docker / scout-cli

Docker Scout CLI
https://docker.com/products/docker-scout

docker-scout in Jenkins is getting permission denied error #80

Open didoux opened 6 months ago

didoux commented 6 months ago

Jenkins is running on an Amazon Linux EC2 (Linux xxx-xxx 4.18.0-513.9.1.el8_9.x86_64 #1 SMP Thu Nov 16 10:29:04 EST 2023 x86_64 x86_64 x86_64 GNU/Linux)

Jenkins version is 2.426.1

Docker Version:

docker -v
Docker version 24.0.7, build afdd53b
which docker
/usr/bin/docker

docker running as root

 ps -elf | grep docker
4 S root        1536       1  0  80   0 - 474532 -     07:00 ?        00:00:05 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

jenkins running as user jenkins

ps -elf | grep jenkins
4 S jenkins     1036       1  1  80   0 - 3546677 -    07:00 ?        00:04:07 /usr/bin/java -Djava.awt.headless=true -jar /usr/share/java/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080

        stage('Analyze image') {
            steps {
                // Install Docker Scout
                sh 'curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- -b .'
                sh 'chmod 777 ./docker-scout'

                // Log into Docker Hub
                sh 'echo $DOCKERHUB_CREDENTIALS_PSW | docker login -u $DOCKERHUB_CREDENTIALS_USR --password-stdin'

                // Analyze and fail on critical or high vulnerabilities
                sh "./docker-scout cves $IMAGE_TAG --exit-code --only-severity critical,high"
            }
        }

Jenkins Log:

+ docker login -u my-login-id --password-stdin
WARNING! Your password will be stored unencrypted in /var/lib/jenkins/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[Pipeline] sh
+ ./docker-scout cves ubi8-minimal-openjdk8-perl:8.9 --exit-code --only-severity critical,high
    ...Storing image for indexing
    ! lstat /tmp/docker-scout/sha256: permission denied
    ! failed to delete temporary image archive /tmp/docker-scout/sha256/7bd9a25030474cd4b22918a6fa769277542107195cb647f749d7543a375942f8/6d7f770b-bb61-4c02-8658-a23f819f570f: open /tmp/docker-scout/sha256/7bd9a25030474cd4b22918a6fa769277542107195cb647f749d7543a375942f8: permission denied
ERROR   Status: could not get the image ubi8-minimal-openjdk8-perl:8.9 from cache: failed to copy image: mkdir /tmp/docker-scout/sha256: permission denied, Code: 1

cdupuis commented 6 months ago

@didoux thanks for raising this issue.

Could you please try setting the cache to a writable directory or disable it completely as documented at https://github.com/docker/scout-cli#environment-variables?

didoux commented 6 months ago

> @didoux thanks for raising this issue.
>
> Could you please try setting the cache to a writable directory or disable it completely as documented at https://github.com/docker/scout-cli#environment-variables?

Yep, Thanks, I'm not getting the permission denied error anymore. I had to combine the two statements into a one-liner:

sh 'export DOCKER_SCOUT_CACHE_DIR=/home/jenkins/.docker/scout && ./docker-scout cves ubi8-minimal-openjdk8-perl:8.9 --exit-code --only-severity critical,high'

So, just the documentation needs to be updated? Right?

https://docs.docker.com/scout/integrations/ci/jenkins/

sh 'echo $DOCKER_HUB_PAT | docker login -u $DOCKER_HUB_USER --password-stdin' to sh 'echo $DOCKER_HUB_PSW | docker login -u $DOCKER_HUB_USR --password-stdin'

Plus, something about the cache.

cdupuis commented 5 months ago

@dvdksn is there something we can do here in the docs?

dvdksn commented 5 months ago

thanks, I'll get it updated.
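
The fix discussed in this thread, pointing `DOCKER_SCOUT_CACHE_DIR` at a directory the Jenkins user can write to, can be wrapped in a shell helper that also keeps the cache private to that user. This is an added example, not code from the thread or from docker/scout-cli; the function names `scout_cache_dir` and `scout_scan` and the `.docker-scout-cache` directory name are assumptions.

```shell
#!/bin/sh
# Added example, not code from docker/scout-cli.
# Constructed helper: pick a private, writable cache directory for
# docker-scout instead of the shared /tmp/docker-scout seen in the log above.

# scout_cache_dir BASE -> prints BASE/.docker-scout-cache on success.
scout_cache_dir() {
    [ -n "${1:-}" ] || { echo "usage: scout_cache_dir BASE" >&2; return 2; }
    dir="$1/.docker-scout-cache"   # hypothetical directory name

    # A symlink here could redirect cache writes to another location.
    if [ -L "$dir" ]; then
        echo "scout_cache_dir: $dir is a symlink, refusing" >&2
        return 1
    fi
    # Create with owner-only permissions; this fails if a regular file is
    # in the way or BASE is not writable by the CI user.
    if ! (umask 077 && mkdir -p "$dir") 2>/dev/null; then
        echo "scout_cache_dir: cannot create $dir as uid $(id -u)" >&2
        return 1
    fi
    # A directory owned by another account cannot be relied on for
    # writing, so reject it before the scan starts.
    if [ ! -O "$dir" ] || [ ! -w "$dir" ]; then
        echo "scout_cache_dir: $dir not owned/writable by uid $(id -u)" >&2
        return 1
    fi
    # Tighten permissions if the directory already existed with looser ones.
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# scout_scan BASE IMAGE: export the cache location, then run the same scan
# as the pipeline stage above. Expects ./docker-scout in the current directory.
scout_scan() {
    DOCKER_SCOUT_CACHE_DIR=$(scout_cache_dir "$1") || return 1
    export DOCKER_SCOUT_CACHE_DIR
    ./docker-scout cves "$2" --exit-code --only-severity critical,high
}
```

Each Jenkins `sh` step starts a new shell, so source this file and call `scout_scan` inside the same step, for the same reason the export and the scan had to be combined into a one-liner above.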