Documentation ¶
Overview ¶
Package trivy provides primitives for working with Trivy.
Index ¶
- Constants
- func CheckAwsEcrPrivateRegistry(ImageUrl string) string
- func ConfigWorkloadAnnotationEnvVars(workload client.Object, annotation string, envVarName string, ...) corev1.EnvVar
- func CreateSbomDataAsSecret(bom v1alpha1.BOM, secretName string) (corev1.Secret, error)
- func CreateVolumeSbomFiles(volumeMounts *[]corev1.VolumeMount, volumes *[]corev1.Volume, ...)
- func GetFSScanningArgs(ctx trivyoperator.PluginContext, command Command, mode Mode, ...) []string
- func GetMirroredImage(image string, mirrors map[string]string) (string, error)
- func GetPodSpecForClientServerFSMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, ...) (corev1.PodSpec, []*corev1.Secret, error)
- func GetPodSpecForClientServerMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, ...) (corev1.PodSpec, []*corev1.Secret, error)
- func GetPodSpecForStandaloneFSMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, ...) (corev1.PodSpec, []*corev1.Secret, error)
- func GetPodSpecForStandaloneMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, ...) (corev1.PodSpec, []*corev1.Secret, error)
- func GetSbomFSScanningArgs(ctx trivyoperator.PluginContext, mode Mode, trivyServerURL string, ...) ([]string, []string)
- func GetSbomScanCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, sbomFile string, ...) ([]string, []string)
- func MultiSecretSupport(c Config) bool
- func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, ...) vulnerabilityreport.Plugin
- func NewTrivyConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, ...) configauditreport.PluginInMemory
- func Scanners(c Config) string
- func SkipDBUpdate(c Config) string
- func SkipJavaDBUpdate(c Config) string
- func Slow(c Config) string
- type Command
- type Config
- func (c Config) FindIgnorePolicyKey(workload client.Object) string
- func (c Config) GenerateIgnoreFileVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)
- func (c Config) GenerateIgnorePolicyVolumeIfAvailable(trivyConfigName string, workload client.Object) (*corev1.Volume, *corev1.VolumeMount)
- func (c Config) GenerateSslCertDirVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)
- func (c Config) GetAdditionalVulnerabilityReportFields() vulnerabilityreport.AdditionalFields
- func (c Config) GetClientServerSkipUpdate() bool
- func (c Config) GetCommand() Command
- func (c Config) GetDBRepository() (string, error)
- func (c Config) GetDBRepositoryInsecure() bool
- func (c Config) GetFilesystemScanCacheDir() string
- func (c Config) GetImagePullPolicy() string
- func (c Config) GetImagePullSecret() []corev1.LocalObjectReference
- func (c Config) GetImageRef() (string, error)
- func (c Config) GetImageScanCacheDir() string
- func (c Config) GetImageTag() (string, error)
- func (c Config) GetIncludeDevDeps() bool
- func (c Config) GetInsecureRegistries() map[string]bool
- func (c Config) GetMirrors() map[string]string
- func (c Config) GetMode() Mode
- func (c Config) GetNonSSLRegistries() map[string]bool
- func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)
- func (c Config) GetSbomSources() string
- func (c Config) GetServerInsecure() bool
- func (c Config) GetServerURL() (string, error)
- func (c Config) GetSeverity() string
- func (c Config) GetSkipJavaDBUpdate() bool
- func (c Config) GetSlow() bool
- func (c Config) GetSslCertDir() string
- func (c Config) GetSupportedConfigAuditKinds() []string
- func (c Config) GetUseBuiltinRegoPolicies() bool
- func (c Config) GetVulnType() string
- func (c Config) IgnoreFileExists() bool
- func (c Config) IgnoreUnfixed() bool
- func (c Config) OfflineScan() bool
- func (c Config) TrivyDBRepositoryCredentialsSet() bool
- type FileSystemJobSpecMgr
- type GetPodSpecFunc
- type ImageJobSpecMgr
- type Mode
- type PodSpecMgr
Constants ¶
const ( GCPCR_Inage_Regex = `^(gcr\.io.*|^([a-zA-Z0-9-]+)-*-*.docker.pkg.dev.*)` AWSECR_Image_Regex = "^\\d+\\.dkr\\.ecr\\.(\\w+-\\w+-\\d+)\\.amazonaws\\.com\\/" // SkipDirsAnnotation annotation example: trivy-operator.aquasecurity.github.io/skip-dirs: "/tmp,/home" SkipDirsAnnotation = "trivy-operator.aquasecurity.github.io/skip-dirs" // SkipFilesAnnotation example: trivy-operator.aquasecurity.github.io/skip-files: "/src/Gemfile.lock,/examplebinary" SkipFilesAnnotation = "trivy-operator.aquasecurity.github.io/skip-files" )
const ( DefaultImageRepository = "ghcr.io/aquasecurity/trivy" DefaultDBRepository = "ghcr.io/aquasecurity/trivy-db" DefaultJavaDBRepository = "ghcr.io/aquasecurity/trivy-java-db" DefaultSeverity = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" )
const ( SslCertDir = "/var/ssl-cert" )
const (
KeyTrivySeverity = "trivy.severity"
)
const (
// Plugin the name of this plugin.
Plugin = "Trivy"
)
const (
SupportedConfigAuditKinds = "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
)
Variables ¶
This section is empty.
Functions ¶
func ConfigWorkloadAnnotationEnvVars ¶ added in v0.14.0
func CreateSbomDataAsSecret ¶ added in v0.17.0
CreateSbomDataAsSecret creates a secret with the BOM data
func CreateVolumeSbomFiles ¶ added in v0.17.0
func CreateVolumeSbomFiles(volumeMounts *[]corev1.VolumeMount, volumes *[]corev1.Volume, secretName *string, fileName string, mountPath string, cname string)
CreateVolumeSbomFiles creates a volume and volume mount for the sbom data
func GetFSScanningArgs ¶ added in v0.18.0
func GetFSScanningArgs(ctx trivyoperator.PluginContext, command Command, mode Mode, trivyServerURL string) []string
func GetMirroredImage ¶
func GetPodSpecForClientServerFSMode ¶ added in v0.16.4
func GetPodSpecForClientServerFSMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, _ map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
FileSystem scan option with ClientServer mode. The only difference is that instead of scanning the resource by name, We scanning the resource place on a specific file system location using the following command.
trivy --quiet fs --server TRIVY_SERVER --format json --ignore-unfixed file/system/location
func GetPodSpecForClientServerMode ¶ added in v0.16.4
func GetPodSpecForClientServerMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
In the ClientServer mode the number of containers of the pod created by the scan job equals the number of containers defined for the scanned workload. Each container runs Trivy image scan command and refers to Trivy server URL returned by Config.GetServerURL:
trivy image --server <server URL> \ --format json <container image>
func GetPodSpecForStandaloneFSMode ¶ added in v0.16.4
func GetPodSpecForStandaloneFSMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, _ map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
FileSystem scan option with standalone mode. The only difference is that instead of scanning the resource by name, We are scanning the resource place on a specific file system location using the following command.
trivy --quiet fs --format json --ignore-unfixed file/system/location
func GetPodSpecForStandaloneMode ¶ added in v0.16.4
func GetPodSpecForStandaloneMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
In the Standalone mode there is the init container responsible for downloading the latest Trivy DB file from GitHub and storing it to the emptyDir volume shared with main containers. In other words, the init container runs the following Trivy command:
trivy --cache-dir /tmp/trivy/.cache image --download-db-only
The number of main containers correspond to the number of containers defined for the scanned workload. Each container runs the Trivy image scan command and skips the database download:
trivy --cache-dir /tmp/trivy/.cache image --skip-update \ --format json <container image>
func GetSbomFSScanningArgs ¶ added in v0.17.0
func GetSbomFSScanningArgs(ctx trivyoperator.PluginContext, mode Mode, trivyServerURL string, sbomFile string) ([]string, []string)
func GetSbomScanCommandAndArgs ¶ added in v0.17.0
func GetSbomScanCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, sbomFile string, trivyServerURL string, resultFileName string) ([]string, []string)
func MultiSecretSupport ¶ added in v0.12.0
MultiSecretSupport validate if trivy multi secret support
func NewPlugin ¶
func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) vulnerabilityreport.Plugin
NewPlugin constructs a new vulnerabilityreport.Plugin, which is using an upstream Trivy container image to scan Kubernetes workloads.
The plugin supports Image and Filesystem commands. The Filesystem command may be used to scan workload images cached on cluster nodes by scheduling scan jobs on a particular node.
The Image command supports both Standalone and ClientServer modes depending on the settings returned by Config.GetMode. The ClientServer mode is usually more performant, however it requires a Trivy server accessible at the configurable Config.GetServerURL.
func NewTrivyConfigAuditPlugin ¶
func NewTrivyConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) configauditreport.PluginInMemory
NewTrivyConfigAuditPlugin constructs a new configAudit.Plugin, which is using an upstream Trivy config audit scanner lib.
func SkipDBUpdate ¶ added in v0.12.0
SkipDBUpdate skip update flag
func SkipJavaDBUpdate ¶ added in v0.16.0
SkipJavaDBUpdate skip update flag
Types ¶
type Config ¶
type Config struct {
trivyoperator.PluginConfig
}
Config defines configuration params for this plugin.
func (Config) FindIgnorePolicyKey ¶ added in v0.10.2
func (Config) GenerateIgnoreFileVolumeIfAvailable ¶ added in v0.10.2
func (Config) GenerateIgnorePolicyVolumeIfAvailable ¶ added in v0.10.2
func (Config) GenerateSslCertDirVolumeIfAvailable ¶ added in v0.14.0
func (Config) GetAdditionalVulnerabilityReportFields ¶ added in v0.2.0
func (c Config) GetAdditionalVulnerabilityReportFields() vulnerabilityreport.AdditionalFields
func (Config) GetClientServerSkipUpdate ¶ added in v0.16.0
func (Config) GetCommand ¶
func (Config) GetDBRepository ¶
func (Config) GetDBRepositoryInsecure ¶
func (Config) GetFilesystemScanCacheDir ¶ added in v0.17.0
func (Config) GetImagePullPolicy ¶ added in v0.16.2
func (Config) GetImagePullSecret ¶ added in v0.6.0
func (c Config) GetImagePullSecret() []corev1.LocalObjectReference
func (Config) GetImageRef ¶
GetImageRef returns upstream Trivy container image reference.
func (Config) GetImageScanCacheDir ¶ added in v0.17.0
func (Config) GetImageTag ¶ added in v0.12.0
GetImageTag returns upstream Trivy container image tag.
func (Config) GetIncludeDevDeps ¶ added in v0.18.0
func (Config) GetInsecureRegistries ¶
func (Config) GetMirrors ¶
func (Config) GetNonSSLRegistries ¶
func (Config) GetResourceRequirements ¶
func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)
GetResourceRequirements creates ResourceRequirements from the Config.
func (Config) GetSbomSources ¶ added in v0.18.0
func (Config) GetServerInsecure ¶
func (Config) GetServerURL ¶
func (Config) GetSeverity ¶ added in v0.12.0
func (Config) GetSkipJavaDBUpdate ¶ added in v0.16.0
func (Config) GetSslCertDir ¶ added in v0.14.0
func (Config) GetSupportedConfigAuditKinds ¶
func (Config) GetUseBuiltinRegoPolicies ¶
func (Config) GetVulnType ¶ added in v0.14.0
func (Config) IgnoreFileExists ¶
func (Config) IgnoreUnfixed ¶
func (Config) OfflineScan ¶ added in v0.7.0
func (Config) TrivyDBRepositoryCredentialsSet ¶ added in v0.18.0
type FileSystemJobSpecMgr ¶ added in v0.16.4
type FileSystemJobSpecMgr struct {
// contains filtered or unexported fields
}
func (*FileSystemJobSpecMgr) GetPodSpec ¶ added in v0.16.4
func (j *FileSystemJobSpecMgr) GetPodSpec(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
type GetPodSpecFunc ¶ added in v0.16.4
type GetPodSpecFunc func(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
type ImageJobSpecMgr ¶ added in v0.16.4
type ImageJobSpecMgr struct {
// contains filtered or unexported fields
}
func (*ImageJobSpecMgr) GetPodSpec ¶ added in v0.16.4
func (j *ImageJobSpecMgr) GetPodSpec(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
type PodSpecMgr ¶ added in v0.16.4
type PodSpecMgr interface {
GetPodSpec(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
}
func NewFileSystemJobSpecMgr ¶ added in v0.16.4
func NewFileSystemJobSpecMgr() PodSpecMgr
func NewImageJobSpecMgr ¶ added in v0.16.4
func NewImageJobSpecMgr() PodSpecMgr
func NewPodSpecMgr ¶ added in v0.16.4
func NewPodSpecMgr(config Config) PodSpecMgr