aquasecurity / trivy-operator

Kubernetes-native security toolkit
https://aquasecurity.github.io/trivy-operator/latest
Apache License 2.0

Use vulnerability database from local cache #1342

Open yanehi opened 1 year ago

yanehi commented 1 year ago

Problem

I would like to run the trivy-operator in standalone mode in an air-gapped environment. For this we use our own trivy image. It is regularly rebuilt with an up-to-date vulnerability database in its local cache (TRIVY_CACHE_DIR).

We have two issues with our setup using the Helm chart:

  1. we can't disable the InitContainer
  2. the trivy container enforces arguments to download its database: --db-repository (https://github.com/aquasecurity/trivy-operator/blob/v0.14.0/pkg/plugins/trivy/plugin.go#L700)

Command

  InitContainer:
    Command:
      trivy
    Args:
      --cache-dir
      /tmp/trivy/.cache
      image
      --download-db-only
      --db-repository
      <private-registry-name>

  2023-07-06T10:23:04.261Z  INFO   DB Repository: <private-registry-name>
  2023-07-06T10:23:04.261Z  INFO   Downloading DB...
  2023-07-06T10:23:04.519Z  FATAL  init error: DB error: failed to download vulnerability DB: database download error: OCI repository error: 1 error occurred:
                            * GET https://<registry-url>/jwt/auth?scope=repository%3A<repository-name>%2Foci%2F<image-name>%3Apull&service=container_registry: DENIED: access forbidden

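The two changes the report asks for (skip the init container when the DB is already in the cache, and keep the scan container from dialling out for it) can be sketched as plain Go. This is an added example written for this page, not trivy-operator's own plugin code: `TrivyConfig`, its `OfflineCache` field, `InitContainerArgs`, `ScanContainerArgs`, `CheckCache` and `WriteSampleCache` are all hypothetical names. The only things taken from real Trivy are the CLI flags (`--cache-dir`, `--download-db-only`, `--db-repository`, `--skip-db-update`, `--offline-scan`) and the cache layout `<cache-dir>/db/trivy.db` plus `<cache-dir>/db/metadata.json` with `Version`, `NextUpdate`, `UpdatedAt` and `DownloadedAt` fields. `CheckCache` is the pre-deployment check a practitioner would want for a rebuilt air-gapped image: it refuses a cache whose `NextUpdate` is already in the past, which is the failure mode that otherwise only surfaces as a stale scan. The six-hour validity window in `WriteSampleCache` is a constructed value for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// TrivyConfig holds the settings this example cares about. OfflineCache is a
// hypothetical operator setting (not an existing trivy-operator option): when
// true, the vulnerability DB is expected to already be present in CacheDir.
type TrivyConfig struct {
	CacheDir     string
	DBRepository string
	OfflineCache bool
}

// InitContainerArgs mirrors the init container from the issue above. In
// offline mode it returns nil, meaning no init container is rendered at all.
func InitContainerArgs(c TrivyConfig) []string {
	if c.OfflineCache {
		return nil
	}
	return []string{"--cache-dir", c.CacheDir, "image", "--download-db-only", "--db-repository", c.DBRepository}
}

// ScanContainerArgs builds the scan invocation. In offline mode it adds
// --skip-db-update and --offline-scan so Trivy never contacts a registry
// for the DB, and --db-repository is not passed at all.
func ScanContainerArgs(c TrivyConfig, imageRef string) []string {
	args := []string{"--cache-dir", c.CacheDir, "image"}
	if c.OfflineCache {
		args = append(args, "--skip-db-update", "--offline-scan")
	}
	return append(args, imageRef)
}

// dbMetadata is the shape of <cache-dir>/db/metadata.json written by Trivy.
type dbMetadata struct {
	Version      int       `json:"Version"`
	NextUpdate   time.Time `json:"NextUpdate"`
	UpdatedAt    time.Time `json:"UpdatedAt"`
	DownloadedAt time.Time `json:"DownloadedAt"`
}

// CheckCache verifies that a pre-populated cache is usable: both DB files are
// present and the DB has not passed its NextUpdate deadline.
func CheckCache(cacheDir string, now time.Time) error {
	if _, err := os.Stat(filepath.Join(cacheDir, "db", "trivy.db")); err != nil {
		return fmt.Errorf("vulnerability DB missing: %w", err)
	}
	raw, err := os.ReadFile(filepath.Join(cacheDir, "db", "metadata.json"))
	if err != nil {
		return fmt.Errorf("DB metadata missing: %w", err)
	}
	var md dbMetadata
	if err := json.Unmarshal(raw, &md); err != nil {
		return fmt.Errorf("DB metadata unreadable: %w", err)
	}
	if now.After(md.NextUpdate) {
		return fmt.Errorf("DB stale: NextUpdate %s is in the past, rebuild the image", md.NextUpdate.Format(time.RFC3339))
	}
	return nil
}

// WriteSampleCache writes a constructed cache layout for demonstration. The
// trivy.db content is a placeholder, not a real Trivy database, and the
// six-hour NextUpdate window is an assumed value.
func WriteSampleCache(cacheDir string, updatedAt time.Time) error {
	dbDir := filepath.Join(cacheDir, "db")
	if err := os.MkdirAll(dbDir, 0o755); err != nil {
		return err
	}
	md := dbMetadata{Version: 2, UpdatedAt: updatedAt, DownloadedAt: updatedAt, NextUpdate: updatedAt.Add(6 * time.Hour)}
	raw, err := json.Marshal(md)
	if err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(dbDir, "metadata.json"), raw, 0o644); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dbDir, "trivy.db"), []byte("placeholder"), 0o644)
}

func main() {
	dir, err := os.MkdirTemp("", "trivy-cache")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	cfg := TrivyConfig{CacheDir: dir, DBRepository: "<private-registry-name>", OfflineCache: true}
	fmt.Println("init container args:", InitContainerArgs(cfg))
	fmt.Println("scan container args:", ScanContainerArgs(cfg, "nginx:1.25"))

	built := time.Now().Add(-1 * time.Hour) // image rebuilt an hour ago
	if err := WriteSampleCache(dir, built); err != nil {
		panic(err)
	}
	fmt.Println("fresh cache:", CheckCache(dir, time.Now()))
	fmt.Println("stale cache:", CheckCache(dir, time.Now().Add(24*time.Hour)))
}
```

Run `CheckCache` against the image's TRIVY_CACHE_DIR as part of the image build pipeline; a cache that passes the registry-free build but is already past `NextUpdate` would otherwise be deployed silently.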
chen-keinan commented 1 year ago

@yanehi sounds reasonable, you can raise a PR if you have time

chen-keinan commented 1 year ago

Related https://github.com/eraser-dev/eraser/issues/888#issuecomment-1753407795

zhcli commented 1 year ago

Hey @chen-keinan, could you please confirm our agreed approach here:

or

chen-keinan commented 1 year ago

@zhcli in general looks ok, feel free to raise a PR and I'll take a look at it in detail