Container Scanning appears broken on self-hosted
When using Auto DevOps on a self-hosted Omnibus install of GitLab (17.2.2), I'm finding that container scanning returns errors.
I've used the container scanning tutorial from the docs to demonstrate this as a simple test:
```
$ gtcs scan
[INFO] [2024-08-14 16:22:18 +0000] [container-scanning] > Remediation is disabled; /builds/myuser/container-scanning-test/Dockerfile cannot be found. Have you set `GIT_STRATEGY` and `CS_DOCKERFILE_PATH`?
See https://docs.gitlab.com/ee/user/application_security/container_scanning/#solutions-for-vulnerabilities-auto-remediation
[INFO] [2024-08-14 16:22:20 +0000] [container-scanning] > Scanning container from registry registry.masked-domain.com/myuser/container-scanning-test/main:ef1c456f4a790bad2eb147d9e9c2f2c50c553f36 for vulnerabilities with severity level UNKNOWN or higher, with gcs 7.3.5 and Trivy unknown, advisories updated at unknown
[ERROR] [2024-08-14 16:22:20 +0000] [container-scanning] > Scanner has not created a file with results (tmp.json)
[INFO] [2024-08-14 16:22:20 +0000] [container-scanning] > Scan failed. Use `SECURE_LOG_LEVEL=debug` to see more details.
[ERROR] [2024-08-14 16:22:20 +0000] [container-scanning] > 2024-08-14T16:22:20Z INFO Adding schema version to the Java DB repository for backward compatibility repository="ghcr.io/aquasecurity/trivy-java-db:1"
2024-08-14T16:22:20Z ERROR The first run cannot skip downloading DB
2024-08-14T16:22:20Z FATAL Fatal error init error: DB error: database error: --skip-update cannot be specified on the first run
[INFO] [2024-08-14 16:22:21 +0000] [container-scanning] > Scanning container from registry registry.masked-domain.com/myuser/container-scanning-test/main:ef1c456f4a790bad2eb147d9e9c2f2c50c553f36 for vulnerabilities with severity level UNKNOWN or higher, with gcs 7.3.5 and Trivy unknown, advisories updated at unknown
Uploading artifacts for failed job
```
However, I've used the same tutorial on gitlab.com to test whether it was the environment or not, and I get a successful run:
```
$ gtcs scan
[INFO] [2024-08-14 16:21:02 +0000] [container-scanning] > Remediation is disabled; /builds/myuser/container-scanning-test-project/Dockerfile cannot be found. Have you set `GIT_STRATEGY` and `CS_DOCKERFILE_PATH`?
See https://docs.gitlab.com/ee/user/application_security/container_scanning/#solutions-for-vulnerabilities-auto-remediation
[INFO] [2024-08-14 16:21:03 +0000] [container-scanning] > Scanning container from registry registry.gitlab.com/myuser/container-scanning-test-project/main:925b49f3c3f97ed55fad1ec5df13055fe91f2e87 for vulnerabilities with severity level UNKNOWN or higher, with gcs 7.3.5 and Trivy Version: 0.52.1, advisories updated at 2024-08-14T12:13:03+00:00
[INFO] [2024-08-14 16:21:05 +0000] [container-scanning] > Scanning container from registry registry.gitlab.com/myuser/container-scanning-test-project/main:925b49f3c3f97ed55fad1ec5df13055fe91f2e87 for vulnerabilities with severity level UNKNOWN or higher, with gcs 7.3.5 and Trivy Version: 0.52.1, advisories updated at 2024-08-14T12:13:03+00:00
Uploading artifacts for successful job
```
I'm not entirely sure what's going wrong, but it appears there's no Trivy DB available on the self-hosted instance.
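As an added example (not code from the original post, and not part of GitLab's or Trivy's own tooling), here is a small shell triage script that reads a captured container-scanning job log and decides whether Trivy actually had an advisory database when it ran. It keys on the two signals visible in the logs above: the `Trivy unknown, advisories updated at unknown` banner and the `--skip-update cannot be specified on the first run` fatal error. The sample logs are constructed copies of the two runs quoted in the post, and the function names (`cs_db_status`, `cs_trivy_version`, `cs_advisory_timestamp`, `cs_require_db`) are my own.

```shell
#!/usr/bin/env bash
# Triage a GitLab container-scanning (gtcs) job log: did Trivy have a usable
# vulnerability DB? Function names and sample logs are constructed for this
# example; they are not part of the gtcs analyzer.

# Constructed sample: the failing self-hosted run quoted in the post.
CS_SAMPLE_FAIL="$(mktemp)"
cat >"$CS_SAMPLE_FAIL" <<'EOF'
[INFO] [2024-08-14 16:22:20 +0000] [container-scanning] > Scanning container from registry registry.masked-domain.com/myuser/container-scanning-test/main:ef1c456f4a790bad2eb147d9e9c2f2c50c553f36 for vulnerabilities with severity level UNKNOWN or higher, with gcs 7.3.5 and Trivy unknown, advisories updated at unknown
[ERROR] [2024-08-14 16:22:20 +0000] [container-scanning] > Scanner has not created a file with results (tmp.json)
[INFO] [2024-08-14 16:22:20 +0000] [container-scanning] > Scan failed. Use `SECURE_LOG_LEVEL=debug` to see more details.
2024-08-14T16:22:20Z ERROR The first run cannot skip downloading DB
2024-08-14T16:22:20Z FATAL Fatal error init error: DB error: database error: --skip-update cannot be specified on the first run
EOF

# Constructed sample: the successful gitlab.com run quoted in the post.
CS_SAMPLE_OK="$(mktemp)"
cat >"$CS_SAMPLE_OK" <<'EOF'
[INFO] [2024-08-14 16:21:03 +0000] [container-scanning] > Scanning container from registry registry.gitlab.com/myuser/container-scanning-test-project/main:925b49f3c3f97ed55fad1ec5df13055fe91f2e87 for vulnerabilities with severity level UNKNOWN or higher, with gcs 7.3.5 and Trivy Version: 0.52.1, advisories updated at 2024-08-14T12:13:03+00:00
EOF

# cs_trivy_version LOG: the Trivy version the analyzer banner reports.
# Prints "unknown" when the banner says "Trivy unknown" (no DB / no metadata).
cs_trivy_version() {
  sed -n 's/.*with gcs [^ ]* and Trivy \(Version: \)\{0,1\}\([^,]*\),.*/\2/p' "$1" | head -n1
}

# cs_advisory_timestamp LOG: the "advisories updated at" value, or "unknown".
cs_advisory_timestamp() {
  sed -n 's/.*advisories updated at \([^ ]*\).*/\1/p' "$1" | head -n1
}

# cs_db_status LOG: classify the run. Always exits 0 so it is safe to use in
# command substitution under `set -e`.
#   no-db   : DB init failed on first run, or the banner reports no advisories
#   ok      : banner carries a real advisory timestamp
#   unknown : neither signal present (log truncated, different analyzer, ...)
cs_db_status() {
  if grep -q -e 'skip-update cannot be specified on the first run' \
             -e 'advisories updated at unknown' "$1"; then
    echo no-db
  elif grep -q 'advisories updated at [0-9]' "$1"; then
    echo ok
  else
    echo unknown
  fi
}

# cs_require_db LOG: CI gate. Returns non-zero unless the scan ran with a DB,
# so a "green" job cannot hide a scan that found nothing because it had no
# advisories to compare against.
cs_require_db() {
  local status
  status="$(cs_db_status "$1")"
  if [ "$status" != "ok" ]; then
    echo "container scanning ran without a usable Trivy DB (status: $status);" \
         "check that the runner can reach the advisory DB registry" \
         "(ghcr.io/aquasecurity in the log) and rerun with SECURE_LOG_LEVEL=debug" >&2
    return 1
  fi
  echo "container scanning used Trivy $(cs_trivy_version "$1")," \
       "advisories from $(cs_advisory_timestamp "$1")"
}

# Demonstration on the two constructed samples.
echo "self-hosted sample: $(cs_db_status "$CS_SAMPLE_FAIL")"
echo "gitlab.com sample:  $(cs_db_status "$CS_SAMPLE_OK")"
```

To use it on a real job, capture the analyzer output (for example `gtcs scan 2>&1 | tee scan.log`, assuming your job can run the analyzer that way) and call `cs_require_db scan.log` as a later step. The point of the gate is that the failing run above is loud, but a scanner that silently loads a stale or empty DB would report zero findings and pass; checking the advisory timestamp turns "no DB" into a visible job failure rather than a false clean result.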