trivy

package
v0.22.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 4, 2024 License: Apache-2.0 Imports: 27 Imported by: 1

Documentation

Overview

Package trivy provides primitives for working with Trivy.

Index

Constants

View Source
const (
	GCPCR_Image_Regex  = `^(us\.|eu\.|asia\.)?gcr\.io.*|^([a-zA-Z0-9-]+)-*-*.docker\.pkg\.dev.*`
	AWSECR_Image_Regex = "^\\d+\\.dkr\\.ecr\\.(\\w+-\\w+-\\d+)\\.amazonaws\\.com\\/"
	// SkipDirsAnnotation annotation  example: trivy-operator.aquasecurity.github.io/skip-dirs: "/tmp,/home"
	SkipDirsAnnotation = "trivy-operator.aquasecurity.github.io/skip-dirs"
	// SkipFilesAnnotation example: trivy-operator.aquasecurity.github.io/skip-files: "/src/Gemfile.lock,/examplebinary"
	SkipFilesAnnotation = "trivy-operator.aquasecurity.github.io/skip-files"
)
View Source
const (
	DefaultImageRepository  = "ghcr.io/aquasecurity/trivy"
	DefaultDBRepository     = "ghcr.io/aquasecurity/trivy-db"
	DefaultJavaDBRepository = "ghcr.io/aquasecurity/trivy-java-db"
	DefaultSeverity         = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
)
View Source
const (
	FsSharedVolumeName          = "trivyoperator"
	SharedVolumeLocationOfTrivy = "/var/trivyoperator/trivy"
	SslCertDir                  = "/var/ssl-cert"
)
View Source
const (
	KeyTrivySeverity = "trivy.severity"
)
View Source
const (
	// Plugin the name of this plugin.
	Plugin = "Trivy"
)
View Source
const (
	SupportedConfigAuditKinds = "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
)

Variables

This section is empty.

Functions

func CheckAwsEcrPrivateRegistry

func CheckAwsEcrPrivateRegistry(imageURL string) string

func CheckGcpCrOrPrivateRegistry added in v0.19.0

func CheckGcpCrOrPrivateRegistry(imageUrl string) bool

func ConfigWorkloadAnnotationEnvVars added in v0.14.0

func ConfigWorkloadAnnotationEnvVars(workload client.Object, annotation string, envVarName string, trivyConfigName string, configKey string) corev1.EnvVar

func CreateSbomDataAsSecret added in v0.17.0

func CreateSbomDataAsSecret(bom v1alpha1.BOM, secretName string) (corev1.Secret, error)

CreateSbomDataAsSecret creates a secret with the BOM data

func CreateVolumeSbomFiles added in v0.17.0

func CreateVolumeSbomFiles(volumeMounts *[]corev1.VolumeMount, volumes *[]corev1.Volume, secretName *string, fileName string, mountPath string, cname string)

CreateVolumeSbomFiles creates a volume and volume mount for the sbom data

func ExcludeImage added in v0.21.0

func ExcludeImage(excludeImagePattern []string, imageName string) bool

ExcludeImage checks if the image should be excluded from scanning based on the excludeImagePattern (glob pattern)

func GetFSScanningArgs added in v0.18.0

func GetFSScanningArgs(ctx trivyoperator.PluginContext, command Command, mode Mode, trivyServerURL string) []string

func GetMirroredImage

func GetMirroredImage(image string, mirrors map[string]string) (string, error)

func GetPodSpecForClientServerFSMode added in v0.16.4

func GetPodSpecForClientServerFSMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, _ map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

FileSystem scan option with ClientServer mode. The only difference is that instead of scanning the resource by name, We scanning the resource place on a specific file system location using the following command.

trivy --quiet fs  --server TRIVY_SERVER  --format json --ignore-unfixed  file/system/location

func GetPodSpecForClientServerMode added in v0.16.4

func GetPodSpecForClientServerMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

In the ClientServer mode the number of containers of the pod created by the scan job equals the number of containers defined for the scanned workload. Each container runs Trivy image scan command and refers to Trivy server URL returned by Config.GetServerURL:

trivy image --server <server URL> \
  --format json <container image>

func GetPodSpecForStandaloneFSMode added in v0.16.4

func GetPodSpecForStandaloneFSMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, _ map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

FileSystem scan option with standalone mode. The only difference is that instead of scanning the resource by name, We are scanning the resource place on a specific file system location using the following command.

trivy --quiet fs  --format json --ignore-unfixed  file/system/location

func GetPodSpecForStandaloneMode added in v0.16.4

func GetPodSpecForStandaloneMode(ctx trivyoperator.PluginContext,
	config Config,
	workload client.Object,
	credentials map[string]docker.Auth,
	securityContext *corev1.SecurityContext,
	p *plugin,
	clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

In the Standalone mode there is the init container responsible for downloading the latest Trivy DB file from GitHub and storing it to the emptyDir volume shared with main containers. In other words, the init container runs the following Trivy command:

trivy --cache-dir /tmp/trivy/.cache image --download-db-only

The number of main containers correspond to the number of containers defined for the scanned workload. Each container runs the Trivy image scan command and skips the database download:

trivy --cache-dir /tmp/trivy/.cache image --skip-update \
  --format json <container image>

func GetSbomFSScanningArgs added in v0.17.0

func GetSbomFSScanningArgs(ctx trivyoperator.PluginContext, mode Mode, trivyServerURL string, sbomFile string) ([]string, []string)

func GetSbomScanCommandAndArgs added in v0.17.0

func GetSbomScanCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, sbomFile string, trivyServerURL string, resultFileName string) ([]string, []string)

func MultiSecretSupport added in v0.12.0

func MultiSecretSupport(c Config) bool

MultiSecretSupport validate if trivy multi secret support

func NewPlugin

func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) vulnerabilityreport.Plugin

NewPlugin constructs a new vulnerabilityreport.Plugin, which is using an upstream Trivy container image to scan Kubernetes workloads.

The plugin supports Image and Filesystem commands. The Filesystem command may be used to scan workload images cached on cluster nodes by scheduling scan jobs on a particular node.

The Image command supports both Standalone and ClientServer modes depending on the settings returned by Config.GetMode. The ClientServer mode is usually more performant, however it requires a Trivy server accessible at the configurable Config.GetServerURL.

func NewTrivyConfigAuditPlugin

func NewTrivyConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) configauditreport.PluginInMemory

NewTrivyConfigAuditPlugin constructs a new configAudit.Plugin, which is using an upstream Trivy config audit scanner lib.

func Scanners added in v0.12.0

func Scanners(c Config) string

Scanners use scanners flag

func SkipDBUpdate added in v0.12.0

func SkipDBUpdate(c Config) string

SkipDBUpdate skip update flag

func SkipJavaDBUpdate added in v0.16.0

func SkipJavaDBUpdate(c Config) string

SkipJavaDBUpdate skip update flag

func Slow added in v0.12.0

func Slow(c Config) string

Slow determine if to use the slow flag (improve memory footprint)

Types

type Command

type Command string

Command to scan image or filesystem.

const (
	Filesystem Command = "filesystem"
	Image      Command = "image"
	Rootfs     Command = "rootfs"
)

type Config

type Config struct {
	trivyoperator.PluginConfig
}

Config defines configuration params for this plugin.

func (Config) FindIgnorePolicyKey added in v0.10.2

func (c Config) FindIgnorePolicyKey(workload client.Object) string

func (Config) GenerateIgnoreFileVolumeIfAvailable added in v0.10.2

func (c Config) GenerateIgnoreFileVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateIgnorePolicyVolumeIfAvailable added in v0.10.2

func (c Config) GenerateIgnorePolicyVolumeIfAvailable(trivyConfigName string, workload client.Object) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateSslCertDirVolumeIfAvailable added in v0.14.0

func (c Config) GenerateSslCertDirVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GetAdditionalVulnerabilityReportFields added in v0.2.0

func (c Config) GetAdditionalVulnerabilityReportFields() vulnerabilityreport.AdditionalFields

func (Config) GetClientServerSkipUpdate added in v0.16.0

func (c Config) GetClientServerSkipUpdate() bool

func (Config) GetCommand

func (c Config) GetCommand() Command

func (Config) GetDBRepository

func (c Config) GetDBRepository() (string, error)

func (Config) GetDBRepositoryInsecure

func (c Config) GetDBRepositoryInsecure() bool

func (Config) GetFilesystemScanCacheDir added in v0.17.0

func (c Config) GetFilesystemScanCacheDir() string

func (Config) GetImagePullPolicy added in v0.16.2

func (c Config) GetImagePullPolicy() string

func (Config) GetImagePullSecret added in v0.6.0

func (c Config) GetImagePullSecret() []corev1.LocalObjectReference

func (Config) GetImageRef

func (c Config) GetImageRef() (string, error)

GetImageRef returns upstream Trivy container image reference.

func (Config) GetImageScanCacheDir added in v0.17.0

func (c Config) GetImageScanCacheDir() string

func (Config) GetImageTag added in v0.12.0

func (c Config) GetImageTag() (string, error)

GetImageTag returns upstream Trivy container image tag.

func (Config) GetIncludeDevDeps added in v0.18.0

func (c Config) GetIncludeDevDeps() bool

func (Config) GetInsecureRegistries

func (c Config) GetInsecureRegistries() map[string]bool

func (Config) GetMirrors

func (c Config) GetMirrors() map[string]string

func (Config) GetMode

func (c Config) GetMode() Mode

func (Config) GetNonSSLRegistries

func (c Config) GetNonSSLRegistries() map[string]bool

func (Config) GetResourceRequirements

func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)

GetResourceRequirements creates ResourceRequirements from the Config.

func (Config) GetSbomSources added in v0.18.0

func (c Config) GetSbomSources() string

func (Config) GetServerInsecure

func (c Config) GetServerInsecure() bool

func (Config) GetServerURL

func (c Config) GetServerURL() (string, error)

func (Config) GetSeverity added in v0.12.0

func (c Config) GetSeverity() string

func (Config) GetSkipJavaDBUpdate added in v0.16.0

func (c Config) GetSkipJavaDBUpdate() bool

func (Config) GetSlow added in v0.8.0

func (c Config) GetSlow() bool

func (Config) GetSslCertDir added in v0.14.0

func (c Config) GetSslCertDir() string

func (Config) GetSupportedConfigAuditKinds

func (c Config) GetSupportedConfigAuditKinds() []string

func (Config) GetUseBuiltinRegoPolicies

func (c Config) GetUseBuiltinRegoPolicies() bool

func (Config) GetUseEmbeddedRegoPolicies added in v0.21.0

func (c Config) GetUseEmbeddedRegoPolicies() bool

func (Config) GetVulnType added in v0.14.0

func (c Config) GetVulnType() string

func (Config) IgnoreFileExists

func (c Config) IgnoreFileExists() bool

func (Config) IgnoreUnfixed

func (c Config) IgnoreUnfixed() bool

func (Config) OfflineScan added in v0.7.0

func (c Config) OfflineScan() bool

func (Config) TrivyDBRepositoryCredentialsSet added in v0.18.0

func (c Config) TrivyDBRepositoryCredentialsSet() bool

type FileSystemJobSpecMgr added in v0.16.4

type FileSystemJobSpecMgr struct {
	// contains filtered or unexported fields
}

func (*FileSystemJobSpecMgr) GetPodSpec added in v0.16.4

func (j *FileSystemJobSpecMgr) GetPodSpec(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

type GetPodSpecFunc added in v0.16.4

type GetPodSpecFunc func(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

type ImageJobSpecMgr added in v0.16.4

type ImageJobSpecMgr struct {
	// contains filtered or unexported fields
}

func (*ImageJobSpecMgr) GetPodSpec added in v0.16.4

func (j *ImageJobSpecMgr) GetPodSpec(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

type Mode

type Mode string

Mode in which Trivy client operates.

const (
	Standalone   Mode = "Standalone"
	ClientServer Mode = "ClientServer"
)

type PodSpecMgr added in v0.16.4

type PodSpecMgr interface {
	GetPodSpec(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
}

func NewFileSystemJobSpecMgr added in v0.16.4

func NewFileSystemJobSpecMgr() PodSpecMgr

func NewImageJobSpecMgr added in v0.16.4

func NewImageJobSpecMgr() PodSpecMgr

func NewPodSpecMgr added in v0.16.4

func NewPodSpecMgr(config Config) PodSpecMgr

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL