Improve Container Scanning error messaging when an image is not found
Summary
When someone uses container scanning and:
- The scanner is Trivy
- The image to be scanned (DOCKER_IMAGE) cannot be found
Then the error message emitted by the scanner is difficult to understand and contains red herrings.
[ERROR] [2021-07-20 15:02:00 +0000] [] ▶ 2021-07-20T15:02:00.738Z FATAL scan error: unable to initialize a scanner: unable to initialize a docker scanner: 3 errors occurred:
* unable to inspect the image (registry.gitlab.com/bwill/container-scanning-test/some-branch-which-does-not-exit:500eeeae44f97568feb254f2141a0603668d03a8): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
* GET https://registry.gitlab.com/v2/bwill/container-scanning-test/some-branch-which-does-not-exit/manifests/500eeeae44f97568feb254f2141a0603668d03a8: MANIFEST_UNKNOWN: manifest unknown; map[Tag:500eeeae44f97568feb254f2141a0603668d03a8]
This error message comes from Trivy's stderr, and it includes multiple errors because Trivy looks for images in multiple locations. There are several problems with it.
- "Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?" is a red herring because the container scanning job does not use the docker daemon
- "unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory" is a red herring because the container scanning job does not use the podman daemon
- "GET https://registry.gitlab.com/v2/bwill/container-scanning-test/some-branch-which-does-not-exit/manifests/500eeeae44f97568feb254f2141a0603668d03a8: MANIFEST_UNKNOWN: manifest unknown; map[Tag:500eeeae44f97568feb254f2141a0603668d03a8]" does provide a hint as to what the issue is, but the corrective action required is left ambiguous to the user
When this error occurs, we should give more helpful instructions to the user and possibly even suppress the Trivy error message.
An example of a better error message would be:
The image "registry.gitlab.com/bwill/container-scanning-test/some-branch-which-does-not-exit:500eeeae44f97568feb254f2141a0603668d03a8" could not be found. To change the image being scanned, use the DOCKER_IMAGE environment variable.
Example Project
https://gitlab.com/bwill/container-scanning-test/-/jobs/1438618178
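One way the proposed handling could work, as an added example in Ruby that is not part of the original issue or the Container Scanning code base. The function names, constants, and the sample stderr (shortened, with a placeholder registry and tag) are constructed for illustration.

```ruby
# Added example: hypothetical helper names, not the analyzer's own code.

# Sub-errors from Trivy probing local daemons that the scanning job never uses.
RED_HERRINGS = [
  /Cannot connect to the Docker daemon/,
  /unable to initialize Podman client/
].freeze

# Registry response meaning the requested tag or digest does not exist.
MANIFEST_UNKNOWN = /MANIFEST_UNKNOWN/

# Split Trivy's multi-error stderr into its "* ..." bullet entries.
def sub_errors(stderr)
  stderr.lines.map(&:strip).select { |l| l.start_with?('* ') }.map { |l| l.delete_prefix('* ') }
end

# Return the message to show the user for a failed scan of `image`.
def friendly_scan_error(stderr, image)
  relevant = sub_errors(stderr).reject { |e| RED_HERRINGS.any? { |re| e.match?(re) } }
  if relevant.any? { |e| e.match?(MANIFEST_UNKNOWN) }
    %(The image "#{image}" could not be found. ) +
      'To change the image being scanned, use the DOCKER_IMAGE environment variable.'
  elsif relevant.empty?
    stderr.strip # nothing recognised: keep Trivy's output so no detail is lost
  else
    relevant.join("\n") # other registry errors pass through, minus the red herrings
  end
end

# Constructed sample input, modelled on the stderr quoted in the issue.
SAMPLE_IMAGE = 'registry.example.com/group/project/missing-branch:0123abcd'
SAMPLE_STDERR = <<~LOG
  FATAL scan error: unable to initialize a scanner: 3 errors occurred:
    * unable to inspect the image (#{SAMPLE_IMAGE}): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
    * unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
    * GET https://registry.example.com/v2/group/project/missing-branch/manifests/0123abcd: MANIFEST_UNKNOWN: manifest unknown; map[Tag:0123abcd]
LOG

puts friendly_scan_error(SAMPLE_STDERR, SAMPLE_IMAGE) if $PROGRAM_NAME == __FILE__
```

Errors other than MANIFEST_UNKNOWN are passed through rather than replaced, so an authentication or network failure is not misreported as a missing image.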