feat: Add TRIVY_INSECURE flag to skip verifying registry certificates

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>

README.md

@@ -136,6 +136,7 @@ Configuration of the adapter is done via environment variables at startup.
 | `SCANNER_TRIVY_IGNORE_UNFIXED`            | `false`                            | The flag to display only fixed vulnerabilities                                       |
 | `SCANNER_TRIVY_SKIP_UPDATE`               | `false`                            | The flag to enable or disable [Trivy DB][trivy-db] downloads from GitHub             |
 | `SCANNER_TRIVY_GITHUB_TOKEN`              | N/A                                | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][gh-rate-limit]) |
+| `SCANNER_TRIVY_INSECURE`                  | `false`                            | The flag to skip verifying registry certificate                                      |
 | `SCANNER_STORE_REDIS_URL`                 | `redis://harbor-harbor-redis:6379` | Redis server URI for a redis store                                                   |
 | `SCANNER_STORE_REDIS_NAMESPACE`           | `harbor.scanner.trivy:store`       | A namespace for keys in a redis store                                                |
 | `SCANNER_STORE_REDIS_POOL_MAX_ACTIVE`     | `5`                                | The max number of connections allocated by the pool for a redis store                |

helm/harbor-scanner-trivy/README.md

@@ -90,6 +90,7 @@ The following table lists the configurable parameters of the scanner adapter cha
 | `scanner.trivy.ignoreUnfixed`         | The flag to display only fixed vulnerabilities                          | `false`        |
 | `scanner.trivy.skipUpdate`            | The flag to enable or disable Trivy DB downloads from GitHub            | `false`        |
 | `scanner.trivy.gitHubToken`           | The GitHub access token to download Trivy DB                            |      |
+| `scanner.trivy.insecure`              | The flag to skip verifying registry certificate                         | `false` |
 | `scanner.store.redisURL`              | Redis server URI for a redis store                                      | `redis://harbor-harbor-redis:6379` |
 | `scanner.store.redisNamespace`        | A namespace for keys in a redis store                                   | `harbor.scanner.trivy:store`       |
 | `scanner.store.redisMaxActive`        | The max number of connections allocated by the pool for a redis store   | `5`  |

helm/harbor-scanner-trivy/templates/statefulset.yaml

@@ -71,6 +71,8 @@ spec:
                 secretKeyRef:
                   name: {{ include "harbor-scanner-trivy.fullname" . }}
                   key: gitHubToken
+            - name: "SCANNER_TRIVY_INSECURE"
+              value: {{ .Values.scanner.trivy.insecure | default false | quote }}
             - name: "SCANNER_STORE_REDIS_URL"
               value: {{ .Values.scanner.store.redisURL | quote }}
             - name: "SCANNER_STORE_REDIS_NAMESPACE"

helm/harbor-scanner-trivy/values.yaml

@@ -74,6 +74,8 @@ scanner:
     # You can create a GitHub token by following the instructions in
     # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
     gitHubToken: ""
+    # insecure the flag to skip verifying registry certificate
+    insecure: false
   store:
     redisURL: "redis://harbor-harbor-redis:6379"
     redisNamespace: "harbor.scanner.trivy:store"

pkg/etc/config.go

@@ -32,6 +32,7 @@ type Trivy struct {
 	IgnoreUnfixed bool   `env:"SCANNER_TRIVY_IGNORE_UNFIXED" envDefault:"false"`
 	SkipUpdate    bool   `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"`
 	GitHubToken   string `env:"SCANNER_TRIVY_GITHUB_TOKEN"`
+	Insecure      bool   `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
 }
 
 type API struct {

pkg/etc/config_test.go

@@ -69,6 +69,7 @@ func TestGetConfig(t *testing.T) {
 					ReportsDir:  "/home/scanner/.cache/reports",
 					VulnType:    "os,library",
 					Severity:    "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+					Insecure:    false,
 					GitHubToken: "",
 				},
 				RedisStore: RedisStore{
@@ -105,6 +106,7 @@ func TestGetConfig(t *testing.T) {
 				"SCANNER_TRIVY_VULN_TYPE":      "os,library",
 				"SCANNER_TRIVY_SEVERITY":       "CRITICAL",
 				"SCANNER_TRIVY_IGNORE_UNFIXED": "true",
+				"SCANNER_TRIVY_INSECURE":       "true",
 				"SCANNER_TRIVY_SKIP_UPDATE":    "true",
 				"SCANNER_TRIVY_GITHUB_TOKEN":   "<GITHUB_TOKEN>",
 
@@ -131,6 +133,7 @@ func TestGetConfig(t *testing.T) {
 					Severity:      "CRITICAL",
 					IgnoreUnfixed: true,
 					SkipUpdate:    true,
+					Insecure:      true,
 					GitHubToken:   "<GITHUB_TOKEN>",
 				},
 				RedisStore: RedisStore{

pkg/trivy/wrapper.go

@@ -131,6 +131,11 @@ func (w *wrapper) prepareScanCmd(imageRef ImageRef, outputFile string) (*exec.Cm
 	if strings.TrimSpace(w.config.GitHubToken) != "" {
 		cmd.Env = append(cmd.Env, fmt.Sprintf("GITHUB_TOKEN=%s", w.config.GitHubToken))
 	}
+
+	if w.config.Insecure {
+		cmd.Env = append(cmd.Env, "TRIVY_INSECURE=true")
+	}
+
 	return cmd, nil
 }
 

pkg/trivy/wrapper_test.go

@@ -66,6 +66,7 @@ func TestWrapper_Scan(t *testing.T) {
 		IgnoreUnfixed: true,
 		SkipUpdate:    true,
 		GitHubToken:   "<github_token>",
+		Insecure:      true,
 	}
 
 	imageRef := ImageRef{
@@ -99,6 +100,7 @@ func TestWrapper_Scan(t *testing.T) {
 		"TRIVY_PASSWORD=s3cret",
 		"TRIVY_NON_SSL=true",
 		"GITHUB_TOKEN=<github_token>",
+		"TRIVY_INSECURE=true",
 	}
 
 	ambassador.On("TempFile", "/home/scanner/.cache/reports", "scan_report_*.json").