Image scanning fails with “DB error: failed to download vulnerability DB” for all Harbor images in an air-gapped environment.


Article ID: 418338


Products

VMware vSphere Kubernetes Service

Issue/Introduction

Image scanning for all images from Harbor is failing with the following error in an air-gapped setup:

INFO [vulndb] Need to update DB
INFO [vulndb] Downloading vulnerability DB...
INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2"
FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error:
failed to download vulnerability DB: failed to download artifact from mirror.gcr.io/aquasec/trivy-db:2:
OCI repository error: 2 errors occurred:
 * Get "https://mirror.gcr.io/v2/": dial tcp: lookup mirror.gcr.io on <masked-dns-ip>:53: server misbehaving
 * Get "https://mirror.gcr.io/v2/": dial tcp: lookup mirror.gcr.io on <masked-dns-ip>:53: server misbehaving
: general response handler: unexpected status code: 500, expected: 200

Environment

VMware vCenter Server 8.0.x

vSphere with Tanzu 8.0.x

Cause

As the environment is air-gapped, Trivy cannot reach external URLs to download the vulnerability database.

Resolution

The DB must be downloaded manually and imported into the Trivy container.

Step 1: Verify Environment Variables and Trivy DB in the Container

kubectl exec -it <trivy-pod-name> -n <namespace> -- env
kubectl exec -it <trivy-pod-name> -n <namespace> -- ls -l /home/scanner/.cache/trivy/db/

Step 2: Download the Trivy Vulnerability DB on a Jumpbox (with internet)

# Install Trivy binary
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.58.0

# Create a temporary directory
TRIVY_TEMP_DIR=$(mktemp -d)

# Download the DB only (no image is scanned)
trivy --cache-dir "$TRIVY_TEMP_DIR" image --download-db-only

# Adjust permissions so the scanner user inside the container can read the files
chmod o+r "$TRIVY_TEMP_DIR/db/metadata.json"
chmod o+r "$TRIVY_TEMP_DIR/db/trivy.db"

# Package both DB files into the archive that Step 3 copies into the pod
tar -czvf trivy-offline.db.tgz -C "$TRIVY_TEMP_DIR/db" metadata.json trivy.db

Step 3: Transfer the DB Into the Air-Gapped Environment and Verify

kubectl cp trivy-offline.db.tgz <trivy-pod-name>:/home/scanner/.cache/trivy/db -n <namespace>

kubectl exec -it <trivy-pod-name> -n <namespace> -- bash
# Unpack the archive in place (it holds metadata.json and trivy.db at its top level) and confirm both files are present
cd /home/scanner/.cache/trivy/db
tar -xzvf trivy-offline.db.tgz && rm trivy-offline.db.tgz
ls -ltr /home/scanner/.cache/trivy/db

Step 4: Configure Trivy for Offline Scanning

Update the Harbor Trivy configuration via vCenter UI:

vCenter UI → Workload Management → Services → Manage Service → Configure → Trivy and edit harbor-data-values file.

trivy:
  enabled: true
  skipUpdate: true
  offlineScan: true

This step ensures Trivy uses the local DB and does not attempt external downloads.
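As an added check that is not part of this article, the following Python script can be run against the db directory on the jumpbox before the archive is transferred, or inside the pod after it is unpacked, to confirm that both files are present and readable by the scanner user, that trivy.db is an intact bbolt file, and that the database has not passed its NextUpdate time (with skipUpdate: true nothing will refresh it). The metadata.json field names and the bbolt magic value are assumptions based on Trivy and bbolt, not on this article.

```python
import json
import os
import re
import struct
from datetime import datetime, timezone
from pathlib import Path

BBOLT_MAGIC = 0xED0CDAED  # assumption: bbolt meta-page magic, stored at byte offset 16
EXPECTED_VERSION = 2      # the DB schema version behind the trivy-db:2 tag in the log above


def parse_ts(value):
    """Parse an RFC 3339 timestamp as Trivy writes it (nanoseconds, trailing Z)."""
    value = re.sub(r"\.(\d{6})\d+", r".\1", value)  # fromisoformat accepts <= 6 fraction digits
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_trivy_db(db_dir, now=None):
    """Return the problems found in a Trivy 'db' directory; an empty list means it is usable."""
    db_dir = Path(db_dir)
    now = now or datetime.now(timezone.utc)
    problems = []
    for name in ("metadata.json", "trivy.db"):
        path = db_dir / name
        if not path.is_file():
            problems.append(f"{name}: missing")
        elif not os.stat(path).st_mode & 0o004:  # the chmod o+r step was skipped
            problems.append(f"{name}: not world-readable")
    meta_path = db_dir / "metadata.json"
    if meta_path.is_file():
        try:
            meta = json.loads(meta_path.read_text())
            if meta.get("Version") != EXPECTED_VERSION:
                problems.append(f"metadata.json: unexpected Version {meta.get('Version')!r}")
            # With skipUpdate: true nothing refreshes the DB, so flag it once NextUpdate has passed.
            if parse_ts(meta["NextUpdate"]) < now:
                problems.append("metadata.json: DB is stale (NextUpdate has passed)")
        except (ValueError, KeyError, TypeError) as exc:
            problems.append(f"metadata.json: unreadable ({exc})")
    db_path = db_dir / "trivy.db"
    if db_path.is_file():
        with open(db_path, "rb") as fh:
            header = fh.read(20)
        if len(header) < 20 or struct.unpack_from("<I", header, 16)[0] != BBOLT_MAGIC:
            problems.append("trivy.db: not a bbolt database (truncated or corrupt transfer)")
    return problems
```

Call check_trivy_db("/home/scanner/.cache/trivy/db") inside the pod, or check_trivy_db("$TRIVY_TEMP_DIR/db") on the jumpbox, and treat any non-empty result as a reason not to enable skipUpdate yet.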