harbor-scanner-trivy

module

v0.21.0 Latest Latest Go to latest Published: Sep 14, 2021 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/aquasecurity/harbor-scanner-trivy

Links

Open Source Insights

README ¶

Harbor Scanner Adapter for Trivy

The Harbor Scanner Adapter for Trivy is a service that translates the Harbor scanning API into Trivy commands and allows Harbor to use Trivy for providing vulnerability reports on images stored in Harbor registry as part of its vulnerability scan feature.

Version Matrix

The following matrix indicates the version of Trivy and Trivy adapter installed in each Harbor release.

Harbor	Trivy Adapter	Trivy
-	v0.21.0	v0.19.2
-	v0.20.0	v0.18.3
v2.3.0	v0.19.0	v0.17.2
v2.2.2	v0.18.0	v0.16.0
v2.2.1	v0.18.0	v0.16.0
v2.2.0	v0.18.0	v0.16.0
v2.1.5	v0.14.1	v0.9.2
v2.1.0	v0.14.1	v0.9.2

Deployment

Harbor >= 2.0 on Kubernetes

In Harbor >= 2.0 Trivy can be configured as the default vulnerability scanner, therefore you can install it with the official Harbor Helm chart, where HARBOR_CHART_VERSION >= 1.4:

$ helm repo add harbor https://helm.goharbor.io

$ helm install harbor harbor/harbor \
    --create-namespace \
    --namespace harbor \
    --set clair.enabled=false \
    --set trivy.enabled=true

The adapter service is automatically registered under the Interrogation Service in the Harbor interface and designated as the default scanner.

Harbor 1.10 on Kubernetes

Generate certificate and private key files:
```
$ openssl genrsa -out tls.key 2048
$ openssl req -new -x509 \
    -key tls.key \
    -out tls.crt \
    -days 365 \
    -subj /CN=harbor-scanner-trivy.harbor
```
NOTE: The Common Name (CN) is the fully qualified domain name of the adapter service. In this example we assumed that it is exposed as the harbor-scanner-trivy service in the harbor namespace.

Install the harbor-scanner-trivy chart:

$ helm repo add aqua https://helm.aquasec.com

$ helm install harbor-scanner-trivy aqua/harbor-scanner-trivy \
    --namespace harbor \
    --set service.port=8443 \
    --set scanner.api.tlsEnabled=true \
    --set scanner.api.tlsCertificate="$(cat tls.crt)" \
    --set scanner.api.tlsKey="$(cat tls.key)"

Configure the scanner adapter in the Harbor interface.
1. Navigate to Interrogation Services and click + NEW SCANNER.
2. Enter https://harbor-scanner-trivy.harbor:8443 as the Endpoint URL and click TEST CONNECTION.
3. If everything is fine click ADD to save the configuration.
Select the Trivy scanner and set it as default by clicking SET AS DEFAULT. Make sure the Default label is displayed next to the Trivy scanner's name.

Configuration

Configuration of the adapter is done via environment variables at startup.

Name	Default	Description
`SCANNER_LOG_LEVEL`	`info`	The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. The standard logger logs entries with that level or anything above it.
`SCANNER_API_SERVER_ADDR`	`:8080`	Binding address for the API server
`SCANNER_API_SERVER_TLS_CERTIFICATE`	N/A	The absolute path to the x509 certificate file
`SCANNER_API_SERVER_TLS_KEY`	N/A	The absolute path to the x509 private key file
`SCANNER_API_SERVER_CLIENT_CAS`	N/A	A list of absolute paths to x509 root certificate authorities that the api use if required to verify a client certificate
`SCANNER_API_SERVER_READ_TIMEOUT`	`15s`	The maximum duration for reading the entire request, including the body
`SCANNER_API_SERVER_WRITE_TIMEOUT`	`15s`	The maximum duration before timing out writes of the response
`SCANNER_API_SERVER_IDLE_TIMEOUT`	`60s`	The maximum amount of time to wait for the next request when keep-alives are enabled
`SCANNER_TRIVY_CACHE_DIR`	`/home/scanner/.cache/trivy`	Trivy cache directory
`SCANNER_TRIVY_REPORTS_DIR`	`/home/scanner/.cache/reports`	Trivy reports directory
`SCANNER_TRIVY_DEBUG_MODE`	`false`	The flag to enable or disable Trivy debug mode
`SCANNER_TRIVY_VULN_TYPE`	`os,library`	Comma-separated list of vulnerability types. Possible values are `os` and `library`.
`SCANNER_TRIVY_SEVERITY`	`UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`	Comma-separated list of vulnerabilities severities to be displayed
`SCANNER_TRIVY_IGNORE_UNFIXED`	`false`	The flag to display only fixed vulnerabilities
`SCANNER_TRIVY_IGNORE_POLICY`	``	The path for the Trivy ignore policy OPA Rego file
`SCANNER_TRIVY_SKIP_UPDATE`	`false`	The flag to enable or disable Trivy DB downloads from GitHub
`SCANNER_TRIVY_GITHUB_TOKEN`	N/A	The GitHub access token to download Trivy DB (see GitHub rate limiting)
`SCANNER_TRIVY_INSECURE`	`false`	The flag to skip verifying registry certificate
`SCANNER_STORE_REDIS_NAMESPACE`	`harbor.scanner.trivy:store`	The namespace for keys in the Redis store
`SCANNER_STORE_REDIS_SCAN_JOB_TTL`	`1h`	The time to live for persisting scan jobs and associated scan reports
`SCANNER_JOB_QUEUE_REDIS_NAMESPACE`	`harbor.scanner.trivy:job-queue`	The namespace for keys in the scan jobs queue backed by Redis
`SCANNER_JOB_QUEUE_WORKER_CONCURRENCY`	`1`	The number of workers to spin-up for the scan jobs queue
`SCANNER_REDIS_URL`	`redis://harbor-harbor-redis:6379`	The Redis server URI. The URI supports schemas to connect to a standalone Redis server, i.e. `redis://:password@standalone_host:port/db-number` and Redis Sentinel deployment, i.e. `redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number`.
`SCANNER_REDIS_POOL_MAX_ACTIVE`	`5`	The max number of connections allocated by the Redis connection pool
`SCANNER_REDIS_POOL_MAX_IDLE`	`5`	The max number of idle connections in the Redis connection pool
`SCANNER_REDIS_POOL_IDLE_TIMEOUT`	`5m`	The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed.
`SCANNER_REDIS_POOL_CONNECTION_TIMEOUT`	`1s`	The timeout for connecting to the Redis server
`SCANNER_REDIS_POOL_READ_TIMEOUT`	`1s`	The timeout for reading a single Redis command reply
`SCANNER_REDIS_POOL_WRITE_TIMEOUT`	`1s`	The timeout for writing a single Redis command.
`HTTP_PROXY`	N/A	The URL of the HTTP proxy server
`HTTPS_PROXY`	N/A	The URL of the HTTPS proxy server
`NO_PROXY`	N/A	The URLs that the proxy settings do not apply to

Documentation

Architecture - architectural decisions behind designing harbor-scanner-trivy.
Releases - how to release a new version of harbor-scanner-trivy.

Troubleshooting

Error: database error: --skip-update cannot be specified on the first run

If you set the value of the SCANNER_TRIVY_SKIP_UPDATE to true, make sure that you download the Trivy DB from GitHub and mount it in the /home/scanner/.cache/trivy/db/trivy.db path.

Error: failed to list releases: GET https://api.github.com/repos/aquasecurity/trivy-db/releases: 403 API rate limit exceeded

Trivy DB downloads from GitHub are subject to rate limiting. Make sure that the Trivy DB is mounted and cached in the /home/scanner/.cache/trivy/db/trivy.db path. If, for any reason, it's not enough you can set the value of the SCANNER_TRIVY_GITHUB_TOKEN environment variable (authenticated requests get a higher rate limit).

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests.

Directories ¶

Path	Synopsis
cmd
scanner-trivy
pkg
etc
ext
harbor
http/api
http/api/v1
job
mock
persistence
persistence/redis
queue
redisx
scan
trivy

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL