Documentation ¶
Overview ¶
Package trivy provides primitives for working with Trivy.
Index ¶
- Constants
- func CheckAwsEcrPrivateRegistry(ImageUrl string) string
- func ConfigWorkloadAnnotationEnvVars(workload client.Object, annotation string, envVarName string, ...) corev1.EnvVar
- func CreateSbomDataAsSecret(bom v1alpha1.BOM, secretName string) (corev1.Secret, error)
- func CreateVolumeSbomFiles(volumeMounts *[]corev1.VolumeMount, volumes *[]corev1.Volume, ...)
- func GetMirroredImage(image string, mirrors map[string]string) (string, error)
- func GetPodSpecForClientServerFSMode(ctx tunneloperator.PluginContext, config Config, workload client.Object, ...) (corev1.PodSpec, []*corev1.Secret, error)
- func GetPodSpecForClientServerMode(ctx tunneloperator.PluginContext, config Config, workload client.Object, ...) (corev1.PodSpec, []*corev1.Secret, error)
- func GetPodSpecForStandaloneFSMode(ctx tunneloperator.PluginContext, config Config, workload client.Object, ...) (corev1.PodSpec, []*corev1.Secret, error)
- func GetPodSpecForStandaloneMode(ctx tunneloperator.PluginContext, config Config, workload client.Object, ...) (corev1.PodSpec, []*corev1.Secret, error)
- func GetSbomFSScanningArgs(ctx tunneloperator.PluginContext, mode Mode, trivyServerURL string, ...) ([]string, []string)
- func GetSbomScanCommandAndArgs(ctx tunneloperator.PluginContext, mode Mode, sbomFile string, ...) ([]string, []string)
- func MultiSecretSupport(c Config) bool
- func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, ...) vulnerabilityreport.Plugin
- func NewTrivyConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, ...) configauditreport.PluginInMemory
- func Scanners(c Config) string
- func SkipDBUpdate(c Config) string
- func SkipJavaDBUpdate(c Config) string
- func Slow(c Config) string
- type Command
- type Config
- func (c Config) FindIgnorePolicyKey(workload client.Object) string
- func (c Config) GenerateIgnoreFileVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)
- func (c Config) GenerateIgnorePolicyVolumeIfAvailable(trivyConfigName string, workload client.Object) (*corev1.Volume, *corev1.VolumeMount)
- func (c Config) GenerateSslCertDirVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)
- func (c Config) GetAdditionalVulnerabilityReportFields() vulnerabilityreport.AdditionalFields
- func (c Config) GetClientServerSkipUpdate() bool
- func (c Config) GetCommand() Command
- func (c Config) GetDBRepository() (string, error)
- func (c Config) GetDBRepositoryInsecure() bool
- func (c Config) GetFilesystemScanCacheDir() string
- func (c Config) GetImagePullPolicy() string
- func (c Config) GetImagePullSecret() []corev1.LocalObjectReference
- func (c Config) GetImageRef() (string, error)
- func (c Config) GetImageScanCacheDir() string
- func (c Config) GetImageTag() (string, error)
- func (c Config) GetInsecureRegistries() map[string]bool
- func (c Config) GetMirrors() map[string]string
- func (c Config) GetMode() Mode
- func (c Config) GetNonSSLRegistries() map[string]bool
- func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)
- func (c Config) GetServerInsecure() bool
- func (c Config) GetServerURL() (string, error)
- func (c Config) GetSeverity() string
- func (c Config) GetSkipJavaDBUpdate() bool
- func (c Config) GetSlow() bool
- func (c Config) GetSslCertDir() string
- func (c Config) GetSupportedConfigAuditKinds() []string
- func (c Config) GetUseBuiltinRegoPolicies() bool
- func (c Config) GetVulnType() string
- func (c Config) IgnoreFileExists() bool
- func (c Config) IgnoreUnfixed() bool
- func (c Config) OfflineScan() bool
- type FileSystemJobSpecMgr
- type GetPodSpecFunc
- type ImageJobSpecMgr
- type Mode
- type PodSpecMgr
Constants ¶
const ( GCPCR_Inage_Regex = `^(gcr\.io.*|^([a-zA-Z0-9-]+)-*-*.docker.pkg.dev.*)` AWSECR_Image_Regex = "^\\d+\\.dkr\\.ecr\\.(\\w+-\\w+-\\d+)\\.amazonaws\\.com\\/" // SkipDirsAnnotation annotation example: tunnel-operator.khulnasoft.github.io/skip-dirs: "/tmp,/home" SkipDirsAnnotation = "tunnel-operator.khulnasoft.github.io/skip-dirs" // SkipFilesAnnotation example: tunnel-operator.khulnasoft.github.io/skip-files: "/src/Gemfile.lock,/examplebinary" SkipFilesAnnotation = "tunnel-operator.khulnasoft.github.io/skip-files" )
const ( DefaultImageRepository = "ghcr.io/aquasecurity/trivy" DefaultDBRepository = "ghcr.io/aquasecurity/trivy-db" DefaultJavaDBRepository = "ghcr.io/aquasecurity/trivy-java-db" DefaultSeverity = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" )
const ( SslCertDir = "/var/ssl-cert" )
const (
KeyTrivySeverity = "trivy.severity"
)
const (
// Plugin the name of this plugin.
Plugin = "Trivy"
)
const (
SupportedConfigAuditKinds = "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
)
Variables ¶
This section is empty.
Functions ¶
func CreateSbomDataAsSecret ¶ added in v0.9.2
CreateSbomDataAsSecret creates a secret with the BOM data
func CreateVolumeSbomFiles ¶ added in v0.9.2
func CreateVolumeSbomFiles(volumeMounts *[]corev1.VolumeMount, volumes *[]corev1.Volume, secretName *string, fileName string)
CreateVolumeSbomFiles creates a volume and volume mount for the sbom data
func GetMirroredImage ¶
func GetPodSpecForClientServerFSMode ¶ added in v0.9.2
func GetPodSpecForClientServerFSMode(ctx tunneloperator.PluginContext, config Config, workload client.Object, _ map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
FileSystem scan option with ClientServer mode. The only difference is that instead of scanning the resource by name, We scanning the resource place on a specific file system location using the following command.
trivy --quiet fs --server TRIVY_SERVER --format json --ignore-unfixed file/system/location
func GetPodSpecForClientServerMode ¶ added in v0.9.2
func GetPodSpecForClientServerMode(ctx tunneloperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
In the ClientServer mode the number of containers of the pod created by the scan job equals the number of containers defined for the scanned workload. Each container runs Trivy image scan command and refers to Trivy server URL returned by Config.GetServerURL:
trivy image --server <server URL> \ --format json <container image>
func GetPodSpecForStandaloneFSMode ¶ added in v0.9.2
func GetPodSpecForStandaloneFSMode(ctx tunneloperator.PluginContext, config Config, workload client.Object, _ map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
FileSystem scan option with standalone mode. The only difference is that instead of scanning the resource by name, We are scanning the resource place on a specific file system location using the following command.
trivy --quiet fs --format json --ignore-unfixed file/system/location
func GetPodSpecForStandaloneMode ¶ added in v0.9.2
func GetPodSpecForStandaloneMode(ctx tunneloperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
In the Standalone mode there is the init container responsible for downloading the latest Trivy DB file from GitHub and storing it to the emptyDir volume shared with main containers. In other words, the init container runs the following Trivy command:
trivy --cache-dir /tmp/trivy/.cache image --download-db-only
The number of main containers correspond to the number of containers defined for the scanned workload. Each container runs the Trivy image scan command and skips the database download:
trivy --cache-dir /tmp/trivy/.cache image --skip-update \ --format json <container image>
func GetSbomFSScanningArgs ¶ added in v0.9.2
func GetSbomFSScanningArgs(ctx tunneloperator.PluginContext, mode Mode, trivyServerURL string, sbomFile string) ([]string, []string)
func GetSbomScanCommandAndArgs ¶ added in v0.9.2
func GetSbomScanCommandAndArgs(ctx tunneloperator.PluginContext, mode Mode, sbomFile string, trivyServerURL string, resultFileName string) ([]string, []string)
func MultiSecretSupport ¶
MultiSecretSupport validate if trivy multi secret support
func NewPlugin ¶
func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) vulnerabilityreport.Plugin
NewPlugin constructs a new vulnerabilityreport.Plugin, which is using an upstream Trivy container image to scan Kubernetes workloads.
The plugin supports Image and Filesystem commands. The Filesystem command may be used to scan workload images cached on cluster nodes by scheduling scan jobs on a particular node.
The Image command supports both Standalone and ClientServer modes depending on the settings returned by Config.GetMode. The ClientServer mode is usually more performant, however it requires a Trivy server accessible at the configurable Config.GetServerURL.
func NewTrivyConfigAuditPlugin ¶ added in v0.9.2
func NewTrivyConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) configauditreport.PluginInMemory
NewTrivyConfigAuditPlugin constructs a new configAudit.Plugin, which is using an upstream Trivy config audit scanner lib.
Types ¶
type Config ¶
type Config struct {
tunneloperator.PluginConfig
}
Config defines configuration params for this plugin.
func (Config) FindIgnorePolicyKey ¶
func (Config) GenerateIgnoreFileVolumeIfAvailable ¶
func (Config) GenerateIgnorePolicyVolumeIfAvailable ¶
func (Config) GenerateSslCertDirVolumeIfAvailable ¶
func (Config) GetAdditionalVulnerabilityReportFields ¶
func (c Config) GetAdditionalVulnerabilityReportFields() vulnerabilityreport.AdditionalFields
func (Config) GetClientServerSkipUpdate ¶
func (Config) GetCommand ¶
func (Config) GetDBRepository ¶
func (Config) GetDBRepositoryInsecure ¶
func (Config) GetFilesystemScanCacheDir ¶ added in v0.9.2
func (Config) GetImagePullPolicy ¶ added in v0.9.2
func (Config) GetImagePullSecret ¶
func (c Config) GetImagePullSecret() []corev1.LocalObjectReference
func (Config) GetImageRef ¶
GetImageRef returns upstream Trivy container image reference.
func (Config) GetImageScanCacheDir ¶ added in v0.9.2
func (Config) GetImageTag ¶
GetImageTag returns upstream Trivy container image tag.
func (Config) GetInsecureRegistries ¶
func (Config) GetMirrors ¶
func (Config) GetNonSSLRegistries ¶
func (Config) GetResourceRequirements ¶
func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)
GetResourceRequirements creates ResourceRequirements from the Config.
func (Config) GetServerInsecure ¶
func (Config) GetServerURL ¶
func (Config) GetSeverity ¶
func (Config) GetSkipJavaDBUpdate ¶
func (Config) GetSslCertDir ¶
func (Config) GetSupportedConfigAuditKinds ¶
func (Config) GetUseBuiltinRegoPolicies ¶
func (Config) GetVulnType ¶
func (Config) IgnoreFileExists ¶
func (Config) IgnoreUnfixed ¶
func (Config) OfflineScan ¶
type FileSystemJobSpecMgr ¶ added in v0.9.2
type FileSystemJobSpecMgr struct {
// contains filtered or unexported fields
}
func (*FileSystemJobSpecMgr) GetPodSpec ¶ added in v0.9.2
func (j *FileSystemJobSpecMgr) GetPodSpec(ctx tunneloperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
type GetPodSpecFunc ¶ added in v0.9.2
type GetPodSpecFunc func(ctx tunneloperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
type ImageJobSpecMgr ¶ added in v0.9.2
type ImageJobSpecMgr struct {
// contains filtered or unexported fields
}
func (*ImageJobSpecMgr) GetPodSpec ¶ added in v0.9.2
func (j *ImageJobSpecMgr) GetPodSpec(ctx tunneloperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
type PodSpecMgr ¶ added in v0.9.2
type PodSpecMgr interface {
GetPodSpec(ctx tunneloperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
}
func NewFileSystemJobSpecMgr ¶ added in v0.9.2
func NewFileSystemJobSpecMgr() PodSpecMgr
func NewImageJobSpecMgr ¶ added in v0.9.2
func NewImageJobSpecMgr() PodSpecMgr
func NewPodSpecMgr ¶ added in v0.9.2
func NewPodSpecMgr(config Config) PodSpecMgr