Trivy Config Fatal Scan Error - Failed to initialize built-in policies (OPA bundle error, OCI repository error) #1254
Comments
Thanks for the report. It looks like https://ghcr.io was down or unstable. Are you still facing the same issue?
Hi @knqyf263, yes I'm still seeing the same error. Here's the latest
Hi @knqyf263, so I've made another discovery that may/may not help determine the root cause. I've run That's the only difference. Interestingly, the Microsoft-hosted agent did not have any issues, whereas the self-hosted agent did. The latest run attempt threw this error:
2021-10-05T00:06:22.974Z FATAL scan error: failed to initialize built-in policies: failed to download built-in policies: OPA bundle error: OCI repository error: Get "https://ghcr.io/v2/": net/http: TLS handshake timeout
Any thoughts as to why that would be? Any specifics that might need to be accounted for with self-hosted agents?
The error seems to be irrelevant to Trivy. Again, looks like the network issue. Does the following command work in your environment?
Hey @knqyf263, it doesn't look like the {"errors":[{"code":"UNAUTHORIZED","message":"authentication required"}]}
UNAUTHORIZED is ok since it means it is reachable. If you cannot reach GHCR from your env, you should investigate your network.
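As an added example (not code from the Trivy project or from anyone in this thread), the reachability rule stated above written as a small Go probe: it requests the registry's /v2/ endpoint (https://ghcr.io/v2/ is the URL from the error) and treats HTTP 200, or 401 carrying the OCI UNAUTHORIZED body shown above, as "reachable", while a TLS handshake or connection timeout is reported as a filtered egress path. The Verdict names and the 10s/15s timeouts are my choices; the client honours HTTPS_PROXY/NO_PROXY via http.ProxyFromEnvironment.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)
type Verdict string // what a probe of the registry's /v2/ endpoint tells us
const (
	Reachable  Verdict = "reachable (401 UNAUTHORIZED is normal for anonymous access)"
	Blocked    Verdict = "timed out: egress to the registry is filtered or needs a proxy"
	Unexpected Verdict = "unexpected response"
)
// ProbeRegistry GETs <base>/v2/ and applies the rule from the thread: HTTP 200, or 401 with
// an OCI UNAUTHORIZED error body, means reachable; a (TLS handshake) timeout means blocked.
func ProbeRegistry(client *http.Client, base string, timeout time.Duration) (Verdict, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, base+"/v2/", nil)
	if err != nil {
		return Unexpected, err
	}
	resp, err := client.Do(req)
	if err != nil {
		var nerr net.Error // net/http's "TLS handshake timeout" is a net.Error with Timeout() == true
		if (errors.As(err, &nerr) && nerr.Timeout()) || errors.Is(err, context.DeadlineExceeded) {
			return Blocked, err
		}
		return Unexpected, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
	var oe struct{ Errors []struct{ Code string } `json:"errors"` } // shape of GHCR's anonymous reply
	if resp.StatusCode == http.StatusOK || (resp.StatusCode == http.StatusUnauthorized &&
		json.Unmarshal(body, &oe) == nil && len(oe.Errors) > 0 && oe.Errors[0].Code == "UNAUTHORIZED") {
		return Reachable, nil
	}
	return Unexpected, fmt.Errorf("HTTP %d: %s", resp.StatusCode, body)
}

func main() {
	client := &http.Client{Transport: &http.Transport{Proxy: http.ProxyFromEnvironment, TLSHandshakeTimeout: 10 * time.Second}}
	v, err := ProbeRegistry(client, "https://ghcr.io", 15*time.Second)
	fmt.Println(v, err)
}
```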
@knqyf263 Can you tell us the exact URL (or even a glob) that trivy is trying to reach out to for policy updates? I'm having a similar problem but I need to whitelist this URL in my firewall.
@jpinkham, I'm in the same situation (RE: firewall). Based on the Built-In Policies documentation...
I'm just not sure if there's more to it. Appreciate any clarity/guidance you can provide to us, @knqyf263
This issue is stale because it has been labeled with inactivity.
I'm sorry I missed your messages. We have a list here, but this is for the vulnerability database. As for builtin policies,
@AErmie: You may find this very recent update helpful in https://github.com/aquasecurity/trivy/blob/main/docs/advanced/air-gap.md . It now contains info on downloading policies for offline use. Also https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/troubleshooting.md has a new additional site that needs whitelisting (I think it's only needed if you're on the most recent version of trivy). The PR #1539 has a bunch of stuff related to the DBs, including the document updates. Specific to doing offline scans in a fully air-gapped environment, there are changes in #1511 and #1512. I verified that using the "--offline-scan" option works beautifully for java (though it of course cannot detect anything for java as a result). Combined with "--debug", you can see what dependencies are trying to be resolved and then skipped because they couldn't be found locally nor online... and no delay waiting for a timeout. Thanks so much @knqyf263!!!!!
@jpinkham the mentioned documentation is not available anymore and there is an issue accessing ghcr.io again.
Description
When running Trivy config (using the Docker container method), to scan a Dockerfile, a fatal error is thrown about the OPA policies.
Command Used
What did you expect to happen?
Trivy to complete the scan of the Dockerfile.
What happened instead?
The following error is thrown:
FATAL scan error: failed to initialize built-in policies: failed to download built-in policies: OPA bundle error: OCI repository error: Get "https://ghcr.io/v2/": net/http: TLS handshake timeout
Output of run with -debug:
Output of trivy -v:
Additional details (base image name, container registry info...):