Fetching database through ECR seems to fail starting with release 0.66.0

[eldondevat]

Description

Previous authentication strategy no longer works to download database images from ECR. 0.65.0 successfully downloads the database. Possibly related to #9322 ? If I perform a trivy registry login using aws ecr get-login-password beforehand 0.66.0 can auth, but that means I have to install the aws cli into the container.

Desired Behavior

2025-09-03T19:19:17Z INFO [vulndb] Downloading artifact... repo=".dkr.ecr..amazonaws.com/github/aquasecurity/trivy-db:2"
27.49 MiB / 69.90 MiB [----------------------->_________] 39.33% ? p/s ?40.43 MiB / 69.90 MiB [----------------------------------->] 57.83% ? p/s ?65.55 MiB / 69.90 MiB [--------------------------------------------------------->] 93.77% ? p/s ?69.90 MiB / 69.90 MiB [---------------------------------------------->] 100.00% 70.61 MiB p/s ETA 0s69.90 MiB / 69.90 MiB [---------------------------------------------->] 100.00% 70.61 MiB p/s ETA 0s69.90 MiB / 69.90 MiB [---------------------------------------------->] 100.00% 70.61 MiB p/s ETA 0s69.90 MiB / 69.90 MiB [---------------------------------------------->] 100.00% 66.06 MiB p/s ETA 0s69.90 MiB / 69.90 MiB [---------------------------------------------->] 100.00% 66.06 MiB p/s ETA 0s69.90 MiB / 69.90 MiB [---------------------------------------------->] 100.00% 66.06 MiB p/s ETA 0s69.90 MiB / 69.90 MiB [---------------------------------------------->] 100.00% 61.80 MiB p/s ETA 0s69.90 MiB / 69.90 MiB [---------------------------------------------->] 100.00% 61.80 MiB p/s ETA 0s69.90 MiB / 69.90 MiB [---------------------------------------------->] 100.00% 61.80 MiB p/s ETA 0s69.90 MiB / 69.90 MiB [---------------------------------------------->] 100.00% 57.81 MiB p/s ETA 0s69.90 MiB / 69.90 MiB [---------------------------------------------->] 100.00% 57.81 MiB p/s ETA 0s69.90 MiB / 69.90 MiB [---------------------------------------------->] 100.00% 57.81 MiB p/s ETA 0s69.90 MiB / 69.90 MiB [---------------------------------------------->] 100.00% 54.08 MiB p/s ETA 0s69.90 MiB / 69.90 MiB [---------------------------------------------->] 100.00% 54.08 MiB p/s ETA 0s69.90 MiB / 69.90 MiB [-------------------------------------------------] 100.00% 21.75 MiB p/s 3.4s2025-09-03T19:19:24Z INFO [vulndb] Artifact successfully downloaded repo=".dkr.ecr..amazonaws.com/github/aquasecurity/trivy-db:2"

Actual Behavior

2025-09-03T16:59:59Z FATAL Fatal error run error: init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from .dkr.ecr..amazonaws.com/github/aquasecurity/trivy-db:2: OCI repository error: 1 error occurred:
GET https://.dkr.ecr..amazonaws.com/v2/github/aquasecurity/trivy-db/manifests/2: unexpected status code 401 Unauthorized: Not Authorized

Reproduction Steps

1.Run on a gitlab runner in the docker executor, with the execution image as the container image published on docker hub for trivy 0.66.0, and an IAM role assigned to the execution environment that allows access to the specified ECR repositories via a pull-through cache.
2. Run trivy inside the image with the following command: trivy fs . --exit-code 1 --ignorefile .trivyignore.yaml --db-repository <redacted>.dkr.ecr.<redacted>.amazonaws.com/github/aquasecurity/trivy-db:2 --java-db-repository <redacted>.dkr.ecr.<redacted>.amazonaws.com/github/aquasecurity/trivy-java-db:1

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

2025-09-03T19:54:59Z	DEBUG	No plugins loaded
2025-09-03T19:54:59Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-03T19:54:59Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2025-09-03T19:54:59Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2025-09-03T19:54:59Z	DEBUG	Parsed severities	severities=[HIGH CRITICAL]
2025-09-03T19:54:59Z	DEBUG	Ignore statuses	statuses=[]
2025-09-03T19:54:59Z	DEBUG	[vulndb] There is no db file
2025-09-03T19:54:59Z	DEBUG	[vulndb] There is no valid metadata file	err.message="file open error" err.err="file open error: open /root/.cache/trivy/db/metadata.json: no such file or directory" err.time=2025-09-03T19:54:59.100258545Z err.trace="01K48JB4MW2VTDZK35Q9Y3F9KS" err.context.file_path="/root/.cache/trivy/db/metadata.json" err.stacktrace="Oops: file open error\n  --- at /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/metadata/metadata.go:43 Client.Get()\n  --- at /home/runner/work/trivy/trivy/pkg/db/db.go:105 Client.NeedsUpdate()\n  --- at /home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:33 DownloadDB()\n  --- at /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:324 runner.initDB()\n  --- at /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:135 NewRunner()\n  --- at /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:426 run()\n  --- at /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:412 Run()\n  --- at /home/runner/work/trivy/trivy/pkg/commands/app.go:379 NewFilesystemCommand.func2()\n  --- at /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1015 Command.execute()\n  --- at /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1148 Command.ExecuteC()"
2025-09-03T19:54:59Z	INFO	[vulndb] Need to update DB
2025-09-03T19:54:59Z	INFO	[vulndb] Downloading vulnerability DB...
2025-09-03T19:54:59Z	INFO	[vulndb] Downloading artifact...	repo="<redacted>.dkr.ecr.<redacted>.amazonaws.com/github/aquasecurity/trivy-db:2"
2025-09-03T19:55:04Z	DEBUG	Credential error	err="failed to get authorization token: operation error ECR: GetAuthorizationToken, get identity: get credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded"
2025-09-03T19:55:04Z	FATAL	Fatal error
  - run error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:414
  - init error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:431
  - DB error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.NewRunner
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:136
  - failed to download vulnerability DB:
    github.com/aquasecurity/trivy/pkg/commands/operation.DownloadDB
        /home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:41
  - OCI artifact error:
    github.com/aquasecurity/trivy/pkg/db.(*Client).Download
        /home/runner/work/trivy/trivy/pkg/db/db.go:178
  - failed to download vulnerability DB:
    github.com/aquasecurity/trivy/pkg/db.(*Client).downloadDB
        /home/runner/work/trivy/trivy/pkg/db/db.go:227
  - failed to download artifact from <redacted>.dkr.ecr.<redacted>.amazonaws.com/github/aquasecurity/trivy-db:2:
    github.com/aquasecurity/trivy/pkg/oci.Artifacts.Download
        /home/runner/work/trivy/trivy/pkg/oci/artifact.go:240
  - OCI repository error:
    github.com/aquasecurity/trivy/pkg/oci.(*Artifact).populate
        /home/runner/work/trivy/trivy/pkg/oci/artifact.go:99
  - 1 error occurred:
	* GET https://<redacted>.dkr.ecr.<redacted>.amazonaws.com/v2/github/aquasecurity/trivy-db/manifests/2: unexpected status code 401 Unauthorized: Not Authorized

Operating System

Linux on AWS

Version

$ trivy --version
Version: 0.66.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[eldondevat]

Probably related to #9429 which didn't exist when I started writing this up, and seems to be slightly different given that it is pulling a container to scan, and this is pulling the DB

[DmitriyLewen]

We use the same logic for aws authentication for all images (trivy-db/scannedimage etc.)

[DmitriyLewen]

Hello @eldondevat
I created fix - can you test?
#9429 (reply in thread)

[DmitriyLewen]

duplicate of #9429