我正在尝试从 CircleCI 中运行 Trivy Scan 并且总是遇到同样的问题。我一直禁用它,但显然扫描容器很有用。
关于“谷歌”的建议说您需要使用 GITHUB_TOKEN 来停止速率限制,但是,正如您在调试中看到的那样,我使用的是 GITHUB_TOKEN - 也许它是错误的,因为它是我的令牌(私人GitHub)项目。你如何解决这个问题?我可以先下载并安装带有 curl 或类似功能的数据库吗?
版本:
aquasecurity/trivy info found version: 0.16.0 for v0.16.0/Linux/64bit
命令:
trivy --light --token dummy -d -s "UNKNOWN,MEDIUM,HIGH,CRITICAL" --exit-code 1 ${IMAGE}
错误:
2021-03-14T21:05:47.652Z INFO Using your github token
2021-03-14T21:05:47.652Z INFO Need to update DB
2021-03-14T21:05:47.652Z INFO Downloading DB...
2021-03-14T21:05:47.729Z FATAL failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: GET https://api.github.com/repos/aquasecurity/trivy-db/releases: 401 Bad credentials []
make: *** [Makefile:46: scan] Error 1
并使用调试:
trivy --light -d -s "UNKNOWN,MEDIUM,HIGH,CRITICAL" --exit-code 1 image...
2021-03-14T20:36:49.316Z DEBUG Severities: UNKNOWN,MEDIUM,HIGH,CRITICAL
2021-03-14T20:36:49.317Z DEBUG cache dir: /root/.cache/trivy
2021-03-14T20:36:49.317Z INFO Using your github token
2021-03-14T20:36:49.317Z DEBUG There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2021-03-14T20:36:49.317Z INFO Need to update DB
2021-03-14T20:36:49.317Z INFO Downloading DB...
2021-03-14T20:36:49.317Z DEBUG no metadata file
2021-03-14T20:36:49.416Z FATAL failed to download vulnerability DB:
github.com/aquasecurity/trivy/internal/operation.DownloadDB
/home/circleci/project/internal/operation/operation.go:91
- failed to download vulnerability DB:
github.com/aquasecurity/trivy/pkg/db.Client.Download
/home/circleci/project/pkg/db/db.go:169
- failed to list releases:
github.com/aquasecurity/trivy/pkg/github.Client.DownloadDB
/home/circleci/project/pkg/github/github.go:89
- GET https://api.github.com/repos/aquasecurity/trivy-db/releases: 401 Bad credentials []
make: *** [Makefile:45: scan] Error 1
Exited with code exit status 2
CircleCI received exit code 2