Tags: authentication, openshift, trivy, imagestream

Trivy Scan with Openshift internal registry | how to authenticate against openshift registry with trivy


I am currently using the trivy scanner to scan images in the pipeline. This has worked very well until now, but recently it has become necessary to scan an image from an internal Openshift registry.

Unfortunately I have the problem that I do not know how to authenticate trivy against the internal registry. The documentation does not give any information regarding Openshift. It describes Azure and AWS as well as GitHub.

My scan command currently looks like this in groovy:

trivy image --ignore-unfixed --format template --template \"path for output\" --output trivy_image_report.html --skip-update --offline-scan $image

Output:

INFO    Vulnerability scanning is enabled
INFO    Secret scanning is enabled
INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
INFO    Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
FATAL   image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
        * unable to inspect the image (openshiftregistry/namespace/imagestream:tag): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
        * unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
        * containerd socket not found: /run/containerd/containerd.sock
        * GET https://openshiftregistry/v2/namespace/imagestream/manifests/tag: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:namespace/imagestream Type:repository]]

The image is stored within an imageStream in Openshift. Is there something I can add to the trivy command to authenticate the service against the registry, or is there something else that has to be done before I use the command in groovy?

Thanks for help


Solution

  • Thanks to Will Gordon in the comments. This link was very helpful: Access the Registry (Openshift).

    These lines helped me (more information can be found on the linked site):

    oc login -u kubeadmin -p <password_from_install_log> https://api-int.<cluster_name>.<base_domain>:6443
    

    And

    podman login -u kubeadmin -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000
    

    Thanks
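The steps in the accepted answer, turned into a script that a pipeline can run end to end. This is an added example and is not code from the original post, nor from the Trivy or OpenShift documentation. It assumes Trivy's default registry keychain reads the Docker config.json format and honours DOCKER_CONFIG (so the credential does not have to land in ~/.docker/config.json, and a podman login that wrote to a containers/auth.json Trivy does not read is not needed), that the registry host is the in-cluster service name from the answer (only resolvable inside the cluster), and that the OpenShift registry checks the token in the password field and not the username. The hostnames, usernames and tokens in the comments and in any test values are constructed placeholders; the template path from the question is left out because the point here is authentication.

```shell
#!/bin/sh
# Added example (not from the original post, Trivy or OpenShift docs):
# hand Trivy a registry credential built from the current `oc` session token,
# kept in a throw-away DOCKER_CONFIG instead of the user's ~/.docker/config.json.
set -eu

# In-cluster service name from the accepted answer; only resolvable inside the cluster.
# From outside, substitute the exposed route (oc get route -n openshift-image-registry).
REGISTRY="image-registry.openshift-image-registry.svc:5000"

# Trivy's default keychain reads the Docker config format, where "auth" is base64("user:password").
# Assumption: the OpenShift registry validates the token (password); the username is not checked.
docker_auth_entry() {
    # $1 registry host, $2 username, $3 token
    b64=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$b64"
}

# Write the config with owner-only permissions and print its path.
write_trivy_docker_config() {
    # $1 directory, $2 registry host, $3 username, $4 token
    mkdir -p "$1"
    ( umask 077; docker_auth_entry "$2" "$3" "$4" > "$1/config.json" )
    printf '%s\n' "$1/config.json"
}

# Pre-flight: repeat the request that failed in the question's log (GET .../v2/<repo>/manifests/<tag>).
# 200 means the token is accepted; 401 means Trivy would fail with the same UNAUTHORIZED error.
check_manifest_access() {
    # $1 registry host, $2 repository (namespace/imagestream), $3 tag, $4 token
    curl -sS -o /dev/null -w '%{http_code}' \
        -H "Authorization: Bearer $4" \
        -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
        "https://$1/v2/$2/manifests/$3"
}

# Scan one image from the internal registry using the current `oc` session.
scan_internal_image() {
    # $1 repository (namespace/imagestream), $2 tag
    token=$(oc whoami -t)                 # short-lived session token, same as in the answer
    DOCKER_CONFIG=$(mktemp -d)
    export DOCKER_CONFIG
    trap 'rm -rf "$DOCKER_CONFIG"' EXIT   # the token never outlives this run
    write_trivy_docker_config "$DOCKER_CONFIG" "$REGISTRY" "$(oc whoami)" "$token" >/dev/null

    status=$(check_manifest_access "$REGISTRY" "$1" "$2" "$token")
    [ "$status" = "200" ] || { echo "registry returned HTTP $status for $1:$2" >&2; return 1; }

    # Add the --format/--template/--output flags from the question here as needed.
    trivy image --ignore-unfixed --skip-update --offline-scan "$REGISTRY/$1:$2"
}

# Usage: ./scan.sh namespace/imagestream tag   (after `oc login ...`)
if [ $# -eq 2 ]; then
    scan_internal_image "$1" "$2"
fi
```

If you would rather not write a config file at all, Trivy also accepts the credential through the TRIVY_USERNAME and TRIVY_PASSWORD environment variables, which is the same user:token pair. For an unattended pipeline, prefer a service account that has been granted the system:image-puller role in the image's namespace over the kubeadmin login used in the answer, and pass its token instead of `oc whoami -t`; the rest of the script is unchanged.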