I am currently using the trivy scanner to scan images in the pipeline. This has worked very well until now. But recently it is necessary to scan the image from an internal Openshift registry.
Unfortunately I have the problem that I do not know how to authenticate trivy against the internal registry. The documentation does not give any information regarding Openshift. It describes Azure and AWS as well as github.
My scan command currently looks like this in groovy:
trivy image --ignore-unfixed --format template --template "path for output" --output trivy_image_report.html --skip-update --offline-scan $image
Output:
INFO Vulnerability scanning is enabled
INFO Secret scanning is enabled
INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
INFO Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
FATAL image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
* unable to inspect the image (openshiftregistry/namespace/imagestream:tag): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
* containerd socket not found: /run/containerd/containerd.sock
* GET https://openshiftregistry/v2/namespace/imagestream/manifests/tag: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:namespace/imagestream Type:repository]]
The image is stored within an imageStream in Openshift. Is there something I can add to the trivy command to authenticate the service against the registry, or is there something else that has to be done before I use the command in groovy?
Thanks for help
CodePudding user response:
Thanks to Will Gordon in the comments. This link was very helpful: Access the Registry (Openshift).
These lines helped me (more information can be found on the linked site):
oc login -u kubeadmin -p <password_from_install_log> https://api-int.<cluster_name>.<base_domain>:6443
And
podman login -u kubeadmin -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000
Thanks
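Putting the answer's two steps together for a pipeline runner that has no docker, podman or containerd socket (the first three errors in the question) is shown below as an added example; it is not part of the original post. It assumes `oc login` has already been done, that trivy reads registry credentials from its documented `TRIVY_USERNAME`/`TRIVY_PASSWORD` variables, and uses `TEMPLATE_PATH` as a stand-in for the question's template path.

```shell
#!/usr/bin/env sh
# Added example: scan an image from the OpenShift internal registry with trivy,
# authenticating with the current oc session token instead of a container socket.
set -eu

# In-cluster service name from the answer; override via env when the pipeline
# reaches the registry through its external route instead.
REGISTRY_HOST="${REGISTRY_HOST:-image-registry.openshift-image-registry.svc:5000}"

# Build the fully qualified reference trivy should pull.
# Usage: image_ref <namespace> <imagestream> <tag>
image_ref() {
    printf '%s/%s/%s:%s\n' "$REGISTRY_HOST" "$1" "$2" "$3"
}

# Reject an empty token (oc login not done) or a token that still contains an
# unexpanded shell/Groovy expression such as '$(oc whoami -t)'.
token_is_plausible() {
    case "$1" in
        ''|*' '*|*'$'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Scan <namespace>/<imagestream>:<tag>. trivy talks to the registry API over
# HTTPS (the fourth path in the question's error), so no docker socket is needed.
scan_internal_image() {
    token="$(oc whoami -t)"
    token_is_plausible "$token" || {
        echo "no OpenShift token available; run oc login first" >&2
        return 1
    }
    # Credentials go through the environment, not the command line, so the
    # token does not show up in `ps` output or in the pipeline's echoed command.
    # '@' tells trivy to read the template from a file (TEMPLATE_PATH is assumed).
    TRIVY_USERNAME="$(oc whoami)" TRIVY_PASSWORD="$token" \
        trivy image --ignore-unfixed \
            --format template --template "@${TEMPLATE_PATH:?set TEMPLATE_PATH to your template file}" \
            --output trivy_image_report.html \
            --skip-update --offline-scan \
            "$(image_ref "$1" "$2" "$3")"
}
```

In the Jenkins step, call `scan_internal_image namespace imagestream tag` from `sh` so the token is resolved by the shell on the agent rather than interpolated by Groovy.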