• Product

      Product

      Application Security Platform

      Use Cases

      Shift Left & DevSecOps Supply Chain Security Software Bill of Materials (SBOM) Container Runtime Security & Compliance Cloud Native Application Security
      What is Deepfactor and How Does It Work?
      4-Minute Video
      What is Deepfactor and How Does It Work? >
  • Pricing
    • Pricing Plans
  • Resources

      Resources

      All Resources Next-Gen AppSec Series Case Studies Demos Videos Glossary Webinars Whitepapers Workshops Latest Blogs Documentation
      Implement Effective Next-Gen Container Runtime Security in Kubernetes and Cloud Native Apps
      Whitepaper
      Implement Effective Next-Gen Container Runtime Security in Kubernetes and Cloud Native Apps >
  • Company
    • About
    • Leadership
    • Partners
    • News and Events
    • Careers
    • Contact Us
  • LOGIN
Cisco Logo Deepfactor is now part of Cisco | Learn more
Learn more
Deepfactor Logo
  • Product

      Product

      Use Cases

      Application Security Platform

      Use Cases

      Shift Left & DevSecOps Supply Chain Security Software Bill of Materials (SBOM) Container Runtime Security & Compliance Cloud Native Application Security
      What is Deepfactor and How Does It Work?
      4-Minute Video
      What is Deepfactor and How Does It Work? >
  • Pricing
    • Pricing Plans
  • Resources

      Resources

      All Resources Next-Gen AppSec Series Case Studies Demos Videos Glossary
      Webinars Whitepapers Workshops Latest Blogs Documentation
      Implement Effective Next-Gen Container Runtime Security in Kubernetes and Cloud Native Apps
      Whitepaper
      Implement Effective Next-Gen Container Runtime Security in Kubernetes and Cloud Native Apps >
  • Company
    • About
    • Leadership
    • Partners
    • News and Events
    • Careers
    • Contact Us
LOGIN
Deepfactor's Application Security Platform will no longer be offered for sale or renewal effective September 20, 2024.

Getting Started

  • QuickStart Guide
  • Install Deepfactor CLI
  • Deepfactor Support Matrix

Tutorials

  • SBOM & SCA
    • Artifact Releases
    • Deepfactor Scanner
    • Integrate Deepfactor scanner in your CI/CD pipelines
    • Scanning container images from private registries using Deepfactor CLI
    • Scan container images in K8s cluster
      • Scanning images from private registries in K8s cluster using Deepfactor
      • Scanning container images from private registries with basic authentication support in K8s
      • Scanning container images from private AWS Elastic Container Registry (ECR) in EKS on AWS Fargate
      • Scanning container images from private AWS Elastic Container Registry (ECR) in EKS on AWS EC2
  • Runtime Security
    • Introduction to Deepfactor Runtime Security
    • Deepfactor CLI Reference
    • Kubernetes workload
      • Run your Kubernetes workload with Deepfactor
      • Install Deepfactor Mutating Webhook
      • Configure Deepfactor Kubernetes admission webhook
      • Install Deepfactor K8s webhook on EKS Fargate
      • Selecting the pods you want to run with Deepfactor
      • Configuring application name, component name and component version in K8s webhook
      • Install Deepfactor mutating admission webhook using Argo CD
      • Install Deepfactor portal & webhook using Argo CD and vault
      • Use image pull secret for Runtime images
    • Containers/Other orchestration platforms
      • Run your Container Images with Deepfactor
      • Run containers in ECS with Deepfactor
    • Non-containerized workloads
      • Running non-containerized applications with Deepfactor

Deepfactor Platform

  • Introduction to Deepfactor
  • Alert Policies
  • Alert States and Triaging Flows
  • Deepfactor’s Correlation Capabilities
  • Organization and Teams
  • Role Based Access Control
  • Insights Knowledge Base
    • Privilege Separation and Privilege Dropping
    • Buffer Overflow Alerts
  • Knowledge Base
    • Deepfactor scan errors
    • K8s Webhook & Runtime Troubleshooting Guide
    • Tools for viewing CycloneDX and SPDX SBOMs
    • Graceful handling of pod restarts
    • Deepfactor telemetry events
    • Deepfactor Instrumentation Warning Messages
    • Best Practices for running your applications with Deepfactor in production environments
    • Golang Specific Notes
    • How to access Deepfactor Portal in different AWS subnet types
    • How the Deepfactor Management Portal Communicates With The Outside World
    • Language Specific Agents (LSA)
    • Mixed libc environments
    • Sensitive Information and Secrets in Process Environment Remediation
    • Running HAProxy with Deepfactor
    • Augmenting Alert Evidence with Runtime Stack Traces
  • FAQs
    • General FAQs
    • Open Source Disclosure

Integrations

  • Single Sign On (SSO) for authentication to Deepfactor
  • Integrate Jira with Deepfactor
  • Integrate Slack with Deepfactor
  • Okta
  • Deepfactor HTTPS webhook

Self managed Deepfactor portal

  • Deepfactor Portal architecture & deployment options
  • Install Self managed Deepfactor portal
    • Kubernetes Cluster
      • Prerequisites for deploying Deepfactor portal in Kubernetes Cluster
      • Deploying Deepfactor Portal in your Kubernetes Cluster
      • Install Deepfactor portal using Helm
      • Customizing Deepfactor portal deployment
        • Customizing your Deepfactor Portal Deployment in K8s
        • Deploy Deepfactor Portal With Resource Limits
        • Deploying Deepfactor Portal using external IP
        • Deepfactor Portal Installation with Existing Ingress Controller
    • AWS EC2
      • Prerequisites for installing Deepfactor Portal in AWS Cloud
      • Deploying Deepfactor on AWS using CFT
      • Install AWS Certificate Manager(ACM) certificate on Deepfactor portal EC2 instance
    • VMWare vSphere
      • Deepfactor Portal Proxy Configuration for OVA deployments
      • Prerequisites for deploying Deepfactor portal in VWware vSphere
      • Deploying Deepfactor on VMware vSphere
  • Manage Deepfactor Portal
    • Using Deepfactor APIs
    • Managing Users
    • Updating your Deepfactor Portal
    • Updating Deepfactor portal certificate
  • Deepfactor Portal Certificate
    • Generate certificate using cert-manager for Deepfactor portal
    • Create self-signed certificate for Deepfactor Portal on your K8s cluster
    • Create AWS Private CA Certificate for Deepfactor Portal on your K8s cluster
    • Create Let’s Encrypt certificate for Deepfactor Portal on your K8s cluster

Release Notes

  • Deepfactor Release Notes
  • Home
  • Docs
  • Deepfactor Platform
  • Knowledge Base

Deepfactor scan errors

Deepfactor provides multiple ways to scan your software artifacts (container images/file systems) such as

1. Deepfactor CLI: You can scan your artifacts using the dfctl scan command. More details can be found in the following article

Deepfactor CLI Reference

2. Deepfactor K8s scan pod: When you install the Deepfactor helm chart in your K8s cluster, you can optionally also install the K8s scan pod which is responsible for scanning container images used by pods in your K8s workloads.

Scan Errors #

The following table describes a few common possible reasons of failure to scan your container images. or file system directories. If the scan fails, the status will be shown on the portal UI along with the error log.

No. Sample error log Description Resolution
1 [image.RegisterCreateScan] Image Metadata Error:scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred: * unable to inspect the image (deepqa/sca:juiceshop-alpine3.14): Error: No such image: deepqa/sca:juiceshop-alpine3.14 * unable to initialize Podman client: no podman socket found: stat /run/user/0/podman/podman.sock: no such file or directory * failed to get deepqa/sca:juiceshop-alpine3.14: image “docker.io/deepqa/sca:juiceshop-alpine3.14“: not found * GET https://auth.docker.io/token?scope=repository%3Adeepqa%2Fsca%3Apull&service=registry.docker.io: unexpected status code 401 Unauthorized: {“details”:”incorrect username or password”}

 

Deepfactor can scan container images from private registries as well. However, you will need to specify the credentials so Deepfactor scanner can access the image manifest.

This error occurs when either credentials are not supplied or wrong credentials are supplied.

Please validate the image name and registry.

Please refer to image scanning in private registry to understand how to specify credentials for scanning images from private image registries.

 

2 image.RegisterCreateScan] Image Metadata Error:scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred: * unable to inspect the image (deepqa/sca:juiceshop-alpine3.14): Error: No such image: deepqa/sca:juiceshop-alpine3.14 * unable to initialize Podman client: no podman socket found: stat /run/user/0/podman/podman.sock: no such file or directory * failed to get deepqa/sca:juiceshop-alpine3.14: image “docker.io/deepqa/sca:juiceshop-alpine3.14“: not found * GET https://index.docker.io/v2/deepqa/sca/manifests/juiceshop-alpine3.14: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:deepqa/sca Type:repository]] – Invalid image.

 

This error occurs if the image specified does not exist or the image is present in a private registry and correct credentials have  not been specified Please validate the image name and registry.

Please refer to image scanning in private registry to understand how to specify credentials for scanning images from private image registries.

3 [image.RegisterCreateScan] Image Metadata Error:scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred: * unable to inspect the image (deepfactor/vulnapps:spring-core-rce-2022-03-292): Error: No such image: deepfactor/vulnapps:spring-core-rce-2022-03-292 * unable to initialize Podman client: no podman socket found: stat /run/user/0/podman/podman.sock: no such file or directory * failed to get deepfactor/vulnapps:spring-core-rce-2022-03-292: image “docker.io/deepfactor/vulnapps:spring-core-rce-2022-03-292“: not found * GET https://index.docker.io/v2/deepfactor/vulnapps/manifests/spring-core-rce-2022-03-292: MANIFEST_UNKNOWN: manifest unknown; unknown tag=spring-core-rce-2022-03-292  

This error occurs if the image specified does not exist or the image is present in a private registry and correct credentials have not been specified

Please validate the image name and registry.

Please refer to image scanning in private registry to understand how to specify credentials for scanning images from private image registries.

4 [image.RegisterCreateScan] Image Metadata Error:scan error: scan failed: failed analysis: analyze error: failed to analyze layer: sha256:6c51f9e77a53c2c9f9dcd2fb03988ee48b228d9a2ca7bc2f166d1434eb23e5ed : unable to get uncompressed layer sha256:6c51f9e77a53c2c9f9dcd2fb03988ee48b228d9a2ca7bc2f166d1434eb23e5ed: failed to get the layer (sha256:6c51f9e77a53c2c9f9dcd2fb03988ee48b228d9a2ca7bc2f166d1434eb23e5ed): unable to populate: unable to open: failed to copy the image: write /tmp/fanal-371905441: no space left on device Deepfactor scanner uses some storage on the local filesystem to store scanned artifact data, vulnerability database and other temporary scan metadata.

This error occurs if enough space is not available on the local filesystem

Please free up some space on the filesystem and retry the scan.
5 [image.RegisterCreateScan] Image Metadata Error:scan error: unable to initialize a scanner: unable to initialize a docker scanner: failed to parse the image name: could not parse reference:  

This error occurs when one tries to perform a filesystem scan without specifying the scan type explicitly.

 

Please pass -s fs to dfctl scan command. Please refer  to Deepfactor CLI Reference

to know the different CLI options.

6 [image.RegisterCreateScan] Image Metadata Error:scan error: scan failed: failed analysis: analyze error: timeout: context deadline exceeded

OR

[image.RegisterCreateScan] Image Metadata Error:[GetImageScanMetadata] scan error: scan failed: failed analysis: analyze error: semaphore acquire: context deadline exceeded

 

This error occurs when the scan times out, generally due to large image/filesystem, network issues, resource constraints, etc.

Deepfactor scans have a default timeout of 15 minutes. You can specify a different timeout by passing the -u option. Try rescanning the image with a larger timeout value.
7 [ImageScanFlow] {“error”: “[image.PerformScan] [image.SendResourceEvent] [events.SendResourceEvent] resource event export failed. Eventsvc POST request failure. Error:Post \”https://prateek.portal.deepfactor.io/events/v2/static-scans/event/resource\“: context deadline exceeded (Client.Timeout exceeded while awaiting headers)”} This error occurs when Deepfactor scanner is not able to send the scan results over to the Deepfactor portal backend. This is generally due to network connectivity issues between the Deepfactor scanner and the portal backend. Please make sure there is network connectivity between the host  on which the scan is being performed and Deepfactor backend.

Retry the scan once the network connection stabilizes.

8 [filesystem.RegisterCreateScan] Filesystem Metadata Error:scan error: scan failed: failed analysis: walk filesystem: walk error: lstat /home/mk: no such file or directory This error occurs when an invalid path is provided for filesystem scan Ensure the file path is valid and accessible.
9 [GetImageScanMetadata] scan error: scan failed: failed analysis: analyze error: failed to analyze layer: sha256:eb6ee5b9581f8e84de2e1969953594b7cc976d142c426f8e989d49d9c95f63f5 : walk error: failed to extract the archive: unexpected EOF

OR

[GetImageScanMetadata] scan error: scan failed: failed analysis: analyze error: failed to analyze layer: sha256:42cdd22adca74143bab2cc1a764c7b5d80eafb95ec7b772ffae614487f4a159d : walk error: failed to process the file: failed to analyze file: failed to analyze home/pinot/plugins/pinot-input-format/pinot-orc/pinot-orc-0.13.0-ST.21-shaded.jar: unable to open home/pinot/plugins/pinot-input-format/pinot-orc/pinot-orc-0.13.0-ST.21-shaded.jar: failed to open: unable to read the file: unexpected EOF

OR

[image.RegisterCreateScan] Image Metadata Error:[GetImageScanMetadata] scan error: scan failed: failed analysis: analyze error: failed to analyze layer: sha256:d3e76c9d00efb1797cb10c90f40cc9d2a986f1c50903651ed0bab59b349d5f40 : walk error: failed to process the file: failed to analyze file: failed to analyze usr/bin/cmake: unable to open usr/bin/cmake: failed to open: unable to read the file: stream error: stream ID 43; INTERNAL_ERROR; received from peer

OR

[GetImageScanMetadata] : scan error: scan failed: failed analysis: analyze error: failed to analyze layer: sha256:798bd473b38c175a1fe70189684b440a16fa4d144ad8e466c62ce7da8d9475a5 : walk error: failed to process the file: failed to analyze file: failed to analyze opt/bitnami/kafka/libs/javax.ws.rs-api-2.1.1.jar: unable to open opt/bitnami/kafka/libs/javax.ws.rs-api-2.1.1.jar: failed to open: unable to read the file: stream error: stream ID 3; PROTOCOL_ERROR; received from peer”

This error occurs when Deepfactor scanner cannot parse a package or lookup GAV (GroupID, ArtifactID. version) for java packages Deepfactor scanner will automatically kick of an offline scan when it encounters such errors. This will result in higher scan time. Also, while Deepfactor will generate the full SBOM, it may not be able to find vulnerabilities for some packages. We recommend retrying the scan after some time in such cases. Please refer to the following article to know more about offline scans
Offline scans

 

Scan warnings #

Under certain circumstances, while Deepfactor is successfully able to scan your artifact, results maybe incomplete or in some cases inaccurate due to missing information in the artifact. Deepfactor highlights such warnings on the artifact results page and provides guidance to remediate the warning. The possible warnings are listed here for reference.

No Sample warning log Description Solution
1 GroupID was determined heuristically. Refer https://www.deepfactor.io/docs/deepfactor-scan-errors#scan-warnings. Resource Name: io.github.jglrxavpok.hephaistos:antlr, Version: 2.7.7, Filepath: app/libs/antlr-2.7.7.jar This warning is generated when the groupID of a Java dependency, jar cannot be determined by looking at the package manifest/MANIFEST.MF file. In such cases, Deepfactor determines the groupID in a heuristic fashion based on the count of references in the maven repository. Add groupID information to the manifest file of the jar or the package manifest file (pom.xml, gradle file)
Was this article helpful?
Still stuck? How can we help?

How can we help?

Updated on July 28, 2023
K8s Webhook & Runtime Troubleshooting Guide

Powered by BetterDocs

Table of Contents
  • Scan Errors
  • Scan warnings
Deepfactor Icon

Deepfactor is a next-gen application security platform, using static container scan data + runtime analysis to prioritize vulnerabilities to those representing true risk to a business—based on reachability, runtime usage, deployment context, and exploit maturity.

Product Pricing Resources Company Documentation Login

SUBSCRIBE TO OUR NEWSLETTER!

Sign Up
LinkedIn Icon YouTube Icon GitHub Icon Twitter Icon

© 2025 Deepfactor, Inc. All Rights Reserved.

Privacy Statement | Terms of Service | Open Source Disclosure