Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for --db-repository and --java-db-repository #3

Merged
merged 1 commit into from
Nov 4, 2024
Merged

Add support for --db-repository and --java-db-repository #3

merged 1 commit into from
Nov 4, 2024

Conversation

benji78
Copy link

@benji78 benji78 commented Oct 24, 2024

This implements the --db-repository and --java-db-repository options to allow users to specify a custom Trivy vulnerability DB repository. This is useful for users who want to use a custom database repository, such as a private repository mirror like Artifactory or other private registries.

This adds SCANNER_TRIVY_DB_REPOSITORY and SCANNER_TRIVY_JAVA_DB_REPOSITORY environment variables as well as scanner.trivy.dbRepository and scanner.trivy.javaDBRepository helm values.

I have updated the documentation to reflect this new option, as well as one of the existing wrapper tests (feel free to change it).

This is the first step to address the issue I created on the harbor-helm repository: goharbor/harbor-helm#1821

@reasonerjt reasonerjt self-requested a review November 4, 2024 07:19
reasonerjt
reasonerjt approved these changes Nov 4, 2024
View reviewed changes
Copy link

@reasonerjt reasonerjt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@reasonerjt reasonerjt merged commit edc4498 into goharbor:main Nov 4, 2024
1 check passed
@pkalemba
Copy link

pkalemba commented Nov 7, 2024

i know that is a merged PR but , maybe we missed something, what if user want to use a private registry eg. local harbor.
You need provide somehow auth details....

@benji78

@rassie rassie mentioned this pull request Nov 11, 2024
Open
@benji78 benji78 mentioned this pull request Nov 11, 2024
Open
@benji78 benji78 deleted the trivy-bd-repository branch November 11, 2024 17:00
@benji78
Copy link
Author

benji78 commented Nov 11, 2024

If we want to add authentication, it is much more complicated than just adding a --dbRepository option in the command being ran. I don't think using trivy registry login (previously trivy auth login) is possible. Therefore, it would require adding --username and --password (which is not recommended as the password may be exposed) or TRIVY_PASSWORD environment variable if it even is possible.
Also we would need to make sure it is working with multiple DB repositories likely coming in the next trivy release (v0.58).

@hoerup
Copy link

hoerup commented Nov 11, 2024
edited
Loading

multi DB repo was enabled in 0.56

aquasecurity/trivy#7640

📦 Support for multiple DB repositories for vulnerability and Java DB ↻

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@reasonerjt reasonerjt reasonerjt approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@benji78 @pkalemba @hoerup @reasonerjt