Image scan ends with no result/summary of findings

[Dileep17]

Question

Hi! Im new to Trivy. Based on my understanding of the trivy image scan, after scan is completed, we would get the vulnerability report. If no vulnerabilities are found, summary would be as below

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

I build a docker image with base image as golang:1.21.11-alpine.
Trivy image scan of the image is not printing summary!

Logs

➜  ~ trivy -d image xray-docker-1.21.11
2024-06-21T17:49:26+08:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-21T17:49:26+08:00	DEBUG	Ignore statuses	statuses=[]
2024-06-21T17:49:26+08:00	DEBUG	Cache dir	dir="/Users/dileep/Library/Caches/trivy"
2024-06-21T17:49:26+08:00	DEBUG	DB update was skipped because the local DB is the latest
2024-06-21T17:49:26+08:00	DEBUG	DB info	schema=2 updated_at=2024-06-21T06:12:43.970221161Z next_update=2024-06-21T12:12:43.97022092Z downloaded_at=2024-06-21T09:10:54.857905Z
2024-06-21T17:49:26+08:00	INFO	Vulnerability scanning is enabled
2024-06-21T17:49:26+08:00	DEBUG	Vulnerability type	type=[os library]
2024-06-21T17:49:26+08:00	INFO	Secret scanning is enabled
2024-06-21T17:49:26+08:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-21T17:49:26+08:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-21T17:49:26+08:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-06-21T17:49:26+08:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-06-21T17:49:26+08:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-06-21T17:49:26+08:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-06-21T17:49:26+08:00	DEBUG	[image] Detected image ID	image_id="sha256:8b2ae480c5c35cf45487a5a356c80f7817402df5a7b7dc4725c7a34af65756f7"
2024-06-21T17:49:26+08:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:23adb073c60cf2ad71909ab0d70f1cd636d4511389cfd814af777aa5976b770e sha256:7b26c5cdb0b98b95648038c82b684ee35a0c4767597645aa2e29834f74fea0f7 sha256:981d39aae5d8f5c86adc978359c47f35775193abade2f51318e2e3cb1390248e sha256:f617648764654a3fac6fdd5f9497d7a595b25df865ba8b34cf0264749b7d2e2b]
2024-06-21T17:49:26+08:00	DEBUG	[image] Detected base layers	diff_ids=[]
2024-06-21T17:49:26+08:00	DEBUG	OS is not detected.
2024-06-21T17:49:26+08:00	DEBUG	Detected OS: unknown
2024-06-21T17:49:26+08:00	INFO	Number of language-specific files	num=1
2024-06-21T17:49:26+08:00	INFO	[gobinary] Detecting vulnerabilities...
2024-06-21T17:49:26+08:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="xray"
2024-06-21T17:49:26+08:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/aws/aws-xray-daemon"

Note, there is no summary after the image scan completed.

I have two questions

1. [gobinary] Skipping vulnerability scan as no version is detected for the package name="github.com/aws/aws-xray-daemon" what does this mean ?
2. Why there is no summary at the end of the scan ? (am I doing something wrong?)

Thank you in advance.

Target

Container Image

Scanner

None

Output Format

Table

Mode

Standalone

Operating System

macOS Monterey (12.5.1)

Version

Version: 0.52.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-21 06:12:43.970221161 +0000 UTC
  NextUpdate: 2024-06-21 12:12:43.97022092 +0000 UTC
  DownloadedAt: 2024-06-21 09:10:54.857905 +0000 UTC

[DmitriyLewen]

Hello @Dileep17
Thanks for your interest to Trivy!

[gobinary] Skipping vulnerability scan as no version is detected for the package name="github.com/aws/aws-xray-daemon" what does this mean ?

We can't always determine version for gobinary (https://aquasecurity.github.io/trivy/v0.52/docs/coverage/language/golang/#empty-versions).
If the version is not found, Trivy doesn't look for vulnerabilities for this package.

Why there is no summary at the end of the scan ? (am I doing something wrong?)

Looks like your (xray-docker-1.21.11) image doesn't contain info about OS:

2024-06-21T17:49:26+08:00	DEBUG	OS is not detected.
2024-06-21T17:49:26+08:00	DEBUG	Detected OS: unknown

Trivy doesn't show summary table if OS is not found.

UPD
Trivy works correctly for golang:1.21.11-alpine:

➜  trivy -q image golang:1.21.11-alpine

golang:1.21.11-alpine (alpine 3.20.1)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Regards, Dmitriy

[Dileep17]

Trivy doesn't show summary table if OS is not found.
ah! that makes sense as I copied the go binary built in golang to scratch. My bad I mentioned base image is golang!
Thank you @DmitriyLewen

I feel it would be great to show message/summary that suggests the scan ended incomplete as OS not found, instead of no summary.

[DmitriyLewen]

FYI:
We are planning to add summary table - #8177

[sohail7867]

Hi @DmitriyLewen,

I'm experiencing a similar issue when running the trivy image scan using github actions. There is no output, and the scan fails with exit code 1. I'm looking for detailed vulnerability information. Could you please guide me on how to resolve this?

Github actions:

 - name: Build Container
    run: |
      docker build -t trivy:scan .
          
  - name: Trivy Scan (Container) - Critical & High
    uses: aquasecurity/trivy-action@master
    env:
      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
      TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
      TRIVY_DISABLE_VEX_NOTICE: true
      TRIVY_DEBUG: "true"
    # TRIVY_SKIP_DB_UPDATE: "true"
      TRIVY_CACHE_DIR: ${{ github.workspace }}/.cache/trivy
    with:
      image-ref: "trivy:scan"
      exit-code: "1"
      ignore-unfixed: true
      vuln-type: "os,library"
      severity: "CRITICAL,HIGH"
      hide-progress: false
      format: "table"
      output: trivy.txt

2025-01-21T18:00:52Z	INFO	Detected OS	family="debian" version="11.10"
217
2025-01-21T18:00:52Z	INFO	[debian] Detecting vulnerabilities...	os_version="11" pkg_num=3
218
2025-01-21T18:00:52Z	INFO	Number of language-specific files	num=1
219
2025-01-21T18:00:52Z	INFO	[gobinary] Detecting vulnerabilities...
220
2025-01-21T18:00:52Z	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="root/main"
221
2025-01-21T18:00:52Z	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/associations"
222
2025-01-21T18:00:52Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.57/docs/scanner/vulnerability#severity-selection for details.
223
2025-01-21T18:00:52Z	DEBUG	Found an ignore file	file_path=".trivyignore"
224
2025-01-21T18:00:52Z	DEBUG	[vex] VEX filtering is disabled
225
Error: Process completed with exit code 1.

[DmitriyLewen]

hi @sohail7867
You save the vulnerability table to trivy.txt.

That's why you only see Trivy logs in the logs.

You need to remove output: trivy.txt or check trivy.txt in another step.