Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhancement: add support for configuring new Trivy environment variables via harbor.yml #21193

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions make/harbor.yml.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,11 @@ trivy:
# `/home/scanner/.cache/trivy/java-db/trivy-java.db` path
skip_java_db_update: false
#
# OCI repository to retrieve the trivy vulnerability database from.
db_repository: ghcr.io/aquasecurity/trivy-db
# OCI repository to retrieve the Java trivy vulnerability database from.
java_db_repository: ghcr.io/aquasecurity/trivy-java-db
#
# The offline_scan option prevents Trivy from sending API requests to identify dependencies.
# Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
# For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
Expand Down
2 changes: 2 additions & 0 deletions make/photon/prepare/templates/trivy-adapter/env.jinja
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
SCANNER_TRIVY_IGNORE_UNFIXED={{trivy_ignore_unfixed}}
SCANNER_TRIVY_SKIP_UPDATE={{trivy_skip_update}}
SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE={{trivy_skip_java_db_update}}
SCANNER_TRIVY_DB_REPOSITORY={{trivy_db_repository}}
SCANNER_TRIVY_JAVA_DB_REPOSITORY={{trivy_java_db_repository}}
SCANNER_TRIVY_OFFLINE_SCAN={{trivy_offline_scan}}
SCANNER_TRIVY_SECURITY_CHECKS={{trivy_security_check}}
SCANNER_TRIVY_GITHUB_TOKEN={{trivy_github_token}}
Expand Down
2 changes: 2 additions & 0 deletions make/photon/prepare/utils/configs.py
Original file line number Diff line number Diff line change
Expand Up @@ -213,6 +213,8 @@ def parse_yaml_config(config_file_path, with_trivy):
config_dict['trivy_github_token'] = trivy_configs.get("github_token") or ''
config_dict['trivy_skip_update'] = trivy_configs.get("skip_update") or False
config_dict['trivy_skip_java_db_update'] = trivy_configs.get("skip_java_db_update") or False
config_dict['trivy_db_repository'] = trivy_configs.get("db_repository") or 'ghcr.io/aquasecurity/trivy-db'
config_dict['trivy_java_db_repository'] = trivy_configs.get("java_db_repository") or 'ghcr.io/aquasecurity/trivy-java-db'
config_dict['trivy_offline_scan'] = trivy_configs.get("offline_scan") or False
config_dict['trivy_security_check'] = trivy_configs.get("security_check") or 'vuln'
config_dict['trivy_ignore_unfixed'] = trivy_configs.get("ignore_unfixed") or False
Expand Down
Loading