devopstales / trivy-operator

Kubernetes Operator based on the open-source container vulnerability scanner Trivy.
https://devopstales.github.io/trivy-operator/
Apache License 2.0

RFE: Offline usage trigger #28

Closed evgkrsk closed 2 years ago

evgkrsk commented 2 years ago

It may be useful to run trivy-operator in an offline (air-gapped) environment.

But now trivy-operator always fetches the trivy db on startup ("startup_fn_trivy_cache" function) and during runtime.

I think that it is difficult to embrace all variants of offline envs in real-life, so my suggestion for now is simple: it is possible to implement completely offline trivy usage trigger? Idea is to leave db update up to sysadmin.

Official documentation may be good starting point: https://aquasecurity.github.io/trivy/v0.31.3/docs/advanced/air-gap/

devopstales commented 2 years ago

Hi @evgkrsk

Thank you for using my trivy-operator. It is an interesting function. I think it is fairly simple to add an option for offline scan in the CRD. Based on that it can disable the vulndb download at the beginning and add the offline scan option to the trivy run. If you want to help with that, pull requests are welcome.

I will try to check on this in the next release. I plan to release the 2.5 release at the end of September.

evgkrsk commented 2 years ago

Not sure if offline-scan is an attribute of the CRD. trivy-operator's deployment in k8s either has internet access to update the DB or doesn't have it. So, effectively all CRD objects are offline or online.

But surely you have better understanding of project's internals.

devopstales commented 2 years ago

@evgkrsk There is an option for trivy to use your docker registry for vuln-db storage:

    DB Flags
      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
      --skip-db-update         skip updating vulnerability database

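
The air-gapped workflow from the Trivy docs linked in the issue, as an added example that is not trivy-operator's code: a connected host runs `trivy image --download-db-only`, the cache directory is copied across, and the offline host checks that the DB is actually present before scanning with `--skip-db-update --offline-scan`. It assumes Trivy's cache layout `$CACHE_DIR/db/trivy.db` plus `metadata.json`, and the `TRIVY` variable is an assumed hook for overriding the binary.

```shell
#!/bin/sh
# Added example (not trivy-operator's own code). Assumes the Trivy cache layout
# $CACHE_DIR/db/trivy.db and $CACHE_DIR/db/metadata.json, and that a connected
# host already populated it with:
#   trivy image --cache-dir "$CACHE_DIR" --download-db-only
# TRIVY is an assumed override so the wrapper can be exercised without trivy.
TRIVY="${TRIVY:-trivy}"

# Return 0 when a usable vulnerability DB is present in the cache, 1 otherwise.
trivy_db_ready() {
    cache_dir="$1"
    [ -s "$cache_dir/db/trivy.db" ] && [ -f "$cache_dir/db/metadata.json" ]
}

# Scan an image without touching the network. Refuse to run when the DB is
# missing (DB delivery stays with the sysadmin, as the issue proposes) rather
# than letting trivy attempt a download that an air-gapped host cannot perform.
trivy_offline_scan() {
    cache_dir="$1"
    image="$2"
    if ! trivy_db_ready "$cache_dir"; then
        echo "no vulnerability DB under $cache_dir/db; copy one from a connected host" >&2
        return 1
    fi
    "$TRIVY" image --cache-dir "$cache_dir" --skip-db-update --offline-scan "$image"
}
```

The same readiness check is what an operator-side "offline" switch would want to perform in place of the startup DB fetch.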
evgkrsk commented 2 years ago

Yes, it is one of possible ways to deliver fresh trivy db. It may be handy for some users to have ability to override ghcr.io OCI repo in trivy-operator.

devopstales commented 2 years ago

@evgkrsk in the 53e915e I added the ability to use custom OCI repo. I need to test of course but with that I think this feature is done.