
feat: more airgapped trivy options

Open 06kellyjac opened this issue 3 years ago • 4 comments

Description

This is a pretty WIP PR, just trying out a few options and interested in getting some feedback early.

The goal is to add more options for using trivy in airgapped or restricted settings.


@controlplaneio we've had some clients that want some stronger guarantees programs won't try to reach out to anything via the network (whether the device is fully airgapped or just restricted)

Running trivy scan fs --skip-db --offline-scan --skip-policy-update is good and all, but you can forget to add them. So being able to swap them to default true would be handy.

Another option would be to fully disable them from working so trivy scan fs --skip-db=true simply wouldn't do anything

This PR could do with a couple of improvements out of the gate: potentially removing those flags entirely when this is enabled? Maybe an additional --offline global flag that means you don't need to set --skip-db, --offline-scan & --skip-policy-update separately (I also skipped over --skip-policy-update in my draft changes)


Allow for building trivy default opt-out

Allow for fully disabling db fetching and api calls individually

-ldflags=" ... -X=github.com/aquasecurity/trivy/pkg/commands/option.disableOnlineScanning=true"

and

-ldflags=" ... -X=github.com/aquasecurity/trivy/pkg/commands/option.disableDBUpdates=true"

Allow for fully disabling networking

-ldflags=" ... -X=github.com/aquasecurity/trivy/pkg/commands/option.disableNetworking=true"

or

-tags=offline

e.g.:

$ make build
go build -ldflags "-s -w -X=main.version=v0.28.0-6-g3ecc65d6" -tags=offline ./cmd/trivy

$ ./trivy fs .
2022-05-20T10:41:14.494+0100	ERROR	The first run cannot skip downloading DB
2022-05-20T10:41:14.494+0100	FATAL	init error: DB error: database error: --skip-update cannot be specified on the first run

Checklist

  • [ ] I've read the guidelines for contributing to this repository.
  • [ ] I've followed the conventions in the PR title.
  • [ ] I've added tests that prove my fix is effective or that my feature works.
  • [ ] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

06kellyjac, May 20 '22 09:05
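As an added illustration of the build-time switches the description proposes (this is not code from the PR or from trivy, and the variable and function names are hypothetical): package-level string variables that -ldflags -X can set at link time, and a resolver that lets a build-time restriction force --skip-db, --offline-scan and --skip-policy-update on regardless of what the user passes, while surfacing the empty-cache failure shown in the log above instead of silently doing nothing.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Build-time switches. The Go linker can only inject string values
// (-ldflags "-X main.disableDBUpdates=true"), so these are strings that
// read as false when left empty. Hypothetical names, not trivy's own.
var (
	disableDBUpdates      string
	disableOnlineScanning string
	disableNetworking     string
)

// buildFlag converts an -X injected string to a bool; empty means "not set".
func buildFlag(v string) bool {
	b, err := strconv.ParseBool(v)
	return err == nil && b
}

// Effective holds the options that actually govern a scan once the
// build-time policy has been layered on top of the user's flags.
type Effective struct {
	SkipDBUpdate     bool
	OfflineScan      bool
	SkipPolicyUpdate bool
}

// ErrNoOfflineDB mirrors the "first run cannot skip downloading DB" failure
// in the PR log: with updates disabled there is no way to bootstrap a DB.
var ErrNoOfflineDB = errors.New("DB updates disabled at build time but no DB in cache; import one out of band")

// resolve merges user flags with the build-time policy. A build-time
// restriction only ever forces an option on; the user cannot turn it off.
// disableNetworking implies all three, i.e. a global --offline.
func resolve(userSkipDB, userOffline, userSkipPolicy, dbPresent bool) (Effective, error) {
	net := buildFlag(disableNetworking)
	e := Effective{
		SkipDBUpdate:     userSkipDB || net || buildFlag(disableDBUpdates),
		OfflineScan:      userOffline || net || buildFlag(disableOnlineScanning),
		SkipPolicyUpdate: userSkipPolicy || net,
	}
	if e.SkipDBUpdate && !dbPresent {
		return e, ErrNoOfflineDB
	}
	return e, nil
}

func main() {
	e, err := resolve(false, false, false, true)
	fmt.Printf("%+v err=%v\n", e, err)
}
```

Built without any -X flags the resolver behaves exactly like today's trivy; built with -X main.disableNetworking=true the three skip options are always on.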

cc: @knqyf263 to get your input before any further changes

06kellyjac, May 20 '22 09:05

CLA assistant check
All committers have signed the CLA.

CLAassistant, May 25 '22 02:05

We may want to start the global --offline flag as you suggested.

knqyf263, May 26 '22 07:05

This PR is stale because it has been labeled with inactivity.

github-actions[bot], Jul 26 '22 00:07