feat: Update registry fallbacks #7679
base: main
Conversation
We should document how to authenticate with ECR. Otherwise, ECR Public has only a 500 GB free tier for anonymous users. Also, it's calculated by IP address. I suppose we'll run out of the free tier on a CI service as it shares IP addresses.
I'm worried about adding Instead of adding
We read the docs but... having to authenticate to AWS would be a breaking change 🥹
hello @nvuillam |
Yes - I wanted to add more info on this topic. Added fa03189 |
Please see more info on how to authenticate with ECR [auth-ecr] and GHCR [auth-ghcr].
#### Caching DBs
Trivy DB and Trivy Java DB are published every 24 hours. If you are running Trivy scans more often than this, you can significantly benefit from caching the DBs on each run and updating them as needed.
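Review bot: the "published every 24 hours" sentence in the Caching DBs paragraph conflates publish frequency with update interval; the maintainer's comment in this thread states trivy-db is published every 6 hours with a 24-hour update interval and trivy-java-db every 24 hours with a 3-day update interval, so restate the paragraph in terms of the update interval, since that is the number that decides whether a cached DB is reused. The reference-style links [auth-ecr] and [auth-ghcr] also need matching link definitions on the page, and the ECR sentence should say why authentication matters here: as raised in the discussion, ECR Public's anonymous free tier is metered per source IP, which CI runners share.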
24 hours is incorrect.
We publish trivy-db every 6 hours, but the update interval is 24 hours.
For trivy-java-db: published every 24 hours, update interval is 3 days.
I'm also leaning toward this approach. I'm afraid that users downloading container images from ECR Public (e.g., Kubernetes cluster) may suddenly reach rate limits due to Trivy DB and be unable to deploy, etc. Of course, it is best if users can continue to use DBs as before without being aware of it, but the implicit use of ECR Public may have other negative effects. We should be careful about the use of ECR Public. If users explicitly set this up, they will understand these trade-offs.
Yes but the same can be said for GHCR today.
I added some docs here. Ultimately we can reach rate limits even with authenticated use of container registries. The fallback to using a secondary registry only mitigates the risk up to an extent.
The rate limits in GHCR are on the organization, not the user, unlike ECR Public. In other words, heavy use of GHCR may make aquasecurity images unavailable, but not other images. Users may not be able to use Trivy, but they will be able to pull any other images except aquasecurity.
Description
Adds public ECR registry as a fallback for both vuln-db and java-db.
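How the registry fallback, registry authentication and DB caching discussed in this thread fit together in a CI job, as an added example (not code from the Trivy project or from this PR). It assumes a Trivy build that accepts comma-separated `--db-repository` and `--java-db-repository` lists, the `public.ecr.aws/aquasecurity/...` repository paths (an assumption based on the PR description), the `aws` and `docker` CLIs on PATH, `GITHUB_TOKEN` and `GITHUB_ACTOR` in the environment, and that Trivy picks up registry credentials from the Docker config; the 24-hour and 3-day thresholds are the update intervals the maintainer states in the thread.

```shell
#!/usr/bin/env bash
# Added example for this PR's topic; not Trivy project code.
# Assumptions (not from the page): a Trivy build that accepts a
# comma-separated list for --db-repository / --java-db-repository,
# the repository paths below, the aws and docker CLIs on PATH,
# GITHUB_TOKEN/GITHUB_ACTOR in the environment, and Trivy reading
# registry credentials from ~/.docker/config.json.
set -eu

# Primary registry first; the next entry is only tried when the
# previous one fails (rate limit, outage).
DB_REPOS="ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db"
JAVA_DB_REPOS="ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db"
CACHE_DIR="${TRIVY_CACHE_DIR:-$HOME/.cache/trivy}"

# Update intervals stated by the maintainer in the thread: 24 h for
# trivy-db, 3 days for trivy-java-db. A cache younger than this is
# reused; refreshing it more often only burns registry quota.
DB_MAX_AGE_H=24
JAVA_DB_MAX_AGE_H=72

# db_is_fresh MTIME_EPOCH MAX_AGE_HOURS NOW_EPOCH
# Succeeds when the cached DB is younger than MAX_AGE_HOURS.
db_is_fresh() {
  local mtime=$1 max_h=$2 now=$3
  [ $(( now - mtime )) -lt $(( max_h * 3600 )) ]
}

# file_mtime PATH -> modification time in epoch seconds, 0 if missing.
# Tries GNU stat first, then BSD/macOS stat.
file_mtime() {
  if [ ! -f "$1" ]; then echo 0; return; fi
  stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# update_flags DB_MTIME JAVA_MTIME NOW -> the --skip-*-update flags
# that are safe to pass, as one space-separated string (may be empty).
update_flags() {
  local db_mtime=$1 java_mtime=$2 now=$3 flags=""
  if db_is_fresh "$db_mtime" "$DB_MAX_AGE_H" "$now"; then
    flags="--skip-db-update"
  fi
  if db_is_fresh "$java_mtime" "$JAVA_DB_MAX_AGE_H" "$now"; then
    flags="${flags:+$flags }--skip-java-db-update"
  fi
  echo "$flags"
}

# Log in to both registries so pulls are attributed to the account
# rather than to the runner's shared egress IP. The ECR Public token
# is only issued from us-east-1 and expires after 12 hours.
login_registries() {
  aws ecr-public get-login-password --region us-east-1 \
    | docker login --username AWS --password-stdin public.ecr.aws
  printf '%s' "$GITHUB_TOKEN" \
    | docker login ghcr.io --username "$GITHUB_ACTOR" --password-stdin
}

# run_scan IMAGE: scan with the fallback list, reusing cached DBs
# while they are still inside their update interval.
run_scan() {
  local image=$1 now flags
  now=$(date +%s)
  flags=$(update_flags \
    "$(file_mtime "$CACHE_DIR/db/trivy.db")" \
    "$(file_mtime "$CACHE_DIR/java-db/trivy-java.db")" \
    "$now")
  # shellcheck disable=SC2086  # $flags is meant to word-split
  trivy image --cache-dir "$CACHE_DIR" \
    --db-repository "$DB_REPOS" \
    --java-db-repository "$JAVA_DB_REPOS" \
    $flags "$image"
}

# Only act when invoked as: ./scan.sh scan <image>
if [ "${1:-}" = "scan" ]; then
  login_registries
  run_scan "${2:?image reference required}"
fi
```

Restore the cache directory from the CI cache before this runs and save it afterwards; as the thread notes, even authenticated pulls can hit rate limits, so skipping updates that are not yet due is what keeps the job off the registry most of the time, and the fallback registry only helps once the primary actually fails.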
Related PRs
Checklist