trivy

package
Published: Dec 14, 2023 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation

Overview

Package trivy provides primitives for working with Trivy.

Index

Constants

const (
	// GCPCR_Inage_Regex matches image references hosted on Google registries
	// (gcr.io and Artifact Registry hosts of the form <location>-docker.pkg.dev).
	// NOTE(review): the identifier is misspelled ("Inage"); it is exported, so a
	// rename in place would break importers — add a correctly spelled alias
	// instead if this is ever cleaned up.
	// NOTE(review): in the second alternative the `.` before `docker.pkg.dev` is
	// unescaped and the inner `^` is redundant, and `gcr\.io.*` has no `/`
	// terminator, so a host such as `gcr.io.example.test` matches as well.
	// Confirm against callers whether this is meant to identify the registry
	// host strictly before tightening it.
	GCPCR_Inage_Regex  = `^(gcr\.io.*|^([a-zA-Z0-9-]+)-*-*.docker.pkg.dev.*)`
	// AWSECR_Image_Regex matches private Amazon ECR image references of the form
	// <account-id>.dkr.ecr.<region>.amazonaws.com/ and captures the region.
	// NOTE(review): only the amazonaws.com suffix is covered; other partitions
	// (e.g. amazonaws.com.cn) would not match — verify that is intended.
	AWSECR_Image_Regex = "^\\d+\\.dkr\\.ecr\\.(\\w+-\\w+-\\d+)\\.amazonaws\\.com\\/"
	// SkipDirsAnnotation is the annotation listing directories Trivy should skip,
	// e.g. tunnel-operator.khulnasoft.github.io/skip-dirs: "/tmp,/home"
	SkipDirsAnnotation = "tunnel-operator.khulnasoft.github.io/skip-dirs"
	// SkipFilesAnnotation is the annotation listing files Trivy should skip,
	// e.g. tunnel-operator.khulnasoft.github.io/skip-files: "/src/Gemfile.lock,/examplebinary"
	SkipFilesAnnotation = "tunnel-operator.khulnasoft.github.io/skip-files"
)
const (
	// DefaultImageRepository is the upstream Trivy scanner image repository.
	// NOTE(review): this is a repository name only — the tag is resolved
	// separately (see Config.GetImageTag); presumably used as the fallback when
	// the plugin config does not set one — confirm in Config.GetImageRef.
	DefaultImageRepository  = "ghcr.io/aquasecurity/trivy"
	// DefaultDBRepository is the OCI repository the vulnerability DB is pulled
	// from (fallback for Config.GetDBRepository — confirm).
	DefaultDBRepository     = "ghcr.io/aquasecurity/trivy-db"
	// DefaultJavaDBRepository is the OCI repository the Java DB is pulled from.
	DefaultJavaDBRepository = "ghcr.io/aquasecurity/trivy-java-db"
	// DefaultSeverity lists every severity level, i.e. no finding is filtered
	// out by severity unless the config narrows it (see Config.GetSeverity).
	DefaultSeverity         = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
)
const (
	// FsSharedVolumeName names the volume shared between the containers of a
	// filesystem scan job — presumably the one SharedVolumeLocationOfTrivy lives
	// on; confirm in GetPodSpecForStandaloneFSMode.
	FsSharedVolumeName          = "tunneloperator"
	// SharedVolumeLocationOfTrivy is the path inside the shared volume; it looks
	// like the location the Trivy binary is staged at — TODO confirm.
	SharedVolumeLocationOfTrivy = "/var/tunneloperator/trivy"
	// SslCertDir is the mount path for custom CA certificates (see
	// Config.GenerateSslCertDirVolumeIfAvailable and Config.GetSslCertDir).
	SslCertDir                  = "/var/ssl-cert"
)
const (
	// KeyTrivySeverity is the config key holding the severity filter string
	// (presumably read by Config.GetSeverity — confirm).
	KeyTrivySeverity = "trivy.severity"
)
const (
	// Plugin is the name of this plugin as registered with the operator.
	Plugin = "Trivy"
)
const (
	// SupportedConfigAuditKinds is the comma-separated list of Kubernetes kinds
	// the config audit plugin can scan; Config.GetSupportedConfigAuditKinds
	// exposes it as a []string.
	SupportedConfigAuditKinds = "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
)

Variables

This section is empty.

Functions

func CheckAwsEcrPrivateRegistry

func CheckAwsEcrPrivateRegistry(ImageUrl string) string

func ConfigWorkloadAnnotationEnvVars

func ConfigWorkloadAnnotationEnvVars(workload client.Object, annotation string, envVarName string, trivyConfigName string, configKey string) corev1.EnvVar

func CreateSbomDataAsSecret added in v0.9.2

func CreateSbomDataAsSecret(bom v1alpha1.BOM, secretName string) (corev1.Secret, error)

CreateSbomDataAsSecret creates a Secret holding the BOM data.

func CreateVolumeSbomFiles added in v0.9.2

func CreateVolumeSbomFiles(volumeMounts *[]corev1.VolumeMount, volumes *[]corev1.Volume, secretName *string, fileName string)

CreateVolumeSbomFiles creates a volume and volume mount for the SBOM data.

func GetMirroredImage

func GetMirroredImage(image string, mirrors map[string]string) (string, error)

func GetPodSpecForClientServerFSMode added in v0.9.2

func GetPodSpecForClientServerFSMode(ctx tunneloperator.PluginContext, config Config, workload client.Object, _ map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

FileSystem scan option with ClientServer mode. The only difference is that instead of scanning the resource by name, we scan the resource placed at a specific file system location using the following command.

trivy --quiet fs  --server TRIVY_SERVER  --format json --ignore-unfixed  file/system/location

func GetPodSpecForClientServerMode added in v0.9.2

func GetPodSpecForClientServerMode(ctx tunneloperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

In the ClientServer mode the number of containers of the pod created by the scan job equals the number of containers defined for the scanned workload. Each container runs the Trivy image scan command and refers to the Trivy server URL returned by Config.GetServerURL:

trivy image --server <server URL> \
  --format json <container image>

func GetPodSpecForStandaloneFSMode added in v0.9.2

func GetPodSpecForStandaloneFSMode(ctx tunneloperator.PluginContext, config Config, workload client.Object, _ map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

FileSystem scan option with standalone mode. The only difference is that instead of scanning the resource by name, we scan the resource placed at a specific file system location using the following command.

trivy --quiet fs  --format json --ignore-unfixed  file/system/location

func GetPodSpecForStandaloneMode added in v0.9.2

func GetPodSpecForStandaloneMode(ctx tunneloperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

In the Standalone mode there is an init container responsible for downloading the latest Trivy DB file from GitHub and storing it in the emptyDir volume shared with the main containers. In other words, the init container runs the following Trivy command:

trivy --cache-dir /tmp/trivy/.cache image --download-db-only

The number of main containers corresponds to the number of containers defined for the scanned workload. Each container runs the Trivy image scan command and skips the database download:

trivy --cache-dir /tmp/trivy/.cache image --skip-update \
  --format json <container image>

func GetSbomFSScanningArgs added in v0.9.2

func GetSbomFSScanningArgs(ctx tunneloperator.PluginContext, mode Mode, trivyServerURL string, sbomFile string) ([]string, []string)

func GetSbomScanCommandAndArgs added in v0.9.2

func GetSbomScanCommandAndArgs(ctx tunneloperator.PluginContext, mode Mode, sbomFile string, trivyServerURL string, resultFileName string) ([]string, []string)

func MultiSecretSupport

func MultiSecretSupport(c Config) bool

MultiSecretSupport reports whether Trivy multi-secret support is available.

func NewPlugin

func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) vulnerabilityreport.Plugin

NewPlugin constructs a new vulnerabilityreport.Plugin, which uses an upstream Trivy container image to scan Kubernetes workloads.

The plugin supports Image and Filesystem commands. The Filesystem command may be used to scan workload images cached on cluster nodes by scheduling scan jobs on a particular node.

The Image command supports both Standalone and ClientServer modes depending on the settings returned by Config.GetMode. The ClientServer mode is usually more performant; however, it requires a Trivy server accessible at the configurable Config.GetServerURL.

func NewTrivyConfigAuditPlugin added in v0.9.2

func NewTrivyConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) configauditreport.PluginInMemory

NewTrivyConfigAuditPlugin constructs a new configAudit.Plugin, which uses the upstream Trivy config audit scanner library.

func Scanners

func Scanners(c Config) string

Scanners returns the value of the scanners flag.

func SkipDBUpdate

func SkipDBUpdate(c Config) string

SkipDBUpdate returns the skip-update flag.

func SkipJavaDBUpdate

func SkipJavaDBUpdate(c Config) string

SkipJavaDBUpdate returns the Java DB skip-update flag.

func Slow

func Slow(c Config) string

Slow determines whether to use the slow flag (which reduces the memory footprint).

Types

type Command

// Command selects what a scan job scans: a container image, the workload's
// filesystem, or a root filesystem (see the Filesystem, Image and Rootfs values).
type Command string

Command to scan image or filesystem.

const (
	// Filesystem scans the workload's filesystem (trivy fs).
	Filesystem Command = "filesystem"
	// Image scans the container image by reference (trivy image).
	Image      Command = "image"
	// Rootfs scans a root filesystem tree.
	Rootfs     Command = "rootfs"
)

type Config

// Config defines configuration params for this plugin. It embeds the
// operator's generic PluginConfig and layers typed getters (GetMode,
// GetServerURL, GetImageRef, ...) over it.
type Config struct {
	tunneloperator.PluginConfig
}

Config defines configuration params for this plugin.

func (Config) FindIgnorePolicyKey

func (c Config) FindIgnorePolicyKey(workload client.Object) string

func (Config) GenerateIgnoreFileVolumeIfAvailable

func (c Config) GenerateIgnoreFileVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateIgnorePolicyVolumeIfAvailable

func (c Config) GenerateIgnorePolicyVolumeIfAvailable(trivyConfigName string, workload client.Object) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateSslCertDirVolumeIfAvailable

func (c Config) GenerateSslCertDirVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GetAdditionalVulnerabilityReportFields

func (c Config) GetAdditionalVulnerabilityReportFields() vulnerabilityreport.AdditionalFields

func (Config) GetClientServerSkipUpdate

func (c Config) GetClientServerSkipUpdate() bool

func (Config) GetCommand

func (c Config) GetCommand() Command

func (Config) GetDBRepository

func (c Config) GetDBRepository() (string, error)

func (Config) GetDBRepositoryInsecure

func (c Config) GetDBRepositoryInsecure() bool

func (Config) GetFilesystemScanCacheDir added in v0.9.2

func (c Config) GetFilesystemScanCacheDir() string

func (Config) GetImagePullPolicy added in v0.9.2

func (c Config) GetImagePullPolicy() string

func (Config) GetImagePullSecret

func (c Config) GetImagePullSecret() []corev1.LocalObjectReference

func (Config) GetImageRef

func (c Config) GetImageRef() (string, error)

GetImageRef returns upstream Trivy container image reference.

func (Config) GetImageScanCacheDir added in v0.9.2

func (c Config) GetImageScanCacheDir() string

func (Config) GetImageTag

func (c Config) GetImageTag() (string, error)

GetImageTag returns upstream Trivy container image tag.

func (Config) GetInsecureRegistries

func (c Config) GetInsecureRegistries() map[string]bool

func (Config) GetMirrors

func (c Config) GetMirrors() map[string]string

func (Config) GetMode

func (c Config) GetMode() Mode

func (Config) GetNonSSLRegistries

func (c Config) GetNonSSLRegistries() map[string]bool

func (Config) GetResourceRequirements

func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)

GetResourceRequirements creates ResourceRequirements from the Config.

func (Config) GetServerInsecure

func (c Config) GetServerInsecure() bool

func (Config) GetServerURL

func (c Config) GetServerURL() (string, error)

func (Config) GetSeverity

func (c Config) GetSeverity() string

func (Config) GetSkipJavaDBUpdate

func (c Config) GetSkipJavaDBUpdate() bool

func (Config) GetSlow

func (c Config) GetSlow() bool

func (Config) GetSslCertDir

func (c Config) GetSslCertDir() string

func (Config) GetSupportedConfigAuditKinds

func (c Config) GetSupportedConfigAuditKinds() []string

func (Config) GetUseBuiltinRegoPolicies

func (c Config) GetUseBuiltinRegoPolicies() bool

func (Config) GetVulnType

func (c Config) GetVulnType() string

func (Config) IgnoreFileExists

func (c Config) IgnoreFileExists() bool

func (Config) IgnoreUnfixed

func (c Config) IgnoreUnfixed() bool

func (Config) OfflineScan

func (c Config) OfflineScan() bool

type FileSystemJobSpecMgr added in v0.9.2

// FileSystemJobSpecMgr implements PodSpecMgr for filesystem-command scans;
// NewFileSystemJobSpecMgr returns one and GetPodSpec builds the scan-job pod.
type FileSystemJobSpecMgr struct {
	// contains filtered or unexported fields
}

func (*FileSystemJobSpecMgr) GetPodSpec added in v0.9.2

func (j *FileSystemJobSpecMgr) GetPodSpec(ctx tunneloperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

type GetPodSpecFunc added in v0.9.2

// GetPodSpecFunc is the signature shared by the pod-spec builders
// (GetPodSpecForStandaloneMode, GetPodSpecForClientServerMode and their FS
// variants); it matches PodSpecMgr.GetPodSpec.
type GetPodSpecFunc func(ctx tunneloperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

type ImageJobSpecMgr added in v0.9.2

// ImageJobSpecMgr implements PodSpecMgr for image-command scans;
// NewImageJobSpecMgr returns one and GetPodSpec builds the scan-job pod.
type ImageJobSpecMgr struct {
	// contains filtered or unexported fields
}

func (*ImageJobSpecMgr) GetPodSpec added in v0.9.2

func (j *ImageJobSpecMgr) GetPodSpec(ctx tunneloperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

type Mode

// Mode is the mode in which the Trivy client operates: Standalone (each scan
// container carries its own DB) or ClientServer (scans go through a Trivy
// server, see Config.GetServerURL).
type Mode string

Mode in which Trivy client operates.

const (
	// Standalone runs the scan and the DB download inside the scan job itself.
	Standalone   Mode = "Standalone"
	// ClientServer sends scans to a Trivy server reachable at Config.GetServerURL.
	ClientServer Mode = "ClientServer"
)

type PodSpecMgr added in v0.9.2

// PodSpecMgr builds the PodSpec (and any secrets it needs) for a scan job.
// NewPodSpecMgr picks the image or filesystem implementation from the Config.
type PodSpecMgr interface {
	// GetPodSpec returns the scan-job pod spec for workload together with the
	// secrets the pod references; credentials carries registry auth for the
	// workload's images and clusterSboms any pre-built SBOMs keyed by image.
	GetPodSpec(ctx tunneloperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
}

func NewFileSystemJobSpecMgr added in v0.9.2

func NewFileSystemJobSpecMgr() PodSpecMgr

func NewImageJobSpecMgr added in v0.9.2

func NewImageJobSpecMgr() PodSpecMgr

func NewPodSpecMgr added in v0.9.2

func NewPodSpecMgr(config Config) PodSpecMgr
