Recently, Trivy scans got much slower than they used to be and started routinely needing a 30+ minute timeout. I'm trying to make it easier to reproduce that regression since it's the big problem, but one thing I noticed is that the output doesn't really give you anything useful for understanding what you could change to make the scanning process go faster – e.g. is it CPU-bound, network transfer, local filesystem I/O, or something else?
cadams@hostname ~> trivy image --timeout=30s git.example.org:4567/project/service/development:latest
2023-05-23T16:41:25.982-0400 INFO Vulnerability scanning is enabled
2023-05-23T16:41:25.982-0400 INFO Secret scanning is enabled
2023-05-23T16:41:25.982-0400 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-23T16:41:25.982-0400 INFO Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-23T16:41:55.971-0400 WARN Increase --timeout value
2023-05-23T16:41:55.971-0400 FATAL image scan error: scan error: scan failed: failed analysis: analyze error: timeout: context deadline exceeded
Debug mode shows you the layer IDs but still doesn't explain what took so long:
cadams@hostname ~]> trivy image --scanners=vuln git.example.org:4567/project/service/development:latest -d
2023-05-23T16:22:35.253-0400 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-05-23T16:22:35.265-0400 DEBUG cache dir: /Users/cadams/Library/Caches/trivy
2023-05-23T16:22:35.266-0400 DEBUG DB update was skipped because the local DB is the latest
2023-05-23T16:22:35.266-0400 DEBUG DB Schema: 2, UpdatedAt: 2023-05-23 18:07:51.704636484 +0000 UTC, NextUpdate: 2023-05-24 00:07:51.704635684 +0000 UTC, DownloadedAt: 2023-05-23 18:10:01.698953 +0000 UTC
2023-05-23T16:22:35.266-0400 INFO Vulnerability scanning is enabled
2023-05-23T16:22:35.266-0400 DEBUG Vulnerability type: [os library]
2023-05-23T16:22:36.245-0400 DEBUG Image ID: sha256:02385c8f4b5919c0c62c0f375060ab1f9cc01e006bbe3e30d54e3c196d6cf080
2023-05-23T16:22:36.246-0400 DEBUG Diff IDs: [sha256:bda2149b6580f66ff0db64364a3fc49eb8b6844c36703ef1cb1bf997e33def74 sha256:1dba4fd9a4a5467a0e03b21f11fcb407537b959332e691e562e7ae3003f8417e sha256:d04036cb75467f8dfb4a5162547d8b4ab4bcab3d7396fe3b4ec59b08ffec3cb7 sha256:939228fe16eac0b66231c441b5d811ae07e8cb4e2c0906016a059b08e27384aa sha256:8bca5507455216c279172e802cfea48acfb017385a59deb3b68be3cbcee1e935 sha256:fce076696b5eda26e5106402b38990da5aa4e07d390e08ee92715fca527e52a2 sha256:b4f2d95e20d8e008a116cf11e706050cadd5ce7284603c48af2109349c663b40 sha256:0bf31fdb039e4bb965af5aa3a60c07c4560fd46ef49f3d92149704a7ea88eacd sha256:89830f4160096aeb4e9b9cc902c6d2d1794014aef4268be2745fda06265231a9 sha256:622cf8742ff8f71b9bee83edaf5e6a6494e0de09ff29388090d718ec48d0a48d sha256:0a8aff5c3d700eaaddad95c9e9c6096a6c88828ce94aa8ccf2b495809f71d302 sha256:695aa85494523bc4358a18068297e5614336ed21b8661c9c279a0a903b4fb5fb sha256:11d426ab245f97bf489951d5838b25a290b65ce653e90ea2a5737b7aeb0bd61c sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:6083dff47606e5cb107de040eb8ef3a147670342697cfd40acf50e50692ee011]
2023-05-23T16:22:36.246-0400 DEBUG Base Layers: []
2023-05-23T16:22:36.253-0400 DEBUG Missing image ID in cache: sha256:02385c8f4b5919c0c62c0f375060ab1f9cc01e006bbe3e30d54e3c196d6cf080
2023-05-23T16:22:36.253-0400 DEBUG Missing diff ID in cache: sha256:6083dff47606e5cb107de040eb8ef3a147670342697cfd40acf50e50692ee011
2023-05-23T16:27:35.270-0400 WARN Increase --timeout value
2023-05-23T16:27:35.270-0400 FATAL image scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:432
- scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:267
- scan failed:
github.com/aquasecurity/trivy/pkg/commands/artifact.scan
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:690
- failed analysis:
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
github.com/aquasecurity/trivy/pkg/scanner/scan.go:146
- analyze error:
github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.Inspect
github.com/aquasecurity/trivy/pkg/fanal/artifact/image/image.go:140
- timeout:
github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect
github.com/aquasecurity/trivy/pkg/fanal/artifact/image/image.go:262
- context deadline exceeded
Label: kind/feature (Categorizes issue or PR as related to a new feature.)
Target: Container Image
Scanner: None
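Until the scanner reports per-phase timing itself, the timestamps in the debug output are the only timing signal available. The following is an added example, not part of the original post or of Trivy: it ranks the gaps between consecutive timestamped lines, using lines copied from the debug run above. The function names `parse` and `slowest_gaps` are hypothetical helpers.

```python
import re
from datetime import datetime

# Lines copied from the debug run in the post (the long Diff IDs line is left out).
SAMPLE_LOG = """\
2023-05-23T16:22:35.266-0400 INFO Vulnerability scanning is enabled
2023-05-23T16:22:35.266-0400 DEBUG Vulnerability type: [os library]
2023-05-23T16:22:36.245-0400 DEBUG Image ID: sha256:02385c8f4b5919c0c62c0f375060ab1f9cc01e006bbe3e30d54e3c196d6cf080
2023-05-23T16:22:36.246-0400 DEBUG Base Layers: []
2023-05-23T16:22:36.253-0400 DEBUG Missing image ID in cache: sha256:02385c8f4b5919c0c62c0f375060ab1f9cc01e006bbe3e30d54e3c196d6cf080
2023-05-23T16:22:36.253-0400 DEBUG Missing diff ID in cache: sha256:6083dff47606e5cb107de040eb8ef3a147670342697cfd40acf50e50692ee011
2023-05-23T16:27:35.270-0400 WARN Increase --timeout value
2023-05-23T16:27:35.270-0400 FATAL image scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
"""

# Timestamp with millisecond precision and numeric UTC offset, then level, then message.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4})\s+(\w+)\s+(.*)$"
)


def parse(log_text):
    """Return (timestamp, level, message) per timestamped line.

    Stack-trace continuation lines carry no timestamp and are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f%z")
            events.append((ts, m.group(2), m.group(3)))
    return events


def slowest_gaps(log_text, top=3):
    """Rank gaps between consecutive lines: (seconds, message before, message after)."""
    events = parse(log_text)
    gaps = [((b[0] - a[0]).total_seconds(), a[2], b[2])
            for a, b in zip(events, events[1:])]
    return sorted(gaps, key=lambda g: g[0], reverse=True)[:top]


if __name__ == "__main__":
    for seconds, before, after in slowest_gaps(SAMPLE_LOG):
        print(f"{seconds:9.3f}s  after: {before[:60]}")
        print(f"{'':11} until: {after[:60]}")
```

On this log the largest gap starts at the "Missing diff ID in cache" line and ends at the timeout warning, which places the time in the analysis of the uncached layer but still cannot say whether that time was CPU, network or disk.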