diff --git a/README.md b/README.md
index 85218af1..6af21e5e 100644
--- a/README.md
+++ b/README.md
@@ -136,6 +136,7 @@ Configuration of the adapter is done via environment variables at startup.
 | `SCANNER_TRIVY_IGNORE_UNFIXED` | `false` | The flag to display only fixed vulnerabilities |
 | `SCANNER_TRIVY_SKIP_UPDATE` | `false` | The flag to enable or disable [Trivy DB][trivy-db] downloads from GitHub |
 | `SCANNER_TRIVY_GITHUB_TOKEN` | N/A | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][gh-rate-limit]) |
+| `SCANNER_TRIVY_INSECURE` | `false` | The flag to skip verifying registry certificate |
 | `SCANNER_STORE_REDIS_URL` | `redis://harbor-harbor-redis:6379` | Redis server URI for a redis store |
 | `SCANNER_STORE_REDIS_NAMESPACE` | `harbor.scanner.trivy:store` | A namespace for keys in a redis store |
 | `SCANNER_STORE_REDIS_POOL_MAX_ACTIVE` | `5` | The max number of connections allocated by the pool for a redis store |
diff --git a/helm/harbor-scanner-trivy/README.md b/helm/harbor-scanner-trivy/README.md
index 31d057be..c3f3c88a 100644
--- a/helm/harbor-scanner-trivy/README.md
+++ b/helm/harbor-scanner-trivy/README.md
@@ -90,6 +90,7 @@ The following table lists the configurable parameters of the scanner adapter cha
 | `scanner.trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` |
 | `scanner.trivy.skipUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` |
 | `scanner.trivy.gitHubToken` | The GitHub access token to download Trivy DB | |
+| `scanner.trivy.insecure` | The flag to skip verifying registry certificate | `false` |
 | `scanner.store.redisURL` | Redis server URI for a redis store | `redis://harbor-harbor-redis:6379` |
 | `scanner.store.redisNamespace` | A namespace for keys in a redis store | `harbor.scanner.trivy:store` |
 | `scanner.store.redisMaxActive` | The max number of connections allocated by the pool for a redis store | `5` |
diff --git a/helm/harbor-scanner-trivy/templates/statefulset.yaml b/helm/harbor-scanner-trivy/templates/statefulset.yaml index 80072429..f5421bd5 100644 --- a/helm/harbor-scanner-trivy/templates/statefulset.yaml +++ b/helm/harbor-scanner-trivy/templates/statefulset.yaml @@ -71,6 +71,8 @@ spec: secretKeyRef: name: {{ include "harbor-scanner-trivy.fullname" . }} key: gitHubToken + - name: "SCANNER_TRIVY_INSECURE" + value: {{ .Values.scanner.trivy.insecure | default false | quote }} - name: "SCANNER_STORE_REDIS_URL" value: {{ .Values.scanner.store.redisURL | quote }} - name: "SCANNER_STORE_REDIS_NAMESPACE" diff --git a/helm/harbor-scanner-trivy/values.yaml b/helm/harbor-scanner-trivy/values.yaml index fbec0af7..8d0126f3 100644 --- a/helm/harbor-scanner-trivy/values.yaml +++ b/helm/harbor-scanner-trivy/values.yaml @@ -74,6 +74,8 @@ scanner: # You can create a GitHub token by following the instructions in # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line gitHubToken: "" + # insecure the flag to skip verifying registry certificate + insecure: false store: redisURL: "redis://harbor-harbor-redis:6379" redisNamespace: "harbor.scanner.trivy:store" diff --git a/pkg/etc/config.go b/pkg/etc/config.go index 6b067ee1..641bb64d 100644 --- a/pkg/etc/config.go +++ b/pkg/etc/config.go @@ -32,6 +32,7 @@ type Trivy struct { IgnoreUnfixed bool `env:"SCANNER_TRIVY_IGNORE_UNFIXED" envDefault:"false"` SkipUpdate bool `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"` GitHubToken string `env:"SCANNER_TRIVY_GITHUB_TOKEN"` + Insecure bool `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"` } type API struct { diff --git a/pkg/etc/config_test.go b/pkg/etc/config_test.go index 448e183e..e2ad1d32 100644 --- a/pkg/etc/config_test.go +++ b/pkg/etc/config_test.go 
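Review bot: The comment added above `insecure: false` in values.yaml is a sentence fragment and says nothing about what the operator gives up by flipping it, even though the README rows in this same commit describe it as skipping registry certificate verification. A values file is where most operators will first meet this knob, so the warning belongs here: `# insecure disables TLS certificate verification when Trivy talks to the registry (sets TRIVY_INSECURE=true). Keep it false; only enable for a registry with a self-signed certificate you cannot install a CA for, since it leaves image pulls open to interception.` The `scanner.trivy` mapping this key lives in starts before the hunk.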
@@ -69,6 +69,7 @@ func TestGetConfig(t *testing.T) { ReportsDir: "/home/scanner/.cache/reports", VulnType: "os,library", Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", + Insecure: false, GitHubToken: "", }, RedisStore: RedisStore{ @@ -105,6 +106,7 @@ func TestGetConfig(t *testing.T) { "SCANNER_TRIVY_VULN_TYPE": "os,library", "SCANNER_TRIVY_SEVERITY": "CRITICAL", "SCANNER_TRIVY_IGNORE_UNFIXED": "true", + "SCANNER_TRIVY_INSECURE": "true", "SCANNER_TRIVY_SKIP_UPDATE": "true", "SCANNER_TRIVY_GITHUB_TOKEN": "", @@ -131,6 +133,7 @@ func TestGetConfig(t *testing.T) { Severity: "CRITICAL", IgnoreUnfixed: true, SkipUpdate: true, + Insecure: true, GitHubToken: "", }, RedisStore: RedisStore{ diff --git a/pkg/trivy/wrapper.go b/pkg/trivy/wrapper.go index b3fc577f..c5e98bba 100644 --- a/pkg/trivy/wrapper.go +++ b/pkg/trivy/wrapper.go @@ -131,6 +131,11 @@ func (w *wrapper) prepareScanCmd(imageRef ImageRef, outputFile string) (*exec.Cm if strings.TrimSpace(w.config.GitHubToken) != "" { cmd.Env = append(cmd.Env, fmt.Sprintf("GITHUB_TOKEN=%s", w.config.GitHubToken)) } + + if w.config.Insecure { + cmd.Env = append(cmd.Env, "TRIVY_INSECURE=true") + } + return cmd, nil } diff --git a/pkg/trivy/wrapper_test.go b/pkg/trivy/wrapper_test.go index 481a332b..8eae99fb 100644 --- a/pkg/trivy/wrapper_test.go +++ b/pkg/trivy/wrapper_test.go @@ -66,6 +66,7 @@ func TestWrapper_Scan(t *testing.T) { IgnoreUnfixed: true, SkipUpdate: true, GitHubToken: "", + Insecure: true, } imageRef := ImageRef{ @@ -99,6 +100,7 @@ func TestWrapper_Scan(t *testing.T) { "TRIVY_PASSWORD=s3cret", "TRIVY_NON_SSL=true", "GITHUB_TOKEN=", + "TRIVY_INSECURE=true", } ambassador.On("TempFile", "/home/scanner/.cache/reports", "scan_report_*.json").
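Review bot: The new `if w.config.Insecure` branch in prepareScanCmd disables registry certificate verification for every scan this adapter runs, and it does so silently — nothing in the hunk records that the scanner is operating in that mode, so an operator reading logs has no way to notice a misconfigured production deployment. I would emit a warning-level log line when the branch is taken (the wrapper presumably already has a logger, but none is visible in this hunk) and put a comment above it: `// Insecure maps to TRIVY_INSECURE and turns off TLS certificate verification for the registry; intended only for self-signed registries.` It is also worth making explicit, in that comment or the README, that this is distinct from the existing `TRIVY_NON_SSL` handling the test's expected env shows, since one is plain HTTP and the other is unverified HTTPS. prepareScanCmd's signature and the start of its body are outside the hunk.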
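Review bot: TestWrapper_Scan now only exercises `Insecure: true`, so a regression that appends `TRIVY_INSECURE=true` unconditionally would still pass — the more dangerous direction for a flag that turns off certificate checks. Add a second case (or a table entry, if the test is table-driven outside this hunk) with `Insecure: false` that asserts the expected env list does not contain `"TRIVY_INSECURE=true"`, using whatever comparison the test already applies to the env slice. TestWrapper_Scan starts and continues outside the hunk.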