
Allow InitContainer to pull vulnerability-db from private registry

Open crtvmn opened this issue 1 year ago • 3 comments

Hello,

I'm trying to deploy the Trivy Operator in standalone mode with the provided Helm chart in an offline environment with a private registry. Credentials are required to access this registry.

Unfortunately, it is not possible to forward or add env variables (TRIVY_USER and TRIVY_PASSWORD) to allow the Trivy init-container to pull the vulnerability database from my private registry.

Moreover, the dbRepositoryPassword and dbRepositoryUsername seem useless. https://github.com/aquasecurity/trivy-operator/blob/2cd18ea09464a9d86bdab516c94ccdfd41b551f5/deploy/helm/values.yaml#L525-L529

Can you confirm that this use case is not possible for the moment? I found this discussion https://github.com/aquasecurity/trivy-operator/discussions/1341 but no answer and no link to the related issue. Thanks for your help!

Best regards

crtvmn avatar Aug 09 '24 17:08 crtvmn

This issue is stale because it has been labeled with inactivity.

github-actions[bot] avatar Oct 09 '24 00:10 github-actions[bot]

I'm having the same issue. In my opinion it should be possible to provide the credentials for pulling trivy-db and trivy-java-db just like we can do it for trivy-checks.

@crtvmn This is the issue mentioned in the discussion: https://github.com/aquasecurity/trivy-operator/issues/1342

ghost avatar Oct 09 '24 07:10 ghost

@crtvmn I just found out that you can in fact use a secret for setting dbRepositoryUsername and dbRepositoryPassword. It just isn't mentioned in the README. https://github.com/aquasecurity/trivy-operator/issues/2282

ghost avatar Oct 09 '24 14:10 ghost

@crtvmn @Heap0017 thanks for the comments, and so sorry for the long response.

I checked this case with my private repo on GitHub with the latest version of Trivy-operator, and it works as expected.

$ kubectl get vulnerabilityreports --all-namespaces -o wide
NAMESPACE            NAME                                                       REPOSITORY                       TAG                  SCANNER   AGE     CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN
kube-system          daemonset-kube-proxy-kube-proxy                            kube-proxy                       v1.30.0              Trivy     72s     3          8      22       16    0
kube-system          pod-7d98c5bddf                                             kube-controller-manager          v1.30.0              Trivy     59s     3          6      10       0     0
kube-system          pod-etcd-cve-kind-control-plane-etcd                       etcd                             3.5.12-0             Trivy     50s     9          14     53       4     1
kube-system          pod-kube-scheduler-cve-kind-control-plane-kube-scheduler   kube-scheduler                   v1.30.0              Trivy     89s     3          6      8        0     0
kube-system          replicaset-coredns-7db6d8ff4d-coredns                      coredns/coredns                  v1.11.1              Trivy     2m10s   2          8      20       1     1
local-path-storage   replicaset-dcbb8bf7b                                       kindest/local-path-provisioner   v20240202-8f1494ea   Trivy     80s     2          7      31       11    1

my settings:

  dbRegistry: "ghcr.io"
  dbRepository: "afdesk/trivy-db-private"

  # -- The username for dbRepository authentication
  #
  dbRepositoryUsername: afdesk

  # -- The password for dbRepository authentication
  #
  dbRepositoryPassword: ghp_TOKEN

afdesk avatar Jan 28 '25 19:01 afdesk
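The settings posted above work, but they carry the registry token as a literal in values.yaml, whereas the earlier comment notes the same keys can be fed from a Kubernetes Secret. The following is an added example, not code from this thread or from the trivy-operator project: a small lint that parses a flat values fragment like the one posted, checks that the dbRegistry/dbRepository/dbRepositoryUsername/dbRepositoryPassword keys are set consistently, and flags a live-looking token committed in plaintext. The sample fragment is constructed to mirror the one in the comment; the only token prefix taken from the thread is `ghp_`, the others in the pattern list are an assumption.

```python
"""Lint the private vulnerability-db settings of a trivy-operator Helm values
fragment. Added example; it is not part of the trivy-operator project."""
import re

# Constructed sample, shaped like the values fragment posted in the thread.
SAMPLE_VALUES = """\
  dbRegistry: "ghcr.io"
  dbRepository: "afdesk/trivy-db-private"

  # -- The username for dbRepository authentication
  #
  dbRepositoryUsername: afdesk

  # -- The password for dbRepository authentication
  #
  dbRepositoryPassword: ghp_TOKEN
"""

# Prefixes of credentials that should never sit in a committed values file.
# Only "ghp_" comes from the thread; the other two are an assumption added here.
PLAINTEXT_TOKEN_PATTERNS = [r"^ghp_", r"^github_pat_", r"^glpat-"]


def parse_flat_values(text):
    """Parse a flat `key: value` YAML fragment; comments and blank lines are skipped.

    This deliberately handles only the flat form shown in the thread, so it
    needs no YAML library and runs offline.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def lint_db_credentials(values):
    """Return a list of findings about the dbRegistry/dbRepository credential keys."""
    findings = []
    registry = values.get("dbRegistry", "")
    repository = values.get("dbRepository", "")
    username = values.get("dbRepositoryUsername", "")
    password = values.get("dbRepositoryPassword", "")

    # Basic auth needs both halves; one without the other is a misconfiguration.
    if bool(username) != bool(password):
        findings.append(
            "dbRepositoryUsername and dbRepositoryPassword must be set together")

    # Credentials without a private registry/repository pair do nothing useful.
    if password and not (registry and repository):
        findings.append(
            "credentials set but dbRegistry/dbRepository do not name a private repository")

    # dbRegistry is a bare host; the path belongs in dbRepository.
    if "/" in registry or "://" in registry:
        findings.append("dbRegistry must be a bare host such as ghcr.io")

    # A real token in values.yaml ends up in git history and in `helm get values`.
    if any(re.match(p, password) for p in PLAINTEXT_TOKEN_PATTERNS):
        findings.append(
            "dbRepositoryPassword holds a live-looking token in plaintext; "
            "source it from a Kubernetes Secret instead")
    return findings


if __name__ == "__main__":
    for finding in lint_db_credentials(parse_flat_values(SAMPLE_VALUES)):
        print("finding:", finding)
```

Run it against a real values file by replacing `SAMPLE_VALUES` with the file contents; the parser only understands the flat `key: value` lines shown above, so nested sections must be flattened or passed as a dictionary to `lint_db_credentials` directly.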

It should work as expected. If the issue arises again, please feel free to reopen this one.

afdesk avatar Jan 28 '25 19:01 afdesk