Image Registry credentials required ?

[adeniyistephen]

Hello Trivy team, I'm Stephen a mentee of LFX(Linux foundation) summer 21', I'm working on a project for my program which is to develop an Image Vulnerability scanner and output the result in Kubernetes Policy Report CRD. here is the issue: kubernetes-sigs/wg-policy-prototypes#54, also the discussion is on the Kubernetes wg-policy channel https://kubernetes.slack.com/archives/C906A4GAF.
I have a quick question concerning image registry credentials - why are Image Registry credentials required? Does Trivy actually download the image or does it use the one available in the cluster? (I had to scan the image in my cluster when I pushed the image to docker hub first).
Thank you, please feel free to join the slack channel.

[knqyf263]

First of all, if an image is in a local Docker (or Podman) daemon, Trivy simply uses it. If it doesn't exist locally, Trivy needs to pull the image from a registry. Kubernetes is most likely not using Docker, so Trivy can't scan local images.

FYI: Starboard is able to levarage imagePullSecrets for pulling an image.

[knqyf263]

Could you give me what commands did you run and an error message?

[adeniyistephen]

yes I can, I'm currently running trivy on a docker container tho. so: docker run ghcr.io/aquasecurity/trivy:0.18.3 image shipa:1.0 but now that I have pushed it to docker hub I can run it docker run ghcr.io/aquasecurity/trivy:0.18.3 image adeniyistephen/shipa:1.0 so as other images

[adeniyistephen]

@knqyf263 are you there?

[knqyf263]

You have to mount docker socket if the image is in your host machine.
https://aquasecurity.github.io/trivy/v0.18.3/installation/#docker

[adeniyistephen]

Thank you for this, I'm using docker image so I have been trying to find a way to get my cache dir :) .