Scanning JSON packages and private repositories

[DesNotMe]

Question

Having trouble when trying to scan my organisation's repositories even after adding in the GITLAB token. Additionally how do I scan the JSON packages, if I do not have lock file...how do I create one?

repo scan error: scan error: unable to initialize a scanner: unable to initialize a repository scanner: 2 errors occurred:
* no such path: stat {folder}: no such file or directory
* repository clone error: git clone error: authentication required

Target

Git Repository

Scanner

Vulnerability

Output Format

None

Mode

None

Operating System

macos Sonoma

Version

Version: 0.58.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-01-08 00:19:48.716592421 +0000 UTC
  NextUpdate: 2025-01-09 00:19:48.71659204 +0000 UTC
  DownloadedAt: 2025-01-08 05:59:18.214365 +0000 UTC
Check Bundle:
  Digest: sha256:f6901e03f486a48f47aa17a78d89d18e6c31ded82aff83ed19d0d73935a1a059
  DownloadedAt: 2025-01-08 07:57:09.964057 +0000 UTC

[nikpivkin]

Hi @DesNotMe !

Can you run Trivy with the --debug flag and show the logs? It would help for investigation.

[DesNotMe]

trivy fs -d --include-dev-deps /username/DVNA
2025-01-09T16:39:21+08:00	DEBUG	No plugins loaded
2025-01-09T16:39:21+08:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-01-09T16:39:21+08:00	DEBUG	Cache dir	dir="/Users/userename/Library/Caches/trivy"
2025-01-09T16:39:21+08:00	DEBUG	Cache dir	dir="/Users/username/Library/Caches/trivy"
2025-01-09T16:39:21+08:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-01-09T16:39:21+08:00	DEBUG	Ignore statuses	statuses=[]
2025-01-09T16:39:21+08:00	DEBUG	DB update was skipped because the local DB is the latest
2025-01-09T16:39:21+08:00	DEBUG	DB info	schema=2 updated_at=2025-01-09T06:18:08.467411912Z next_update=2025-01-10T06:18:08.467411532Z downloaded_at=2025-01-09T08:36:29.79495Z
2025-01-09T16:39:21+08:00	DEBUG	[pkg] Package types	types=[os library]
2025-01-09T16:39:21+08:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-01-09T16:39:21+08:00	INFO	[vuln] Vulnerability scanning is enabled
2025-01-09T16:39:21+08:00	INFO	[secret] Secret scanning is enabled
2025-01-09T16:39:21+08:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-09T16:39:21+08:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2025-01-09T16:39:21+08:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-01-09T16:39:21+08:00	DEBUG	Initializing scan cache...	type="memory"
2025-01-09T16:39:21+08:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-01-09T16:39:21+08:00	DEBUG	Skipping path	path=".git"
2025-01-09T16:39:21+08:00	DEBUG	OS is not detected.
2025-01-09T16:39:21+08:00	DEBUG	Detected OS: unknown
2025-01-09T16:39:21+08:00	INFO	Number of language-specific files	num=0
2025-01-09T16:39:21+08:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-01-09T16:39:21+08:00	DEBUG	[vex] VEX filtering is disabled

above error given when I try to scan a JSON file system

trivy repo -d  https://gitlab.com/{company}/dvna-4
2025-01-09T16:41:27+08:00	DEBUG	No plugins loaded
2025-01-09T16:41:27+08:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-01-09T16:41:27+08:00	DEBUG	Cache dir	dir="/Users/username/Library/Caches/trivy"
2025-01-09T16:41:27+08:00	DEBUG	Cache dir	dir="/Users/username/Library/Caches/trivy"
2025-01-09T16:41:27+08:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-01-09T16:41:27+08:00	DEBUG	Ignore statuses	statuses=[]
2025-01-09T16:41:27+08:00	DEBUG	DB update was skipped because the local DB is the latest
2025-01-09T16:41:27+08:00	DEBUG	DB info	schema=2 updated_at=2025-01-09T06:18:08.467411912Z next_update=2025-01-10T06:18:08.467411532Z downloaded_at=2025-01-09T08:36:29.79495Z
2025-01-09T16:41:27+08:00	DEBUG	[pkg] Package types	types=[library]
2025-01-09T16:41:27+08:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-01-09T16:41:27+08:00	INFO	[vuln] Vulnerability scanning is enabled
2025-01-09T16:41:27+08:00	INFO	[secret] Secret scanning is enabled
2025-01-09T16:41:27+08:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-09T16:41:27+08:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2025-01-09T16:41:27+08:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-01-09T16:41:27+08:00	DEBUG	Initializing scan cache...	type="memory"
2025-01-09T16:41:29+08:00	FATAL	Fatal error
  - repo scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:387
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:261
  - unable to initialize a scanner:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:616
  - unable to initialize a repository scanner:
    github.com/aquasecurity/trivy/pkg/commands/artifact.repositoryStandaloneScanner
        github.com/aquasecurity/trivy/pkg/commands/artifact/scanner.go:76
  - 2 errors occurred:
	* no such path: stat https://gitlab.com/{company}/dvna-4: no such file or directory
	* repository clone error: git clone error: authentication required

above is the error when i tried to scan a private repo remotely.

[nikpivkin]

Thanks. I don't see an error in the first output. As for the second output, scanning private repositories requires authentication, see the documentation https://trivy.dev/latest/docs/target/repository/#scanning-private-repositories.

[DesNotMe]

thank you for the reply. As for the first output, although there is no error, I can't seem to get a vulneraility result. As for the second result I did export my gitlab token/pat before that command.