DEBUG	[vex] VEX attestation found, taking the first one	type="oci" purl="pkg:oci/deckhouse-oss@sha256%3Af06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621?arch=amd64&repository_url=dev-registry.deckhouse.io%2Fsys%2Fdeckhouse-oss"
2025-10-19T13:38:11+03:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

Report Summary

┌────────────────────────┬──────────┬─────────────────┬─────────┐
│         Target         │   Type   │ Vulnerabilities │ Secrets │
├────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/bin/kube-apiserver │ gobinary │        0        │    -    │
└────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2025-10-19T13:38:11+03:00	DEBUG	Cleaning up temp directory	path="/var/folders/5z/wnbcfwpj1cn81svpqkq2d8y00000gn/T/trivy-12862"



### Operating System

Mac OS X  Tahoe

### Version

```bash
trivy --version
Version: 0.67.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-10-19 06:31:25.987999439 +0000 UTC
  NextUpdate: 2025-10-20 06:31:25.987999018 +0000 UTC
  DownloadedAt: 2025-10-19 10:31:35.891964 +0000 UTC



### Checklist

- [X] Run `trivy clean --all`
- [ ] Read [the troubleshooting](https://trivy.dev/latest/docs/references/troubleshooting/)

DmitriyLewen · 2025-10-20T04:50:32Z

DmitriyLewen
Oct 20, 2025
Maintainer

Hello @RomanenkoDenys
Thanks for your report!

Unfortunately, I don’t have access to these images.
Could you push them to a public repository so I can take a look?

Regards, Dmitriy

0 replies

RomanenkoDenys · 2025-10-20T08:06:32Z

RomanenkoDenys
Oct 20, 2025
Author

Hello, Dmitriy Docker Hub cannot work at the moment, can i get additional information for you ? If you need, we can schedule meet. If you have public docker registry, i can push images to them. пн, 20 окт. 2025 г. в 07:50, DmitriyLewen ***@***.***>:

…

Hello @RomanenkoDenys <https://github.com/RomanenkoDenys> Thanks for your report! Unfortunately, I don’t have access to these images. Could you push them to a public repository so I can take a look? Regards, Dmitriy — Reply to this email directly, view it on GitHub <#9687 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/APVV47DCLTR2GUZRGZDGHTL3YRS2ZAVCNFSM6AAAAACJTFXCJSVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTINZSGU2TEOA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

1 reply

DmitriyLewen Oct 20, 2025
Maintainer

You can use ghcr.io or wait for Docker to fix its problems.

RomanenkoDenys · 2025-10-20T09:13:58Z

RomanenkoDenys
Oct 20, 2025
Author

Please use ***@***.***:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621 пн, 20 окт. 2025 г. в 11:46, DmitriyLewen ***@***.***>:

…

You can use ghcr.io or wait for Docker to fix its problems. — Reply to this email directly, view it on GitHub <#9687 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/APVV47D3SEIWZBI4EJJK2QL3YSONBAVCNFSM6AAAAACJTFXCJSVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTINZSG4YTENY> . You are receiving this because you were mentioned.Message ID: ***@***.***>

1 reply

DmitriyLewen Oct 21, 2025
Maintainer

Please use
@.***:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621

Is this typo?

RomanenkoDenys · 2025-10-21T06:18:25Z

RomanenkoDenys
Oct 21, 2025
Author

No, that's not mistake. It's like we store images in our registry. That's simple copy of image and vex attestation image. Scan results: ``` ***@***.***  ~  trivy image ***@***.***:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621 2025-10-21T09:16:42+03:00 INFO [vuln] Vulnerability scanning is enabled 2025-10-21T09:16:42+03:00 INFO [secret] Secret scanning is enabled 2025-10-21T09:16:42+03:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning 2025-10-21T09:16:42+03:00 INFO [secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection 2025-10-21T09:16:43+03:00 INFO Number of language-specific files num=1 2025-10-21T09:16:43+03:00 INFO [gobinary] Detecting vulnerabilities... Report Summary ┌────────────────────────┬──────────┬─────────────────┬─────────┐ │ Target │ Type │ Vulnerabilities │ Secrets │ ├────────────────────────┼──────────┼─────────────────┼─────────┤ │ usr/bin/kube-apiserver │ gobinary │ 1 │ - │ └────────────────────────┴──────────┴─────────────────┴─────────┘ Legend: - '-': Not scanned - '0': Clean (no security findings detected) usr/bin/kube-apiserver (gobinary) Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0) ┌────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────┤ │ gopkg.in/square/go-jose.v2 │ CVE-2024-28180 │ MEDIUM │ affected │ v2.6.0 │ │ jose-go: improper handling of highly compressed data │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-28180 │ └────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────┘ ***@***.***  ~  trivy image ***@***.***:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621 --vex=oci 2025-10-21T09:16:50+03:00 INFO [vuln] Vulnerability scanning is enabled 2025-10-21T09:16:50+03:00 INFO [secret] Secret scanning is enabled 2025-10-21T09:16:50+03:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning 2025-10-21T09:16:50+03:00 INFO [secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection 2025-10-21T09:16:51+03:00 INFO Number of language-specific files num=1 2025-10-21T09:16:51+03:00 INFO [gobinary] Detecting vulnerabilities... 2025-10-21T09:16:53+03:00 INFO Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them. Report Summary ┌────────────────────────┬──────────┬─────────────────┬─────────┐ │ Target │ Type │ Vulnerabilities │ Secrets │ ├────────────────────────┼──────────┼─────────────────┼─────────┤ │ usr/bin/kube-apiserver │ gobinary │ 0 │ - │ └────────────────────────┴──────────┴─────────────────┴─────────┘ Legend: - '-': Not scanned - '0': Clean (no security findings detected) ``` вт, 21 окт. 2025 г. в 08:26, DmitriyLewen ***@***.***>:

…

Please use *@*.***:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621 Is this typo? — Reply to this email directly, view it on GitHub <#9687 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/APVV47ALHWTUAHJJWAADHXL3YW72HAVCNFSM6AAAAACJTFXCJSVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTINZTGYYTENI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

1 reply

DmitriyLewen Oct 21, 2025
Maintainer

I need the image itself.
Without it, I can't help you figure out why Trivy isn't applying Vex rules.

Docker has fixed their issues. You can push images to Dockerhub.

RomanenkoDenys · 2025-10-21T06:46:49Z

RomanenkoDenys
Oct 21, 2025
Author

Sorry Dmitriy, i do not understand your question. What image you need ? The image we are scanning? It's ***@***.***:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621 Vex attestation image ? It's ghcr.io/romanenkodenys/trivy-image:sha256-f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621.att All of them are public images. WBR, Denis Romanenko вт, 21 окт. 2025 г. в 09:42, DmitriyLewen ***@***.***>:

…

I need the image itself. Without it, I can't help you figure out why Trivy isn't applying Vex rules. Docker has fixed their issues. You can push images to Dockerhub. — Reply to this email directly, view it on GitHub <#9687 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/APVV47AHMNZQLHPXFLHZNZL3YXIVVAVCNFSM6AAAAACJTFXCJSVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTINZTGY3DMNY> . You are receiving this because you were mentioned.Message ID: ***@***.***>

4 replies

DmitriyLewen Oct 21, 2025
Maintainer

@.***:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621

Repository of this image is ***

RomanenkoDenys Oct 21, 2025
Author

Dmitriy, sorry. It's github joke. Original image - ghcr.io/romanenkodenys/trivy-image@sha256:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621

DmitriyLewen Oct 21, 2025
Maintainer

Your image contains multiple attestations.
cosign returns them in a random order.

➜ cosign download attestation ghcr.io/romanenkodenys/trivy-image@sha256:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621 | jq -r .payload | base64 -d | jq . | grep '"products":' -A 3
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
          }
--
        "products": [
          {
            "@id": "pkg:golang/gopkg.in/square/go-jose.v2"
          }
--
        "products": [
          {
            "@id": "pkg:golang/gopkg.in/square/go-jose.v2"
          }
➜ cosign download attestation ghcr.io/romanenkodenys/trivy-image@sha256:f06408e2be680aa9e9526f498d8fa93f9e83da81248082e1fe3001318977c621 | jq -r .payload | base64 -d | jq . | grep '"products":' -A 3
        "products": [
          {
            "@id": "pkg:golang/gopkg.in/square/go-jose.v2"
          }
--
        "products": [
          {
            "@id": "pkg:golang/gopkg.in/square/go-jose.v2"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
          }
--
        "products": [
          {
            "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
          }

However, Trivy only takes the first attestation.
@knqyf263 IIUC we we take only first doc because we should take latest VEX, but correct if i am wrong.

That’s why it shows different results.
Therefore, to get a stable result, you need to keep only one VEX.

knqyf263 Oct 21, 2025
Maintainer

Yes. I also considered the idea of sorting by timestamp, but since the timestamp was not mandatory (though I’m not sure about the current situation), and because VEX attestation discovery is an experimental feature, the implementation is kept simple to just retrieve the first attestation.

RomanenkoDenys · 2025-10-21T08:14:04Z

RomanenkoDenys
Oct 21, 2025
Author

Thanks, this will solve my problem

0 replies

trivy scan prints different results on simultaneous scans #9687

Uh oh!

RomanenkoDenys Oct 19, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Replies: 6 comments · 7 replies

Uh oh!

DmitriyLewen Oct 20, 2025 Maintainer

Uh oh!

RomanenkoDenys Oct 20, 2025 Author

Uh oh!

DmitriyLewen Oct 20, 2025 Maintainer

Uh oh!

RomanenkoDenys Oct 20, 2025 Author

Uh oh!

DmitriyLewen Oct 21, 2025 Maintainer

Uh oh!

RomanenkoDenys Oct 21, 2025 Author

Uh oh!

Uh oh!

DmitriyLewen Oct 21, 2025 Maintainer

Uh oh!

RomanenkoDenys Oct 21, 2025 Author

Uh oh!

DmitriyLewen Oct 21, 2025 Maintainer

Uh oh!

RomanenkoDenys Oct 21, 2025 Author

Uh oh!

Uh oh!

DmitriyLewen Oct 21, 2025 Maintainer

Uh oh!

knqyf263 Oct 21, 2025 Maintainer

Uh oh!

RomanenkoDenys Oct 21, 2025 Author

RomanenkoDenys
Oct 19, 2025

Replies: 6 comments 7 replies

DmitriyLewen
Oct 20, 2025
Maintainer

RomanenkoDenys
Oct 20, 2025
Author

DmitriyLewen Oct 20, 2025
Maintainer

RomanenkoDenys
Oct 20, 2025
Author

DmitriyLewen Oct 21, 2025
Maintainer

RomanenkoDenys
Oct 21, 2025
Author

DmitriyLewen Oct 21, 2025
Maintainer

RomanenkoDenys
Oct 21, 2025
Author

DmitriyLewen Oct 21, 2025
Maintainer

RomanenkoDenys Oct 21, 2025
Author

DmitriyLewen Oct 21, 2025
Maintainer

knqyf263 Oct 21, 2025
Maintainer

RomanenkoDenys
Oct 21, 2025
Author