trivy

package
v0.15.0-rc Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 11, 2023 License: Apache-2.0 Imports: 29 Imported by: 1

Documentation

Overview

Package trivy provides primitives for working with Trivy.

Index

Constants

View Source 
const (
	AWSECR_Image_Regex        = "^\\d+\\.dkr\\.ecr\\.(\\w+-\\w+-\\d+)\\.amazonaws\\.com\\/"
	SupportedConfigAuditKinds = "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
	// SkipDirsAnnotation annotation  example: trivy-operator.aquasecurity.github.io/skip-dirs: "/tmp,/home"
	SkipDirsAnnotation = "trivy-operator.aquasecurity.github.io/skip-dirs"
	// SkipFilesAnnotation example: trivy-operator.aquasecurity.github.io/skip-files: "/src/Gemfile.lock,/examplebinary"
	SkipFilesAnnotation = "trivy-operator.aquasecurity.github.io/skip-files"
)
View Source 
const (
	DefaultImageRepository  = "ghcr.io/aquasecurity/trivy"
	DefaultDBRepository     = "ghcr.io/aquasecurity/trivy-db"
	DefaultJavaDBRepository = "ghcr.io/aquasecurity/trivy-java-db"
	DefaultSeverity         = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
)
View Source 
const (
	FsSharedVolumeName          = "trivyoperator"
	SharedVolumeLocationOfTrivy = "/var/trivyoperator/trivy"
	SslCertDir                  = "/var/ssl-cert"
)
View Source 
const (
	KeyTrivySeverity = "trivy.severity"
)
View Source 
const (
	// Plugin the name of this plugin.
	Plugin = "Trivy"
)

Variables

This section is empty.

Functions

func CheckAwsEcrPrivateRegistry 

func CheckAwsEcrPrivateRegistry(ImageUrl string) string

func ConfigWorkloadAnnotationEnvVars added in v0.14.0 

func ConfigWorkloadAnnotationEnvVars(workload client.Object, annotation string, envVarName string, trivyConfigName string, configKey string) corev1.EnvVar

func GetCvssV3 added in v0.3.0 

func GetCvssV3(findingCvss types.VendorCVSS) map[string]*CVSS

func GetMirroredImage 

func GetMirroredImage(image string, mirrors map[string]string) (string, error)

func GetScoreFromCVSS 

func GetScoreFromCVSS(CVSSs map[string]*CVSS) *float64

func MultiSecretSupport added in v0.12.0 

func MultiSecretSupport(c Config) bool

MultiSecretSupport validate if trivy multi secret support

func NewPlugin 

func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) vulnerabilityreport.Plugin

NewPlugin constructs a new vulnerabilityreport.Plugin, which is using an upstream Trivy container image to scan Kubernetes workloads.

The plugin supports Image and Filesystem commands. The Filesystem command may be used to scan workload images cached on cluster nodes by scheduling scan jobs on a particular node.

The Image command supports both Standalone and ClientServer modes depending on the settings returned by Config.GetMode. The ClientServer mode is usually more performant, however it requires a Trivy server accessible at the configurable Config.GetServerURL.

func NewTrivyConfigAuditPlugin 

func NewTrivyConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) configauditreport.PluginInMemory

NewTrivyConfigAuditPlugin constructs a new configAudit.Plugin, which is using an upstream Trivy config audit scanner lib.

func Scanners added in v0.12.0 

func Scanners(c Config) string

Scanners use scanners flag

func SkipDBUpdate added in v0.12.0 

func SkipDBUpdate(c Config) string

SkipDBUpdate skip update flag

func Slow added in v0.12.0 

func Slow(c Config) string

Slow determine if to use the slow flag (improve memory footprint)

Types

type AdditionalFields added in v0.2.0 

type AdditionalFields struct {
	Description bool
	Links       bool
	CVSS        bool
	Target      bool
	Class       bool
	PackageType bool
	PkgPath     bool
}

type CVSS 

type CVSS struct {
	V3Score *float64 `json:"V3Score,omitempty"`
}

type Command 

type Command string

Command to scan image or filesystem. 

const (
	Filesystem Command = "filesystem"
	Image      Command = "image"
	Rootfs     Command = "rootfs"
)

type Config 

type Config struct {
	trivyoperator.PluginConfig
}

Config defines configuration params for this plugin.

func (Config) FindIgnorePolicyKey added in v0.10.2 

func (c Config) FindIgnorePolicyKey(workload client.Object) string

func (Config) GenerateIgnoreFileVolumeIfAvailable added in v0.10.2 

func (c Config) GenerateIgnoreFileVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateIgnorePolicyVolumeIfAvailable added in v0.10.2 

func (c Config) GenerateIgnorePolicyVolumeIfAvailable(trivyConfigName string, workload client.Object) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateSslCertDirVolumeIfAvailable added in v0.14.0 

func (c Config) GenerateSslCertDirVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GetAdditionalVulnerabilityReportFields added in v0.2.0 

func (c Config) GetAdditionalVulnerabilityReportFields() AdditionalFields

func (Config) GetCommand 

func (c Config) GetCommand() (Command, error)

func (Config) GetDBRepository 

func (c Config) GetDBRepository() (string, error)

func (Config) GetDBRepositoryInsecure 

func (c Config) GetDBRepositoryInsecure() bool

func (Config) GetImagePullSecret added in v0.6.0 

func (c Config) GetImagePullSecret() []corev1.LocalObjectReference

func (Config) GetImageRef 

func (c Config) GetImageRef() (string, error)

GetImageRef returns upstream Trivy container image reference.

func (Config) GetImageTag added in v0.12.0 

func (c Config) GetImageTag() (string, error)

GetImageTag returns upstream Trivy container image tag.

func (Config) GetInsecureRegistries 

func (c Config) GetInsecureRegistries() map[string]bool

func (Config) GetMirrors 

func (c Config) GetMirrors() map[string]string

func (Config) GetMode 

func (c Config) GetMode() (Mode, error)

func (Config) GetNonSSLRegistries 

func (c Config) GetNonSSLRegistries() map[string]bool

func (Config) GetResourceRequirements 

func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)

GetResourceRequirements creates ResourceRequirements from the Config.

func (Config) GetServerInsecure 

func (c Config) GetServerInsecure() bool

func (Config) GetServerURL 

func (c Config) GetServerURL() (string, error)

func (Config) GetSeverity added in v0.12.0 

func (c Config) GetSeverity() string

func (Config) GetSlow added in v0.8.0 

func (c Config) GetSlow() bool

func (Config) GetSslCertDir added in v0.14.0 

func (c Config) GetSslCertDir() string

func (Config) GetSupportedConfigAuditKinds 

func (c Config) GetSupportedConfigAuditKinds() []string

func (Config) GetUseBuiltinRegoPolicies 

func (c Config) GetUseBuiltinRegoPolicies() bool

func (Config) GetVulnType added in v0.14.0 

func (c Config) GetVulnType() string

func (Config) IgnoreFileExists 

func (c Config) IgnoreFileExists() bool

func (Config) IgnoreUnfixed 

func (c Config) IgnoreUnfixed() bool

func (Config) OfflineScan added in v0.7.0 

func (c Config) OfflineScan() bool

type Mode 

type Mode string

Mode in which Trivy client operates. 

const (
	Standalone   Mode = "Standalone"
	ClientServer Mode = "ClientServer"
)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.