Hi all,

I have an issue with a vulnerability check. I will describe the steps that i followed:

1. Firstable, i get up the docker compose with your config.yaml. The only difference that i used is the network. I created another network in another subnet:

docker network create anchore --subnet 192.168.2.0/24
docker-compose up -d

2. I export all vars to user anchore-cli:

ANCHORE_CLI_URL=http://localhost:8228/v1
ANCHORE_CLI_USER=admin
ANCHORE_CLI_PASS=password

3. I add my AWS ECR registry in anchore:

anchore-cli registry add 123123123.dkr.ecr.eu-west-1.amazonaws.com MY_AWS_ACCES_KEY_ID MY_SECRET_KEY

4.Checking that registry is added correctly:

Registry Name Type User
123123123.dkr.ecr.eu-west-1.amazonaws.com N/A awsecr MY_ACCES_KEY_ID

5. Adding image to scan:

anchore-cli image add 975671738503.dkr.ecr.eu-west-1.amazonaws.com/myimage/prod:2.2

6. Checking that is added correctly:

anchore-cli image list
Full Tag Image Digest > Analysis Status
123123123.dkr.ecr.eu-west-1.amazonaws.com/myimage/prod:2.2 sha256:06e738952e177a08381f2bef03544819e3a25ec6084b393e2f8d944cf633ef0c analyzed

So far so good. In next step i execture the scan:

anchore-cli image vuln 123123.dkr.ecr.eu-west-1.amazonaws.com/myimage/prod:2.2

And im getting: Error: cannot use input image string (no discovered imageDigest)

anchore-cli, version 0.5.0
Docker version 18.06.1-ce, build e68fc7a215d7133c34aa18e3b72b4a21fd0c6136

Additional --debug info whe i execute vuln command:

INFO:anchorecli.clients.apiexternal:As Account = None
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "GET /v1 HTTP/1.1" 200 5
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "GET /swagger.json HTTP/1.1" 200 84648
INFO:anchorecli.clients.apiexternal:As Account = None
DEBUG:anchorecli.clients.apiexternal:GET url=http://localhost:8228/v1/images
DEBUG:anchorecli.clients.apiexternal:GET params={'history': 'false', 'fulltag': '123123123.dkr.ecr.eu-west-1.amazonaws.com/myimage/prod:2.3.1'}
DEBUG:anchorecli.clients.apiexternal:Use get body because detected api version (0, 1, 9) < (0, 1, 6)? False
DEBUG:anchorecli.clients.apiexternal:GET insecure=False
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "GET /v1/images?history=false&fulltag=975671738503.dkr.ecr.eu-west-1.amazonaws.com%2Fsmartsteps-api-kong%2Fprod%3A2.3.1 HTTP/1.1" 404 81
Error: cannot use input image string (no discovered imageDigest)

I should underline that it was working 1 week ago and i dont made any several changes...

Hi @ectorr ,

There are a few steps that we can suggest to get some more information about why the service is not finding the input image:

1. double-check/ensure that you are using the exact fulltag identifier as input for the different CLI operations
2. try a few other ops, adding the --json flag to anchore-cli as well

anchore-cli --debug --json image get host/repo:tag
anchore-cli --debug --json image get sha256:<digest reported by image list or image get associated with tag>
anchore-cli --debug --json image vuln host/repo:tag all
anchore-cli --debug --json image vuln sha256:<digest reported by image list or image get associated with tag>

After that, the next steps will be to look at the anchore service logs (for the anchore 'apiext' service, and also 'catalog' service) during the any failing CLI commands, looking for log output with WARN or ERROR level messages.

Finally, enabling the DEBUG log level in anchore engine , restarting the system, and trying the above.

With the above process, we should be able to see more on what might be failing which would give us some insight into what is causing the 404.

Best
-Dan

Closing as stale. Please re-open if the issue still exists or to provide new information to help debug. Thanks!