# rancher-desktop
a
f
I think the main issue here is that Rancher Desktop is scanning by image id, and that will always pull the image from Dockerhub. It seems like scanning local images by name should work. And there may be further complication for scanning local images from containerd vs. moby; I found conflicting information about this in the Trivy Github issues. I've updated bug 539 with this information.
b
Firstly, thank you for your answer. Secondly, how can I scan an image by name? The Trivy CLI isn't installed by Rancher Desktop, and if I install it using brew and then try to scan an image built locally, I receive the same errors:
q
% trivy image python:3.4-alpine
2022-10-16T02:54:52.234-0400	INFO	Vulnerability scanning is enabled
2022-10-16T02:54:52.234-0400	INFO	Secret scanning is enabled
2022-10-16T02:54:52.234-0400	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-16T02:54:52.234-0400	INFO	Please see also <https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation> for faster secret detection
2022-10-16T02:54:52.249-0400	FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
	* unable to inspect the image (python:3.4-alpine): Error: No such image: python:3.4-alpine
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* containerd socket not found: /run/containerd/containerd.sock
	* error getting credentials - err: docker-credential-osxkeychain resolves to executable in current directory (./docker-credential-osxkeychain), out: ``
...
% docker pull python:3.4-alpine
3.4-alpine: Pulling from library/python
3b00a3925ee4: Pull complete
a3cd3e3d08dd: Pull complete
bed9db30154f: Pull complete
d837e8e30360: Pull complete
f307ca8b43fd: Pull complete
Digest: sha256:c210b660e2ea553a7afa23b41a6ed112f85dbce25cbcb567c75dfe05342a4c4b
Status: Downloaded newer image for python:3.4-alpine
docker.io/library/python:3.4-alpine
% trivy image python:3.4-alpine
2022-10-16T02:55:07.995-0400	INFO	Vulnerability scanning is enabled
2022-10-16T02:55:07.995-0400	INFO	Secret scanning is enabled
2022-10-16T02:55:07.995-0400	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-16T02:55:07.995-0400	INFO	Please see also <https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation> for faster secret detection
2022-10-16T02:55:09.368-0400	INFO	Detected OS: alpine
2022-10-16T02:55:09.368-0400	INFO	Detecting Alpine vulnerabilities...
2022-10-16T02:55:09.369-0400	INFO	Number of language-specific files: 1
2022-10-16T02:55:09.369-0400	INFO	Detecting python-pkg vulnerabilities...
2022-10-16T02:55:09.376-0400	WARN	This OS version is no longer supported by the distribution: alpine 3.9.2
2022-10-16T02:55:09.376-0400	WARN	The vulnerability detection may be insufficient because security updates are not provided

python:3.4-alpine (alpine 3.9.2)

Total: 37 (UNKNOWN: 0, LOW: 4, MEDIUM: 16, HIGH: 13, CRITICAL: 4)
...
...
% trivy image 99a53e6ad17e
2022-10-16T02:56:30.516-0400	INFO	Vulnerability scanning is enabled
2022-10-16T02:56:30.516-0400	INFO	Secret scanning is enabled
2022-10-16T02:56:30.516-0400	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-16T02:56:30.516-0400	INFO	Please see also <https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation> for faster secret detection
2022-10-16T02:56:30.525-0400	INFO	Detected OS: alpine
2022-10-16T02:56:30.525-0400	INFO	Detecting Alpine vulnerabilities...
2022-10-16T02:56:30.525-0400	INFO	Number of language-specific files: 1
2022-10-16T02:56:30.525-0400	INFO	Detecting python-pkg vulnerabilities...
2022-10-16T02:56:30.526-0400	WARN	This OS version is no longer supported by the distribution: alpine 3.9.2
2022-10-16T02:56:30.526-0400	WARN	The vulnerability detection may be insufficient because security updates are not provided

99a53e6ad17e (alpine 3.9.2)

Total: 37 (UNKNOWN: 0, LOW: 4, MEDIUM: 16, HIGH: 13, CRITICAL: 4)
...
...
% docker build . --tag mookas/junk:latest
Sending build context to Docker daemon  2.048kB
Step 1/1 : FROM python:3.4-alpine
 ---> 99a53e6ad17e
Successfully built 99a53e6ad17e
Successfully tagged mookas/junk:latest
% trivy image mookas/junk:latest
2022-10-16T02:57:55.764-0400	INFO	Vulnerability scanning is enabled
2022-10-16T02:57:55.764-0400	INFO	Secret scanning is enabled
2022-10-16T02:57:55.764-0400	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-16T02:57:55.764-0400	INFO	Please see also <https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation> for faster secret detection
2022-10-16T02:57:55.777-0400	INFO	Detected OS: alpine
2022-10-16T02:57:55.777-0400	INFO	Detecting Alpine vulnerabilities...
2022-10-16T02:57:55.778-0400	INFO	Number of language-specific files: 1
2022-10-16T02:57:55.778-0400	INFO	Detecting python-pkg vulnerabilities...
2022-10-16T02:57:55.779-0400	WARN	This OS version is no longer supported by the distribution: alpine 3.9.2
2022-10-16T02:57:55.779-0400	WARN	The vulnerability detection may be insufficient because security updates are not provided

mookas/junk:latest (alpine 3.9.2)

Total: 37 (UNKNOWN: 0, LOW: 4, MEDIUM: 16, HIGH: 13, CRITICAL: 4)
...
trivy seems to behave vaguely reasonably here (macOS, m1, rancher desktop 1.6.0, trivy installed via brew)
The gui is even yielding something nice and pretty:
(I'm using moby/dockerd fwiw, no kubernetes)
b
Well, I assume that makes the difference: I use containerd and kubernetes
The only solution that I've found for scanning the locally built images: tag the image, push it to a public Docker Hub repository, then scan the image (from the GUI or from the CLI, using the trivy command). It seems that there is no other way to scan a locally built image that is not pushed to the Docker registry. Feel free to come up with other solutions.
q
Can you try switching to Moby to confirm that it works for you?
b
I'll try in the next days. I'll come back with a result.
👍 1
q
I won't be back until Wednesday (I'm sick now and have a Holy Day coming up), but I am interested in the results 🙂
👍 1