trivy fails its own security scan #9524

flegelleicht · 2025-09-24T19:32:27Z

flegelleicht
Sep 24, 2025

Description

I followed the guide at https://trivy.dev/v0.66/docs/advanced/container/embed-in-dockerfile/ to scan my self-built trivy image.

Desired Behavior

trivy passes its own security check

Actual Behavior

When I build my image with the current trivy version (0.66.0), it fails its security check with the following output:

$ docker build -t trivy --build-arg TRIVY_RELEASE_VERSION=0.66.0 --target=vulnscan .  
[...]
 > [vulnscan 3/4] RUN trivy rootfs     --skip-java-db-update     --disable-telemetry     --skip-version-check     --exit-code 1     --no-progress     /:                                                                                                                                  
0.910 2025-09-24T19:06:29Z      INFO    [vuln] Vulnerability scanning is enabled
0.910 2025-09-24T19:06:29Z      INFO    [secret] Secret scanning is enabled
0.910 2025-09-24T19:06:29Z      INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
0.910 2025-09-24T19:06:29Z      INFO    [secret] Please see https://trivy.dev/v0.66/docs/scanner/secret#recommendation for faster secret detection
1.014 2025-09-24T19:06:29Z      INFO    Detected OS     family="alpine" version="3.22.1"
1.014 2025-09-24T19:06:29Z      INFO    [alpine] Detecting vulnerabilities...   os_version="3.22" repository="3.22" pkg_num=29
1.016 2025-09-24T19:06:29Z      INFO    Number of language-specific files       num=1
1.016 2025-09-24T19:06:29Z      INFO    [gobinary] Detecting vulnerabilities...
1.025 2025-09-24T19:06:29Z      WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.66/docs/scanner/vulnerability#severity-selection for details.
1.026 
1.026 Report Summary
1.026 
1.026 ┌───────────────────────────┬──────────┬─────────────────┬─────────┐
1.026 │          Target           │   Type   │ Vulnerabilities │ Secrets │
1.026 ├───────────────────────────┼──────────┼─────────────────┼─────────┤
1.026 │ localhost (alpine 3.22.1) │  alpine  │        0        │    -    │
1.026 ├───────────────────────────┼──────────┼─────────────────┼─────────┤
1.026 │ usr/local/bin/trivy       │ gobinary │        3        │    -    │
1.026 └───────────────────────────┴──────────┴─────────────────┴─────────┘
1.026 Legend:
1.026 - '-': Not scanned
1.026 - '0': Clean (no security findings detected)
1.026 
1.026 
1.026 usr/local/bin/trivy (gobinary)
1.026 ==============================
1.026 Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)
1.026 
1.026 ┌─────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬─────────────────┬───────────────────────────────────────────────────────────┐
1.026 │               Library               │    Vulnerability    │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                           │
1.026 ├─────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼─────────────────┼───────────────────────────────────────────────────────────┤
1.026 │ github.com/go-viper/mapstructure/v2 │ GHSA-2464-8j7c-4cjm │ MEDIUM   │ fixed  │ v2.3.0            │ 2.4.0           │ go-viper's mapstructure May Leak Sensitive Information in │
1.026 │                                     │                     │          │        │                   │                 │ Logs When Processing Malformed Data...                    │
1.026 │                                     │                     │          │        │                   │                 │ https://github.com/advisories/GHSA-2464-8j7c-4cjm         │
1.026 ├─────────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼─────────────────┼───────────────────────────────────────────────────────────┤
1.026 │ stdlib                              │ CVE-2025-47906      │ HIGH     │        │ v1.24.4           │ 1.23.12, 1.24.6 │ If the PATH environment variable contains paths which are │
1.026 │                                     │                     │          │        │                   │                 │ executables ......                                        │
1.026 │                                     │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47906                │
1.026 │                                     ├─────────────────────┤          │        │                   │                 ├───────────────────────────────────────────────────────────┤
1.026 │                                     │ CVE-2025-47907      │          │        │                   │                 │ database/sql: Postgres Scan Race Condition                │
1.026 │                                     │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47907                │
1.026 └─────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴─────────────────┴───────────────────────────────────────────────────────────┘

Reproduction Steps

This Dockerfile reproduces the issue:

FROM alpine:3.22.1 AS build

ARG TRIVY_RELEASE_VERSION=0.66.0

RUN apk add --update --no-cache wget \
    && wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_RELEASE_VERSION}/trivy_${TRIVY_RELEASE_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf - \
    && apk del wget \
    && mv trivy /usr/local/bin \
    && mkdir -p /usr/local/share/trivy/templates \
    && mv contrib /usr/local/share/trivy/templates/ \
    && mkdir -p /usr/local/share/trivy/dbs \
    && trivy image --download-db-only \
    && trivy image --download-java-db-only

FROM build AS vulnscan
COPY --from=aquasec/trivy:0.66.0 /usr/local/bin/trivy /usr/local/bin/trivy
COPY .trivyignore /.trivyignore
WORKDIR /
RUN trivy rootfs \
    --skip-java-db-update \
    --disable-telemetry \
    --skip-version-check \
    --exit-code 1 \
    --no-progress \
    /

FROM build AS final

Build it with docker build -t trivy-minimal-example --target=vulnscan .

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

$ docker build -t trivy-minimal-example . 
$ docker run trivy-minimal-example trivy rootfs / --debug
2025-09-24T19:29:53Z    DEBUG   No plugins loaded
2025-09-24T19:29:53Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-24T19:29:53Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-09-24T19:29:53Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-09-24T19:29:53Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-24T19:29:53Z    DEBUG   Ignore statuses statuses=[]
2025-09-24T19:29:53Z    DEBUG   DB update was skipped because the local DB is the latest
2025-09-24T19:29:53Z    DEBUG   DB info schema=2 updated_at=2025-09-24T18:30:49.675123524Z next_update=2025-09-25T18:30:49.675123273Z downloaded_at=2025-09-24T19:17:01.113498923Z
2025-09-24T19:29:54Z    DEBUG   [pkg] Package types     types=[os library]
2025-09-24T19:29:54Z    DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-09-24T19:29:54Z    INFO    [vuln] Vulnerability scanning is enabled
2025-09-24T19:29:54Z    INFO    [secret] Secret scanning is enabled
2025-09-24T19:29:54Z    DEBUG   [notification] Running version check
2025-09-24T19:29:54Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-09-24T19:29:54Z    INFO    [secret] Please see https://trivy.dev/v0.66/docs/scanner/secret#recommendation for faster secret detection
2025-09-24T19:29:54Z    DEBUG   Initializing scan cache...      type="memory"
2025-09-24T19:29:54Z    DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-09-24T19:29:54Z    DEBUG   [fs] Analyzing...       root="/"
2025-09-24T19:29:54Z    DEBUG   Created process-specific temp directory path="/tmp/trivy-1"
2025-09-24T19:29:54Z    DEBUG   Skipping path   path="dev"
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="LICENSE"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="LICENSE" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/apk/keys/[email protected]"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/apk/keys/[email protected]" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="LICENSE" content_len=11357 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/apk/keys/[email protected]" content_len=451 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/apk/keys/[email protected]"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/apk/keys/[email protected]" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/apk/keys/[email protected]" content_len=451 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/apk/keys/[email protected]"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/apk/keys/[email protected]" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/apk/keys/[email protected]" content_len=800 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/apk/keys/[email protected]" content_len=451 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/apk/keys/[email protected]" content_len=451 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/apk/keys/[email protected]"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/apk/keys/[email protected]" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/apk/keys/[email protected]" content_len=800 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/apk/keys/[email protected]" content_len=800 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/apk/keys/[email protected]" content_len=800 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="LICENSE" content_len=4096 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/apk/repositories"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/apk/repositories" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/apk/repositories" content_len=103 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/apk/repositories" content_len=103 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/apk/keys/[email protected]"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/apk/keys/[email protected]" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/apk/world"
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/apk/keys/[email protected]" content_len=800 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/apk/world" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/apk/world" content_len=74 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/apk/world" content_len=74 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/apk/keys/[email protected]" content_len=800 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/busybox-paths.d/busybox"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/busybox-paths.d/busybox" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/busybox-paths.d/busybox" content_len=3989 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/fstab"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/fstab" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/group"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/group" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/group" content_len=510 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/group" content_len=510 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/hostname"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/hostname" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/hostname" content_len=13 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/hostname" content_len=13 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/hosts"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/hosts" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/hosts" content_len=172 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/hosts" content_len=172 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/crontabs/root"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/crontabs/root" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/crontabs/root" content_len=283 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/inittab"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/inittab" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/inittab" content_len=570 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/crontabs/root" content_len=283 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/inittab" content_len=570 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/issue"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/issue" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/issue" content_len=51 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/fstab" content_len=89 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/logrotate.d/acpid"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/logrotate.d/acpid" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/logrotate.d/acpid" content_len=140 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/issue" content_len=51 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/fstab" content_len=89 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/logrotate.d/acpid" content_len=140 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/modprobe.d/aliases.conf"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/modprobe.d/aliases.conf" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/modprobe.d/aliases.conf" content_len=1545 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/modprobe.d/blacklist.conf"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/modprobe.d/blacklist.conf" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/modprobe.d/blacklist.conf" content_len=2136 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/modprobe.d/i386.conf"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/modprobe.d/i386.conf" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/modprobe.d/blacklist.conf" content_len=2136 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/modprobe.d/i386.conf" content_len=122 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/modprobe.d/i386.conf" content_len=122 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/busybox-paths.d/busybox" content_len=3989 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/modprobe.d/aliases.conf" content_len=1545 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/modules"
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/motd"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/motd" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/modules" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/motd" content_len=284 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/motd" content_len=284 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/modules" content_len=15 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/network/if-up.d/dad"
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/modules" content_len=15 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/network/if-up.d/dad" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/network/if-up.d/dad" content_len=285 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/nsswitch.conf"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/nsswitch.conf" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/network/if-up.d/dad" content_len=285 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/nsswitch.conf" content_len=205 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/passwd"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/passwd" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/profile"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/profile" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/profile" content_len=547 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/nsswitch.conf" content_len=205 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/passwd" content_len=702 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/profile.d/20locale.sh"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/profile.d/20locale.sh" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/profile.d/20locale.sh" content_len=97 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/profile" content_len=547 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/profile.d/README"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/profile.d/README" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/profile.d/README" content_len=249 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/profile.d/color_prompt.sh.disabled"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/profile.d/color_prompt.sh.disabled" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/profile.d/color_prompt.sh.disabled" content_len=447 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/passwd" content_len=702 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/profile.d/README" content_len=249 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/profile.d/color_prompt.sh.disabled" content_len=447 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/protocols"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/protocols" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/protocols" content_len=3144 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/profile.d/20locale.sh" content_len=97 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/secfixes.d/alpine"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/secfixes.d/alpine" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/secfixes.d/alpine" content_len=97 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/securetty"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/securetty" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/resolv.conf"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/resolv.conf" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/securetty" content_len=156 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/services"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/services" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/resolv.conf" content_len=222 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/services" content_len=12813 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/secfixes.d/alpine" content_len=97 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/securetty" content_len=156 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/resolv.conf" content_len=222 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/shadow"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/shadow" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/shadow" content_len=260 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/protocols" content_len=3144 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/shadow" content_len=260 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/shells"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/shells" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/shells" content_len=38 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/ssl/ct_log_list.cnf"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/ssl/ct_log_list.cnf" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/ssl/ct_log_list.cnf" content_len=412 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/ssl/ct_log_list.cnf.dist"
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/ssl/ct_log_list.cnf" content_len=412 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/ssl/certs/ca-certificates.crt"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/ssl/certs/ca-certificates.crt" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/ssl/certs/ca-certificates.crt" content_len=65536 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/shells" content_len=38 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/ssl/openssl.cnf"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/ssl/openssl.cnf" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/ssl/openssl.cnf" content_len=12411 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/ssl/openssl.cnf.dist"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/ssl/openssl.cnf.dist" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/ssl/openssl.cnf.dist" content_len=12411 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/ssl/ct_log_list.cnf.dist" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/ssl/ct_log_list.cnf.dist" content_len=412 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/ssl/ct_log_list.cnf.dist" content_len=412 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/sysctl.conf"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/sysctl.conf" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/sysctl.conf" content_len=53 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/sysctl.conf" content_len=53 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/ssl/openssl.cnf" content_len=4096 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="etc/udhcpc/udhcpc.conf"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="etc/udhcpc/udhcpc.conf" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/udhcpc/udhcpc.conf" content_len=287 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/udhcpc/udhcpc.conf" content_len=287 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/ssl/openssl.cnf.dist" content_len=4096 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="lib/apk/db/triggers"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="lib/apk/db/triggers" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="lib/apk/db/triggers" content_len=95 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="lib/apk/db/triggers" content_len=95 num_rules=87
2025-09-24T19:29:54Z    DEBUG   Skipping path   path="proc"
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="root/.cache/trivy/db/metadata.json"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="root/.cache/trivy/db/metadata.json" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="root/.cache/trivy/db/metadata.json" content_len=153 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="root/.cache/trivy/db/metadata.json" content_len=153 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="lib/apk/db/installed"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="lib/apk/db/installed" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="lib/apk/db/installed" content_len=15328 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/services" content_len=4096 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="root/.cache/trivy/java-db/metadata.json"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="root/.cache/trivy/java-db/metadata.json" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="root/.cache/trivy/java-db/metadata.json" content_len=151 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="root/.cache/trivy/java-db/metadata.json" content_len=151 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="root/.wget-hsts"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="root/.wget-hsts" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="root/.wget-hsts" content_len=165 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="root/.wget-hsts" content_len=165 num_rules=87
2025-09-24T19:29:54Z    DEBUG   Skipping path   path="sys"
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="sbin/ldconfig"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="sbin/ldconfig" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="sbin/ldconfig" content_len=393 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="sbin/ldconfig" content_len=393 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="usr/bin/ldd"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="usr/bin/ldd" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="usr/bin/ldd" content_len=53 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="usr/bin/ldd" content_len=53 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="usr/local/share/trivy/templates/contrib/asff.tpl"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="usr/local/share/trivy/templates/contrib/asff.tpl" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="usr/local/share/trivy/templates/contrib/asff.tpl" content_len=7004 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="usr/local/share/trivy/templates/contrib/gitlab-codequality.tpl"
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="lib/apk/db/installed" content_len=4096 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="usr/local/share/trivy/templates/contrib/gitlab-codequality.tpl" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="usr/local/share/trivy/templates/contrib/gitlab-codequality.tpl" content_len=3392 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="usr/local/share/trivy/templates/contrib/asff.tpl" content_len=4096 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="usr/local/share/trivy/templates/contrib/gitlab-codequality.tpl" content_len=3392 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="usr/local/share/trivy/templates/contrib/gitlab.tpl"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="usr/local/share/trivy/templates/contrib/gitlab.tpl" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="usr/local/share/trivy/templates/contrib/gitlab.tpl" content_len=3484 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="github.com/aquasecurity/trivy" -ldflags=[-s -w -extldflags -static -X github.com/aquasecurity/trivy/pkg/version/app.ver=0.66.0]
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="usr/local/share/trivy/templates/contrib/gitlab.tpl" content_len=3484 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="usr/local/share/trivy/templates/contrib/html.tpl"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="usr/local/share/trivy/templates/contrib/html.tpl" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="usr/local/share/trivy/templates/contrib/html.tpl" content_len=5056 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] Using streaming scanner        file_path="usr/local/share/trivy/templates/contrib/junit.tpl"
2025-09-24T19:29:54Z    DEBUG   [secret] scanStream called      file_path="usr/local/share/trivy/templates/contrib/junit.tpl" buffer_size=65536 overlap_size=4096
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="usr/local/share/trivy/templates/contrib/junit.tpl" content_len=3132 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="usr/local/share/trivy/templates/contrib/junit.tpl" content_len=3132 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="usr/local/share/trivy/templates/contrib/html.tpl" content_len=4096 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/ssl/certs/ca-certificates.crt" content_len=65536 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/ssl/certs/ca-certificates.crt" content_len=65536 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/ssl/certs/ca-certificates.crt" content_len=28265 num_rules=87
2025-09-24T19:29:54Z    DEBUG   [secret] scanChunk called       file_path="etc/ssl/certs/ca-certificates.crt" content_len=4096 num_rules=87
2025-09-24T19:29:54Z    INFO    Detected OS     family="alpine" version="3.22.1"
2025-09-24T19:29:54Z    INFO    [alpine] Detecting vulnerabilities...   os_version="3.22" repository="3.22" pkg_num=16
2025-09-24T19:29:55Z    INFO    Number of language-specific files       num=1
2025-09-24T19:29:55Z    INFO    [gobinary] Detecting vulnerabilities...
2025-09-24T19:29:55Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="usr/local/bin/trivy"
2025-09-24T19:29:55Z    WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.66/docs/scanner/vulnerability#severity-selection for details.
2025-09-24T19:29:55Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-09-24T19:29:55Z    DEBUG   [vex] VEX filtering is disabled

Report Summary

┌──────────────────────────────┬──────────┬─────────────────┬─────────┐
│            Target            │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────┼──────────┼─────────────────┼─────────┤
│ 938c13c4e3a9 (alpine 3.22.1) │  alpine  │        0        │    -    │
├──────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/trivy          │ gobinary │        3        │    -    │
└──────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


usr/local/bin/trivy (gobinary)
==============================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌─────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬─────────────────┬───────────────────────────────────────────────────────────┐
│               Library               │    Vulnerability    │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                           │
├─────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼─────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/go-viper/mapstructure/v2 │ GHSA-2464-8j7c-4cjm │ MEDIUM   │ fixed  │ v2.3.0            │ 2.4.0           │ go-viper's mapstructure May Leak Sensitive Information in │
│                                     │                     │          │        │                   │                 │ Logs When Processing Malformed Data...                    │
│                                     │                     │          │        │                   │                 │ https://github.com/advisories/GHSA-2464-8j7c-4cjm         │
├─────────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼─────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib                              │ CVE-2025-47906      │ HIGH     │        │ v1.24.4           │ 1.23.12, 1.24.6 │ If the PATH environment variable contains paths which are │
│                                     │                     │          │        │                   │                 │ executables ......                                        │
│                                     │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47906                │
│                                     ├─────────────────────┤          │        │                   │                 ├───────────────────────────────────────────────────────────┤
│                                     │ CVE-2025-47907      │          │        │                   │                 │ database/sql: Postgres Scan Race Condition                │
│                                     │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47907                │
└─────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴─────────────────┴───────────────────────────────────────────────────────────┘
2025-09-24T19:29:55Z    DEBUG   Cleaning up temp directory      path="/tmp/trivy-1"

Operating System

alpine linux

Version

Version: 0.66.0-SNAPSHOT-7b663d86c
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-09-24 18:30:49.675123524 +0000 UTC
  NextUpdate: 2025-09-25 18:30:49.675123273 +0000 UTC
  DownloadedAt: 2025-09-24 19:17:01.113498923 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-09-24 00:54:35.32511731 +0000 UTC
  NextUpdate: 2025-09-27 00:54:35.32511719 +0000 UTC
  DownloadedAt: 2025-09-24 19:18:38.422222552 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

knqyf263 · 2025-09-25T05:21:35Z

knqyf263
Sep 25, 2025
Maintainer

They have been fixed in the main branch and will be released in v0.67.0.

trivy/go.mod

Line 281 in 8e40d27

github.com/go-viper/mapstructure/v2 v2.4.0 // indirect

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

trivy fails its own security scan #9524

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

trivy fails its own security scan #9524

Uh oh!

Uh oh!

flegelleicht Sep 24, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment

Uh oh!

knqyf263 Sep 25, 2025 Maintainer

flegelleicht
Sep 24, 2025

knqyf263
Sep 25, 2025
Maintainer