chore(install): Add --with-trivy arg to the installation script

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
2024-11-21 17:55:30 +01:00 · 2020-02-10 16:46:26 +01:00 · 2020-02-10 16:46:26 +01:00 · a642667ffc
commit a642667ffc
parent e68b474dbc
17 changed files with 177 additions and 17 deletions
--- a/17
+++ b/17
@ -77,6 +77,7 @@ REGISTRYPROJECTNAME=goharbor
 DEVFLAG=true
 NOTARYFLAG=false
 CLAIRFLAG=false
+TRIVYFLAG=false
 HTTPPROXY=
 BUILDBIN=false
 MIGRATORFLAG=false
@ -104,6 +105,8 @@ MIGRATORVERSION=$(VERSIONTAG)
 REDISVERSION=$(VERSIONTAG)
 NOTARYMIGRATEVERSION=v3.5.4
 CLAIRADAPTERVERSION=v1.0.1
+TRIVYVERSION=v0.4.3
+TRIVYADAPTERVERSION=v0.2.3

 # version of chartmuseum
 CHARTMUSEUMVERSION=v0.9.0
@ -117,6 +120,8 @@ REGISTRY_VERSION: $(REGISTRYVERSION)
 NOTARY_VERSION: $(NOTARYVERSION)
 CLAIR_VERSION: $(CLAIRVERSION)
 CLAIR_ADAPTER_VERSION: $(CLAIRADAPTERVERSION)
+TRIVY_VERSION: $(TRIVYVERSION)
+TRIVY_ADAPTER_VERSION: $(TRIVYADAPTERVERSION)
 CHARTMUSEUM_VERSION: $(CHARTMUSEUMVERSION)
 endef

@ -193,6 +198,9 @@ endif
 ifeq ($(CLAIRFLAG), true)
 	PREPARECMD_PARA+= --with-clair
 endif
+ifeq ($(TRIVYFLAG), true)
+	PREPARECMD_PARA+= --with-trivy
+endif
 # append chartmuseum parameters if set
 ifeq ($(CHARTFLAG), true)
    PREPARECMD_PARA+= --with-chartmuseum
@ -272,6 +280,9 @@ endif
 ifeq ($(CLAIRFLAG), true)
 	DOCKERSAVE_PARA+= goharbor/clair-photon:$(CLAIRVERSION)-$(VERSIONTAG) goharbor/clair-adapter-photon:$(CLAIRADAPTERVERSION)-$(VERSIONTAG)
 endif
+ifeq ($(TRIVYFLAG), true)
+	DOCKERSAVE_PARA+= goharbor/trivy-adapter-photon:$(TRIVYADAPTERVERSION)-$(VERSIONTAG)
+endif
 ifeq ($(MIGRATORFLAG), true)
 	DOCKERSAVE_PARA+= goharbor/harbor-migrator:$(MIGRATORVERSION)
 endif
@ -340,14 +351,16 @@ prepare:

 build:
 	make -f $(MAKEFILEPATH_PHOTON)/Makefile $(BUILDTARGET) -e DEVFLAG=$(DEVFLAG) -e GOBUILDIMAGE=$(GOBUILDIMAGE) \
-	 -e REGISTRYVERSION=$(REGISTRYVERSION) -e REGISTRY_SRC_TAG=$(REGISTRY_SRC_TAG) -e NGINXVERSION=$(NGINXVERSION) -e NOTARYVERSION=$(NOTARYVERSION) -e NOTARYMIGRATEVERSION=$(NOTARYMIGRATEVERSION) \
+	 -e REGISTRYVERSION=$(REGISTRYVERSION) -e REGISTRY_SRC_TAG=$(REGISTRY_SRC_TAG) -e NGINXVERSION=$(NGINXVERSION) \
+	 -e NOTARYVERSION=$(NOTARYVERSION) -e NOTARYMIGRATEVERSION=$(NOTARYMIGRATEVERSION) \
+	 -e TRIVYVERSION=$(TRIVYVERSION) -e TRIVYADAPTERVERSION=$(TRIVYADAPTERVERSION) \
 	 -e CLAIRVERSION=$(CLAIRVERSION) -e CLAIRADAPTERVERSION=$(CLAIRADAPTERVERSION) -e VERSIONTAG=$(VERSIONTAG) \
 	 -e BUILDBIN=$(BUILDBIN) -e REDISVERSION=$(REDISVERSION) -e MIGRATORVERSION=$(MIGRATORVERSION) \
 	 -e CHARTMUSEUMVERSION=$(CHARTMUSEUMVERSION) -e DOCKERIMAGENAME_CHART_SERVER=$(DOCKERIMAGENAME_CHART_SERVER) \
 	 -e NPM_REGISTRY=$(NPM_REGISTRY) -e BASEIMAGETAG=$(BASEIMAGETAG)

 build_base_docker:
-	@for name in chartserver clair clair-adapter core db jobservice log nginx notary-server notary-signer portal prepare redis registry registryctl; do \
+	@for name in chartserver clair clair-adapter trivy-adapter core db jobservice log nginx notary-server notary-signer portal prepare redis registry registryctl; do \
 		echo $$name ; \
 		$(DOCKERBUILD) --pull -f $(MAKEFILEPATH_PHOTON)/$$name/Dockerfile.base -t goharbor/harbor-$$name-base:$(BASEIMAGETAG) . ; \
 		$(PUSHSCRIPTPATH)/$(PUSHSCRIPTNAME) goharbor/harbor-$$name-base:$(BASEIMAGETAG) $(REGISTRYUSER) $(REGISTRYPASSWORD) ; \
--- a/make/install.sh
+++ b/make/install.sh
@ -10,6 +10,7 @@ set +o noglob
 usage=$'Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
 Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https. 
 Please set --with-clair if needs enable Clair in Harbor
+Please set --with-tivy if needs enable Trivy in Harbor
 Please set --with-chartmuseum if needs enable Chartmuseum in Harbor'
 item=0

@ -17,6 +18,8 @@ item=0
 with_notary=$false
 # clair is not enabled by default
 with_clair=$false
+# trivy is not enabled by default
+with_trivy=$false
 # chartmuseum is not enabled by default
 with_chartmuseum=$false

@ -29,6 +32,8 @@ while [ $# -gt 0 ]; do
            with_notary=true;;
            --with-clair)
            with_clair=true;;
+            --with-trivy)
+            with_trivy=true;;
            --with-chartmuseum)
            with_chartmuseum=true;;
            *)
@ -70,6 +75,10 @@ if [ $with_clair ]
 then
    prepare_para="${prepare_para} --with-clair"
 fi
+if [ $with_trivy ]
+then
+    prepare_para="${prepare_para} --with-trivy"
+fi
 if [ $with_chartmuseum ]
 then
    prepare_para="${prepare_para} --with-chartmuseum"
--- a/make/photon/Makefile
+++ b/make/photon/Makefile
@ -65,6 +65,10 @@ DOCKERFILEPATH_CLAIR_ADAPTER=$(DOCKERFILEPATH)/clair-adapter
 DOCKERFILENAME_CLAIR_ADAPTER=Dockerfile
 DOCKERIMAGENAME_CLAIR_ADAPTER=goharbor/clair-adapter-photon

+DOCKERFILEPATH_TRIVY_ADAPTER=$(DOCKERFILEPATH)/trivy-adapter
+DOCKERFILENAME_TRIVY_ADAPTER=Dockerfile
+DOCKERIMAGENAME_TRIVY_ADAPTER=goharbor/trivy-adapter-photon
+
 DOCKERFILEPATH_NGINX=$(DOCKERFILEPATH)/nginx
 DOCKERFILENAME_NGINX=Dockerfile
 DOCKERIMAGENAME_NGINX=goharbor/nginx-photon
@ -159,6 +163,19 @@ _build_clair_adapter:
 		echo "Done." ; \
 	fi

+_build_trivy_adapter:
+	@if [ "$(TRIVYFLAG)" = "true" ] ; then \
+		if [ "$(BUILDBIN)" != "true" ] ; then \
+			rm -rf $(DOCKERFILEPATH_TRIVY_ADAPTER)/binary && mkdir -p $(DOCKERFILEPATH_TRIVY_ADAPTER)/binary && \
+			$(call _extract_archive, https://github.com/aquasecurity/trivy/releases/download/$(TRIVYVERSION)/trivy_$(TRIVYVERSION:v%=%)_Linux-64bit.tar.gz, $(DOCKERFILEPATH_TRIVY_ADAPTER)/binary/) && \
+			$(call _extract_archive, https://github.com/aquasecurity/harbor-scanner-trivy/releases/download/$(TRIVYADAPTERVERSION)/harbor-scanner-trivy_$(TRIVYADAPTERVERSION:v%=%)_Linux_x86_64.tar.gz, $(DOCKERFILEPATH_TRIVY_ADAPTER)/binary/) ; \
+		fi ; \
+		echo "building trivy adapter container for photon..." ; \
+		$(DOCKERBUILD) --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg trivy_version=$(TRIVYVERSION) -f $(DOCKERFILEPATH_TRIVY_ADAPTER)/$(DOCKERFILENAME_TRIVY_ADAPTER) -t $(DOCKERIMAGENAME_TRIVY_ADAPTER):$(TRIVYADAPTERVERSION)-$(VERSIONTAG) . ; \
+		rm -rf $(DOCKERFILEPATH_TRIVY_ADAPTER)/binary; \
+		echo "Done." ; \
+	fi
+
 _build_chart_server:
 	@if [ "$(CHARTFLAG)" = "true" ] ; then \
 		if [ "$(BUILDBIN)" != "true" ] ; then \
@ -231,7 +248,7 @@ define _get_binary
 	$(WGET) --timeout 30 --no-check-certificate $1 -O $2 || exit 1
 endef

-build: _build_prepare _build_db _build_portal _build_core _build_jobservice _build_log _build_nginx _build_registry _build_registryctl _build_notary _build_clair _build_clair_adapter _build_redis _build_migrator _build_chart_server
+build: _build_prepare _build_db _build_portal _build_core _build_jobservice _build_log _build_nginx _build_registry _build_registryctl _build_notary _build_clair _build_clair_adapter _build_trivy_adapter _build_redis _build_migrator _build_chart_server

 cleanimage:
 	@echo "cleaning image for photon..."
--- a/make/photon/prepare/main.py
+++ b/make/photon/prepare/main.py
@ -15,6 +15,7 @@ from utils.notary import prepare_notary
 from utils.log import prepare_log_configs
 from utils.clair import prepare_clair
 from utils.clair_adapter import prepare_clair_adapter
+from utils.trivy_adapter import prepare_trivy_adapter
 from utils.chart import prepare_chartmuseum
 from utils.docker_compose import prepare_docker_compose
 from utils.nginx import prepare_nginx, nginx_confd_dir
@ -27,11 +28,12 @@ old_private_key_pem_path, old_crt_path)
@click.option('--conf', default=input_config_path, help="the path of Harbor configuration file")
@click.option('--with-notary', is_flag=True, help="the Harbor instance is to be deployed with notary")
@click.option('--with-clair', is_flag=True, help="the Harbor instance is to be deployed with clair")
+@click.option('--with-trivy', is_flag=True, help="the Harbor instance is to be deployed with Trivy")
@click.option('--with-chartmuseum', is_flag=True, help="the Harbor instance is to be deployed with chart repository supporting")
-def main(conf, with_notary, with_clair, with_chartmuseum):
+def main(conf, with_notary, with_clair, with_trivy, with_chartmuseum):

    delfile(config_dir)
-    config_dict = parse_yaml_config(conf, with_notary=with_notary, with_clair=with_clair, with_chartmuseum=with_chartmuseum)
+    config_dict = parse_yaml_config(conf, with_notary=with_notary, with_clair=with_clair, with_trivy=with_trivy, with_chartmuseum=with_chartmuseum)
    try:
        validate(config_dict, notary_mode=with_notary)
    except Exception as e:
@ -41,7 +43,7 @@ def main(conf, with_notary, with_clair, with_chartmuseum):

    prepare_log_configs(config_dict)
    prepare_nginx(config_dict)
-    prepare_core(config_dict, with_notary=with_notary, with_clair=with_clair, with_chartmuseum=with_chartmuseum)
+    prepare_core(config_dict, with_notary=with_notary, with_clair=with_clair, with_trivy=with_trivy, with_chartmuseum=with_chartmuseum)
    prepare_registry(config_dict)
    prepare_registry_ctl(config_dict)
    prepare_db(config_dict)
@ -63,10 +65,13 @@ def main(conf, with_notary, with_clair, with_chartmuseum):
        prepare_clair(config_dict)
        prepare_clair_adapter(config_dict)

+    if with_trivy:
+        prepare_trivy_adapter(config_dict)
+
    if with_chartmuseum:
        prepare_chartmuseum(config_dict)

-    prepare_docker_compose(config_dict, with_clair, with_notary, with_chartmuseum)
+    prepare_docker_compose(config_dict, with_clair, with_trivy, with_notary, with_chartmuseum)

 if __name__ == '__main__':
-    main()
+    main()
--- a/make/photon/prepare/templates/core/env.jinja
+++ b/make/photon/prepare/templates/core/env.jinja
@ -26,6 +26,7 @@ CORE_SECRET={{core_secret}}
 JOBSERVICE_SECRET={{jobservice_secret}}
 WITH_NOTARY={{with_notary}}
 WITH_CLAIR={{with_clair}}
+WITH_TRIVY={{with_trivy}}
 CLAIR_DB_PASSWORD={{clair_db_password}}
 CLAIR_DB_HOST={{clair_db_host}}
 CLAIR_DB_PORT={{clair_db_port}}
@ -37,6 +38,7 @@ CORE_LOCAL_URL={{core_local_url}}
 JOBSERVICE_URL={{jobservice_url}}
 CLAIR_URL={{clair_url}}
 CLAIR_ADAPTER_URL={{clair_adapter_url}}
+TRIVY_ADAPTER_URL={{trivy_adapter_url}}
 NOTARY_URL={{notary_url}}
 REGISTRY_STORAGE_PROVIDER_NAME={{storage_provider_name}}
 READ_ONLY=false
--- a/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
+++ b/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
@ -437,6 +437,35 @@ services:
    env_file:
      ./common/config/clair-adapter/env
 {% endif %}
+{% if with_trivy %}
+  trivy-adapter:
+    container_name: trivy-adapter
+    image: goharbor/trivy-adapter-photon:{{trivy_adapter_version}}
+    restart: always
+    cap_drop:
+      - ALL
+    dns_search: .
+    networks:
+      - harbor
+{% if external_redis == False %}
+    depends_on:
+      - redis
+{% endif %}
+    volumes:
+      - type: bind
+        source: {{data_volume}}/trivy-adapter/trivy
+        target: /home/scanner/.cache/trivy
+      - type: bind
+        source: {{data_volume}}/trivy-adapter/reports
+        target: /home/scanner/.cache/reports
+    logging:
+      driver: "syslog"
+      options:
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "trivy-adapter"
+    env_file:
+      ./common/config/trivy-adapter/env
+{% endif %}
 {% if with_chartmuseum %}
  chartmuseum:
    container_name: chartmuseum
@ -491,4 +520,4 @@ networks:
 {% if with_chartmuseum %}
  harbor-chartmuseum:
    external: false
-{% endif %}
+{% endif %}
--- a/make/photon/prepare/templates/trivy-adapter/env.jinja
+++ b/make/photon/prepare/templates/trivy-adapter/env.jinja
@ -0,0 +1,7 @@
+SCANNER_LOG_LEVEL={{log_level}}
+SCANNER_STORE_REDIS_URL=redis://redis:6379
+SCANNER_JOB_QUEUE_REDIS_URL=redis://redis:6379
+SCANNER_TRIVY_CACHE_DIR=/home/scanner/.cache/trivy
+SCANNER_TRIVY_REPORTS_DIR=/home/scanner/.cache/reports
+SCANNER_TRIVY_VULN_TYPE=os,library
+SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
--- a/make/photon/prepare/utils/configs.py
+++ b/make/photon/prepare/utils/configs.py
@ -94,7 +94,7 @@ def parse_versions():
    return versions


-def parse_yaml_config(config_file_path, with_notary, with_clair, with_chartmuseum):
+def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, with_chartmuseum):
    '''
    :param configs: config_parser object
    :returns: dict of configs
@ -113,6 +113,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_chartmuseu
        'jobservice_url': 'http://jobservice:8080',
        'clair_url': 'http://clair:6060',
        'clair_adapter_url': 'http://clair-adapter:8080',
+        'trivy_adapter_url': 'http://trivy-adapter:8080',
        'notary_url': 'http://notary-server:4443',
        'chart_repository_url': 'http://chartmuseum:9999'
    }
--- a/make/photon/prepare/utils/core.py
+++ b/make/photon/prepare/utils/core.py
@ -13,7 +13,7 @@ core_conf = os.path.join(config_dir, "core", "app.conf")
 ca_download_dir = os.path.join(data_dir, 'ca_download')


-def prepare_core(config_dict, with_notary, with_clair, with_chartmuseum):
+def prepare_core(config_dict, with_notary, with_clair, with_trivy, with_chartmuseum):
    prepare_dir(ca_download_dir, uid=DEFAULT_UID, gid=DEFAULT_GID)
    prepare_dir(core_config_dir)
    # Render Core
@ -30,6 +30,7 @@ def prepare_core(config_dict, with_notary, with_clair, with_chartmuseum):
        chart_cache_driver=chart_cache_driver,
        with_notary=with_notary,
        with_clair=with_clair,
+        with_trivy=with_trivy,
        with_chartmuseum=with_chartmuseum,
        **config_dict)

@ -41,7 +42,6 @@ def prepare_core(config_dict, with_notary, with_clair, with_chartmuseum):
        xsrf_key=generate_random_string(40))


-
 def copy_core_config(core_templates_path, core_config_path):
    shutil.copyfile(core_templates_path, core_config_path)
    print("Generated configuration file: %s" % core_config_path)
--- a/make/photon/prepare/utils/docker_compose.py
+++ b/make/photon/prepare/utils/docker_compose.py
@ -8,13 +8,14 @@ docker_compose_template_path = os.path.join(templates_dir, 'docker_compose', 'do
 docker_compose_yml_path = '/compose_location/docker-compose.yml'

 # render docker-compose
-def prepare_docker_compose(configs, with_clair, with_notary, with_chartmuseum):
+def prepare_docker_compose(configs, with_clair, with_trivy, with_notary, with_chartmuseum):
    versions = parse_versions()
    VERSION_TAG = versions.get('VERSION_TAG') or 'dev'
    REGISTRY_VERSION = versions.get('REGISTRY_VERSION') or 'v2.7.1-patch-2819-2553'
    NOTARY_VERSION = versions.get('NOTARY_VERSION') or 'v0.6.1'
    CLAIR_VERSION = versions.get('CLAIR_VERSION') or 'v2.0.9'
    CLAIR_ADAPTER_VERSION = versions.get('CLAIR_ADAPTER_VERSION') or 'v1.0.0'
+    TRIVY_ADAPTER_VERSION = versions.get('TRIVY_ADAPTER_VERSION') or 'v0.2.3'
    CHARTMUSEUM_VERSION = versions.get('CHARTMUSEUM_VERSION') or 'v0.9.0'

    rendering_variables = {
@ -24,6 +25,7 @@ def prepare_docker_compose(configs, with_clair, with_notary, with_chartmuseum):
        'notary_version': '{}-{}'.format(NOTARY_VERSION, VERSION_TAG),
        'clair_version': '{}-{}'.format(CLAIR_VERSION, VERSION_TAG),
        'clair_adapter_version': '{}-{}'.format(CLAIR_ADAPTER_VERSION, VERSION_TAG),
+        'trivy_adapter_version': '{}-{}'.format(TRIVY_ADAPTER_VERSION, VERSION_TAG),
        'chartmuseum_version': '{}-{}'.format(CHARTMUSEUM_VERSION, VERSION_TAG),
        'data_volume': configs['data_volume'],
        'log_location': configs['log_location'],
@ -34,6 +36,7 @@ def prepare_docker_compose(configs, with_clair, with_notary, with_chartmuseum):
        'external_database': configs['external_database'],
        'with_notary': with_notary,
        'with_clair': with_clair,
+        'with_trivy': with_trivy,
        'with_chartmuseum': with_chartmuseum
    }

--- a/make/photon/prepare/utils/trivy_adapter.py
+++ b/make/photon/prepare/utils/trivy_adapter.py
@ -0,0 +1,21 @@
+import os
+
+from g import templates_dir, config_dir, data_dir, DEFAULT_UID, DEFAULT_GID
+from .jinja import render_jinja
+from .misc import prepare_dir
+
+trivy_adapter_template_dir = os.path.join(templates_dir, "trivy-adapter")
+
+
+def prepare_trivy_adapter(config_dict):
+    trivy_adapter_config_dir = prepare_dir(config_dir, "trivy-adapter")
+    prepare_dir(data_dir, "trivy-adapter", "trivy", uid=DEFAULT_UID, gid=DEFAULT_GID)
+    prepare_dir(data_dir, "trivy-adapter", "reports", uid=DEFAULT_UID, gid=DEFAULT_GID)
+
+    trivy_adapter_env_path = os.path.join(trivy_adapter_config_dir, "env")
+    trivy_adapter_env_template = os.path.join(trivy_adapter_template_dir, "env.jinja")
+
+    render_jinja(
+        trivy_adapter_env_template,
+        trivy_adapter_env_path,
+        **config_dict)
--- a/make/photon/trivy-adapter/Dockerfile
+++ b/make/photon/trivy-adapter/Dockerfile
@ -0,0 +1,17 @@
+ARG harbor_base_image_version
+FROM goharbor/harbor-trivy-adapter-base:${harbor_base_image_version}
+
+ARG trivy_version
+
+COPY ./make/photon/trivy-adapter/binary/trivy /usr/local/bin/trivy
+COPY ./make/photon/trivy-adapter/binary/scanner-trivy /home/scanner/bin/scanner-trivy
+
+EXPOSE 8080
+
+HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:8080/probe/healthy || exit 1
+
+ENV TRIVY_VERSION=${trivy_version}
+
+USER scanner
+
+ENTRYPOINT ["/home/scanner/bin/scanner-trivy"]
--- a/make/photon/trivy-adapter/Dockerfile.base
+++ b/make/photon/trivy-adapter/Dockerfile.base
@ -0,0 +1,6 @@
+FROM photon:2.0
+
+RUN tdnf install -y sudo rpm >> /dev/null \
+    && tdnf clean all \
+    && groupadd -r -g 10000 scanner \
+    && useradd --no-log-init -m -r -g 10000 -u 10000 scanner
--- a/src/common/config/metadata/metadatalist.go
+++ b/src/common/config/metadata/metadatalist.go
@ -73,6 +73,7 @@ var (
 		{Name: common.ClairDBUsername, Scope: SystemScope, Group: ClairGroup, EnvKey: "CLAIR_DB_USERNAME", DefaultValue: "postgres", ItemType: &StringType{}, Editable: false},
 		{Name: common.ClairURL, Scope: SystemScope, Group: ClairGroup, EnvKey: "CLAIR_URL", DefaultValue: "http://clair:6060", ItemType: &StringType{}, Editable: false},
 		{Name: common.ClairAdapterURL, Scope: SystemScope, Group: ClairGroup, EnvKey: "CLAIR_ADAPTER_URL", DefaultValue: "http://clair-adapter:8080", ItemType: &StringType{}, Editable: false},
+		{Name: common.TrivyAdapterURL, Scope: SystemScope, Group: ClairGroup, EnvKey: "TRIVY_ADAPTER_URL", DefaultValue: "http://trivy-adapter:8080", ItemType: &StringType{}, Editable: false},

 		{Name: common.CoreURL, Scope: SystemScope, Group: BasicGroup, EnvKey: "CORE_URL", DefaultValue: "http://core:8080", ItemType: &StringType{}, Editable: false},
 		{Name: common.CoreLocalURL, Scope: SystemScope, Group: BasicGroup, EnvKey: "CORE_LOCAL_URL", DefaultValue: "http://127.0.0.1:8080", ItemType: &StringType{}, Editable: false},
@ -150,6 +151,7 @@ var (

 		{Name: common.WithChartMuseum, Scope: SystemScope, Group: BasicGroup, EnvKey: "WITH_CHARTMUSEUM", DefaultValue: "false", ItemType: &BoolType{}, Editable: true},
 		{Name: common.WithClair, Scope: SystemScope, Group: BasicGroup, EnvKey: "WITH_CLAIR", DefaultValue: "false", ItemType: &BoolType{}, Editable: true},
+		{Name: common.WithTrivy, Scope: SystemScope, Group: BasicGroup, EnvKey: "WITH_TRIVY", DefaultValue: "false", ItemType: &BoolType{}, Editable: true},
 		{Name: common.WithNotary, Scope: SystemScope, Group: BasicGroup, EnvKey: "WITH_NOTARY", DefaultValue: "false", ItemType: &BoolType{}, Editable: true},
 		// the unit of expiration is minute, 43200 minutes = 30 days
 		{Name: common.RobotTokenDuration, Scope: UserScope, Group: BasicGroup, EnvKey: "ROBOT_TOKEN_DURATION", DefaultValue: "43200", ItemType: &IntType{}, Editable: true},
--- a/src/common/const.go
+++ b/src/common/const.go
@ -89,6 +89,7 @@ const (
 	AdminInitialPassword             = "admin_initial_password"
 	WithNotary                       = "with_notary"
 	WithClair                        = "with_clair"
+	WithTrivy                        = "with_trivy"
 	ScanAllPolicy                    = "scan_all_policy"
 	ClairDBPassword                  = "clair_db_password"
 	ClairDBHost                      = "clair_db_host"
@ -123,6 +124,7 @@ const (
 	ReadOnly                          = "read_only"
 	ClairURL                          = "clair_url"
 	ClairAdapterURL                   = "clair_adapter_url"
+	TrivyAdapterURL                   = "trivy_adapter_url"
 	NotaryURL                         = "notary_url"
 	DefaultCoreEndpoint               = "http://core:8080"
 	DefaultNotaryEndpoint             = "http://notary-server:4443"
--- a/src/core/config/config.go
+++ b/src/core/config/config.go
@ -348,6 +348,16 @@ func ClairAdapterEndpoint() string {
 	return cfgMgr.Get(common.ClairAdapterURL).GetString()
 }

+// WithTrivy returns a bool value to indicate if Harbor's deployed with Trivy.
+func WithTrivy() bool {
+	return cfgMgr.Get(common.WithTrivy).GetBool()
+}
+
+// TrivyAdapterURL returns the endpoint URL of a Trivy adapter instance, by default it's the one deployed within Harbor.
+func TrivyAdapterURL() string {
+	return cfgMgr.Get(common.TrivyAdapterURL).GetString()
+}
+
 // UAASettings returns the UAASettings to access UAA service.
 func UAASettings() (*models.UAASettings, error) {
 	err := cfgMgr.Load()
--- a/src/core/main.go
+++ b/src/core/main.go
@ -208,7 +208,22 @@ func main() {
 		log.Fatalf("Failed to initialize API handlers with error: %s", err.Error())
 	}

+	if config.WithTrivy() {
+		log.Info("Registering Trivy scanner adapter")
+		reg := &scanner.Registration{
+			Name:            "Trivy",
+			Description:     "The Trivy scanner adapter",
+			URL:             config.TrivyAdapterURL(),
+			UseInternalAddr: true,
+			Immutable:       true,
+		}
+		if err := scan.EnsureScanner(reg, true); err != nil {
+			log.Fatalf("failed to initialize Trivy scanner: %v", err)
+		}
+	}
+
 	if config.WithClair() {
+		log.Info("Registering Clair scanner adapter")
 		clairDB, err := config.ClairDB()
 		if err != nil {
 			log.Fatalf("failed to load clair database information: %v", err)
@ -228,11 +243,12 @@ func main() {
 		if err := scan.EnsureScanner(reg, true); err != nil {
 			log.Fatalf("failed to initialize clair scanner: %v", err)
 		}
-	} else {
-		if err := scan.RemoveImmutableScanners(); err != nil {
-			log.Warningf("failed to remove immutable scanners: %v", err)
-		}
 	}
+	//} else {
+	//	if err := scan.RemoveImmutableScanners(); err != nil {
+	//		log.Warningf("failed to remove immutable scanners: %v", err)
+	//	}
+	//}

 	closing := make(chan struct{})
 	done := make(chan struct{})