Jenkinsfile pipeline script failed at the Trivy Scan stage with the error: "2025-11-26T10:11:49Z WARN The vulnerability detection may be insufficient because security updates are not provided script returned exit code 1"

Course name: Certified Jenkins engineer
Module name: Kubernetes and GitOps
First lab: LAB: Jenkins CD with Docker, Trivy, GitOps, and Kubernetes - Part 1

I did the below:
docker pull alpine:latest
Update Dockerfile and Jenkinsfile (at both the Build Docker Image and Trivy Scan stages) with the image name: alpine: latest.
I deleted all older versions of alpine image in the terminal.
Somehow Trivy Scan still detects alpine version 3.19.4 and fails to complete the scan.
Please help to resolve this issue.

Going through the lab, my impression is that this is not an error per se – it’s a warning. The lab is still running trivy, and it is attempting (perhaps not correctly) to create a report. You can find the report under /var/lib/jenkins/jobs/Gitea-Dasher-Org-Project/jobs/solar-system/branches/feature-enabling-cicd.do7rqr/builds. There’s a .json file for your builds that will show the results of the scan.

That said, there may be a problem with the lab around step 4, where the lab assumes there are no CRITICAL CVE found, yet, I find, there are. But this might or might not be your problem. Please tell me what step you tried when you got into trouble, and we’ll look further into this.
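Added example (not part of the thread or the lab): a small Python triage of the JSON report mentioned above, separating the two conditions discussed here, findings at the gated severities versus the OS end-of-life flag. It assumes the `Metadata.OS.EOSL` and `Results[].Vulnerabilities[]` layout of Trivy's JSON output; the sample report, its placeholder CVE IDs and the `triage` helper name are constructed for illustration.

```python
import json

# Constructed sample shaped like `trivy image --format json` output.
# Image name, packages and CVE IDs are placeholders, not values from the lab.
SAMPLE_REPORT = json.loads("""
{
  "ArtifactName": "example/app:tag",
  "Metadata": {"OS": {"Family": "alpine", "Name": "3.19.4", "EOSL": true}},
  "Results": [
    {"Target": "example/app:tag (alpine 3.19.4)", "Type": "alpine",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
        "Severity": "HIGH", "FixedVersion": "1.2.4"}]},
    {"Target": "Node.js", "Type": "node-pkg",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-pkg",
        "Severity": "CRITICAL", "FixedVersion": ""},
       {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-pkg",
        "Severity": "LOW", "FixedVersion": "2.0.0"}]},
    {"Target": "app/config", "Type": "secret"}
  ]
}
""")

def triage(report, gate=("HIGH", "CRITICAL")):
    """Report gated findings and OS end-of-life status as separate facts."""
    os_info = report.get("Metadata", {}).get("OS", {})
    findings = []
    for result in report.get("Results") or []:
        # "Vulnerabilities" is absent or null when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") in gate:
                findings.append((result.get("Type"), vuln["VulnerabilityID"],
                                 vuln.get("PkgName"), vuln.get("FixedVersion") or None))
    return {
        "os": f'{os_info.get("Family")} {os_info.get("Name")}',
        "eol": bool(os_info.get("EOSL", False)),      # what --exit-on-eol reacts to
        "gated_findings": findings,                   # what --exit-code reacts to
        "fails_severity_gate": bool(findings),
    }

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(summary["os"], "EOL:", summary["eol"])
    for kind, cve, pkg, fix in summary["gated_findings"]:
        print(f"{kind:10} {cve} {pkg} fix={fix or 'none available'}")
    print("severity gate fails:", summary["fails_severity_gate"])
```

Run against a real report by loading the build's .json file with `json.load` and passing the result to `triage`.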

Hello Rob,

Thank you for reading my query and your inputs.

I will check the report at the location you have provided.

Is this the same location as obtained in the Workspace of Jenkins UI after committing & running the pipeline?

Yes, the main issue starts at step 4 of the lab (which expects the Trivy Scan to pass after removing the high severity vulnerabilities); instead, the scan fails.

The image version is alpine:3.19.4 which Trivy fails to scan.

Error message from console output of Jenkins:

2025-11-26T15:47:08Z WARN This OS version is no longer supported by the distribution family="alpine" version="3.19.4"

I ran docker pull alpine:latest.

Updated the Dockerfile and Jenkinsfile (at both the Build Docker Image and Trivy Scan stages) with the image name: alpine: latest.

I deleted all older versions of alpine image in the terminal.

Somehow Trivy Scan still detects alpine version 3.19.4 and fails to complete the scan.

Please see the attached console output from the Jenkins UI.
Please rename the file to remove the .pdf from it.
The console output is in a text file but this portal does not allow text files to be uploaded.

Please help to resolve this issue.

Is it possible to add a newer and supported version of alpine to the lab?

CO.txt.pdf (15.2 KB)

Did docker pull node:22-alpine
Updated the Dockerfile and Jenkinsfile (at both the Build Docker Image and Trivy Scan stages) with the image name: alpine: latest.

I deleted node:18-alpine3.19

Somehow Trivy Scan still detects alpine version 3.19.4 and fails to complete the scan.

root@jenkins-server ~ on :cloud: (us-east-1) :heavy_multiplication_x: docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
node 22-alpine abc56bec7650 4 minutes ago 188MB
localstack/localstack latest 6e1f934a90c5 16 hours ago 1.14GB
node d14f4a9e34c6 4 weeks ago 162MB
registry 2 26b2eb03618e 2 years ago 25.4MB

root@jenkins-server ~ on :cloud: (us-east-1) ➜

root@jenkins-server ~ on :cloud: (us-east-1) :heavy_multiplication_x: trivy image node:22-alpine --severity HIGH,CRITICAL --exit-code 1 --format json -o trivy-image-CRITICAL-results.json
2025-11-28T08:16:10Z INFO [vulndb] Need to update DB
2025-11-28T08:16:10Z INFO [vulndb] Downloading vulnerability DB...
2025-11-28T08:16:10Z INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2"
76.34 MiB / 76.34 MiB [------------------------------------------] 100.00% 25.60 MiB p/s 3.2s
2025-11-28T08:16:13Z INFO [vulndb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-11-28T08:16:13Z INFO [vuln] Vulnerability scanning is enabled
2025-11-28T08:16:13Z INFO [secret] Secret scanning is enabled
2025-11-28T08:16:13Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-11-28T08:16:13Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2025-11-28T08:16:16Z INFO Detected OS family="alpine" version="3.19.4"
2025-11-28T08:16:16Z INFO [alpine] Detecting vulnerabilities... os_version="3.19" repository="3.19" pkg_num=17
2025-11-28T08:16:16Z INFO Number of language-specific files num=1
2025-11-28T08:16:16Z INFO [node-pkg] Detecting vulnerabilities...
2025-11-28T08:16:16Z WARN Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.
2025-11-28T08:16:16Z WARN This OS version is no longer supported by the distribution family="alpine" version="3.19.4"
2025-11-28T08:16:16Z WARN The vulnerability detection may be insufficient because security updates are not provided

root@jenkins-server ~ on :cloud: (us-east-1) :heavy_multiplication_x:

I’ve been looking at your error here, and found a relevant note on trivy’s issue queue. Could you please try the above test using the --exit-on-eol instead of the --exit-code 1 flag, just so I can test a theory here? It does appear that trivy’s behavior changes on very old images, and it would appear that alpine:22 is indeed “very old”.

Hello Rob,

Thanks a ton for the advice and the discussion link!
It worked.
1.) I did - docker pull node:25-alpine
2.) Updated the Dockerfile and the Jenkinsfile (at both the build image and Trivy scan stages) with the node:25-alpine image version. As you suggested I also replaced the --exit-code 1 with --exit-on-eol 22 (an INT integer value is required, so I typed 22). The pipeline succeeded. (Please see the console output from the Jenkins UI attached, please rename it to 2.txt, “.pdf” needs to be removed from the filename)
2.txt.pdf (16.8 KB).

This was the first time Trivy did not auto-detect alpine version 3.19 even when it was deleted from the terminal.
3.) What is the theory that you want to test?

Someone needs to update the lab solution with the right options to use in the Trivy scan stage and also update the lab solution with a newer and supported version of the nodejs image. If possible, please update this thread when that has been completed. All the labs which are present in the subsequent modules are dependent on this lab. We need to complete this lab with a green check to be able to work on the following labs.

Thanks again for the valuable guidance!

Also ran the step 4 with the original image: kodekloud-hub:5000/solar-system:${GIT_COMMIT} and Trivy scan with --exit-on-eol 19.
There is an error: 2025-11-30T14:47:23Z ERROR Detected EOL OS family="alpine" version="3.19.4" and the script fails at the end.
Attached below is the complete console output from the Jenkins UI.
3.txt.pdf (15.1 KB)