I am currently using the trivy scanner to scan images in the pipeline. This has worked very well until now. But recently it is necessary to scan the image from an internal Openshift registry.

Unfortunately I have the problem that I do not know how to authenticate trivy against the internal registry. The documentation does not give any information regarding Openshift. It describes Azure and AWS as well as github.

My scan command currently looks like this in groovy:

trivy image --ignore-unfixed --format template --template \"path for output\" --output trivy_image_report.html --skip-update --offline-scan $image

Output:

INFO    Vulnerability scanning is enabled
INFO    Secret scanning is enabled
INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
INFO    Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
FATAL   image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
        * unable to inspect the image (openshiftregistry/namespace/imagestream:tag): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
        * unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
        * containerd socket not found: /run/containerd/containerd.sock
        * GET https://openshiftregistry/v2/namespace/imagestream/manifests/tag: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:namespace/imagestream Type:repository]]

The image is stored within an imageStream in Openshift. Is there something I can add to the trivy command to authenticate the service against the registry, or is there something else that has to be done before I use the command in groovy?

Thanks for help

  • I had this happen to me as well, the `UNAUTHORIZED` is likely a red herring, and the true issue is the `Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?` error message. Are you on MacOS by chance? – Will Gordon Dec 12 '22 at 15:04
  • This is executed in a Jenkins pipeline on a Jenkins slave. The script which performs the scan is written in groovy. The OS inside the Jenkins slave is RHEL. – Karlito Brigante Dec 12 '22 at 15:13
  • And your podman socket is enabled? `systemctl enable --now podman.socket` – Will Gordon Dec 12 '22 at 16:12
  • The problem with these errors is that it generally throws all errors when trivy can't access the image. I'm pretty sure the authentication is the problem. It worked before I had to use the internal openshift registry. I used Quay.io before with no problems. – Karlito Brigante Dec 12 '22 at 16:27
  • Ok, sorry, that's my fault. I didn't realize that the switch to the OpenShift registry was new. First thing, make sure you [expose the registry](https://docs.openshift.com/container-platform/4.11/registry/securing-exposing-registry.html) if you haven't. Secondly, I recommend setting up a Service Account with the ["registry-viewer" role](https://docs.openshift.com/container-platform/4.11/registry/accessing-the-registry.html). Finally, create a token for that SA to be able to authenticate with the registry. – Will Gordon Dec 12 '22 at 18:19
  • Then you would authenticate with `podman login -u -p $(oc sa get-token )`. Presumably this should all work fine, and gives you the authentication piece that's missing – Will Gordon Dec 12 '22 at 18:21
  • Thanks @WillGordon. Your links were very helpful. It works now as expected. – Karlito Brigante Dec 14 '22 at 11:45

1 Answer

Thanks to Will Gordon in the comments. This link was very helpful: Access the Registry (Openshift).

These lines helped me (more information can be found on the linked site):

oc login -u kubeadmin -p <password_from_install_log> https://api-int.<cluster_name>.<base_domain>:6443

And

podman login -u kubeadmin -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000

Thanks
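The steps from the comments and the answer, put together as a pipeline-friendly wrapper. This is an added example, not code from the question, the answer, or the Trivy/OpenShift projects. It fetches a token for a dedicated service account (the registry-viewer approach suggested in the comments, so no kubeadmin credentials live on the Jenkins slave), passes it to trivy through the TRIVY_USERNAME/TRIVY_PASSWORD environment variables so the image is pulled straight from the registry API without a Docker or Podman socket, and triages trivy's aggregated four-error output so the real failure is visible in the build log. The service account name, its namespace, and the template path are placeholders; the registry host defaults to the one used in the answer.

```shell
#!/bin/sh
# Added example for this thread (not from the question, the answer, or the
# Trivy/OpenShift projects). Wraps the oc/trivy steps discussed above.
# Assumptions (not from the page): SA_NAME, SA_NAMESPACE and TEMPLATE_PATH are
# placeholders; REGISTRY_HOST defaults to the host shown in the answer.

REGISTRY_HOST="${REGISTRY_HOST:-image-registry.openshift-image-registry.svc:5000}"
SA_NAMESPACE="${SA_NAMESPACE:-ci-scanning}"            # placeholder: namespace of the SA
SA_NAME="${SA_NAME:-trivy-scanner}"                    # placeholder: SA with registry-viewer role
TEMPLATE_PATH="${TEMPLATE_PATH:-/opt/trivy/html.tpl}"  # placeholder: report template file

# Build the pull reference for an ImageStream tag:
#   <registry>/<namespace>/<imagestream>:<tag>
image_ref() {
  printf '%s/%s/%s:%s\n' "$REGISTRY_HOST" "$1" "$2" "$3"
}

# Trivy tries the Docker daemon, Podman, containerd and finally the registry,
# then reports all failures together. Read that stderr block from stdin and
# name the failure that actually matters:
#   unauthorized - the registry rejected the pull (token or role problem)
#   no_runtime   - only the local-socket errors are present
#   unknown      - anything else
triage_scan_error() {
  out=$(cat)
  case "$out" in
    *'UNAUTHORIZED: authentication required'*) echo unauthorized ;;
    *'Cannot connect to the Docker daemon'*)   echo no_runtime ;;
    *)                                         echo unknown ;;
  esac
}

# Run the scan with registry credentials supplied via environment variables.
# The token is never printed; on failure only the triage result is logged.
scan_image() {
  ref="$1"
  errlog=$(mktemp) || return 1
  token=$(oc sa get-token "$SA_NAME" -n "$SA_NAMESPACE") || {
    echo "could not fetch a token for service account $SA_NAME" >&2
    rm -f "$errlog"
    return 1
  }
  if TRIVY_USERNAME="$SA_NAME" TRIVY_PASSWORD="$token" \
       trivy image --ignore-unfixed --format template --template "@$TEMPLATE_PATH" \
         --output trivy_image_report.html --skip-update --offline-scan "$ref" 2>"$errlog"; then
    rm -f "$errlog"
    return 0
  fi
  echo "trivy failed for $ref: $(triage_scan_error <"$errlog")" >&2
  rm -f "$errlog"
  return 1
}

# Constructed sample of the error block from the question, for exercising the triage.
SAMPLE_TRIVY_STDERR='FATAL   image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
        * unable to inspect the image (openshiftregistry/namespace/imagestream:tag): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
        * unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
        * containerd socket not found: /run/containerd/containerd.sock
        * GET https://openshiftregistry/v2/namespace/imagestream/manifests/tag: UNAUTHORIZED: authentication required'

# Usage: ./scan.sh <namespace> <imagestream> <tag>
if [ "$#" -eq 3 ]; then
  scan_image "$(image_ref "$1" "$2" "$3")"
fi
```

With the credentials in TRIVY_USERNAME/TRIVY_PASSWORD, trivy talks to the registry's v2 API directly, so the Docker, Podman and containerd socket errors from the question no longer matter and a separate `podman login` step is not required on the slave. Keep the token out of `echo` statements and Jenkins console output; the wrapper only logs the triage keyword.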