
feat: Update registry fallbacks

Open simar7 opened this issue 1 year ago • 8 comments

Description

Adds public ECR registry as a fallback for both vuln-db and java-db.

Related PRs

  • [x] https://github.com/aquasecurity/trivy/pull/7605/

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've added tests that prove my fix is effective or that my feature works.
  • [x] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

simar7, Oct 08 '24 23:10
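The fallback behaviour this PR adds, as an added example that is not Trivy's own code: an ordered list of DB repositories is tried in turn, and a failure on one (the rate-limit case this thread is about) moves on to the next, with every failure reported when all of them fail. The comma-separated `TRIVY_DB_REPOSITORY` value, the `ErrRateLimited` sentinel and the `fakeFetch` stand-in for the real OCI pull are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrRateLimited stands for the registry response this thread is about:
// HTTP 429 / TOOMANYREQUESTS from GHCR, or an exhausted anonymous quota on
// ECR Public. Any fetch error that wraps it triggers the fallback.
// (Assumed sentinel for the example, not a Trivy identifier.)
var ErrRateLimited = errors.New("registry rate limit exceeded")

// ParseRepos splits an assumed comma-separated repository list, such as the
// value of TRIVY_DB_REPOSITORY, into an ordered slice. Surrounding blanks and
// empty entries are dropped; order is kept because it is the fallback order.
func ParseRepos(value string) []string {
	var repos []string
	for _, r := range strings.Split(value, ",") {
		if r = strings.TrimSpace(r); r != "" {
			repos = append(repos, r)
		}
	}
	return repos
}

// DownloadWithFallback calls fetch for each repository in order and returns
// the first one that succeeds. Every failure is kept and returned joined, so
// that when all registries fail the user sees each reason rather than only
// the last one: a secondary registry only mitigates rate limits, it cannot
// remove them.
func DownloadWithFallback(repos []string, fetch func(repo string) error) (string, error) {
	if len(repos) == 0 {
		return "", errors.New("no DB repositories configured")
	}
	var errs []error
	for _, repo := range repos {
		err := fetch(repo)
		if err == nil {
			return repo, nil
		}
		errs = append(errs, fmt.Errorf("%s: %w", repo, err))
	}
	return "", fmt.Errorf("all %d repositories failed: %w", len(repos), errors.Join(errs...))
}

// fakeFetch is a constructed stand-in for the real OCI pull: repositories
// listed in limited answer with a wrapped rate-limit error, all others succeed.
func fakeFetch(limited ...string) func(string) error {
	return func(repo string) error {
		for _, l := range limited {
			if repo == l {
				return fmt.Errorf("GET /v2/%s/manifests/2: 429: %w", repo, ErrRateLimited)
			}
		}
		return nil
	}
}

func main() {
	// Assumed configuration: GHCR first, ECR Public only as the fallback.
	repos := ParseRepos("ghcr.io/aquasecurity/trivy-db, public.ecr.aws/aquasecurity/trivy-db")

	// GHCR is rate limited, so the download comes from ECR Public.
	used, err := DownloadWithFallback(repos, fakeFetch("ghcr.io/aquasecurity/trivy-db"))
	fmt.Println("used:", used, "err:", err)

	// Both registries are rate limited: the joined error names each of them.
	_, err = DownloadWithFallback(repos, fakeFetch(repos...))
	fmt.Println("all limited:", errors.Is(err, ErrRateLimited))
	fmt.Println(err)
}
```

The joined error is what makes the "all registries failed" case debuggable in CI: a single `errors.Is(err, ErrRateLimited)` check still works through the chain, and the message lists every repository that was tried.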

We should document how to authenticate with ECR. Otherwise, ECR Public has only 500 GB free tier for anonymous users. Also, it's calculated by IP address. I suppose we'll run out of the free tier on CI service as it shares IP addresses.

knqyf263, Oct 09 '24 03:10

I'm worried about adding ECR as the default registry. I think most users will ignore the authentication recommendation, and some users just don't read the docs.

Instead of adding ECR, I suggest adding a warning if downloading the DB from GHCR returns an error. We will show information about using ECR (with authentication information) plus a link to the docs.

DmitriyLewen, Oct 09 '24 03:10

We read the docs but... having to authenticate to AWS would be a breaking change 🥹

nvuillam, Oct 09 '24 21:10

Hello @nvuillam. Authentication is necessary to preserve AWS limits for unauthenticated users as much as possible. But we don't require it. We just ask users to do it if possible; it will help avoid rate limiting errors like those on ghcr.io.

DmitriyLewen, Oct 10 '24 04:10

> We should document how to authenticate with ECR. Otherwise, ECR Public has only 500 GB free tier for anonymous users. Also, it's calculated by IP address. I suppose we'll run out of the free tier on CI service as it shares IP addresses.

Yes, I wanted to add more info on this topic. Added https://github.com/aquasecurity/trivy/pull/7679/commits/fa031898ebd2d39009e6bace47b288595793a6d7

simar7, Oct 10 '24 06:10

> We will show information about using ecr (with authentication information) + link to the docs.

I'm also leaning toward this approach. I'm afraid that users downloading container images from ECR Public (e.g., Kubernetes cluster) may suddenly reach rate limits due to Trivy DB and be unable to deploy, etc.

Of course, it is best if users can continue to use DBs as before without being aware of it, but the implicit use of ECR Public may have other negative effects. We should be careful about the use of ECR Public. If users explicitly set this up, they will understand these trade-offs.

knqyf263, Oct 10 '24 08:10

> We will show information about using ecr (with authentication information) + link to the docs.

> I'm also leaning toward this approach. I'm afraid that users downloading container images from ECR Public (e.g., Kubernetes cluster) may suddenly reach rate limits due to Trivy DB and be unable to deploy, etc.

Yes, but the same can be said for GHCR today.

> Of course, it is best if users can continue to use DBs as before without being aware of it, but the implicit use of ECR Public may have other negative effects. We should be careful about the use of ECR Public. If users explicitly set this up, they will understand these trade-offs.

I added some docs here.

Ultimately we can reach rate limits even with authenticated use of container registries. The fallback to using a secondary registry only mitigates the risk up to an extent.

simar7, Oct 17 '24 04:10

> Yes but the same can be said for GHCR today.

The rate limits in GHCR are on the organization, not the user, unlike ECR Public. In other words, heavy use of GHCR may make aquasecurity images unavailable, but not other images. Users may not be able to use Trivy, but they will be able to pull any other images except aquasecurity.

knqyf263, Oct 17 '24 05:10

The checks bundle also needs ECR.

```yaml
env:
  TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
  TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
  TRIVY_CHECKS_BUNDLE_REPOSITORY: public.ecr.aws/aquasecurity/trivy-checks
```

goatwu1993, Oct 22 '24 07:10

The trivy.dbRepository parameter in the helm/trivy/values.yaml file also needs to be updated.

bgoareguer, Oct 24 '24 09:10

> The trivy.dbRepository parameter in the helm/trivy/values.yaml file also needs to be updated.

Thanks for the good idea. It should be added after the PR is merged and released.

afdesk, Oct 28 '24 06:10

@simar7 Now trivy-db pushes the database to Docker Hub: https://github.com/aquasecurity/trivy-db/pull/448. Maybe it makes sense to add Docker Hub as a default repository too? Just an idea. Thanks!

afdesk, Oct 28 '24 06:10

Any updates here?

jeanmarcmoeckel, Nov 13 '24 07:11

mirror.gcr.io seems the best for our use case. Please let us know if anyone knows about rate limits on that: https://github.com/aquasecurity/trivy/discussions/7538#discussioncomment-11258881

knqyf263, Nov 14 '24 19:11

I see 8 incorrect mentions of public.ecr.aws/aquasecurity/trivy-db:1 which should be trivy-java-db!

benji78, Nov 15 '24 09:11

@aqua-bot backport release/v0.57

DmitriyLewen, Nov 18 '24 09:11

Backport PR created: https://github.com/aquasecurity/trivy/pull/7944

aqua-bot, Nov 18 '24 09:11