Parallel scans / read-only database

[skandragon]

Description

I'm needing to scan a large number of images frequently, and want to do this in parallel as much as possible. While I could use a pile of database directories, it seems like overkill to copy an existing database before every image scan.

What I would like:

• When database updates are disabled during an image scan, open the database in read-only mode, which will prevent single-opener locking.
• Same for java database.
• Add the ability to override the cache filesystem location without changing the location for the other (now read-only) databases. I could also choose to use Redis here, but that adds another dependency which I may not otherwise need.

Target

Container Image

Scanner

Vulnerability

[jackarch-2]

I'm looking to do the same thing. This was the recipe I was using;

cat images.txt \
    | parallel --jobs 0 \
        'docker run --volume /var/run/docker.sock:/var/run/docker.sock \
            --volume trivy-db-cache:/root/.cache \
            aquasec/trivy \
                --scanners vuln \
                --format json image {} \
            2> trivy_logs/{#}.log \
            | jq --compact-output . \
            > trivy_out/{#}.json' \

In reality, images.txt comes from a pipe that scans my codebase for the set of public base-images we use.

About 40% of the time, I was encountering this error message when trying to do this:

run error: init error: DB error: error in vulnerability DB initialize: vulnerability database may be in use by another process: timeout