Based on my understanding of the Trivy image scan, after the scan is completed, we get the vulnerability report.
If no vulnerabilities are found, the end result/summary would be as below:
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
I have built a Docker image with the golang:1.21.11-alpine base image.
The Trivy image scan of this image is not printing a summary!
➜ ~ trivy -d image xray-docker-1.21.11
2024-06-21T17:49:26+08:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-21T17:49:26+08:00 DEBUG Ignore statuses statuses=[]
2024-06-21T17:49:26+08:00 DEBUG Cache dir dir="/Users/dileep/Library/Caches/trivy"
2024-06-21T17:49:26+08:00 DEBUG DB update was skipped because the local DB is the latest
2024-06-21T17:49:26+08:00 DEBUG DB info schema=2 updated_at=2024-06-21T06:12:43.970221161Z next_update=2024-06-21T12:12:43.97022092Z downloaded_at=2024-06-21T09:10:54.857905Z
2024-06-21T17:49:26+08:00 INFO Vulnerability scanning is enabled
2024-06-21T17:49:26+08:00 DEBUG Vulnerability type type=[os library]
2024-06-21T17:49:26+08:00 INFO Secret scanning is enabled
2024-06-21T17:49:26+08:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-21T17:49:26+08:00 INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-21T17:49:26+08:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-06-21T17:49:26+08:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-06-21T17:49:26+08:00 DEBUG [nuget] The nuget packages directory couldn't be found. License search disabled
2024-06-21T17:49:26+08:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-06-21T17:49:26+08:00 DEBUG [image] Detected image ID image_id="sha256:8b2ae480c5c35cf45487a5a356c80f7817402df5a7b7dc4725c7a34af65756f7"
2024-06-21T17:49:26+08:00 DEBUG [image] Detected diff ID diff_ids=[sha256:23adb073c60cf2ad71909ab0d70f1cd636d4511389cfd814af777aa5976b770e sha256:7b26c5cdb0b98b95648038c82b684ee35a0c4767597645aa2e29834f74fea0f7 sha256:981d39aae5d8f5c86adc978359c47f35775193abade2f51318e2e3cb1390248e sha256:f617648764654a3fac6fdd5f9497d7a595b25df865ba8b34cf0264749b7d2e2b]
2024-06-21T17:49:26+08:00 DEBUG [image] Detected base layers diff_ids=[]
2024-06-21T17:49:26+08:00 DEBUG OS is not detected.
2024-06-21T17:49:26+08:00 DEBUG Detected OS: unknown
2024-06-21T17:49:26+08:00 INFO Number of language-specific files num=1
2024-06-21T17:49:26+08:00 INFO [gobinary] Detecting vulnerabilities...
2024-06-21T17:49:26+08:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="xray"
2024-06-21T17:49:26+08:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="github.com/aws/aws-xray-daemon"
Note that there is no summary after the image scan completed.
I'm not able to understand why there is no summary at the end of the scan. Am I doing something wrong?
Thanks to the Trivy maintainers, this got answered on GitHub.