
Use vulnerability database from local cache #1342

Open
yanehi opened this issue Jul 6, 2023 Discussed in #1341 · 4 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. target/kubernetes Issues relating to kubernetes cluster scanning

Comments

@yanehi

yanehi commented Jul 6, 2023

Problem

I would like to run the trivy-operator in standalone mode in an air-gapped environment. For this we use our own trivy image. It is regularly rebuilt with an up-to-date vulnerability database in its local cache (TRIVY_CACHE_DIR).

We have two issues with our setup using the Helm chart:

  1. we can't disable the InitContainer
  2. the trivy container enforces arguments to download its database: --db-repository (https://github.com/aquasecurity/trivy-operator/blob/v0.14.0/pkg/plugins/trivy/plugin.go#L700)

Command

```
InitContainer:
  Command:
    trivy
  Args:
    --cache-dir
    /tmp/trivy/.cache
    image
    --download-db-only
    --db-repository
    <private-registry-name>
```

```
2023-07-06T10:23:04.261Z  INFO   DB Repository: <private-registry-name>
2023-07-06T10:23:04.261Z  INFO   Downloading DB...
2023-07-06T10:23:04.519Z  FATAL  init error: DB error: failed to download vulnerability DB: database download error: OCI repository error: 1 error occurred:
                          * GET https://<registry-url>/jwt/auth?scope=repository%3A<repository-name>%2Foci%2F<image-name>%3Apull&service=container_registry: DENIED: access forbidden
```
@yanehi yanehi changed the title Allow InitContainer to pull vulnerability-db from private registry Use vulnerability database from local cache Jul 6, 2023
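The failure above is the init container reaching for a registry that the air-gapped cluster cannot authenticate to. The check below is an added example, not trivy-operator code: it inspects the DB that the custom image already carries in its cache and builds a scan command that never downloads, failing closed when the baked-in DB is missing or past its own NextUpdate (a stale DB is the main risk of the "rebuild regularly" approach). It assumes Trivy's `<cache-dir>/db/metadata.json` layout with a `NextUpdate` field, and uses the existing trivy CLI flags `--skip-db-update` and `--offline-scan`.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// dbMetadata mirrors <cache-dir>/db/metadata.json (assumption: field name as Trivy writes it).
type dbMetadata struct {
	NextUpdate time.Time `json:"NextUpdate"`
}

// CacheStatus summarises the vulnerability DB found in the local cache.
type CacheStatus struct {
	Present bool
	Stale   bool // now is past the NextUpdate the DB was published with
}

// CheckCachedDB reads the DB metadata from cacheDir (TRIVY_CACHE_DIR).
func CheckCachedDB(cacheDir string, now time.Time) (CacheStatus, error) {
	raw, err := os.ReadFile(filepath.Join(cacheDir, "db", "metadata.json"))
	if errors.Is(err, os.ErrNotExist) {
		return CacheStatus{}, nil // nothing baked in: a scan would try to download
	} else if err != nil {
		return CacheStatus{}, err
	}
	var md dbMetadata
	if err := json.Unmarshal(raw, &md); err != nil {
		return CacheStatus{}, fmt.Errorf("parse metadata.json: %w", err)
	}
	return CacheStatus{Present: true, Stale: now.After(md.NextUpdate)}, nil
}

// OfflineScanArgs returns the trivy argv for a scan that must not reach a registry.
// It fails closed when the cache is missing or stale instead of falling back to a download.
func OfflineScanArgs(cacheDir, imageRef string, now time.Time) ([]string, error) {
	st, err := CheckCachedDB(cacheDir, now)
	if err != nil {
		return nil, err
	}
	if !st.Present || st.Stale {
		return nil, fmt.Errorf("cached DB in %s missing or past NextUpdate: rebuild the image", cacheDir)
	}
	return []string{"trivy", "--cache-dir", cacheDir, "image", "--skip-db-update", "--offline-scan", imageRef}, nil
}
```

Running this in the image's entrypoint (or as the init container's command) turns a silent registry fallback into an explicit failure that points at the image rebuild pipeline.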
@chen-keinan
Contributor

@yanehi sounds reasonable, you can raise a PR if you have time

@chen-keinan chen-keinan added kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. target/kubernetes Issues relating to kubernetes cluster scanning labels Jul 10, 2023
@chen-keinan
Contributor

Related eraser-dev/eraser#888 (comment)

@zhcli

zhcli commented Oct 14, 2023

Hey @chen-keinan, could you please confirm our agreed approach here:

  • Update getPodSpecForStandaloneFSMode() and getPodSpecForStandaloneFSMode() to use local cache vulnerability database only

or

  • Create new receiver functions to cater offline vulnerability database use case

@chen-keinan
Contributor

@zhcli in general looks ok, feel free to raise a PR and I'll take a look at it in detail
