trivy

package
v0.16.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 29, 2023 License: Apache-2.0 Imports: 31 Imported by: 1

Documentation

Overview

Package trivy provides primitives for working with Trivy.

Index

Constants

View Source 
const (
	GCPCR_Inage_Regex  = `^(gcr\.io.*|^([a-zA-Z0-9-]+)-*-*.docker.pkg.dev.*)`
	AWSECR_Image_Regex = "^\\d+\\.dkr\\.ecr\\.(\\w+-\\w+-\\d+)\\.amazonaws\\.com\\/"
	// SkipDirsAnnotation annotation  example: trivy-operator.aquasecurity.github.io/skip-dirs: "/tmp,/home"
	SkipDirsAnnotation = "trivy-operator.aquasecurity.github.io/skip-dirs"
	// SkipFilesAnnotation example: trivy-operator.aquasecurity.github.io/skip-files: "/src/Gemfile.lock,/examplebinary"
	SkipFilesAnnotation = "trivy-operator.aquasecurity.github.io/skip-files"
)
View Source 
const (
	DefaultImageRepository  = "ghcr.io/aquasecurity/trivy"
	DefaultDBRepository     = "ghcr.io/aquasecurity/trivy-db"
	DefaultJavaDBRepository = "ghcr.io/aquasecurity/trivy-java-db"
	DefaultSeverity         = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
)
View Source 
const (
	FsSharedVolumeName          = "trivyoperator"
	SharedVolumeLocationOfTrivy = "/var/trivyoperator/trivy"
	SslCertDir                  = "/var/ssl-cert"
)
View Source 
const (
	KeyTrivySeverity = "trivy.severity"
)
View Source 
const (
	// Plugin the name of this plugin.
	Plugin = "Trivy"
)
View Source 
const (
	SupportedConfigAuditKinds = "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
)

Variables

This section is empty.

Functions

func CheckAwsEcrPrivateRegistry 

func CheckAwsEcrPrivateRegistry(ImageUrl string) string

func ConfigWorkloadAnnotationEnvVars added in v0.14.0 

func ConfigWorkloadAnnotationEnvVars(workload client.Object, annotation string, envVarName string, trivyConfigName string, configKey string) corev1.EnvVar

func GetCvssV3 added in v0.3.0 

func GetCvssV3(findingCvss types.VendorCVSS) map[string]*CVSS

func GetMirroredImage 

func GetMirroredImage(image string, mirrors map[string]string) (string, error)

func GetPodSpecForClientServerFSMode added in v0.16.4 

func GetPodSpecForClientServerFSMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, _ map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin) (corev1.PodSpec, []*corev1.Secret, error)

FileSystem scan option with ClientServer mode. The only difference is that instead of scanning the resource by name, We scanning the resource place on a specific file system location using the following command. 

trivy --quiet fs  --server TRIVY_SERVER  --format json --ignore-unfixed  file/system/location

func GetPodSpecForClientServerMode added in v0.16.4 

func GetPodSpecForClientServerMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin) (corev1.PodSpec, []*corev1.Secret, error)

In the ClientServer mode the number of containers of the pod created by the scan job equals the number of containers defined for the scanned workload. Each container runs Trivy image scan command and refers to Trivy server URL returned by Config.GetServerURL: 

trivy image --server <server URL> \
  --format json <container image>

func GetPodSpecForStandaloneFSMode added in v0.16.4 

func GetPodSpecForStandaloneFSMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, _ map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin) (corev1.PodSpec, []*corev1.Secret, error)

FileSystem scan option with standalone mode. The only difference is that instead of scanning the resource by name, We are scanning the resource place on a specific file system location using the following command. 

trivy --quiet fs  --format json --ignore-unfixed  file/system/location

func GetPodSpecForStandaloneMode added in v0.16.4 

func GetPodSpecForStandaloneMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin) (corev1.PodSpec, []*corev1.Secret, error)

In the Standalone mode there is the init container responsible for downloading the latest Trivy DB file from GitHub and storing it to the emptyDir volume shared with main containers. In other words, the init container runs the following Trivy command: 

trivy --cache-dir /tmp/trivy/.cache image --download-db-only

The number of main containers correspond to the number of containers defined for the scanned workload. Each container runs the Trivy image scan command and skips the database download: 

trivy --cache-dir /tmp/trivy/.cache image --skip-update \
  --format json <container image>

func GetScoreFromCVSS 

func GetScoreFromCVSS(CVSSs map[string]*CVSS) *float64

func MultiSecretSupport added in v0.12.0 

func MultiSecretSupport(c Config) bool

MultiSecretSupport validate if trivy multi secret support

func NewPlugin 

func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) vulnerabilityreport.Plugin

NewPlugin constructs a new vulnerabilityreport.Plugin, which is using an upstream Trivy container image to scan Kubernetes workloads.

The plugin supports Image and Filesystem commands. The Filesystem command may be used to scan workload images cached on cluster nodes by scheduling scan jobs on a particular node.

The Image command supports both Standalone and ClientServer modes depending on the settings returned by Config.GetMode. The ClientServer mode is usually more performant, however it requires a Trivy server accessible at the configurable Config.GetServerURL.

func NewTrivyConfigAuditPlugin 

func NewTrivyConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) configauditreport.PluginInMemory

NewTrivyConfigAuditPlugin constructs a new configAudit.Plugin, which is using an upstream Trivy config audit scanner lib.

func Scanners added in v0.12.0 

func Scanners(c Config) string

Scanners use scanners flag

func SkipDBUpdate added in v0.12.0 

func SkipDBUpdate(c Config) string

SkipDBUpdate skip update flag

func SkipJavaDBUpdate added in v0.16.0 

func SkipJavaDBUpdate(c Config) string

SkipJavaDBUpdate skip update flag

func Slow added in v0.12.0 

func Slow(c Config) string

Slow determine if to use the slow flag (improve memory footprint)

Types

type AdditionalFields added in v0.2.0 

type AdditionalFields struct {
	Description bool
	Links       bool
	CVSS        bool
	Target      bool
	Class       bool
	PackageType bool
	PkgPath     bool
}

type CVSS 

type CVSS struct {
	V3Score *float64 `json:"V3Score,omitempty"`
}

type Command 

type Command string

Command to scan image or filesystem. 

const (
	Filesystem Command = "filesystem"
	Image      Command = "image"
	Rootfs     Command = "rootfs"
)

type Config 

type Config struct {
	trivyoperator.PluginConfig
}

Config defines configuration params for this plugin.

func (Config) FindIgnorePolicyKey added in v0.10.2 

func (c Config) FindIgnorePolicyKey(workload client.Object) string

func (Config) GenerateIgnoreFileVolumeIfAvailable added in v0.10.2 

func (c Config) GenerateIgnoreFileVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateIgnorePolicyVolumeIfAvailable added in v0.10.2 

func (c Config) GenerateIgnorePolicyVolumeIfAvailable(trivyConfigName string, workload client.Object) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateSslCertDirVolumeIfAvailable added in v0.14.0 

func (c Config) GenerateSslCertDirVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GetAdditionalVulnerabilityReportFields added in v0.2.0 

func (c Config) GetAdditionalVulnerabilityReportFields() AdditionalFields

func (Config) GetClientServerSkipUpdate added in v0.16.0 

func (c Config) GetClientServerSkipUpdate() bool

func (Config) GetCommand 

func (c Config) GetCommand() Command

func (Config) GetDBRepository 

func (c Config) GetDBRepository() (string, error)

func (Config) GetDBRepositoryInsecure 

func (c Config) GetDBRepositoryInsecure() bool

func (Config) GetImagePullPolicy added in v0.16.2 

func (c Config) GetImagePullPolicy() string

func (Config) GetImagePullSecret added in v0.6.0 

func (c Config) GetImagePullSecret() []corev1.LocalObjectReference

func (Config) GetImageRef 

func (c Config) GetImageRef() (string, error)

GetImageRef returns upstream Trivy container image reference.

func (Config) GetImageTag added in v0.12.0 

func (c Config) GetImageTag() (string, error)

GetImageTag returns upstream Trivy container image tag.

func (Config) GetInsecureRegistries 

func (c Config) GetInsecureRegistries() map[string]bool

func (Config) GetMirrors 

func (c Config) GetMirrors() map[string]string

func (Config) GetMode 

func (c Config) GetMode() Mode

func (Config) GetNonSSLRegistries 

func (c Config) GetNonSSLRegistries() map[string]bool

func (Config) GetResourceRequirements 

func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)

GetResourceRequirements creates ResourceRequirements from the Config.

func (Config) GetServerInsecure 

func (c Config) GetServerInsecure() bool

func (Config) GetServerURL 

func (c Config) GetServerURL() (string, error)

func (Config) GetSeverity added in v0.12.0 

func (c Config) GetSeverity() string

func (Config) GetSkipJavaDBUpdate added in v0.16.0 

func (c Config) GetSkipJavaDBUpdate() bool

func (Config) GetSlow added in v0.8.0 

func (c Config) GetSlow() bool

func (Config) GetSslCertDir added in v0.14.0 

func (c Config) GetSslCertDir() string

func (Config) GetSupportedConfigAuditKinds 

func (c Config) GetSupportedConfigAuditKinds() []string

func (Config) GetUseBuiltinRegoPolicies 

func (c Config) GetUseBuiltinRegoPolicies() bool

func (Config) GetVulnType added in v0.14.0 

func (c Config) GetVulnType() string

func (Config) IgnoreFileExists 

func (c Config) IgnoreFileExists() bool

func (Config) IgnoreUnfixed 

func (c Config) IgnoreUnfixed() bool

func (Config) OfflineScan added in v0.7.0 

func (c Config) OfflineScan() bool

type FileSystemJobSpecMgr added in v0.16.4 

type FileSystemJobSpecMgr struct {
	// contains filtered or unexported fields
}

func (*FileSystemJobSpecMgr) GetPodSpec added in v0.16.4 

func (j *FileSystemJobSpecMgr) GetPodSpec(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin) (corev1.PodSpec, []*corev1.Secret, error)

type GetPodSpecFunc added in v0.16.4 

type GetPodSpecFunc func(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin) (corev1.PodSpec, []*corev1.Secret, error)

type ImageJobSpecMgr added in v0.16.4 

type ImageJobSpecMgr struct {
	// contains filtered or unexported fields
}

func (*ImageJobSpecMgr) GetPodSpec added in v0.16.4 

func (j *ImageJobSpecMgr) GetPodSpec(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin) (corev1.PodSpec, []*corev1.Secret, error)

type Mode 

type Mode string

Mode in which Trivy client operates. 

const (
	Standalone   Mode = "Standalone"
	ClientServer Mode = "ClientServer"
)

type PodSpecMgr added in v0.16.4 

type PodSpecMgr interface {
	GetPodSpec(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin) (corev1.PodSpec, []*corev1.Secret, error)
}

func NewFileSystemJobSpecMgr added in v0.16.4 

func NewFileSystemJobSpecMgr() PodSpecMgr

func NewImageJobSpecMgr added in v0.16.4 

func NewImageJobSpecMgr() PodSpecMgr

func NewPodSpecMgr added in v0.16.4 

func NewPodSpecMgr(config Config) PodSpecMgr

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.