-
Question
Hello, recently Trivy is having issues updating the database before scanning container images. To isolate the problem, I have introduced a separate update task which runs the update-only commands. Here is the update command's output:
From my point of view, it looks like a problem related to the GitHub container registry. I guess there is some kind of DDoS protection in place. Has anyone already faced the same issue? Or already found a solution? Best regards

Target: Container Image
Scanner: None
Output Format: None
Mode: Standalone
Operating System: Ubuntu
Version: 0.54.1
Replies: 13 comments 57 replies
-
Hi @gwitsch! We have encountered the same thing in CI and are still looking into the problem.
-
Please see https://aquasecurity.github.io/trivy/v0.55/docs/references/troubleshooting/#github-rate-limiting
-
We published trivy-db in Amazon ECR Public Gallery as well as GHCR. The following should work now. We'll update the documentation tomorrow.
-
I've not been able to get a successful Trivy run in GitLab for the last few hours due to this issue. We've seen it on and off in the past, but all of our installs fail 100% now. This is causing our pipelines to fail, so we can no longer merge code.
-
I found an option to create a local cache by setting the environment variable TRIVY_CACHE_DIR= and using the command trivy --download-db-only. It downloads the database to the specified path, and when scanning images it won't connect to https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2. I think this could solve the issue. Doc: https://aquasecurity.github.io/trivy/v0.56/docs/advanced/air-gap/#populating-the-trivy-cache
-
But when you need to update your database, the issue keeps happening. I use GitHub Actions here, and the solution I had to use was caching the DB and changing the repository in the config file to the new one they sent here; the issue now happens much less often.
-
I tried all of the suggestions above. Running on GitLab, enabled artifacts for the
I am scanning ~6-7 images in separate pipelines, so it makes sense that I am hitting some rate limit, but I cannot figure out how I am supposed to be configuring this cache to work properly... I think the real issue is that
Am I missing a CLI flag or something?
-
Anyone trying to run it locally as part of pre-commit checks when pushing the code upstream?

    # .pre-commit-config.yaml
    default_stages:
      - pre-commit
    repos:
      - repo: local
        hooks:
          - id: trivy-fs
            stages:
              - pre-push
            name: trivy-fs
            language: docker_image
            # for docker_image hooks the entry is split and passed to `docker run`:
            # docker options first, then the image, then the trivy arguments.
            # Mounting /tmp as /.cache keeps the downloaded DB between runs.
            entry: -v /tmp:/.cache aquasec/trivy:latest fs -c .config/trivy.yaml .
            pass_filenames: false
-
We found that
-
Tried @knqyf263's answer and it worked for the Trivy DB, but I was still getting request errors for the Java DB; tried with the AWS ECR gallery and that worked.
-
v0.57.1 with
-
I get this:

    2024-11-19T10:47:01Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:d8f527b0dde6241ad3cfa63f82e6b0a8c9a64ba55571a06063dad700b3a15390: TOOMANYREQUESTS: retry-after: 426.501µs, allowed: 44000/minute"

after flipping to
-
Currently getting an error, even with the new GCR mirror on Trivy
I consider a delay of up to one hour in updating the DBs to be acceptable. I'd set mirror.gcr.io as primary and ghcr.io as secondary.
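The two ideas that recur in this thread, downloading the DB once into TRIVY_CACHE_DIR and scanning with updates skipped (the --download-db-only reply above) and listing a mirror before ghcr.io so the registry that rate-limits is only a fallback (the reply just above), fit together in one CI wrapper. The script below is an added example written for this page; it is not code from the Trivy project or from anyone in the thread. It assumes Trivy 0.57 or later, where --db-repository and --java-db-repository accept a comma-separated list tried in order; it assumes Trivy writes db/metadata.json and java-db/metadata.json under the cache directory after a successful download; and the mirror.gcr.io/aquasec/... repository paths and the :1 Java DB tag are taken from the Trivy documentation, not from this thread, which only names the mirror.gcr.io and ghcr.io hosts and the ghcr.io/aquasecurity/trivy-db:2 path. The file name trivy-cached.sh is hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not code from the Trivy project or from this thread.
# Refresh the vulnerability DB and the Java DB in a shared cache at most once
# per hour, trying a mirror before ghcr.io, then scan from that cache with
# updates disabled so the scan step itself never talks to a registry.
set -eu

TRIVY_CACHE_DIR="${TRIVY_CACHE_DIR:-${HOME:-/tmp}/.cache/trivy}"
DB_MAX_AGE="${DB_MAX_AGE:-3600}"     # seconds; one hour, as the last reply considers acceptable
BACKOFF_STEP="${BACKOFF_STEP:-15}"   # seconds; wait grows linearly with the attempt number

# Repositories are tried left to right (assumes Trivy >= 0.57, which accepts a
# comma-separated list with fallback). The mirror.gcr.io paths and the :1 Java DB
# tag are assumptions taken from the Trivy docs, not from this thread.
DB_REPOS="${DB_REPOS:-mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db:2}"
JAVA_DB_REPOS="${JAVA_DB_REPOS:-mirror.gcr.io/aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db:1}"

# file_age_ok FILE MAX_AGE: succeed only if FILE exists and is younger than MAX_AGE seconds.
file_age_ok() {
  local file="$1" max_age="$2" now mtime
  [ -f "$file" ] || return 1
  now=$(date +%s)
  # GNU stat first, BSD/macOS stat as fallback.
  mtime=$(stat -c %Y "$file" 2>/dev/null || stat -f %m "$file")
  [ $(( now - mtime )) -lt "$max_age" ]
}

# with_backoff MAX_ATTEMPTS CMD...: rerun CMD until it succeeds or MAX_ATTEMPTS is
# reached, sleeping BACKOFF_STEP * attempt seconds in between. This is what absorbs
# a transient TOOMANYREQUESTS from the registry instead of failing the pipeline.
with_backoff() {
  local max="$1" attempt=1
  shift
  until "$@"; do
    [ "$attempt" -lt "$max" ] || return 1
    sleep $(( BACKOFF_STEP * attempt ))
    attempt=$(( attempt + 1 ))
  done
}

# refresh_dbs CACHE: download each DB only when its cached copy is older than DB_MAX_AGE.
# Assumed cache layout: CACHE/db/metadata.json and CACHE/java-db/metadata.json, whose
# mtime is the last-updated marker.
refresh_dbs() {
  local cache="$1"
  if ! file_age_ok "$cache/db/metadata.json" "$DB_MAX_AGE"; then
    with_backoff 4 trivy --cache-dir "$cache" image --download-db-only \
      --db-repository "$DB_REPOS"
  fi
  if ! file_age_ok "$cache/java-db/metadata.json" "$DB_MAX_AGE"; then
    with_backoff 4 trivy --cache-dir "$cache" image --download-java-db-only \
      --java-db-repository "$JAVA_DB_REPOS"
  fi
}

# scan_image CACHE IMAGE: scan from the cache only; no DB update can happen here.
scan_image() {
  local cache="$1" image="$2"
  trivy --cache-dir "$cache" image --skip-db-update --skip-java-db-update "$image"
}

# Usage: ./trivy-cached.sh IMAGE [IMAGE...]; with no arguments only the functions are defined.
if [ "$#" -gt 0 ]; then
  refresh_dbs "$TRIVY_CACHE_DIR"
  for image in "$@"; do
    scan_image "$TRIVY_CACHE_DIR" "$image"
  done
fi
```

Point TRIVY_CACHE_DIR at a directory your CI restores between jobs (a GitLab cache or actions/cache entry keyed on the runner or the day), so the one-hour window spans pipelines rather than a single job. Only refresh_dbs can hit a registry, so a burst of 6-7 image scans costs at most one DB download per hour instead of one per pipeline. Because the script runs under set -e, a refresh that exhausts its retries aborts before scanning rather than silently scanning against a stale DB; if you would rather scan with the last good copy, wrap the refresh_dbs call in an if and log the failure.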