Documentation ¶
Overview ¶
Package trivy provides primitives for working with Trivy.
Index ¶
- Constants
- func CheckAwsEcrPrivateRegistry(ImageUrl string) string
- func GetCvssV3(findingCvss types.VendorCVSS) map[string]*CVSS
- func GetMirroredImage(image string, mirrors map[string]string) (string, error)
- func GetScoreFromCVSS(CVSSs map[string]*CVSS) *float64
- func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, ...) vulnerabilityreport.Plugin
- func NewTrivyConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, ...) configauditreport.PluginInMemory
- type AdditionalFields
- type CVSS
- type Command
- type Config
- func (c Config) FindIgnorePolicyKey(workload client.Object) string
- func (c Config) GenerateIgnoreFileVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)
- func (c Config) GenerateIgnorePolicyVolumeIfAvailable(trivyConfigName string, workload client.Object) (*corev1.Volume, *corev1.VolumeMount)
- func (c Config) GetAdditionalVulnerabilityReportFields() AdditionalFields
- func (c Config) GetCommand() (Command, error)
- func (c Config) GetDBRepository() (string, error)
- func (c Config) GetDBRepositoryInsecure() bool
- func (c Config) GetImagePullSecret() []corev1.LocalObjectReference
- func (c Config) GetImageRef() (string, error)
- func (c Config) GetInsecureRegistries() map[string]bool
- func (c Config) GetMirrors() map[string]string
- func (c Config) GetMode() (Mode, error)
- func (c Config) GetNonSSLRegistries() map[string]bool
- func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)
- func (c Config) GetServerInsecure() bool
- func (c Config) GetServerURL() (string, error)
- func (c Config) GetSlow() bool
- func (c Config) GetSupportedConfigAuditKinds() []string
- func (c Config) GetUseBuiltinRegoPolicies() bool
- func (c Config) IgnoreFileExists() bool
- func (c Config) IgnoreUnfixed() bool
- func (c Config) OfflineScan() bool
- type Layer
- type Mode
- type ScanReport
- type ScanResult
- type Secret
- type Vulnerability
Constants ¶
const ( AWSECR_Image_Regex = "^\\d+\\.dkr\\.ecr\\.(\\w+-\\w+-\\d+)\\.amazonaws\\.com\\/" SupportedConfigAuditKinds = "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota" )
const ()
const (
// Plugin the name of this plugin.
Plugin = "Trivy"
)
Variables ¶
This section is empty.
Functions ¶
func GetMirroredImage ¶
func GetScoreFromCVSS ¶
func NewPlugin ¶
func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) vulnerabilityreport.Plugin
NewPlugin constructs a new vulnerabilityreport.Plugin, which is using an upstream Trivy container image to scan Kubernetes workloads.
The plugin supports Image and Filesystem commands. The Filesystem command may be used to scan workload images cached on cluster nodes by scheduling scan jobs on a particular node.
The Image command supports both Standalone and ClientServer modes depending on the settings returned by Config.GetMode. The ClientServer mode is usually more performant, however it requires a Trivy server accessible at the configurable Config.GetServerURL.
func NewTrivyConfigAuditPlugin ¶
func NewTrivyConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) configauditreport.PluginInMemory
NewTrivyConfigAuditPlugin constructs a new configAudit.Plugin, which is using an upstream Trivy config audit scanner lib.
Types ¶
type AdditionalFields ¶ added in v0.2.0
type Config ¶
type Config struct {
trivyoperator.PluginConfig
}
Config defines configuration params for this plugin.
func (Config) FindIgnorePolicyKey ¶ added in v0.10.2
func (Config) GenerateIgnoreFileVolumeIfAvailable ¶ added in v0.10.2
func (Config) GenerateIgnorePolicyVolumeIfAvailable ¶ added in v0.10.2
func (Config) GetAdditionalVulnerabilityReportFields ¶ added in v0.2.0
func (c Config) GetAdditionalVulnerabilityReportFields() AdditionalFields
func (Config) GetCommand ¶
func (Config) GetDBRepository ¶
func (Config) GetDBRepositoryInsecure ¶
func (Config) GetImagePullSecret ¶ added in v0.6.0
func (c Config) GetImagePullSecret() []corev1.LocalObjectReference
func (Config) GetImageRef ¶
GetImageRef returns upstream Trivy container image reference.
func (Config) GetInsecureRegistries ¶
func (Config) GetMirrors ¶
func (Config) GetNonSSLRegistries ¶
func (Config) GetResourceRequirements ¶
func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)
GetResourceRequirements creates ResourceRequirements from the Config.
func (Config) GetServerInsecure ¶
func (Config) GetServerURL ¶
func (Config) GetSupportedConfigAuditKinds ¶
func (Config) GetUseBuiltinRegoPolicies ¶
func (Config) IgnoreFileExists ¶
func (Config) IgnoreUnfixed ¶
func (Config) OfflineScan ¶ added in v0.7.0
type ScanReport ¶
type ScanReport struct {
Results []ScanResult `json:"Results"`
}
type ScanResult ¶
type ScanResult struct { Target string `json:"Target"` Class string `json:"Class"` Type string `json:"Type"` Vulnerabilities []Vulnerability `json:"Vulnerabilities"` Secrets []Secret `json:"Secrets"` }
type Vulnerability ¶
type Vulnerability struct { VulnerabilityID string `json:"VulnerabilityID"` PkgName string `json:"PkgName"` InstalledVersion string `json:"InstalledVersion"` FixedVersion string `json:"FixedVersion"` Title string `json:"Title"` Description string `json:"Description"` Severity v1alpha1.Severity `json:"Severity"` Layer Layer `json:"Layer"` PrimaryURL string `json:"PrimaryURL"` References []string `json:"References"` CVSS types.VendorCVSS `json:"CVSS"` Target string `json:"Target"` Class string `json:"Class"` }