Unable to docker scan: "failed to get DockerScanID"

cybermrs · November 17, 2021, 8:49am

Hello

I am new to docker and have studied “Get started”.

I did everything exactly before the vulnerability scan (Image-building best practices | Docker Documentation).

When I execute <$ sudo docker scan second-time>, I get the error <failed to get DockerScanID: bad status code “400 Bad Request”>

is my image.

OS Version: Ubuntu 20.04.

First, I did everything according to the instructions (Orientation and setup | Docker Documentation).

When I got to , I got an error.

I thought that maybe something broke during the experiments. Therefore, I completely removed the docker, deleted the account on the “Docker Hub”.

After that:

installed docker from repository
downloaded the app
created Dockerfile
executed <$ sudo docker build -t second-time . >
created a new docker account and public repository
executed <$ sudo docker login -u My_account_at_dockerhub >
executed <$ sudo docker tag second-time My_account_at_dockerhub/second-time>
executed <$ sudo docker push My_account_at_dockerhub/second-time>
on “Docker Hub” in the repository I see the image
I execute <$ sudo docker scan second-time>

and I get the error <failed to get DockerScanID: bad status code “400 Bad Request”>

trying <$ sudo docker scan My_account_at_dockerhub/second-time>

and getting the same error.

I could not find a solution to this problem anywhere, so I decided to write here.

Sincerely, Maris

rimelek · November 17, 2021, 10:12am

This is just a guess but is it possible you reached the limit of the monthly free Docker scan? The limit is 10 per month.

cybermrs · November 17, 2021, 10:36am

I haven’t been able to scan even once. But, perhaps, I somehow reached my limit. Can I see how many requests were counted by Docker Hub?

rimelek · November 17, 2021, 10:14pm

I don’t know but I got the same error when I was not logged in with

docker scan --login

It opened a webbrowser to authenticate. Afther that I could run docker scan without any error.

cybermrs · November 18, 2021, 4:35am

Thank you very much! It really helped.

florinsandru · November 24, 2021, 9:16am

I also had the same experience. Once I authenticated, as you suggested, it worked just fine. Thank you!

yshak · November 29, 2021, 10:27am

The same thing
Thanks

songpl · December 3, 2021, 3:02am

Thank you very much!

madeupname · December 7, 2021, 7:25am

Unfortunately that didn’t work for me. I did a “docker login” and that worked, but gave me the same error above.

If I tried adding --login the command fails:

–login flag expects no argument

no matter where I put the flag. I then checked Docker Hub and note it says:

vulnerability scanning - disabled

If I try to enable it, I’m told I must upgrade to a Pro license. So maybe they just changed this? Or perhaps you’re all paying customers? Otherwise not sure what I’m doing wrong. Rest of the tutorial went fine.

avbentem · December 7, 2021, 7:49am

Hmmm, you probably know, but that is not what is documented, unless you already used it earlier this month?

This feature requires a Docker subscription

You can now get 10 free scans per month as part of your Docker subscription. Sign in to Docker to start scanning your images for vulnerabilities.

But the Docker Subscription Cheat Sheet seems to indicate you’ll need Pro or better indeed.

(Sorry, cannot check as indeed I am on a Pro account.)

madeupname · December 7, 2021, 8:17am

Thanks for your help. I just started with Docker yesterday and this was my first attempt at a scan, and I’m confident I haven’t even made 10 failures (yet!). Looking at the cheat sheet, it says I should get 10 “Local vulnerability scans” with the free edition, and 200 with Snyk. The ones I don’t get are the Hub scans. But still, it doesn’t work for me and maybe it’s a syntax issue I’m blind to:

PS D:\Downloads\app> docker scan getting-started
failed to get DockerScanID: bad status code "400 Bad Request"
PS D:\Downloads\app> docker scan getting-started --accept-license
failed to get DockerScanID: bad status code "400 Bad Request"
PS D:\Downloads\app> docker scan getting-started --login
--login flag expects no argument

docker login works fine on its own, though.

rimelek · December 7, 2021, 8:20am

Is this the only way you tried to log in? You shouldn’t pass “getting-started” as an argument.

madeupname · December 7, 2021, 9:01am

I’ve solved the problem, here are all the details. Note it seems you may be using an older version, because your comments don’t align with the command output or docs. Do appreciate the help, though!

First, I had successfully logged in with:

docker login -u username

But that logs me into Docker Hub. What the docs fail to mention is that I also need to register with Snyk first.

But before I discovered that, I read the docker scan docs, notably troubleshooting section:

WSL 2

The Vulnerability scanning feature doesn’t work with Alpine distributions.

If you are using Debian and OpenSUSE distributions, the login process only works with the --token flag, you won’t be redirected to the Snyk website for authentication.

Both warnings are for WSL, which I am using (probably obvious from the D:\ in my paths). That’s where I discovered I needed a token for login, but when I created a Docker Hub auth token and used that, I got a clue in the form of an error message:

PS D:\Downloads\app> docker scan  --login --token TOKEN
Authentication failed. Please check the API token on https://snyk.io

Aha! I then registered on Snyk, got the token, and retried the above command with the Snyk token. Success:

Your account has been authenticated. Snyk is now ready to be used.

After logging in, I’m able to successfully scan with (truncated output):

PS D:\Downloads\app> docker scan getting-started

Testing getting-started...

Now, you’re saying I don’t include the image name, but docker scan throws an error if I don’t.

Usage:  docker scan [OPTIONS] IMAGE
...
"docker scan" requires exactly 1 argument

Passing the image name comes directly from the tutorial, which I have been following precisely:

github.com

docker/getting-started/blob/master/docs/tutorial/image-building-best-practices/index.md

## Security Scanning

When you have built an image, it is good practice to scan it for security vulnerabilities using the `docker scan` command.
Docker has partnered with [Snyk](http://snyk.io) to provide the vulnerability scanning service.

For example, to scan the `getting-started` image you created earlier in the tutorial, you can just type

```bash
docker scan getting-started
```

The scan uses a constantly updated database of vulnerabilities, so the output you see will vary as new
vulnerabilities are discovered, but it might look something like this:

```plaintext
✗ Low severity vulnerability found in freetype/freetype
  Description: CVE-2020-15999
  Info: https://snyk.io/vuln/SNYK-ALPINE310-FREETYPE-1019641
  Introduced through: freetype/freetype@2.10.0-r0, gd/libgd@2.2.5-r2
  From: freetype/freetype@2.10.0-r0

This file has been truncated. show original

Here is the output of --version, in case it helps:

PS D:\Downloads\app> docker scan --version
Version:    0.9.0
Git commit: b05830d
Provider:   Snyk (1.563.0 (standalone))

It seems the tutorial may need to be updated (I see it’s a year old), but as this is just day 1 for me, I could be missing something.

rimelek · December 7, 2021, 10:11am

I meant don’t pass the argument when you want to log in.

Right

docker scan --login

Wrong

docker scan getting-started --login

You also got the error message so I am pretty sure it is not a matter of versions

But I’m glad you managed to solve your problem.

ilcylic · December 8, 2021, 2:52pm

I had the same experience as MadeUpName, though fortunately for me, a day later than him so the solution was here for me to find.

The tutorial should probably reflect these steps, since it is at least notionally for Docker newbies.

Thanks for the solution!

madeupname · December 8, 2021, 10:23pm

What was confusing to me was:

Usage:  docker scan [OPTIONS] IMAGE
...
"docker scan" requires exactly 1 argument

I read “exactly 1 argument” as the IMAGE argument in the usage line. Not that an option might count as an argument. Or that with --login option, takes zero arguments. If I may be so bold, that conflict makes the command help/error message incorrect. Or at a minimum, imprecise.

rimelek · December 8, 2021, 10:34pm

Oh I see. You are right, that is confusing.

takahashishotaro · November 11, 2022, 8:54am

In my case it was because I was running it in msys2, when I ran it in powershell it worked fine.

amiteshj · November 30, 2022, 7:20pm

I am trying to run this command but it’s not woking. it’s always asking to login to Dockerhub. Login to dockerhub is must to run the scan?
docker scan --token dsd-sd2-2222-4dsd-sds nginx:latest
Token is from Snyk.

If I use the command like this
docker scan --login --token dsd-sd2-2222-4dsd-sds nginx:latest
then it throw this error,
–login flag expects no argument

Looks like login to dockerhub is must to use Docker Scan. It may be cost thing

rimelek · November 30, 2022, 7:27pm

Then don’t add an argument

Topic		Replies	Views
Docker image scan fails continuously General dockerhub	0	918	July 10, 2017
Scanned Images: Scan failed Docker Hub	0	811	January 6, 2017
Scan failed on Docker Hub Docker Hub dockerhub , dockersecurityscan	2	1736	September 20, 2016
Security scan not working for my private repos Docker Hub dockerhub , dockersecurityscan	7	1734	August 29, 2017
"Official Image Vulnerability Scanning" is missing in action? Docker Hub dockerhub , dockersecurityscan	7	1193	October 22, 2020

Unable to docker scan: "failed to get DockerScanID"

This feature requires a Docker subscription

Related topics