Troubleshooting

Scan

Timeout

Error

    $ trivy image ...
    ...
    analyze error: timeout: context deadline exceeded

Your scan may time out. Java takes a particularly long time to scan. Try increasing the value of the --timeout option, for example --timeout 15m.

Certification

Error

Error: x509: certificate signed by unknown authority

TRIVY_INSECURE can be used to allow insecure connections to a container registry when using SSL.

    $ TRIVY_INSECURE=true trivy image [YOUR_IMAGE]

GitHub Rate limiting

Error

    $ trivy image ...
    ...
    API rate limit exceeded for xxx.xxx.xxx.xxx.

Specify GITHUB_TOKEN for authentication. See https://developer.github.com/v3/#rate-limiting

    $ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10

Maven rate limiting

Error

    $ trivy image ...
    ...
    status 403 Forbidden from http://search.maven.org/solrsearch/select

Trivy calls the Maven API for better detection of JAR files, but many requests may exceed the rate limit. If this happens frequently, try the --offline-scan option to stop Trivy from making API requests. This option affects only vulnerability scanning. The vulnerability database and builtin policies are downloaded as usual. If you want to skip them as well, you can try --skip-update and --skip-policy-update.

Note that the number of detected vulnerabilities may be lower than without the --offline-scan option.

Running in parallel takes the same time as running in series

When running Trivy on multiple images simultaneously, it will take the same time as running Trivy in series.
This is because of a limitation of boltdb.

Bolt obtains a file lock on the data file so multiple processes cannot open the same database at the same time. Opening an already open Bolt database will cause it to hang until the other process closes it.

Reference: boltdb: Opening a database.
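
The serialization described above can be reproduced with a small model. This is an added example, not code from Trivy or Bolt: it assumes a Unix system and uses an exclusive flock on a temporary file as a stand-in for Bolt's file lock, with a constructed 0.3 s "scan" per worker; the separate-file run is only a contrast to show that the shared lock is what makes the parallel run take as long as a serial one.

```python
import fcntl
import os
import tempfile
import threading
import time

HOLD_SECONDS = 0.3  # constructed stand-in for how long one scan keeps the DB open


def scan(db_path, hold=HOLD_SECONDS):
    """Model one scanner: open the DB file, take the lock, work, release."""
    with open(db_path, "a+b") as db:
        fcntl.flock(db, fcntl.LOCK_EX)  # blocks while another opener holds the lock
        try:
            time.sleep(hold)            # the "scan" runs while the lock is held
        finally:
            fcntl.flock(db, fcntl.LOCK_UN)


def run_parallel(db_paths):
    """Start one worker per path simultaneously; return wall-clock seconds."""
    workers = [threading.Thread(target=scan, args=(p,)) for p in db_paths]
    start = time.monotonic()
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return time.monotonic() - start


def compare(n=3):
    """Return (shared_file_seconds, separate_files_seconds) for n workers."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "shared.db")
        separate = [os.path.join(tmp, f"worker{i}.db") for i in range(n)]
        return run_parallel([shared] * n), run_parallel(separate)


if __name__ == "__main__":
    shared, separate = compare()
    # Workers on the same file wait for each other, so the time adds up.
    print(f"same file: {shared:.2f}s   separate files: {separate:.2f}s")
```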

Error downloading vulnerability DB

Error

FATAL failed to download vulnerability DB

If Trivy is running behind a corporate firewall, try to whitelist the URLs below:

  • api.github.com
  • github.com
  • github-releases.githubusercontent.com

Homebrew

Scope error

Error

Error: Your macOS keychain GitHub credentials do not have sufficient scope!

    $ brew tap aquasecurity/trivy
    Error: Your macOS keychain GitHub credentials do not have sufficient scope!
    Scopes they need: none
    Scopes they have:
    Create a personal access token:
    https://github.com/settings/tokens/new?scopes=gist,public_repo&description=Homebrew
    echo 'export HOMEBREW_GITHUB_API_TOKEN=your_token_here' >> ~/.zshrc

Try:

    $ printf "protocol=https\nhost=github.com\n" | git credential-osxkeychain erase

Already installed

Error

Error: aquasecurity/trivy/trivy 64 already installed

    $ brew upgrade
    ...
    Error: aquasecurity/trivy/trivy 64 already installed

Try:

    $ brew unlink trivy && brew uninstall trivy
    ($ rm -rf /usr/local/Cellar/trivy/64)
    $ brew install aquasecurity/trivy/trivy

Others

Unknown error

Try again with the --reset option:

    $ trivy image --reset