[cli] - any way to add specific trivy client arguments?

[rurus9]

Is it possible to add some trivy client argument with starboard scan vulnerabilityreports (global or for specific workload scan)?

With trivy client I can add do not show unfixed (https://github.com/aquasecurity/trivy#ignore-unfixed-vulnerabilities):
--ignore-unfixed # display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]

another thing important for me is to avoid some false positive checks with Ruby (https://github.com/aquasecurity/trivy#skip-traversal-of-the-specific-files):
--skip-files "/Gemfile.lock,/app/Pipfile.lock"

or ignore specific vulnerabilities (https://github.com/aquasecurity/trivy#ignore-the-specified-vulnerabilities):
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]

[danielpacak]

👋 @rurus9 Currently the only option that you can configure globally and pass to Trivy is --severity (see trivy.severity in https://aquasecurity.github.io/starboard/settings/). However, it should be relatively easy to add other flags that you mentioned to the ConfigMap used by Starboard.

[rurus9]

@danielpacak However, it should be relatively easy to add other flags that you mentioned to the ConfigMap used by Starboard.

Something like:

kubectl patch cm starboard -n starboard \
  --type merge \
  -p "$(cat <<EOF
{
  "data": {
    "trivy.imageRef": "trivy:0.14.0",
    "trivy.mode": "ClientServer",
    "trivy.serverURL": "trivy.server.address:port",
    "trivy.ignorefile": "/cache/trivy/trivyignore "
  }
}
EOF
)"

or:

kubectl patch cm starboard -n starboard \
  --type merge \
  -p "$(cat <<EOF
{
  "data": {
    "trivy.imageRef": "trivy:0.14.0",
    "trivy.mode": "ClientServer",
    "trivy.serverURL": "trivy.server.address:port",
    "trivy.clientArguments": "--ignorefile /cache/trivy/trivyignore --ignore-unfixed "
  }
}
EOF
)"

As I understand it would require some code changes in starboard?

[danielpacak]

Yes, this would require code change. However, you'd rather specify the content of tirvyignore file because the path is not enough to mount it as a ConfigMap volume attached to a pod, which is running Trivy. We run all scan jobs as Kubernetes job and local paths are not accessible.

[rurus9]

Thank you, @danielpacak for your answer.
Can you include this in your development plans for starboard (I tried to open "Feature request" issue, but it redirects to this forum)?

[danielpacak]

@rurus9 We have #541 to track your requirements

[rurus9]

thanks, i will follow the topic

[strus38]

Hi
Was this issue done as part of a feature?
I am looing at the exact same thing to add the air-gapped environment option of trivy.

[danielpacak]

In scope of #541 we just passed certain settings to Trivy client.

To support air-gapped environments more work has to be done. For example, design how a K8s job spawned by Starboard would refer to an offline Trivy DB archive. This could be probably done by some kind of a sidecar container that holds the offline Trivy DB file along with the --skip-update flag passed to Trivy, but it's currently not supported.

We've created #617 to elaborate on such requirement and eventually design, implement, and document it.