diff --git a/.goreleaser.yml b/.goreleaser.yml
index 52ea01da..d574ab71 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -29,16 +29,15 @@ changelog:
- '^release'
dockers:
- image_templates:
- - "docker.io/aquasec/harbor-scanner-trivy:{{ .Version }}"
- - "public.ecr.aws/aquasecurity/harbor-scanner-trivy:{{ .Version }}"
+ - "docker.io/goharbor/harbor-scanner-trivy:{{ .Version }}"
ids:
- scanner-trivy
build_flag_templates:
- "--label=org.label-schema.schema-version=1.0"
- "--label=org.label-schema.name={{ .ProjectName }}"
- "--label=org.label-schema.description=Harbor scanner adapter for Trivy"
- - "--label=org.label-schema.vendor=Aqua Security"
+ - "--label=org.label-schema.vendor=Harbor community"
- "--label=org.label-schema.version={{ .Version }}"
- "--label=org.label-schema.build-date={{ .Date }}"
- - "--label=org.label-schema.vcs=https://github.com/aquasecurity/harbor-scanner-trivy"
+ - "--label=org.label-schema.vcs=https://github.com/goharbor/harbor-scanner-trivy"
- "--label=org.label-schema.vcs-ref={{ .FullCommit }}"
diff --git a/README.md b/README.md
index 43f4ebc0..9c83869c 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,7 @@ The following matrix indicates the version of Trivy and Trivy adapter installed
| Harbor                  | Trivy Adapter | Trivy           |
|-------------------------|---------------|-----------------|
+| harbor v2.12.0          | v0.32.0       | [trivy v0.56.1] |
| harbor v2.11.1          | v0.31.4       | [trivy v0.54.1] |
| -                       | v0.31.3       | [trivy v0.52.2] |
| harbor v2.11.0          | v0.31.2       | [trivy v0.51.2] |
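Review bot: The new `image_templates` list drops both `docker.io/aquasec/harbor-scanner-trivy` and `public.ecr.aws/aquasecurity/harbor-scanner-trivy` in the same release that introduces the `goharbor` name, so every deployment still pulling from the old names silently stops receiving adapter releases and, with them, the Trivy upgrades listed in the README matrix. For a scanner, a quietly frozen image is a supply-chain problem: it keeps producing reports against an aging Trivy while looking healthy. Consider keeping the previous templates for one deprecation window, or at minimum stating the relocation prominently in the README and changelog so operators repoint their pull specs (the Helm README in this same commit still documents `aquasec/harbor-scanner-trivy` as the default repository).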
@@ -67,45 +68,47 @@ designated as the default scanner. Configuration of the adapter is done via environment variables at startup. -| Name | Default | Description | -|-----------------------------------------|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `SCANNER_LOG_LEVEL` | `info` | The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. The standard logger logs entries with that level or anything above it. | -| `SCANNER_API_SERVER_ADDR` | `:8080` | Binding address for the API server | -| `SCANNER_API_SERVER_TLS_CERTIFICATE` | N/A | The absolute path to the x509 certificate file | -| `SCANNER_API_SERVER_TLS_KEY` | N/A | The absolute path to the x509 private key file | -| `SCANNER_API_SERVER_CLIENT_CAS` | N/A | A list of absolute paths to x509 root certificate authorities that the api use if required to verify a client certificate | -| `SCANNER_API_SERVER_READ_TIMEOUT` | `15s` | The maximum duration for reading the entire request, including the body | -| `SCANNER_API_SERVER_WRITE_TIMEOUT` | `15s` | The maximum duration before timing out writes of the response | -| `SCANNER_API_SERVER_IDLE_TIMEOUT` | `60s` | The maximum amount of time to wait for the next request when keep-alives are enabled | -| `SCANNER_API_SERVER_METRICS_ENABLED` | `true` | Whether to enable metrics | -| `SCANNER_TRIVY_CACHE_DIR` | `/home/scanner/.cache/trivy` | Trivy cache directory | -| `SCANNER_TRIVY_REPORTS_DIR` | `/home/scanner/.cache/reports` | Trivy reports directory | -| `SCANNER_TRIVY_DEBUG_MODE` | `false` | The flag to enable or disable Trivy debug mode | -| `SCANNER_TRIVY_VULN_TYPE` | `os,library` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. 
| -| `SCANNER_TRIVY_SECURITY_CHECKS` | `vuln,config,secret` | comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. | -| `SCANNER_TRIVY_SEVERITY` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Comma-separated list of vulnerabilities severities to be displayed | -| `SCANNER_TRIVY_IGNORE_UNFIXED` | `false` | The flag to display only fixed vulnerabilities | -| `SCANNER_TRIVY_IGNORE_POLICY` | `` | The path for the Trivy ignore policy OPA Rego file | -| `SCANNER_TRIVY_SKIP_UPDATE` | `false` | The flag to disable [Trivy DB] downloads. | -| `SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE` | `false` | The flag to disable [Trivy JAVA DB] downloads. | -| `SCANNER_TRIVY_OFFLINE_SCAN` | `false` | The flag to disable external API requests to identify dependencies. | -| `SCANNER_TRIVY_GITHUB_TOKEN` | N/A | The GitHub access token to download [Trivy DB] (see [GitHub rate limiting][gh-rate-limit]) | -| `SCANNER_TRIVY_INSECURE` | `false` | The flag to skip verifying registry certificate | -| `SCANNER_TRIVY_TIMEOUT` | `5m0s` | The duration to wait for scan completion | -| `SCANNER_STORE_REDIS_NAMESPACE` | `harbor.scanner.trivy:store` | The namespace for keys in the Redis store | -| `SCANNER_STORE_REDIS_SCAN_JOB_TTL` | `1h` | The time to live for persisting scan jobs and associated scan reports | -| `SCANNER_JOB_QUEUE_REDIS_NAMESPACE` | `harbor.scanner.trivy:job-queue` | The namespace for keys in the scan jobs queue backed by Redis | -| `SCANNER_JOB_QUEUE_WORKER_CONCURRENCY` | `1` | The number of workers to spin-up for the scan jobs queue | -| `SCANNER_REDIS_URL` | `redis://harbor-harbor-redis:6379` | The Redis server URI. The URI supports schemas to connect to a standalone Redis server, i.e. `redis://:password@standalone_host:port/db-number` and Redis Sentinel deployment, i.e. `redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number`. 
| -| `SCANNER_REDIS_POOL_MAX_ACTIVE` | `5` | The max number of connections allocated by the Redis connection pool | -| `SCANNER_REDIS_POOL_MAX_IDLE` | `5` | The max number of idle connections in the Redis connection pool | -| `SCANNER_REDIS_POOL_IDLE_TIMEOUT` | `5m` | The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed. | -| `SCANNER_REDIS_POOL_CONNECTION_TIMEOUT` | `1s` | The timeout for connecting to the Redis server | -| `SCANNER_REDIS_POOL_READ_TIMEOUT` | `1s` | The timeout for reading a single Redis command reply | -| `SCANNER_REDIS_POOL_WRITE_TIMEOUT` | `1s` | The timeout for writing a single Redis command. | -| `HTTP_PROXY` | N/A | The URL of the HTTP proxy server | -| `HTTPS_PROXY` | N/A | The URL of the HTTPS proxy server | -| `NO_PROXY` | N/A | The URLs that the proxy settings do not apply to | +| Name | Default | Description | +|-----------------------------------------|--------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `SCANNER_LOG_LEVEL` | `info` | The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. The standard logger logs entries with that level or anything above it. 
| +| `SCANNER_API_SERVER_ADDR` | `:8080` | Binding address for the API server | +| `SCANNER_API_SERVER_TLS_CERTIFICATE` | N/A | The absolute path to the x509 certificate file | +| `SCANNER_API_SERVER_TLS_KEY` | N/A | The absolute path to the x509 private key file | +| `SCANNER_API_SERVER_CLIENT_CAS` | N/A | A list of absolute paths to x509 root certificate authorities that the api use if required to verify a client certificate | +| `SCANNER_API_SERVER_READ_TIMEOUT` | `15s` | The maximum duration for reading the entire request, including the body | +| `SCANNER_API_SERVER_WRITE_TIMEOUT` | `15s` | The maximum duration before timing out writes of the response | +| `SCANNER_API_SERVER_IDLE_TIMEOUT` | `60s` | The maximum amount of time to wait for the next request when keep-alives are enabled | +| `SCANNER_API_SERVER_METRICS_ENABLED` | `true` | Whether to enable metrics | +| `SCANNER_TRIVY_CACHE_DIR` | `/home/scanner/.cache/trivy` | Trivy cache directory | +| `SCANNER_TRIVY_REPORTS_DIR` | `/home/scanner/.cache/reports` | Trivy reports directory | +| `SCANNER_TRIVY_DEBUG_MODE` | `false` | The flag to enable or disable Trivy debug mode | +| `SCANNER_TRIVY_VULN_TYPE` | `os,library` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. | +| `SCANNER_TRIVY_SECURITY_CHECKS` | `vuln,config,secret` | comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. | +| `SCANNER_TRIVY_SEVERITY` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Comma-separated list of vulnerabilities severities to be displayed | +| `SCANNER_TRIVY_IGNORE_UNFIXED` | `false` | The flag to display only fixed vulnerabilities | +| `SCANNER_TRIVY_IGNORE_POLICY` | `` | The path for the Trivy ignore policy OPA Rego file | +| `SCANNER_TRIVY_SKIP_UPDATE` | `false` | The flag to disable [Trivy DB] downloads. | +| `SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE` | `false` | The flag to disable [Trivy JAVA DB] downloads. 
| +| `SCANNER_TRIVY_DB_REPOSITORY` | `ghcr.io/aquasecurity/trivy-db` | OCI repository to retrieve the trivy vulnerability database from | +| `SCANNER_TRIVY_JAVA_DB_REPOSITORY` | `ghcr.io/aquasecurity/trivy-java-db` | OCI repository to retrieve the Java trivy vulnerability database from | +| `SCANNER_TRIVY_OFFLINE_SCAN` | `false` | The flag to disable external API requests to identify dependencies. | +| `SCANNER_TRIVY_GITHUB_TOKEN` | N/A | The GitHub access token to download [Trivy DB] (see [GitHub rate limiting][gh-rate-limit]) | +| `SCANNER_TRIVY_INSECURE` | `false` | The flag to skip verifying registry certificate | +| `SCANNER_TRIVY_TIMEOUT` | `5m0s` | The duration to wait for scan completion | +| `SCANNER_STORE_REDIS_NAMESPACE` | `harbor.scanner.trivy:store` | The namespace for keys in the Redis store | +| `SCANNER_STORE_REDIS_SCAN_JOB_TTL` | `1h` | The time to live for persisting scan jobs and associated scan reports | +| `SCANNER_JOB_QUEUE_REDIS_NAMESPACE` | `harbor.scanner.trivy:job-queue` | The namespace for keys in the scan jobs queue backed by Redis | +| `SCANNER_JOB_QUEUE_WORKER_CONCURRENCY` | `1` | The number of workers to spin-up for the scan jobs queue | +| `SCANNER_REDIS_URL` | `redis://harbor-harbor-redis:6379` | The Redis server URI. The URI supports schemas to connect to a standalone Redis server, i.e. `redis://:password@standalone_host:port/db-number` and Redis Sentinel deployment, i.e. `redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number`. | +| `SCANNER_REDIS_POOL_MAX_ACTIVE` | `5` | The max number of connections allocated by the Redis connection pool | +| `SCANNER_REDIS_POOL_MAX_IDLE` | `5` | The max number of idle connections in the Redis connection pool | +| `SCANNER_REDIS_POOL_IDLE_TIMEOUT` | `5m` | The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed. 
| +| `SCANNER_REDIS_POOL_CONNECTION_TIMEOUT` | `1s` | The timeout for connecting to the Redis server | +| `SCANNER_REDIS_POOL_READ_TIMEOUT` | `1s` | The timeout for reading a single Redis command reply | +| `SCANNER_REDIS_POOL_WRITE_TIMEOUT` | `1s` | The timeout for writing a single Redis command. | +| `HTTP_PROXY` | N/A | The URL of the HTTP proxy server | +| `HTTPS_PROXY` | N/A | The URL of the HTTPS proxy server | +| `NO_PROXY` | N/A | The URLs that the proxy settings do not apply to | ## Documentation diff --git a/helm/harbor-scanner-trivy/Chart.yaml b/helm/harbor-scanner-trivy/Chart.yaml index 93d6c419..fa6d066c 100644 --- a/helm/harbor-scanner-trivy/Chart.yaml +++ b/helm/harbor-scanner-trivy/Chart.yaml @@ -1,11 +1,11 @@ apiVersion: v1 name: harbor-scanner-trivy -version: 0.31.4 -appVersion: 0.31.4 +version: 0.32.0 +appVersion: 0.32.0 description: Harbor scanner adapter for Trivy keywords: - scanner - harbor - vulnerability sources: -- https://github.com/aquasecurity/harbor-scanner-trivy +- https://github.com/goharbor/harbor-scanner-trivy diff --git a/helm/harbor-scanner-trivy/README.md b/helm/harbor-scanner-trivy/README.md index 37dfc859..f63159e5 100644 --- a/helm/harbor-scanner-trivy/README.md +++ b/helm/harbor-scanner-trivy/README.md 
@@ -73,49 +73,51 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the scanner adapter chart and their default values. -| Parameter | Description | Default | -|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------| -| `image.registry` | Image registry | `docker.io` | -| `image.repository` | Image name | `aquasec/harbor-scanner-trivy` | -| `image.tag` | Image tag | `{TAG_NAME}` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `replicaCount` | Number of scanner adapter Pods to run | `1` | -| `scanner.logLevel` | The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. 
The standard logger logs entries with that level or anything above it | `info` | -| `scanner.api.tlsEnabled` | The flag to enable or disable TLS for HTTP | `true` | -| `scanner.api.tlsCertificate` | The absolute path to the x509 certificate file | | -| `scanner.api.tlsKey` | The absolute path to the x509 private key file | | -| `scanner.api.readTimeout` | The maximum duration for reading the entire request, including the body | `15s` | -| `scanner.api.writeTimeout` | The maximum duration before timing out writes of the response | `15s` | -| `scanner.api.idleTimeout` | The maximum amount of time to wait for the next request when keep-alives are enabled | `60s` | -| `scanner.trivy.cacheDir` | Trivy cache directory | `/home/scanner/.cache/trivy` | -| `scanner.trivy.reportsDir` | Trivy reports directory | `/home/scanner/.cache/reports` | -| `scanner.trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` | -| `scanner.trivy.vulnType` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. 
| `os,library` | -| `scanner.trivy.ignorepolicy` | The OPA rego script used by Trivy to evaluate each vulnerability | ` ` | -| `scanner.trivy.severity` | Comma-separated list of vulnerabilities severities to be displayed | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | -| `scanner.trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | -| `scanner.trivy.timeout` | The duration to wait for scan completion | `5m0s` | -| `scanner.trivy.skipUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` | -| `scanner.trivy.skipJavaDBUpdate` | The flag to enable or disable Trivy Java DB downloads from GitHub | `false` | -| `scanner.trivy.offlineScan` | The flag to disable external API requests to identify dependencies | `false` | -| `scanner.trivy.gitHubToken` | The GitHub access token to download Trivy DB | | -| `scanner.trivy.insecure` | The flag to skip verifying registry certificate | `false` | -| `scanner.store.redisNamespace` | The namespace for keys in the Redis store | `harbor.scanner.trivy:store` | -| `scanner.store.redisScanJobTTL` | The time to live for persisting scan jobs and associated scan reports | `1h` | -| `scanner.jobQueue.redisNamespace` | The namespace for keys in the scan jobs queue backed by Redis | `harbor.scanner.trivy:job-queue` | -| `scanner.jobQueue.workerConcurrency` | The number of workers to spin-up for a jobs queue | `1` | +| Parameter | Description | Default | +|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------| +| `image.registry` | Image registry | `docker.io` | +| `image.repository` | Image name | `aquasec/harbor-scanner-trivy` | +| `image.tag` | Image tag | `{TAG_NAME}` | +| `image.pullPolicy` | Image 
pull policy | `IfNotPresent` | +| `replicaCount` | Number of scanner adapter Pods to run | `1` | +| `scanner.logLevel` | The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. The standard logger logs entries with that level or anything above it | `info` | +| `scanner.api.tlsEnabled` | The flag to enable or disable TLS for HTTP | `true` | +| `scanner.api.tlsCertificate` | The absolute path to the x509 certificate file | | +| `scanner.api.tlsKey` | The absolute path to the x509 private key file | | +| `scanner.api.readTimeout` | The maximum duration for reading the entire request, including the body | `15s` | +| `scanner.api.writeTimeout` | The maximum duration before timing out writes of the response | `15s` | +| `scanner.api.idleTimeout` | The maximum amount of time to wait for the next request when keep-alives are enabled | `60s` | +| `scanner.trivy.cacheDir` | Trivy cache directory | `/home/scanner/.cache/trivy` | +| `scanner.trivy.reportsDir` | Trivy reports directory | `/home/scanner/.cache/reports` | +| `scanner.trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` | +| `scanner.trivy.vulnType` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. 
| `os,library` | +| `scanner.trivy.ignorepolicy` | The OPA rego script used by Trivy to evaluate each vulnerability | ` ` | +| `scanner.trivy.severity` | Comma-separated list of vulnerabilities severities to be displayed | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `scanner.trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | +| `scanner.trivy.timeout` | The duration to wait for scan completion | `5m0s` | +| `scanner.trivy.skipUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` | +| `scanner.trivy.skipJavaDBUpdate` | The flag to enable or disable Trivy Java DB downloads from GitHub | `ghcr.io/aquasecurity/trivy-db` | +| `scanner.trivy.dbRepository` | OCI repository to retrieve the trivy vulnerability database from | `ghcr.io/aquasecurity/trivy-java-db` | +| `scanner.trivy.javaDBRepository` | OCI repository to retrieve the Java trivy vulnerability database from | `false` | +| `scanner.trivy.offlineScan` | The flag to disable external API requests to identify dependencies | `false` | +| `scanner.trivy.gitHubToken` | The GitHub access token to download Trivy DB | | +| `scanner.trivy.insecure` | The flag to skip verifying registry certificate | `false` | +| `scanner.store.redisNamespace` | The namespace for keys in the Redis store | `harbor.scanner.trivy:store` | +| `scanner.store.redisScanJobTTL` | The time to live for persisting scan jobs and associated scan reports | `1h` | +| `scanner.jobQueue.redisNamespace` | The namespace for keys in the scan jobs queue backed by Redis | `harbor.scanner.trivy:job-queue` | +| `scanner.jobQueue.workerConcurrency` | The number of workers to spin-up for a jobs queue | `1` | | `scanner.redis.poolURL` | The Redis server URI. The URI supports schemas to connect to a standalone Redis server, i.e. `redis://:password@standalone_host:port/db-number` and Redis Sentinel deployment, i.e. `redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number`. 
| -| `scanner.redis.poolMaxActive` | The max number of connections allocated by the Redis connection pool | `5` | -| `scanner.redis.poolMaxIdle` | The max number of idle connections in the Redis connection pool | `5` | -| `scanner.redis.poolIdleTimeout` | The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed. | `5m` | -| `scanner.redis.poolConnectionTimeout` | The timeout for connecting to the Redis server | `1s` | -| `scanner.redis.poolReadTimeout` | The timeout for reading a single Redis command reply | `1s` | -| `scanner.redis.poolWriteTimeout` | The timeout for writing a single Redis command | `1s` | -| `service.type` | Kubernetes service type | `ClusterIP` | -| `service.port` | Kubernetes service port | `8080` | -| `httpProxy` | The URL of the HTTP proxy server | | -| `httpsProxy` | The URL of the HTTPS proxy server | | -| `noProxy` | The URLs that the proxy settings do not apply to | | +| `scanner.redis.poolMaxActive` | The max number of connections allocated by the Redis connection pool | `5` | +| `scanner.redis.poolMaxIdle` | The max number of idle connections in the Redis connection pool | `5` | +| `scanner.redis.poolIdleTimeout` | The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed. 
| `5m` | +| `scanner.redis.poolConnectionTimeout` | The timeout for connecting to the Redis server | `1s` | +| `scanner.redis.poolReadTimeout` | The timeout for reading a single Redis command reply | `1s` | +| `scanner.redis.poolWriteTimeout` | The timeout for writing a single Redis command | `1s` | +| `service.type` | Kubernetes service type | `ClusterIP` | +| `service.port` | Kubernetes service port | `8080` | +| `httpProxy` | The URL of the HTTP proxy server | | +| `httpsProxy` | The URL of the HTTPS proxy server | | +| `noProxy` | The URLs that the proxy settings do not apply to | | The above parameters map to the env variables defined in [harbor-scanner-trivy](https://github.com/aquasecurity/harbor-scanner-trivy#configuration). diff --git a/helm/harbor-scanner-trivy/templates/statefulset.yaml b/helm/harbor-scanner-trivy/templates/statefulset.yaml index 26a67df9..636d22aa 100644 --- a/helm/harbor-scanner-trivy/templates/statefulset.yaml +++ b/helm/harbor-scanner-trivy/templates/statefulset.yaml @@ -77,6 +77,10 @@ spec: value: {{ .Values.scanner.trivy.skipJavaDBUpdate | quote }} - name: "SCANNER_TRIVY_OFFLINE_SCAN" value: {{ .Values.scanner.trivy.offlineScan | quote }} + - name: "SCANNER_TRIVY_DB_REPOSITORY" + value: {{ .Values.scanner.trivy.dbRepository | quote }} + - name: "SCANNER_TRIVY_JAVA_DB_REPOSITORY" + value: {{ .Values.scanner.trivy.javaDBRepository | quote }} - name: "SCANNER_TRIVY_GITHUB_TOKEN" valueFrom: secretKeyRef: diff --git a/helm/harbor-scanner-trivy/values.yaml b/helm/harbor-scanner-trivy/values.yaml index 419217bf..7961e641 100644 --- a/helm/harbor-scanner-trivy/values.yaml +++ b/helm/harbor-scanner-trivy/values.yaml @@ -3,8 +3,8 @@ fullnameOverride: "" image: registry: docker.io - repository: aquasec/harbor-scanner-trivy - tag: 0.31.4 + repository: goharbor/harbor-scanner-trivy + tag: 0.32.0 pullPolicy: IfNotPresent replicaCount: 1 
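Review bot: The Default column in the rewritten parameter table is shifted by two rows: `scanner.trivy.skipJavaDBUpdate` shows `ghcr.io/aquasecurity/trivy-db`, `scanner.trivy.dbRepository` shows `ghcr.io/aquasecurity/trivy-java-db`, and `scanner.trivy.javaDBRepository` shows `false`. The values.yaml hunk in this commit sets `skipJavaDBUpdate: false`, `dbRepository: "ghcr.io/aquasecurity/trivy-db"` and `javaDBRepository: "ghcr.io/aquasecurity/trivy-java-db"`, so the three cells need to move down to match. The `image.repository` row also still says `aquasec/harbor-scanner-trivy` although values.yaml now defaults to `goharbor/harbor-scanner-trivy`. An operator using this table to point the scanner at an internal DB mirror would copy the wrong value into the wrong key.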
@@ -78,6 +78,10 @@ scanner:
## If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the
## `/home/scanner/.cache/trivy/java-db/trivy-java.db` path (see `cacheDir`).
skipJavaDBUpdate: false
+ # OCI repository to retrieve the trivy vulnerability database from
+ dbRepository: "ghcr.io/aquasecurity/trivy-db"
+ # OCI repository to retrieve the Java trivy vulnerability database from
+ javaDBRepository: "ghcr.io/aquasecurity/trivy-java-db"
# offlineScan the flag to disable external API requests to identify dependencies.
offlineScan: false
## gitHubToken the GitHub access token to download Trivy DB
@@ -98,7 +102,7 @@ scanner:
gitHubToken: ""
## insecure the flag to skip verifying registry certificate
insecure: false
- # See https://github.com/aquasecurity/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy for details
+ # See https://github.com/goharbor/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy for details
ignorePolicy: ""
# ignorePolicy: |
# package trivy
diff --git a/pkg/etc/config.go b/pkg/etc/config.go
index 5e4edea5..3a51cdcb 100644
--- a/pkg/etc/config.go
+++ b/pkg/etc/config.go
@@ -34,6 +34,8 @@ type Trivy struct {
IgnorePolicy string `env:"SCANNER_TRIVY_IGNORE_POLICY"`
SkipDBUpdate bool `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"`
SkipJavaDBUpdate bool `env:"SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE" envDefault:"false"`
+ DBRepository string `env:"SCANNER_TRIVY_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-db"`
+ JavaDBRepository string `env:"SCANNER_TRIVY_JAVA_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-java-db"`
OfflineScan bool `env:"SCANNER_TRIVY_OFFLINE_SCAN" envDefault:"false"`
GitHubToken string `env:"SCANNER_TRIVY_GITHUB_TOKEN"`
Insecure bool `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
diff --git a/pkg/trivy/wrapper.go b/pkg/trivy/wrapper.go
index f5c4a1c4..565ec9d5 100644
--- a/pkg/trivy/wrapper.go
+++ b/pkg/trivy/wrapper.go
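Review bot: The new `dbRepository` and `javaDBRepository` comments say where the database comes from but not what that source controls: the content pulled from these repositories decides which vulnerabilities the scanner reports, so a writable or unauthenticated mirror is a direct way to make scans silently come back clean. I would extend the first comment to `# OCI repository to retrieve the trivy vulnerability database from. Whoever can push to this repository controls scan results; if you point it at a mirror, restrict write access to it and keep it in sync with upstream.` and mirror that on the Java DB key. Whether Trivy applies a signature or digest check to the pulled DB is not visible from this diff, so the comment should not promise one.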
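Review bot: The rewritten link `https://github.com/goharbor/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy` looks like a search-and-replace casualty: only the adapter moved to the goharbor organisation, while Trivy itself is published by Aqua Security (the DB repositories added in this same commit also stay under `ghcr.io/aquasecurity/`). The removed line was the correct one; restore `# See https://github.com/aquasecurity/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy for details`. Since `ignorePolicy` is the knob that suppresses findings, its only pointer to the policy semantics should not be a dead link.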
@@ -203,6 +203,14 @@ func (w *wrapper) prepareScanCmd(target ScanTarget, outputFile string, opt ScanO
args = append(args, "--ignore-policy", w.config.IgnorePolicy)
}
+ if w.config.DBRepository != "" {
+ args = append(args, "--db-repository", w.config.DBRepository)
+ }
+
+ if w.config.JavaDBRepository != "" {
+ args = append(args, "--java-db-repository", w.config.JavaDBRepository)
+ }
+
if w.config.DebugMode {
args = append(args, "--debug")
}
diff --git a/pkg/trivy/wrapper_test.go b/pkg/trivy/wrapper_test.go
index 89d87514..b39acca0 100644
--- a/pkg/trivy/wrapper_test.go
+++ b/pkg/trivy/wrapper_test.go
@@ -115,6 +115,8 @@ func TestWrapper_Scan(t *testing.T) {
IgnorePolicy: "/home/scanner/opa/policy.rego",
SkipDBUpdate: true,
SkipJavaDBUpdate: true,
+ DBRepository: "ghcr.io/aquasecurity/trivy-db",
+ JavaDBRepository: "ghcr.io/aquasecurity/trivy-java-db",
GitHubToken: "",
Insecure: true,
Timeout: 5 * time.Minute,
@@ -153,6 +155,10 @@ func TestWrapper_Scan(t *testing.T) {
"--ignore-unfixed",
"--skip-db-update",
"--skip-java-db-update",
+ "--db-repository",
+ "ghcr.io/aquasecurity/trivy-db",
+ "--java-db-repository",
+ "ghcr.io/aquasecurity/trivy-java-db",
"--ignore-policy",
"/home/scanner/opa/policy.rego",
"--debug",
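Review bot: The `!= ""` guards read as "flag is optional", but with `envDefault` set on both fields in `pkg/etc/config.go` they are non-empty unless an operator explicitly exports `SCANNER_TRIVY_DB_REPOSITORY=` with an empty value, in which case the flag is omitted and Trivy falls back to its own built-in repository rather than the adapter's documented default — two different "use the default" paths that are easy to confuse when debugging an air-gapped install. A one-line comment above the first guard would make that deliberate: `// An explicitly empty value omits the flag and defers to Trivy's built-in repository.` The value is passed as its own argv element, so there is no quoting or injection concern here. `prepareScanCmd` starts and ends outside this hunk.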
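Review bot: The expected argument list puts `--db-repository`/`--java-db-repository` between `--skip-java-db-update` and `--ignore-policy`, whereas the wrapper.go hunk appends them after the `--ignore-policy` block and before `--debug`. If the assertion compares the slice in order (the comparison itself is outside the hunk, so I cannot tell), this expectation will not match the command the wrapper builds; if it passes anyway, ordering is not being checked and a misplaced flag would go unnoticed. Either move the four added entries after `"/home/scanner/opa/policy.rego"` or state the order-insensitive comparison explicitly in the test. `TestWrapper_Scan` starts and ends outside this hunk.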