Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make Trivy's dbRepository and javaDbRepository configurable #1821

Open
benji78 opened this issue Sep 4, 2024 · 5 comments · May be fixed by #1857
Open

Make Trivy's dbRepository and javaDbRepository configurable #1821

benji78 opened this issue Sep 4, 2024 · 5 comments · May be fixed by #1857
Assignees

Comments

@benji78
Copy link

benji78 commented Sep 4, 2024

Currently, dbRepository and javaDbRepository cannot be configured in Harbor and the alternative it is to have a runner regularly execute the following commands on the Trivy pods:

trivy image --download-db-only --db-repository registry.example.com/aquasecurity/trivy-db
trivy image --download-java-db-only --java-db-repository registry.example.com/aquasecurity/trivy-java-db

I probably should mention that the official Trivy helm chart does have a configurable dbRepository but not javaDbRepository (which has been added with trivy#3595).

@MinerYang
Copy link
Collaborator

Hi @benji78 ,

I am not sure how configure for example dbRepository would help you to skip this db downloading ops if this is the requirements. I assume these configs only allow you to set up the private repository address.

Best,
Miner

@benji78
Copy link
Author

benji78 commented Sep 9, 2024

It may not have been clear that I want to use a private repository as a replacement for ghcr.io from which Trivy can automatically and regularly fetch both databases. Therefore I do not want to use skipDBUpdate which is what I believe you are referring to. To reiterate, the example commands I gave are just a way to manually import both databases through the private repository but having a runner or chron job run these commands regularly it is not very efficient or practical.

@reasonerjt
Copy link
Contributor

Let's double check if the repository can be set via env variable.

@benji78
Copy link
Author

benji78 commented Sep 24, 2024

--db-repository and --java-db-repository would need to be added here goharbor/harbor-scanner-trivy/pkg/trivy/wrapper.go#L203
However, in this repository's README, trivy.image.repository is still goharbor/trivy-adapter-photon which I believe was removed 4 days ago in favour of goharbor/harbor-scanner-trivy which used to be here aquasecurity/harbor-scanner-trivy

@rassie
Copy link

rassie commented Nov 11, 2024

It seems that goharbor/harbor-scanner-trivy#3 has been merged and released with Harbor 2.12.0., which doesn't have an updated Helm chart yet. What needs to be done to the Helm chart to make this available?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants