Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for --db-repository and --java-db-repository #3

Merged
merged 1 commit into from
Nov 4, 2024

Conversation

benji78
Copy link

@benji78 benji78 commented Oct 24, 2024

This implements the --db-repository and --java-db-repository options to allow users to specify a custom Trivy vulnerability DB repository. This is useful for users who want to use a custom database repository, such as a private repository mirror like Artifactory or other private registries.

This adds SCANNER_TRIVY_DB_REPOSITORY and SCANNER_TRIVY_JAVA_DB_REPOSITORY environment variables as well as scanner.trivy.dbRepository and scanner.trivy.javaDBRepository helm values.

I have updated the documentation to reflect this new option, as well as one of the existing wrapper tests (feel free to change it).

This is the first step to address the issue I created on the harbor-helm repository: goharbor/harbor-helm#1821

@benji78 benji78 force-pushed the trivy-bd-repository branch from 3883f4b to 94b04c6 Compare October 24, 2024 13:51
@reasonerjt reasonerjt self-requested a review November 4, 2024 07:19
Copy link

@reasonerjt reasonerjt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@reasonerjt reasonerjt merged commit edc4498 into goharbor:main Nov 4, 2024
1 check passed
@pkalemba
Copy link

pkalemba commented Nov 7, 2024

i know that is a merged PR but , maybe we missed something, what if user want to use a private registry eg. local harbor.
You need provide somehow auth details....

@benji78

@benji78
Copy link
Author

benji78 commented Nov 11, 2024

If we want to add authentication, it is much more complicated than just adding a --dbRepository option in the command being ran. I don't think using trivy registry login (previously trivy auth login) is possible. Therefore, it would require adding --username and --password (which is not recommended as the password may be exposed) or TRIVY_PASSWORD environment variable if it even is possible.
Also we would need to make sure it is working with multiple DB repositories likely coming in the next trivy release (v0.58).

@hoerup
Copy link

hoerup commented Nov 11, 2024

multi DB repo was enabled in 0.56

aquasecurity/trivy#7640

📦 Support for multiple DB repositories for vulnerability and Java DB ↻

@benji78
Copy link
Author

benji78 commented Nov 16, 2024

@pkalemba I was working on multi DB repository when, looking at the tests, I realised that it should already work with:

    trivy:
      extraEnvVars:
        - name: TRIVY_USERNAME
          value: USERNAME1,USERNAME2
        - name: TRIVY_PASSWORD
          value: PASSWORD1,PASSWORD2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants