oxsecurity / megalinter

🦙 MegaLinter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and security issues in your repository sources with a GitHub Action, other CI tools or locally.
https://megalinter.io
GNU Affero General Public License v3.0

Add the ability to preload the Trivy database into the Docker image #3969

Closed Heyzi closed 1 month ago

Heyzi commented 2 months ago

Is your feature request related to a problem? Please describe.

When running MegaLinter on a virtual machine without internet access, Trivy encounters a timeout error because it is unable to load its database. This results in the linter failing during the process.

Describe the solution you'd like

Add a step for loading the Trivy database to the file megalinter/descriptors/repository.megalinter-descriptor.yml. (For now, we solved the problem this way.)

  install:
    dockerfile:
    - RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh  | sh -s -- -b /usr/local/bin
    - RUN trivy image --download-db-only --no-progress
nvuillam commented 2 months ago

@Heyzi that's a smart workaround :)

But as the Trivy database is upgraded much more often than MegaLinter (every 12h vs about every month), aren't you afraid that using a 30-day-old vulnerability database on your sources might miss the latest vulnerabilities?

Heyzi commented 2 months ago

Thank you for your response. Having a preloaded vulnerability database is better than not having one. If there is internet access, it will update itself upon startup. If there is no internet access, you need to set the environment variables:

REPOSITORY_TRIVY_ARGUMENTS=--skip-db-update --skip-check-update --scanners vuln
REPOSITORY_TRIVY_SBOM_ARGUMENTS=--skip-db-update --skip-check-update --scanners vuln

and Trivy will function.
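The concern raised in the thread is that a database baked into the image can be weeks old by the time the image is used offline. The following is an added example (not MegaLinter or Trivy project code) of the check a pipeline can run before exporting the two REPOSITORY_TRIVY_* variables above: it reads the `UpdatedAt` / `NextUpdate` fields that Trivy records in `db/metadata.json` inside its cache directory, computes the database age, and emits a warning when the age exceeds a policy threshold. The cache location (`TRIVY_CACHE_DIR`, falling back to `~/.cache/trivy`), the `metadata.json` field names and the 30-day threshold are assumptions made here, not facts stated on the page; the sample metadata is constructed.

```python
"""Age-check a preloaded Trivy DB and build the offline MegaLinter variables.

Added example, not MegaLinter or Trivy code.  Assumed (not on the page):
Trivy keeps ``db/metadata.json`` under its cache dir with RFC 3339
``UpdatedAt`` and ``NextUpdate`` fields; MAX_AGE_DAYS is a local policy value.
"""
import json
import os
import re
from datetime import datetime, timezone

# Policy threshold for a "stale" database (tunable, not a Trivy default).
MAX_AGE_DAYS = 30

# The flags from the thread that keep Trivy from reaching the network.
OFFLINE_FLAGS = "--skip-db-update --skip-check-update --scanners vuln"

# Constructed sample of the metadata file layout (not copied from a real cache).
SAMPLE_METADATA = json.dumps({
    "Version": 2,
    "NextUpdate": "2024-06-02T06:00:00Z",
    "UpdatedAt": "2024-06-02T00:00:00Z",
    "DownloadedAt": "2024-06-02T00:05:00Z",
})


def parse_ts(value):
    """Parse an RFC 3339 timestamp (Z or numeric offset) into an aware datetime.

    Fractional seconds are dropped: day-level precision is all the check needs,
    and this avoids Python-version differences in fromisoformat().
    """
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(value)


def db_age_days(metadata_text, now=None):
    """Return (age_in_days, next_update_passed) for a metadata.json string."""
    meta = json.loads(metadata_text)
    updated = parse_ts(meta["UpdatedAt"])
    next_update = parse_ts(meta["NextUpdate"])
    now = now or datetime.now(timezone.utc)
    age_days = (now - updated).total_seconds() / 86400
    return age_days, now > next_update


def offline_env(metadata_text, now=None, max_age_days=MAX_AGE_DAYS):
    """Build the two REPOSITORY_TRIVY_* variables and collect staleness warnings.

    The variables keep Trivy offline either way; the warnings are what a
    pipeline should print or fail on so that an old preloaded DB is never
    silently trusted.  Returns (env_dict, warnings).
    """
    age, overdue = db_age_days(metadata_text, now)
    warnings = []
    if age > max_age_days:
        warnings.append(
            f"Trivy DB is {age:.1f} days old (policy max {max_age_days}); rebuild the image"
        )
    elif overdue:
        warnings.append(f"Trivy DB is {age:.1f} days old; its NextUpdate time has passed")
    env = {
        "REPOSITORY_TRIVY_ARGUMENTS": OFFLINE_FLAGS,
        "REPOSITORY_TRIVY_SBOM_ARGUMENTS": OFFLINE_FLAGS,
    }
    return env, warnings


def check_local_cache(cache_dir=None, now=None):
    """Inspect the real cache if present; None means no DB was preloaded.

    Assumed default cache location: $TRIVY_CACHE_DIR, else ~/.cache/trivy.
    """
    cache_dir = (
        cache_dir
        or os.environ.get("TRIVY_CACHE_DIR")
        or os.path.expanduser("~/.cache/trivy")
    )
    path = os.path.join(cache_dir, "db", "metadata.json")
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return offline_env(fh.read(), now)


if __name__ == "__main__":
    result = check_local_cache()
    if result is None:
        print("no preloaded Trivy DB found; an offline scan would fail at DB download")
        raise SystemExit(1)
    env, warnings = result
    for message in warnings:
        print("WARNING:", message)
    for key, value in env.items():
        print(f"export {key}='{value}'")
```

Run it inside the image (or on the air-gapped host) and `eval` its output before launching MegaLinter; a non-zero exit means no database was preloaded at all, which is the failure mode the issue describes, and a warning means the database is past the policy age and the image should be rebuilt rather than scanned with.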