Closed knqyf263 closed 2 weeks ago
@aquasecurity/trivy Please let me know if you have any feedback.
Can we also add a flag to clear the Terraform modules cache as well? I'm not entirely sure if it's needed, as the modules are saved in a temporary folder that the system cleans up automatically.
I don't mind adding such a flag, but don't we delete the modules after scanning? For example, we clone a remote repository to a system temporary directory, but we delete it after the scan completes. Are those modules something you want to make permanent in the cache? If so, should we store them in the Trivy cache directory?
> Are those modules something you want to make permanent in the cache?

We do this to help with scan speeds where we might have a lot of remote modules and the user has not performed a terraform init. If we download once, cache them and re-scan, it helps.

> If so, should we store them in the Trivy cache directory?

If we move them here we can add them as a cleanup item with trivy clean. Today they are in a system tempdir.

OK. If you move it to the Trivy cache dir, we should add it to trivy clean. Otherwise, we can let the OS manage the system directory. Either is fine for me.
> 2. Announce this breaking change in GitHub Discussions.
> This change, while breaking, will lead to a more user-friendly and maintainable Trivy.

Was surprised this was not listed as a breaking change in the release notes as well.
It's listed. Do you mean something else? https://github.com/aquasecurity/trivy/discussions/7061
> It's listed. Do you mean something else?

Sorry, I meant the CHANGELOG under GitHub Releases (https://github.com/aquasecurity/trivy/releases/tag/v0.53.0), which has a couple of breaking changes but not this one.
While I do appreciate GH Discussion for Q-A style stuff or commenting on a release, I think most people would check the CHANGELOG file, or view it under releases.
Although CHANGELOG.md kinda mentions it, "add clean subcommand" is not as obvious as "Cache Management Flags Removed".
@chen-keinan It seems like you forgot to update https://github.com/aquasecurity/trivy/releases/tag/v0.53.0. We usually add a link to the detailed release notes like this.
UPDATE: I opened a PR to document it. https://github.com/aquasecurity/trivy/pull/7072
Background

Trivy has evolved since its initial release (v0.0.1), operating without subcommands (e.g. trivy debian:11) and using CLI flags like --clear-cache and --reset for cache management (e.g., trivy --clear-cache). As the project grew, several changes were added:

Then, several problems occurred.

- --reset-checks-bundle are not available in subcommands that don't support misconfiguration scanning (e.g., trivy sbom).
- The --reset flag is implemented under subcommands rather than as a global flag, leading to unintuitive usage like trivy image --reset even when not scanning images.

These factors have led to a situation where it's not intuitive which flags are available for which subcommands, and the overall user experience for cache management has become inconsistent and confusing.

Proposal

To simplify the user experience and internal implementation, I'd propose the following changes:

1. Remove the following flags:
   - --clear-cache
   - --reset
   - --reset-checks-bundle
2. Introduce a new trivy clean command, inspired by the go clean command.

Examples

| Old | New |
| --- | --- |

| Old | New |
| --- | --- |

The new command supports multiple flags, allowing for more flexible cache management, similar to go clean -testcache -modcache.

Benefits

Migration

To assist users in migrating to the new command, we will:

1. … clean command.
2. Announce this breaking change in GitHub Discussions.

This change, while breaking, will lead to a more user-friendly and maintainable Trivy.
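As an added illustration (not Trivy's code), a small Go sketch of the clean subcommand proposed above: one go-clean-style flag per cache, each bound to a fixed subdirectory of the cache root, plus the old-flag hints the Migration section implies. The flag names, directory names and the old-to-new mapping are assumptions of this example.

```go
package main

import (
	"errors"
	"flag"
	"os"
	"path/filepath"
)

// Hypothetical cache layout (not Trivy's real directory names): each clean flag
// maps to one fixed subdirectory, so the command never touches a caller-supplied path.
var cacheTargets = []struct{ flag, dir string }{
	{"scan-cache", "scan"},
	{"vuln-db", "db"},
	{"checks-bundle", "policy"},
	{"tf-modules", "tf-modules"}, // Terraform modules, if kept under the cache dir
}

// legacyHints maps each removed flag to its replacement for the deprecation
// message shown during migration (the mapping is an assumption of this example).
var legacyHints = map[string]string{
	"--clear-cache":         "trivy clean -scan-cache",
	"--reset":               "trivy clean -all",
	"--reset-checks-bundle": "trivy clean -checks-bundle",
}

// runClean parses go-clean-style flags (-scan-cache -vuln-db ...) and removes the
// selected caches, returning the removed paths in layout order for logging.
func runClean(cacheDir string, args []string) ([]string, error) {
	fs := flag.NewFlagSet("clean", flag.ContinueOnError)
	all := fs.Bool("all", false, "remove every cache")
	selected := make(map[string]*bool, len(cacheTargets))
	for _, t := range cacheTargets {
		selected[t.flag] = fs.Bool(t.flag, false, "remove the "+t.flag+" cache")
	}
	if err := fs.Parse(args); err != nil {
		return nil, err
	}
	var removed []string
	for _, t := range cacheTargets {
		if !*all && !*selected[t.flag] {
			continue
		}
		target := filepath.Join(cacheDir, t.dir)
		if err := os.RemoveAll(target); err != nil {
			return removed, err
		}
		removed = append(removed, target)
	}
	if len(removed) == 0 {
		return nil, errors.New("nothing selected: pass -all or at least one cache flag")
	}
	return removed, nil
}
```

Each flag removes only its fixed subdirectory, so the command can never delete a path it was not designed to own; the returned list is what the caller logs to record exactly what was removed.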