Documentation ¶
Overview ¶
Package trivy provides primitives for working with Trivy.
Index ¶
- Constants
- func CheckAwsEcrPrivateRegistry(ImageUrl string) string
- func ConfigWorkloadAnnotationEnvVars(workload client.Object, annotation string, envVarName string, ...) corev1.EnvVar
- func GetCvssV3(findingCvss types.VendorCVSS) map[string]*CVSS
- func GetMirroredImage(image string, mirrors map[string]string) (string, error)
- func GetScoreFromCVSS(CVSSs map[string]*CVSS) *float64
- func MultiSecretSupport(c Config) bool
- func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, ...) vulnerabilityreport.Plugin
- func NewTrivyConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, ...) configauditreport.PluginInMemory
- func Scanners(c Config) string
- func SkipDBUpdate(c Config) string
- func Slow(c Config) string
- type AdditionalFields
- type CVSS
- type Command
- type Config
- func (c Config) FindIgnorePolicyKey(workload client.Object) string
- func (c Config) GenerateIgnoreFileVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)
- func (c Config) GenerateIgnorePolicyVolumeIfAvailable(trivyConfigName string, workload client.Object) (*corev1.Volume, *corev1.VolumeMount)
- func (c Config) GenerateSslCertDirVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)
- func (c Config) GetAdditionalVulnerabilityReportFields() AdditionalFields
- func (c Config) GetCommand() (Command, error)
- func (c Config) GetDBRepository() (string, error)
- func (c Config) GetDBRepositoryInsecure() bool
- func (c Config) GetImagePullSecret() []corev1.LocalObjectReference
- func (c Config) GetImageRef() (string, error)
- func (c Config) GetImageTag() (string, error)
- func (c Config) GetInsecureRegistries() map[string]bool
- func (c Config) GetMirrors() map[string]string
- func (c Config) GetMode() (Mode, error)
- func (c Config) GetNonSSLRegistries() map[string]bool
- func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)
- func (c Config) GetServerInsecure() bool
- func (c Config) GetServerURL() (string, error)
- func (c Config) GetSeverity() string
- func (c Config) GetSlow() bool
- func (c Config) GetSslCertDir() string
- func (c Config) GetSupportedConfigAuditKinds() []string
- func (c Config) GetUseBuiltinRegoPolicies() bool
- func (c Config) GetVulnType() string
- func (c Config) IgnoreFileExists() bool
- func (c Config) IgnoreUnfixed() bool
- func (c Config) OfflineScan() bool
- type Mode
Constants ¶
const ( AWSECR_Image_Regex = "^\\d+\\.dkr\\.ecr\\.(\\w+-\\w+-\\d+)\\.amazonaws\\.com\\/" SupportedConfigAuditKinds = "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota" // SkipDirsAnnotation annotation example: trivy-operator.aquasecurity.github.io/skip-dirs: "/tmp,/home" SkipDirsAnnotation = "trivy-operator.aquasecurity.github.io/skip-dirs" // SkipFilesAnnotation example: trivy-operator.aquasecurity.github.io/skip-files: "/src/Gemfile.lock,/examplebinary" SkipFilesAnnotation = "trivy-operator.aquasecurity.github.io/skip-files" )
const ( DefaultImageRepository = "ghcr.io/aquasecurity/trivy" DefaultDBRepository = "ghcr.io/aquasecurity/trivy-db" DefaultJavaDBRepository = "ghcr.io/aquasecurity/trivy-java-db" DefaultSeverity = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" )
const ( SslCertDir = "/var/ssl-cert" )
const (
KeyTrivySeverity = "trivy.severity"
)
const (
// Plugin the name of this plugin.
Plugin = "Trivy"
)
Variables ¶
This section is empty.
Functions ¶
func ConfigWorkloadAnnotationEnvVars ¶ added in v0.14.0
func GetMirroredImage ¶
func GetScoreFromCVSS ¶
func MultiSecretSupport ¶ added in v0.12.0
MultiSecretSupport validate if trivy multi secret support
func NewPlugin ¶
func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) vulnerabilityreport.Plugin
NewPlugin constructs a new vulnerabilityreport.Plugin, which is using an upstream Trivy container image to scan Kubernetes workloads.
The plugin supports Image and Filesystem commands. The Filesystem command may be used to scan workload images cached on cluster nodes by scheduling scan jobs on a particular node.
The Image command supports both Standalone and ClientServer modes depending on the settings returned by Config.GetMode. The ClientServer mode is usually more performant, however it requires a Trivy server accessible at the configurable Config.GetServerURL.
func NewTrivyConfigAuditPlugin ¶
func NewTrivyConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) configauditreport.PluginInMemory
NewTrivyConfigAuditPlugin constructs a new configAudit.Plugin, which is using an upstream Trivy config audit scanner lib.
func SkipDBUpdate ¶ added in v0.12.0
SkipDBUpdate skip update flag
Types ¶
type AdditionalFields ¶ added in v0.2.0
type Config ¶
type Config struct {
trivyoperator.PluginConfig
}
Config defines configuration params for this plugin.
func (Config) FindIgnorePolicyKey ¶ added in v0.10.2
func (Config) GenerateIgnoreFileVolumeIfAvailable ¶ added in v0.10.2
func (Config) GenerateIgnorePolicyVolumeIfAvailable ¶ added in v0.10.2
func (Config) GenerateSslCertDirVolumeIfAvailable ¶ added in v0.14.0
func (Config) GetAdditionalVulnerabilityReportFields ¶ added in v0.2.0
func (c Config) GetAdditionalVulnerabilityReportFields() AdditionalFields
func (Config) GetCommand ¶
func (Config) GetDBRepository ¶
func (Config) GetDBRepositoryInsecure ¶
func (Config) GetImagePullSecret ¶ added in v0.6.0
func (c Config) GetImagePullSecret() []corev1.LocalObjectReference
func (Config) GetImageRef ¶
GetImageRef returns upstream Trivy container image reference.
func (Config) GetImageTag ¶ added in v0.12.0
GetImageTag returns upstream Trivy container image tag.
func (Config) GetInsecureRegistries ¶
func (Config) GetMirrors ¶
func (Config) GetNonSSLRegistries ¶
func (Config) GetResourceRequirements ¶
func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)
GetResourceRequirements creates ResourceRequirements from the Config.