Upstream/harbor
1
0
Fork 0
mirror of https://github.com/goharbor/harbor.git synced 2024-12-22 16:48:30 +01:00
Code Issues Projects Releases Wiki Activity

feat(trivy): Configure Trivy to skip database updates

Browse Source 
Resolves: #11090

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
This commit is contained in:
Daniel Pacak 2020-03-18 17:11:43 +01:00
parent dbedcf960c
commit 7325105714
4 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@ -103,7 +103,7 @@ CLAIRVERSION=v2.1.1
NOTARYMIGRATEVERSION=v3.5.4 NOTARYMIGRATEVERSION=v3.5.4
CLAIRADAPTERVERSION=v1.0.1 CLAIRADAPTERVERSION=v1.0.1
TRIVYVERSION=v0.5.2 TRIVYVERSION=v0.5.2
TRIVYADAPTERVERSION=v0.4.0 TRIVYADAPTERVERSION=v0.5.0
# version of chartmuseum # version of chartmuseum
CHARTMUSEUMVERSION=v0.9.0 CHARTMUSEUMVERSION=v0.9.0

8
make/harbor.yml.tmpl
View File

@ -61,6 +61,14 @@ clair:
# Trivy configuration # Trivy configuration
trivy: trivy:
# ignoreUnfixed The flag to display only fixed vulnerabilities
ignore_unfixed: false
# skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
#
# You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
# If the flag is enabled you have to manually download the `trivy.db` file and mount it in the
# /home/scanner/.cache/trivy/db/trivy.db path.
skip_update: false
# github_token The GitHub access token to download Trivy DB # github_token The GitHub access token to download Trivy DB
# #
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.

3
make/photon/prepare/templates/trivy-adapter/env.jinja
View File

@ -7,7 +7,8 @@ SCANNER_TRIVY_CACHE_DIR=/home/scanner/.cache/trivy
SCANNER_TRIVY_REPORTS_DIR=/home/scanner/.cache/reports SCANNER_TRIVY_REPORTS_DIR=/home/scanner/.cache/reports
SCANNER_TRIVY_VULN_TYPE=os,library SCANNER_TRIVY_VULN_TYPE=os,library
SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
SCANNER_TRIVY_IGNORE_UNFIXED=false SCANNER_TRIVY_IGNORE_UNFIXED={{trivy_ignore_unfixed}}
SCANNER_TRIVY_SKIP_UPDATE={{trivy_skip_update}}
SCANNER_TRIVY_GITHUB_TOKEN={{trivy_github_token}} SCANNER_TRIVY_GITHUB_TOKEN={{trivy_github_token}}
HTTP_PROXY={{trivy_http_proxy}} HTTP_PROXY={{trivy_http_proxy}}
HTTPS_PROXY={{trivy_https_proxy}} HTTPS_PROXY={{trivy_https_proxy}}

5
make/photon/prepare/utils/configs.py
View File

@ -241,8 +241,9 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
# Trivy configs, optional # Trivy configs, optional
trivy_configs = configs.get("trivy") or {} trivy_configs = configs.get("trivy") or {}
trivy_github_token = trivy_configs.get("github_token") or '' config_dict['trivy_github_token'] = trivy_configs.get("github_token") or ''
config_dict['trivy_github_token'] = trivy_github_token config_dict['trivy_skip_update'] = trivy_configs.get("skip_update") or False
config_dict['trivy_ignore_unfixed'] = trivy_configs.get("ignore_unfixed") or False
# Chart configs # Chart configs
chart_configs = configs.get("chart") or {} chart_configs = configs.get("chart") or {}