Merge pull request #11134 from danielpacak/feat/issue_11090/trivy_skip_update_flag

feat(trivy): Configure Trivy to skip database updates
2024-11-22 02:05:41 +01:00 · 2020-03-19 18:13:08 +08:00 · 2020-03-19 18:13:08 +08:00 · 2859cd8b69
commit 2859cd8b69
parent 3de8175d1b 7325105714
4 changed files with 14 additions and 4 deletions
--- a/2
+++ b/2
@ -104,7 +104,7 @@ CLAIRVERSION=v2.1.1
 NOTARYMIGRATEVERSION=v3.5.4
 CLAIRADAPTERVERSION=v1.0.1
 TRIVYVERSION=v0.5.2
-TRIVYADAPTERVERSION=v0.4.0
+TRIVYADAPTERVERSION=v0.5.0

 # version of chartmuseum
 CHARTMUSEUMVERSION=v0.9.0
--- a/make/harbor.yml.tmpl
+++ b/make/harbor.yml.tmpl
@ -70,6 +70,14 @@ clair:

 # Trivy configuration
 trivy:
+  # ignoreUnfixed The flag to display only fixed vulnerabilities
+  ignore_unfixed: false
+  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
+  #
+  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
+  # If the flag is enabled you have to manually download the `trivy.db` file and mount it in the
+  # /home/scanner/.cache/trivy/db/trivy.db path.
+  skip_update: false
  # github_token The GitHub access token to download Trivy DB
  #
  # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
--- a/make/photon/prepare/templates/trivy-adapter/env.jinja
+++ b/make/photon/prepare/templates/trivy-adapter/env.jinja
@ -7,7 +7,8 @@ SCANNER_TRIVY_CACHE_DIR=/home/scanner/.cache/trivy
 SCANNER_TRIVY_REPORTS_DIR=/home/scanner/.cache/reports
 SCANNER_TRIVY_VULN_TYPE=os,library
 SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-SCANNER_TRIVY_IGNORE_UNFIXED=false
+SCANNER_TRIVY_IGNORE_UNFIXED={{trivy_ignore_unfixed}}
+SCANNER_TRIVY_SKIP_UPDATE={{trivy_skip_update}}
 SCANNER_TRIVY_GITHUB_TOKEN={{trivy_github_token}}
 HTTP_PROXY={{trivy_http_proxy}}
 HTTPS_PROXY={{trivy_https_proxy}}
--- a/make/photon/prepare/utils/configs.py
+++ b/make/photon/prepare/utils/configs.py
@ -242,8 +242,9 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit

    # Trivy configs, optional
    trivy_configs = configs.get("trivy") or {}
-    trivy_github_token = trivy_configs.get("github_token") or ''
-    config_dict['trivy_github_token'] = trivy_github_token
+    config_dict['trivy_github_token'] = trivy_configs.get("github_token") or ''
+    config_dict['trivy_skip_update'] = trivy_configs.get("skip_update") or False
+    config_dict['trivy_ignore_unfixed'] = trivy_configs.get("ignore_unfixed") or False

    # Chart configs
    chart_configs = configs.get("chart") or {}