aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0
22.86k stars 2.25k forks

Init of Trivy from the `main` branch is slow. #7431

Closed DmitriyLewen closed 1 week ago

DmitriyLewen commented 1 week ago

Description

After #7417 Trivy starts slower.

```shell
➜ git checkout a5aa63eff7e229744090f9ad300c1bec3259397e
Previous HEAD position was 39c80248b chore(deps): Bump trivy-checks (#7417)
HEAD is now at a5aa63eff fix(misconf): do not register Rego libs in checks registry (#7420)
➜ mage build
➜ time ./trivy -v
./trivy -v  0.35s user 0.05s system 30% cpu 1.304 total

➜ git checkout 39c80248bcafd296e0bb6712113da3abe70e4ce2
Previous HEAD position was a5aa63eff fix(misconf): do not register Rego libs in checks registry (#7420)
HEAD is now at 39c80248b chore(deps): Bump trivy-checks (#7417)
➜ mage build
➜ time ./trivy -v
./trivy -v  8.58s user 0.19s system 129% cpu 6.791 total
```

DmitriyLewen commented 1 week ago

This is critical for us. We are delaying the release of v0.55.0 until this issue is resolved.

simar7 commented 1 week ago

This is due to two reasons:

  1. (short-term fix): There is a performance issue in OPA. See here for the issue. We have a fix for it upstream, but it hasn't been merged just yet. In the meantime, we can cherry-pick the fix to not delay our release, as done here.

  2. (long-term fix, separate issue): As @knqyf263 mentioned here, we should only initialize the misconf checks when the misconfiguration scanner is enabled. We will tackle this improvement in a separate feature improvement so we don't delay the current release. Issue to track: https://github.com/aquasecurity/trivy/issues/7434
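The long-term fix described in the second point, building the check registry only when the misconfiguration scanner is actually enabled, as an added Go example. This is not Trivy's code: the `Scanner` names, the `checkSources` map and the `compileChecks` function (a sleep plus a counter standing in for OPA compiling the trivy-checks Rego bundle) are all constructed for illustration. `EagerApp` reproduces the reported symptom, where even `-v` pays the compile cost, and `LazyApp` defers the work to the first misconfiguration scan via `sync.Once`.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
	"time"
)

// Scanner stands in for the values of Trivy's --scanners flag. The names and
// types here are assumptions for the example, not Trivy's own.
type Scanner string

const (
	ScannerVuln    Scanner = "vuln"
	ScannerMisconf Scanner = "misconf"
)

// checkSources is a constructed stand-in for the trivy-checks Rego bundle.
var checkSources = map[string]string{
	"sample-001": "package sample.s001\ndeny { input.x }",
	"sample-002": "package sample.s002\ndeny { input.y }",
	"sample-bad": "not a rego module",
}

// Registry holds the checks that survived compilation.
type Registry struct{ compiled map[string]bool }

// compileCalls counts how often the expensive step actually ran.
var compileCalls int

// compileChecks simulates OPA compiling the bundle: it burns `cost` of wall-clock
// time and keeps only sources that look like a Rego module.
func compileChecks(sources map[string]string, cost time.Duration) *Registry {
	compileCalls++
	time.Sleep(cost)
	r := &Registry{compiled: make(map[string]bool, len(sources))}
	for id, src := range sources {
		if strings.HasPrefix(src, "package ") {
			r.compiled[id] = true
		}
	}
	return r
}

func wantsMisconf(scanners []Scanner) bool {
	for _, s := range scanners {
		if s == ScannerMisconf {
			return true
		}
	}
	return false
}

// EagerApp compiles the registry in its constructor, so every command path,
// `-v` included, pays the cost. This mirrors the behaviour the issue reports.
type EagerApp struct{ reg *Registry }

func NewEagerApp(cost time.Duration) *EagerApp {
	return &EagerApp{reg: compileChecks(checkSources, cost)}
}

func (a *EagerApp) Version() string { return "example (eager)" }

// Scan returns how many checks would run for the requested scanners.
func (a *EagerApp) Scan(scanners []Scanner) int {
	if !wantsMisconf(scanners) {
		return 0
	}
	return len(a.reg.compiled)
}

// LazyApp defers compilation to the first scan that enables the
// misconfiguration scanner; sync.Once guarantees it runs at most once.
type LazyApp struct {
	cost time.Duration
	once sync.Once
	reg  *Registry
}

func NewLazyApp(cost time.Duration) *LazyApp { return &LazyApp{cost: cost} }

func (a *LazyApp) registry() *Registry {
	a.once.Do(func() { a.reg = compileChecks(checkSources, a.cost) })
	return a.reg
}

func (a *LazyApp) Version() string { return "example (lazy)" }

func (a *LazyApp) Scan(scanners []Scanner) int {
	if !wantsMisconf(scanners) {
		return 0
	}
	return len(a.registry().compiled)
}

// elapsed reports how long f takes, to contrast the two startup paths.
func elapsed(f func()) time.Duration {
	start := time.Now()
	f()
	return time.Since(start)
}

func main() {
	const cost = 300 * time.Millisecond // stand-in for the seconds seen in the issue
	fmt.Println("eager -v:           ", elapsed(func() { NewEagerApp(cost).Version() }))
	fmt.Println("lazy  -v:           ", elapsed(func() { NewLazyApp(cost).Version() }))
	lazy := NewLazyApp(cost)
	fmt.Println("lazy vuln-only scan:", elapsed(func() { lazy.Scan([]Scanner{ScannerVuln}) }))
	fmt.Println("lazy misconf scan:  ", elapsed(func() { lazy.Scan([]Scanner{ScannerMisconf}) }))
	fmt.Println("compile calls:", compileCalls)
}
```

Running `main` shows the eager `-v` path costing the full simulated compile time while the lazy one returns immediately, and a second misconfiguration scan on the same `LazyApp` does not compile again. The same gating applies to any other expensive startup work: initialize it behind the scanner that needs it, and guard the initializer so concurrent scans share one registry.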