Trivy keeps failing with "database download timeout" but my internet works fine. WTF?

Your internet works for normal browsing, but Trivy needs to download 200MB+ vulnerability databases from GitHub. Corporate proxies, firewalls, or rate limiting can break this even when web browsing works fine. **Quick fix:** ```bash # Test database download directly trivy image --download-db-only # If that fails, your network is the problem # Force offline mode with existing database trivy --skip-db-update image myapp:latest ``` **Corporate network fix:** Configure proxy settings or whitelist GitHub's database URLs. The database downloads come from `github.com/aquasecurity/trivy-db/releases/` - make sure that's not blocked.

My scanner worked yesterday but now every build fails with "resource temporarily unavailable"

BoltDB cache corruption. Multiple build processes tried to access the same cache file and corrupted it. This happens constantly in CI environments. **Nuclear option (always works):** ```bash # Kill any running Trivy processes pkill trivy # Delete the entire cache rm -rf ~/.cache/trivy # Or on CI agents, clear system-wide cache sudo rm -rf /var/lib/trivy-cache ``` **Prevention:** Use separate cache directories for parallel builds: ```bash trivy --cache-dir /tmp/trivy-$BUILD_ID image myapp:latest ```

Scanner shows "UNAUTHORIZED" for my private registry but docker pull works fine

Registry authentication tokens have different scopes and expiration times. Docker Desktop manages this transparently, but CI environments don't. **Debug auth issues:** ```bash # Check if registry credentials work docker pull your-registry.com/myapp:latest # If pull works, check token scope docker inspect your-registry.com/myapp:latest ``` **GitHub Actions fix:** ```yaml - name: Login to registry uses: docker/login-action@v2 with: registry: your-registry.com username: ${{ secrets.REGISTRY_USER }} password: ${{ secrets.REGISTRY_TOKEN }} # THEN run the scanner in the same job ```

Why does my scanner randomly pick the wrong architecture on multi-platform images?

Manifest lists contain multiple architectures. Scanners either pick randomly or scan all platforms and confuse you with duplicate results. **Force specific platform:** ```bash # Scan AMD64 only trivy image --platform linux/amd64 myapp:latest # Scan ARM64 only trivy image --platform linux/arm64 myapp:latest # Don't let it guess ```

My Kubernetes admission controller rejects everything, including system pods. I'm locked out of my cluster

Your webhook is probably configured wrong and blocking critical system components. This is why you start with `warn` mode, not `enforce`. **Emergency cluster recovery:** ```bash # Delete the problematic webhook kubectl delete validatingadmissionwebhook your-scanner-webhook # Or disable it temporarily kubectl patch validatingadmissionwebhook your-scanner-webhook \ --type='merge' -p='{"webhooks":[{"admissionReviewVersions":["v1","v1beta1"],"name":"scanner","failurePolicy":"Ignore"}]}' ``` **Do this next time:** Start with `failurePolicy: Ignore` and monitor logs before switching to `Fail`.

Scanner runs out of memory and gets killed, but I'm only scanning a "small" 500MB image

Image size on disk != memory usage during scanning. That 500MB compressed image becomes 2GB+ uncompressed, plus the scanner needs additional memory for analysis. **Actual memory requirements:** - Small images (<100MB): 2GB RAM minimum - Medium images (500MB): 4-6GB RAM - Large Node.js apps: 8GB+ RAM - Images with lots of layers: Even more **Container memory limits that work:** ```yaml resources: limits: memory: "8Gi" # Yes, really cpu: "2" ```

Scanner finds thousands of vulnerabilities and I'm overwhelmed. How do I know what actually matters?

Most vulnerability reports are garbage - theoretical problems in dependencies you don't use. Focus on what can actually hurt you. **Sane filtering:** ```bash # Only critical and high severity, with fixes available trivy image --severity CRITICAL,HIGH --ignore-unfixed myapp:latest # Skip base image issues you can't fix anyway trivy image --skip-files /usr/lib* myapp:latest ``` **Create a `.trivyignore` file:** ``` # CVEs that don't affect your actual code paths CVE-2019-12345 # gzip vulnerability, we don't compress user data CVE-2020-54321 # database driver issue, we use different ORM ```

GitHub Actions randomly fails with rate limiting errors but I'm not hitting any limits

GitHub Actions shares IP addresses between runners. When other people's builds hit rate limits, yours can fail too. **Workaround:** ```yaml # Add authentication to increase rate limits - name: Run Trivy env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: trivy image myapp:latest ``` **Better solution:** Use GitHub's [built-in security scanning](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security) instead of running your own scanners in Actions.

My scanner hangs forever with no output or error message

Usually networking - the scanner is waiting for a response that never comes. Check if it's actually network timeout by looking at what it's trying to connect to. **Debug hanging scans:** ```bash # Run with maximum verbosity trivy image --debug myapp:latest # Check what network connections it's trying to make strace -e trace=connect trivy image myapp:latest # Set shorter timeouts trivy image --timeout 5m myapp:latest ``` **Common causes:** DNS resolution failures, proxy authentication, firewall blocking outbound connections.

Scanner worked on Ubuntu 20.04 but fails on Alpine Linux with certificate errors

Alpine uses musl libc and different certificate handling. Many scanners expect glibc and standard certificate locations. **Alpine-specific fixes:** ```dockerfile # Install certificates in Alpine RUN apk add --no-cache ca-certificates # Update certificate bundle RUN update-ca-certificates ``` **Or switch to Ubuntu base images** if certificate issues keep causing problems. Alpine's size savings aren't worth the compatibility headaches.

My scanner reports different vulnerabilities each time I run it on the same image

Database updates. Vulnerability databases change multiple times per day, so the same image can have different scan results based on when you run it. **Consistent results for testing:** ```bash # Pin to specific database version trivy image --skip-db-update myapp:latest # Or cache database locally trivy image --cache-backend redis --cache-ttl 24h myapp:latest ``` **In production:** This is normal and expected. New vulnerabilities get discovered constantly.

Jenkins builds started failing after we added security scanning but the error is just "Build step failed"

Jenkins error reporting for container operations sucks. The real error is probably in the Jenkins agent logs or system logs. **Better debugging:** ```bash # Check agent system logs sudo journalctl -u jenkins # Look for OOM kills sudo dmesg | grep -i "killed process" # Check Docker daemon logs sudo journalctl -u docker ``` **Common Jenkins issues:** Insufficient disk space, memory limits, or Docker socket permission problems.

My air-gapped scanner can't update vulnerability databases. Now what?

You need to manually download and serve vulnerability databases locally. This is painful but necessary for air-gapped environments. **Database mirror setup:** ```bash # Download latest database # Note: Trivy DB v1 is deprecated, use current Trivy version's built-in database # For air-gapped environments, see: https://aquasecurity.github.io/trivy/latest/docs/advanced/air-gap/ wget https://github.com/aquasecurity/trivy/releases/download/v0.66.0/trivy_0.66.0_Linux-64bit.tar.gz # Serve locally python3 -m http.server 8080 # Point scanner to local server # Use offline scanning with current Trivy version trivy image --skip-db-update myapp:latest ``` **Automation:** Set up a cron job to download database updates and sync them to your air-gapped environment.

Everything was working fine until we upgraded Docker Desktop and now nothing works

Docker Desktop updates change networking, storage drivers, and sometimes break volume mounts. Scanner cache and database paths can become invalid. **Post-upgrade reset:** ```bash # Clear all scanner caches rm -rf ~/.cache/trivy ~/.local/share/trivy # Reset Docker Desktop docker system prune -a --volumes # Restart Docker Desktop completely ``` **Better approach:** Pin Docker Desktop versions in your team and test upgrades in staging environments first.

Currently viewing the AI version

Switch to human version

Docker Security Scanner Failures: AI-Optimized Knowledge Base

Critical Context and Failure Patterns

Database Update Failures (Primary Cause: 60% of Scanner Failures)

Severity: Critical - Pipeline blocking
Frequency: Multiple times daily during vulnerability database updates

Root Causes:

Vulnerability database downloads (200MB+) timeout through corporate proxies (60-second limits)
GitHub releases API blocked by firewalls
Air-gapped environments cannot reach external database servers
AWS/network outages during database synchronization

Diagnostic Commands:

# Test database download separately
trivy image --download-db-only
# Force offline mode
trivy --skip-db-update image myapp:latest

Resource Requirements:

Network: 200MB+ download bandwidth
Time: 2-5 minutes for database download
Proxy timeout: Must exceed 5 minutes

BoltDB Cache Corruption (Concurrency Killer)

Severity: High - Random build failures
Impact: Spreads through shared storage, affects all concurrent builds

Technical Root Cause: BoltDB designed for single-process access, fails catastrophically with concurrent access
Error Signature: "resource temporarily unavailable", "freelist: X is not a data page"

Prevention Strategy:

# Separate cache directories per build
trivy --cache-dir /tmp/trivy-$BUILD_ID image myapp:latest
# Process-specific isolation
trivy --cache-dir /tmp/trivy-$$ image myapp:latest

Recovery Time: 5 minutes to clear cache, 2 hours to reconfigure CI pipeline

Memory Exhaustion Patterns

Critical Threshold: Scanner memory usage = 4x compressed image size + 2GB overhead

Image Size	Required RAM	Scan Duration	Failure Rate
<100MB	2GB	<5 min	<5%
500MB	4-6GB	10-15 min	15%
1GB+ Node.js	8GB+	20+ min	40%
Multi-GB	16GB+	45+ min	70%

Resource Configuration:

resources:
  limits:
    memory: "8Gi"    # Actually required for production images
    cpu: "2"         # Scanning is CPU intensive
  requests:
    memory: "4Gi"    # Minimum viable allocation

Production Deployment Requirements

Network Configuration

Corporate Environment Prerequisites:

Whitelist: github.com/aquasecurity/trivy-db/releases/
Proxy timeout: >300 seconds
Certificate chain: Include corporate CA certificates

Air-Gapped Setup Complexity:

Initial setup: 1-2 days
Ongoing maintenance: Weekly database updates
Required expertise: Network administration, HTTP server management

Kubernetes Admission Controller Death Loop Prevention

Critical Failure Mode: Admission controller rejects its own pods, creating unrecoverable state

Emergency Recovery Commands:

# Nuclear option - delete webhook entirely
kubectl delete validatingadmissionwebhook container-security-webhook
# Temporary disable
kubectl patch validatingadmissionwebhook container-security-webhook \
  --type='json' \
  -p='[{"op": "replace", "path": "/webhooks/0/failurePolicy", "value": "Ignore"}]'

Deployment Protocol:

Start with failurePolicy: Ignore
Monitor for 24-48 hours
Switch to failurePolicy: Fail only after validation

Multi-Architecture Platform Confusion

Problem: Scanners randomly select platform from manifest lists
Impact: Wrong architecture scanned, inconsistent results

Solution Commands:

# Force specific platform scanning
trivy image --platform linux/amd64 myapp:latest
trivy image --platform linux/arm64 myapp:latest

Resource Requirements and Scaling Limits

Concurrent Scanning Limits

Single Scanner Instance:

Maximum concurrent scans: 4-8 (depends on image sizes)
Memory per concurrent scan: 2-8GB
Network bandwidth: 50-100Mbps for database updates

Scaling Thresholds:

<50 images: Single scanner instance sufficient
50-500 images: Requires distributed scanning or batching
500+ images: Must implement queue-based processing

Registry Authentication Scope Issues

Problem: Scanner authentication tokens have different scopes than Docker CLI
Diagnostic: docker pull works, scanner shows "UNAUTHORIZED"

Resolution Pattern:

# GitHub Actions fix
- name: Login to registry
  uses: docker/login-action@v2
  with:
    registry: your-registry.com
    username: ${{ secrets.REGISTRY_USER }}
    password: ${{ secrets.REGISTRY_TOKEN }}
# Scanner must run in same job after login

Emergency Debugging Procedures

3AM Failure Response Matrix

Error Pattern	Immediate Diagnostic	5-Minute Fix	Root Cause Resolution
"context deadline exceeded"	`trivy image --download-db-only`	`trivy --skip-db-update`	Configure proxy/firewall
"resource temporarily unavailable"	`pkill trivy`	`rm -rf ~/.cache/trivy`	Separate cache directories
"UNAUTHORIZED" registry	`docker pull <image>`	Re-authenticate to registry	Update scanner credentials
Scanner OOM killed	Check `dmesg` for kills	Increase memory limits	Right-size scanner resources
Admission webhook loop	Check pod events	Delete webhook	Set failurePolicy: Ignore

Critical Diagnostic Commands

# Test connectivity separately
trivy image --download-db-only

# Check resource usage
docker stats <scanner-container>

# Verify authentication
docker pull <private-image>

# Debug network issues
strace -e trace=connect trivy image <image>

# Check for OOM kills
sudo dmesg | grep -i "killed process"

Vulnerability Result Filtering (Operational Priority)

Signal vs Noise Ratio

Reality: Average Node.js application reports 800+ vulnerabilities
Actionable: <10 vulnerabilities typically require immediate attention

Effective Filtering Strategy:

# Only actionable issues
trivy image --severity CRITICAL,HIGH --ignore-unfixed myapp:latest
# Exclude base image issues you cannot control
trivy image --skip-files /usr/lib* myapp:latest

Vulnerability Triage Matrix

Severity	CVSS Score	Exploitability	Response Time	Action Required
Critical	9.0-10.0	Public exploit exists	<24 hours	Immediate patching
High	7.0-8.9	Theoretical/limited	<1 week	Planned remediation
Medium	4.0-6.9	Research required	<1 month	Risk assessment
Low	0.1-3.9	Unlikely	Next cycle	Backlog consideration

Configuration Templates

Production-Ready Scanner Configuration

apiVersion: v1
kind: ConfigMap
metadata:
  name: trivy-config
data:
  config.yaml: |
    cache:
      redis:
        addr: "redis:6379"
        ttl: 24h
    db:
      skip-update: false
      download-timeout: 10m
    vulnerability:
      severity: ["CRITICAL", "HIGH"]
      ignore-unfixed: true
    format: json
    timeout: 30m

Air-Gapped Database Mirror Setup

# Download database (internet-connected machine)
wget https://github.com/aquasecurity/trivy/releases/download/v0.66.0/trivy_0.66.0_Linux-64bit.tar.gz

# Transfer to air-gapped environment
scp trivy-offline.db.tar.gz airgapped-host:/opt/trivy/

# Serve locally
cd /opt/trivy && python3 -m http.server 8080 &

# Configure scanner
export TRIVY_DB_REPOSITORY=http://localhost:8080/trivy-db
trivy image --skip-update myapp:latest

Critical Decision Points

Scanner Selection Criteria

Trivy:

Best for CI/CD integration
Excellent community support
Higher memory usage for large images
BoltDB concurrency issues

Grype:

Better performance on large images
More stable concurrent processing
Limited Kubernetes integration
Fewer vulnerability sources

Docker Scout:

Native Docker integration
Commercial support available
Requires Docker Desktop or license
Limited air-gap support

When to Abandon Scanner Implementation

Red Flags:

Setup takes >2 weeks (indicates fundamental compatibility issues)
Memory requirements exceed available infrastructure by 2x
Air-gap database updates require manual intervention >weekly
False positive rate exceeds 80% (too much noise to be useful)
Concurrent build failures occur >20% of the time

Cost-Benefit Analysis

Implementation Costs:

Initial setup: 40-80 hours engineering time
Infrastructure: 4-8GB RAM per scanner instance
Ongoing maintenance: 4-8 hours per week
Incident response: 2-6 hours per major failure

Break-Even Point: 100+ containers scanned regularly
ROI Negative: <25 containers or infrequent scanning

Essential Recovery Resources

Critical Links for Production Failures

Trivy Troubleshooting: https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/
BoltDB Concurrency Issues: https://github.com/etcd-io/bbolt/issues/98
Kubernetes Admission Recovery: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
Container Platform Issues: https://github.com/aquasecurity/trivy/discussions/7847
Air-Gap Setup Guide: https://aquasecurity.github.io/trivy/latest/docs/advanced/air-gap/

Emergency Contact Matrix

Database Issues: Check GitHub status, Trivy community Slack
Kubernetes Problems: Platform team, admission controller documentation
Network/Proxy: Infrastructure team, corporate firewall logs
Memory/Resource: Container platform team, resource monitoring dashboards

Success Metrics and Monitoring

Key Performance Indicators

Scan Success Rate: >95% (below 90% indicates systematic issues)
Average Scan Duration: <5 minutes for typical images
False Positive Rate: <30% (higher rates indicate poor filtering)
Time to Resolution: <2 hours for critical vulnerabilities

Essential Monitoring Alerts

# Scanner failure rate
alert: ScannerFailureRate
expr: (scanner_failed_scans / scanner_total_scans) > 0.1
severity: warning

# Memory usage trending
alert: ScannerMemoryExhaustion
expr: scanner_memory_usage > 0.8
severity: critical

# Database update failures
alert: DatabaseUpdateFailure
expr: scanner_db_update_failed > 0
severity: warning

Operational Intelligence: Security scanners work well for demos but require significant operational expertise for production deployment. Budget 3-5x vendor estimates for implementation time and ongoing maintenance overhead. The scanning technology is mature, but production reliability requires deep understanding of failure modes and resource requirements.

Useful Links for Further Investigation

Essential Links for 3AM Scanner Debugging - The Bookmarks That Actually Help

Link	Description
Trivy Troubleshooting Guide	The only official troubleshooting doc that doesn't suck. Real error messages, actual solutions. Start here when Trivy breaks.
BoltDB Concurrency Issues on GitHub	Why your scanner cache keeps getting corrupted. Read this to understand why parallel builds break BoltDB and what to do about it.
Docker Multi-Platform Build Support	Platform selection problems with manifest lists. Essential reading if you build for multiple architectures.
Kubernetes Admission Controller Recovery	How to not lock yourself out of your cluster. Explains failurePolicy settings that prevent death loops.
Trivy GitHub Issues	Active community, maintainers respond quickly. Search here before filing new issues - someone else probably hit your problem.
Grype Issues	Anchore's scanner issues and fixes. Less active than Trivy but still useful for specific problems.
Docker Scout Documentation	Official Docker Scout documentation. Covers installation, usage, and common integration issues.
Snyk Support and Documentation	Commercial support portal. Requires account but has solutions for enterprise deployment issues.
Corporate Proxy Configuration Guide	Docker proxy settings that actually work. Essential for corporate environments where everything's behind a proxy.
Air-Gapped Scanner Setup	Offline database mirroring and configuration. The only complete guide for secure environments.
Container Registry Authentication	Registry credential debugging. When your scanner can't authenticate but docker pull works fine.
GitHub Actions Rate Limiting	Why your Actions randomly fail. Explains shared IP rate limiting that affects scanner database downloads.
Container Security Admission Controllers	Working Kubernetes webhook examples. Real YAML that won't lock you out of your cluster.
Scanner Resource Requirements	Memory and CPU needs for different image sizes. Use this to size your scanner infrastructure properly.
Monitoring Scanner Health	How to monitor scanner performance. Set up alerts before your scanners start failing silently.
Emergency Bypass Procedures	Disable security scanning when it breaks production. Have this ready before you need it.
CVE Details Database	Research if vulnerabilities actually matter. Check CVSS scores and exploit availability before panicking.
National Vulnerability Database	Official CVE source. Slow but authoritative for vulnerability details.
Exploit Database	Check if working exploits exist. Most CVEs don't have public exploits - focus on ones that do.
Common Vulnerabilities Scoring System	CVSS calculator to understand severity scores. Learn what "Critical" actually means in context.
Trivy Database Releases	Download offline databases. Essential for air-gapped environments and consistent testing.
Alpine Package Database	Check Alpine package vulnerabilities. Useful when base image upgrades might fix issues.
Ubuntu Security Notices	Ubuntu CVE announcements and fixes. Track when base image updates include security fixes.
Red Hat Security Data	RHEL/CentOS security updates. Enterprise environment vulnerability tracking.
Scanner CI/CD Integration Examples	Working GitHub Actions configurations. Copy these instead of writing from scratch.
Jenkins Security Scanning Pipeline	Jenkins plugin configuration. Enterprise CI integration examples that work.
GitLab Container Scanning	Built-in GitLab scanning setup. Uses Trivy under the hood with better error handling.
Docker Compose Scanner Setup	Local development scanning. Test your scanner configuration before deploying to production.
Container Image Analysis Tools	Dive into image layers to understand what's being scanned. Useful for optimizing images and understanding scanner behavior.
Docker System Information	System diagnostics when everything's broken. `docker system df` and `docker system prune` are lifesavers.
Kubernetes Debugging Commands	Debug scanner pods and admission controllers. Essential kubectl commands for troubleshooting.
Network Debugging in Containers	Network troubleshooting container. Deploy this to debug connectivity issues in Kubernetes.
Container Security Best Practices	Official Docker security guide. Good background reading on why scanning matters.
NIST Container Security Guidelines	Government security standards. What compliance audits actually require.
CIS Docker Benchmark	Security configuration standards. Industry benchmarks for container hardening.
OWASP Container Security Cheat Sheet	Practical security checklist. Focus on actionable items, not theory.

Docker Security Scanner Failures: AI-Optimized Knowledge Base

Critical Context and Failure Patterns

Database Update Failures (Primary Cause: 60% of Scanner Failures)

BoltDB Cache Corruption (Concurrency Killer)

Memory Exhaustion Patterns

Production Deployment Requirements

Network Configuration

Kubernetes Admission Controller Death Loop Prevention

Multi-Architecture Platform Confusion

Resource Requirements and Scaling Limits

Concurrent Scanning Limits

Registry Authentication Scope Issues

Emergency Debugging Procedures

3AM Failure Response Matrix

Critical Diagnostic Commands

Vulnerability Result Filtering (Operational Priority)

Signal vs Noise Ratio

Vulnerability Triage Matrix

Configuration Templates

Production-Ready Scanner Configuration

Air-Gapped Database Mirror Setup

Critical Decision Points

Scanner Selection Criteria

When to Abandon Scanner Implementation

Cost-Benefit Analysis

Essential Recovery Resources

Critical Links for Production Failures

Emergency Contact Matrix

Success Metrics and Monitoring

Key Performance Indicators

Essential Monitoring Alerts

Useful Links for Further Investigation

Essential Links for 3AM Scanner Debugging - The Bookmarks That Actually Help

Related Tools & Recommendations

Snyk + Trivy + Prisma Cloud: Stop Your Security Tools From Fighting Each Other

Container Security Tools: Which Ones Don't Suck?

Making Pulumi, Kubernetes, Helm, and GitOps Actually Work Together

Fix Snyk Authentication Nightmares That Kill Your Deployments

Jenkins + Docker + Kubernetes: How to Deploy Without Breaking Production (Usually)

Jenkins Production Deployment - From Dev to Bulletproof

Jenkins - The CI/CD Server That Won't Die

GitHub Actions Alternatives for Security & Compliance Teams

Tired of GitHub Actions Eating Your Budget? Here's Where Teams Are Actually Going

GitHub Actions is Fine for Open Source Projects, But Try Explaining to an Auditor Why Your CI/CD Platform Was Built for Hobby Projects

CrashLoopBackOff Exit Code 1: When Your App Works Locally But Kubernetes Hates It

Temporal + Kubernetes + Redis: The Only Microservices Stack That Doesn't Hate You

Docker Desktop Alternatives That Don't Suck

Docker Swarm - Container Orchestration That Actually Works

Docker Security Scanner Performance Optimization - Stop Waiting Forever

GitLab CI/CD - The Platform That Does Everything (Usually)

Aqua Security - Container Security That Actually Works

Aqua Security Production Troubleshooting - When Things Break at 3AM

Twistlock vs Aqua Security vs Snyk Container - Which One Won't Bankrupt You?

Sysdig - Security Tools That Actually Watch What's Running