Troubleshooting Trivy Scans in CircleCI

When running Trivy scans within CircleCI, you may encounter issues related to GitHub token authentication and downloading the vulnerability database. This guide provides steps to troubleshoot and resolve these issues.

Common Issue: Failed to Download Vulnerability Database

If you see errors indicating a failure to download the vulnerability database, it may be due to incorrect GitHub token usage. Ensure you are using a valid token that has the necessary permissions to access the Trivy database.

Example Command

Here’s an example command to run a Trivy scan:

trivy --light --token YOUR_GITHUB_TOKEN -d -s "UNKNOWN,MEDIUM,HIGH,CRITICAL" --exit-code 1 ${IMAGE}

Debugging Steps

  1. Check Your GitHub Token: Make sure that the token you are using has the correct permissions. If you are using a token for a private repository, ensure it has access to the necessary resources.
  2. Inspect Error Messages: Look for error messages in the output. For example, a 401 Bad credentials error indicates that the token is invalid or lacks the required permissions.
  3. Database Update: Trivy needs to update its vulnerability database before scanning. If the database is not accessible, you might see messages like:
    INFO    Need to update DB
    INFO    Downloading DB...
    FATAL   failed to download vulnerability DB: failed to list releases: GET https://api.github.com/repos/aquasecurity/trivy-db/releases: 401 Bad credentials
  4. Manual Database Installation: If issues persist, consider manually downloading the vulnerability database using curl or a similar tool, fetching it directly from the trivy-db GitHub releases.

Example of Manual Download

You can manually download the database using the command below. The -f flag makes curl fail on an HTTP error (for example a 404) instead of saving the error page under the database filename, and the output name matches the downloaded file:

curl -fL -o trivy.db.gz https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy.db.gz
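The following script is an added example, not code from the original page or from the Trivy project. It wraps the scan command shown above with a pre-flight check on the token and classifies Trivy's output so a CircleCI job fails with a clear reason; it assumes POSIX sh, the CLI flags used on this page, and that the token is stored in the GITHUB_TOKEN environment variable. The log sample embedded in it is constructed to mirror the FATAL line in step 3.

```shell
#!/bin/sh
# Added example (not from the page or the Trivy project): pre-flight token
# check plus a classifier for Trivy DB-download failures, for use in a CI job.

# Classify a Trivy log (passed as one string). Returns "bad-token" on a 401
# from api.github.com, "db-download" on any other vulnerability-DB download
# failure, and "ok" otherwise. The `*` in case patterns also matches newlines.
classify_trivy_log() {
    log="$1"
    case "$log" in
        *"failed to download vulnerability DB"*"401 Bad credentials"*) echo "bad-token" ;;
        *"failed to download vulnerability DB"*) echo "db-download" ;;
        *) echo "ok" ;;
    esac
}

# Refuse to start a scan with an empty token or the placeholder from the docs.
# Returns 0 when the token looks usable, 1 otherwise.
check_github_token() {
    case "$1" in
        ""|YOUR_GITHUB_TOKEN) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample output mirroring the failure shown in step 3 above.
TRIVY_OUTPUT_SAMPLE='INFO    Need to update DB
INFO    Downloading DB...
FATAL   failed to download vulnerability DB: failed to list releases: GET https://api.github.com/repos/aquasecurity/trivy-db/releases: 401 Bad credentials'

# CI entry point: gate the scan on the pre-flight check, run it with the flags
# from this page, then report why it failed. Exit code 2 = configuration error.
run_scan_with_diagnostics() {
    image="$1"
    if ! check_github_token "${GITHUB_TOKEN:-}"; then
        echo "GITHUB_TOKEN is unset or still a placeholder; set it in the CircleCI project environment" >&2
        return 2
    fi
    rc=0
    out=$(trivy --light --token "$GITHUB_TOKEN" -d -s "UNKNOWN,MEDIUM,HIGH,CRITICAL" \
          --exit-code 1 "$image" 2>&1) || rc=$?
    printf '%s\n' "$out"
    reason=$(classify_trivy_log "$out")
    [ "$reason" = "ok" ] || echo "trivy DB failure: $reason (check the token and its permissions)" >&2
    return $rc
}
```

In a CircleCI step, call `run_scan_with_diagnostics "$IMAGE"` after sourcing this file; a return code of 2 means the token was never configured, while a "bad-token" message means the configured token was rejected by GitHub.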

Conclusion

By ensuring your GitHub token is valid and has the necessary permissions, and by following the debugging steps outlined above, you can effectively troubleshoot and resolve issues when running Trivy scans in CircleCI.