feat: add TRIVY_NON_SSL config and environment variable (#854)

Co-authored-by: chenk <hen.keinan@gmail.com>
aquasecurity · Jan 6, 2022 · 5ab3973 · 5ab3973
1 parent 8f637cf
commit 5ab3973
Show file tree

Hide file tree

Showing 5 changed files with 523 additions and 0 deletions.
diff --git a/deploy/helm/templates/config.yaml b/deploy/helm/templates/config.yaml
@@ -50,6 +50,9 @@ data:
   {{- if .noProxy }}
   trivy.noProxy: {{ .noProxy | quote }}
   {{- end }}
+  {{- range $key, $registry := .nonSslRegistries }}
+  trivy.nonSslRegistry.{{ $key }}: {{ $registry | quote }}
+  {{- end }}
   trivy.severity: {{ .severity | quote }}
   {{- if .ignoreUnfixed }}
   trivy.ignoreUnfixed: {{ .ignoreUnfixed | quote }}

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -102,6 +102,12 @@ trivy:
   #
   # noProxy:
 
+  # Registries without SSL. There can be multiple registries with different keys.
+  nonSslRegistries: {}
+  #  pocRegistry: poc.myregistry.harbor.com.pl
+  #  qaRegistry: qa.registry.aquasec.com
+  #  internalRegistry: registry.registry.svc:5000
+
   # severity is a comma separated list of severity levels reported by Trivy.
   severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
 

diff --git a/docs/integrations/vulnerability-scanners/trivy.md b/docs/integrations/vulnerability-scanners/trivy.md
@@ -92,6 +92,7 @@ EOF
 | `trivy.serverURL`                 | N/A                                | The endpoint URL of the Trivy server. Required in `ClientServer` mode. |
 | `trivy.serverTokenHeader`         | `Trivy-Token`                      | The name of the HTTP header to send the authentication token to Trivy server. Only application in `ClientServer` mode when `trivy.serverToken` is specified. |
 | `trivy.insecureRegistry.<id>`     | N/A                                | The registry to which insecure connections are allowed. There can be multiple registries with different registry `<id>`. |
+| `trivy.nonSslRegistry.<id>`       | N/A                                | A registry without SSL. There can be multiple registries with different registry `<id>`. |
 | `trivy.registry.mirror.<registry>`| N/A                                | Mirror for the registry `<registry>`, e.g. `trivy.registry.mirror.index.docker.io: mirror.io` would use `mirror.io` to get images originated from `index.docker.io` |
 | `trivy.httpProxy`                 | N/A                                | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. |
 | `trivy.httpsProxy`                | N/A                                | The HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub. |

diff --git a/pkg/plugin/trivy/plugin.go b/pkg/plugin/trivy/plugin.go
@@ -31,6 +31,7 @@ const (
 	keyTrivyIgnoreUnfixed          = "trivy.ignoreUnfixed"
 	keyTrivyIgnoreFile             = "trivy.ignoreFile"
 	keyTrivyInsecureRegistryPrefix = "trivy.insecureRegistry."
+	keyTrivyNonSslRegistryPrefix   = "trivy.nonSslRegistry."
 	keyTrivyMirrorPrefix           = "trivy.registry.mirror."
 	keyTrivyHTTPProxy              = "trivy.httpProxy"
 	keyTrivyHTTPSProxy             = "trivy.httpsProxy"
@@ -106,6 +107,17 @@ func (c Config) GetInsecureRegistries() map[string]bool {
 	return insecureRegistries
 }
 
+func (c Config) GetNonSslRegistries() map[string]bool {
+	nonSslRegistries := make(map[string]bool)
+	for key, val := range c.Data {
+		if strings.HasPrefix(key, keyTrivyNonSslRegistryPrefix) {
+			nonSslRegistries[val] = true
+		}
+	}
+
+	return nonSslRegistries
+}
+
 func (c Config) GetMirrors() map[string]string {
 	res := make(map[string]string)
 	for registryKey, mirror := range c.Data {
@@ -513,6 +525,11 @@ func (p *plugin) getPodSpecForStandaloneMode(ctx starboard.PluginContext, config
 			return corev1.PodSpec{}, nil, err
 		}
 
+		env, err = p.appendTrivyNonSslEnv(config, c.Image, env)
+		if err != nil {
+			return corev1.PodSpec{}, nil, err
+		}
+
 		resourceRequirements, err := config.GetResourceRequirements()
 		if err != nil {
 			return corev1.PodSpec{}, nil, err
@@ -755,6 +772,11 @@ func (p *plugin) getPodSpecForClientServerMode(ctx starboard.PluginContext, conf
 			return corev1.PodSpec{}, nil, err
 		}
 
+		env, err = p.appendTrivyNonSslEnv(config, container.Image, env)
+		if err != nil {
+			return corev1.PodSpec{}, nil, err
+		}
+
 		if config.IgnoreFileExists() {
 			volumes = []corev1.Volume{
 				{
@@ -849,6 +871,23 @@ func (p *plugin) appendTrivyInsecureEnv(config Config, image string, env []corev
 	return env, nil
 }
 
+func (p *plugin) appendTrivyNonSslEnv(config Config, image string, env []corev1.EnvVar) ([]corev1.EnvVar, error) {
+	ref, err := name.ParseReference(image)
+	if err != nil {
+		return nil, err
+	}
+
+	nonSslRegistries := config.GetNonSslRegistries()
+	if nonSslRegistries[ref.Context().RegistryStr()] {
+		env = append(env, corev1.EnvVar{
+			Name:  "TRIVY_NON_SSL",
+			Value: "true",
+		})
+	}
+
+	return env, nil
+}
+
 func (p *plugin) ParseVulnerabilityReportData(ctx starboard.PluginContext, imageRef string, logsReader io.ReadCloser) (v1alpha1.VulnerabilityReportData, error) {
 	config, err := p.newConfigFrom(ctx)
 	if err != nil {