feat(trivy): Configure insecure image registries (#548)

Resolves: #545
aquasecurity · May 9, 2021 · 472fd92 · 472fd92
1 parent 85af65f
commit 472fd92
Show file tree

Hide file tree

Showing 5 changed files with 436 additions and 2 deletions.
diff --git a/docs/settings.md b/docs/settings.md
@@ -68,6 +68,7 @@ The following tables list available configuration settings with their default va
 | `trivy.mode`                   | `Standalone`                                           | Trivy client mode. Either `Standalone` or `ClientServer`. Depending on the active mode other settings might be applicable or required. |
 | `trivy.serverURL`              | N/A                                                    | The endpoint URL of the Trivy server. Required in `ClientServer` mode. |
 | `trivy.serverTokenHeader`      | `Trivy-Token`                                          | The name of the HTTP header to send the authentication token to Trivy server. Only application in `ClientServer` mode when `trivy.serverToken` is specified. |
+| `trivy.insecureRegistry.<id>`  | N/A                                                    | The registry to which insecure connections are allowed. There can be multiple registries with different registry `<id>`. |
 | `aqua.imageRef`                | `docker.io/aquasec/scanner:5.3`                        | Aqua scanner image reference. The tag determines the version of the `scanner` binary executable and it must be compatible with version of Aqua console. |
 | `aqua.serverURL`               | N/A                                                    | The endpoint URL of Aqua management console |
 | `kube-bench.imageRef`          | `docker.io/aquasec/kube-bench:0.5.0`                   | kube-bench image reference |

diff --git a/pkg/plugin/trivy/plugin.go b/pkg/plugin/trivy/plugin.go
@@ -10,6 +10,7 @@ import (
 	"github.com/aquasecurity/starboard/pkg/kube"
 	"github.com/aquasecurity/starboard/pkg/starboard"
 	"github.com/aquasecurity/starboard/pkg/vulnerabilityreport"
+	"github.com/google/go-containerregistry/pkg/name"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -40,6 +41,7 @@ type Config interface {
 	GetTrivyImageRef() (string, error)
 	GetTrivyMode() (starboard.TrivyMode, error)
 	GetTrivyServerURL() (string, error)
+	GetTrivyInsecureRegistries() map[string]bool
 }
 
 // NewPlugin constructs a new vulnerabilityreport.Plugin, which is using an
@@ -271,6 +273,11 @@ func (s *scanner) getPodSpecForStandaloneMode(spec corev1.PodSpec, credentials m
 			})
 		}
 
+		env, err = s.appendTrivyInsecureEnv(c.Image, env)
+		if err != nil {
+			return corev1.PodSpec{}, nil, err
+		}
+
 		containers = append(containers, corev1.Container{
 			Name:                     c.Name,
 			Image:                    trivyImageRef,
@@ -478,6 +485,11 @@ func (s *scanner) getPodSpecForClientServerMode(spec corev1.PodSpec, credentials
 			})
 		}
 
+		env, err = s.appendTrivyInsecureEnv(container.Image, env)
+		if err != nil {
+			return corev1.PodSpec{}, nil, err
+		}
+
 		containers = append(containers, corev1.Container{
 			Name:                     container.Name,
 			Image:                    trivyImageRef,
@@ -514,3 +526,20 @@ func (s *scanner) ParseVulnerabilityScanResult(imageRef string, logsReader io.Re
 	}
 	return result, nil
 }
+
+func (s *scanner) appendTrivyInsecureEnv(image string, env []corev1.EnvVar) ([]corev1.EnvVar, error) {
+	ref, err := name.ParseReference(image)
+	if err != nil {
+		return nil, err
+	}
+
+	insecureRegistries := s.config.GetTrivyInsecureRegistries()
+	if insecureRegistries[ref.Context().RegistryStr()] {
+		env = append(env, corev1.EnvVar{
+			Name:  "TRIVY_INSECURE",
+			Value: "true",
+		})
+	}
+
+	return env, nil
+}