docs: add note about temporary podman socket (#7921)

Signed-off-by: Ferenc Géczi <[email protected]> Signed-off-by: Ferenc Géczi <[email protected]> Co-authored-by: knqyf263 <[email protected]>
aquasecurity · Nov 18, 2024 · a5f0ef5 · a5f0ef5
1 parent 94791f8
commit a5f0ef5
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/docs/docs/target/container_image.md b/docs/docs/target/container_image.md
@@ -272,7 +272,7 @@ $ trivy image aquasec/nginx
     This feature might change without preserving backwards compatibility.
 
 Scan your image in Podman (>=2.0) running locally. The remote Podman is not supported.
-Before performing Trivy commands, you must enable the podman.sock systemd service on your machine.
+If you prefer to keep the socket open at all times, then before performing Trivy commands, you can enable the podman.sock systemd service on your machine.
 For more details, see [here](https://github.com/containers/podman/blob/master/docs/tutorials/remote_client.md#enable-the-podman-service-on-the-server-machine).
 
 
@@ -293,6 +293,15 @@ localhost/test            latest  efc372d4e0de  About a minute ago  7.94 MB
 $ trivy image test
 ```
 
+If you prefer not to keep the socket open at all times, but to limit the socket opening for your trivy scanning duration only then you can scan your image with the following command:
+
+```bash
+podman system service --time=0 "${TMP_PODMAN_SOCKET}" &                                                                                                                                                             
+PODMAN_SYSTEM_SERVICE_PID="$!"                                                                                                                                                                                      
+trivy image --podman-host="${TMP_PODMAN_SOCKET}" --docker-host="${TMP_PODMAN_SOCKET}" test
+kill "${PODMAN_SYSTEM_SERVICE_PID}"
+```
+
 ### Container Registry
 Trivy supports registries that comply with the following specifications.