feat: Add support for Trivy client-server mode (#240)

Resolves: #213 Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
aquasecurity · Nov 13, 2020 · 668f7a7 · 668f7a7
1 parent 9be5bc8
commit 668f7a7
Show file tree

Hide file tree

Showing 29 changed files with 5,485 additions and 683 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
diff --git a/Makefile b/Makefile
@@ -66,7 +66,8 @@ itests-starboard: check-env get-ginkgo
 	github.com/aquasecurity/starboard/pkg/kubehunter,\
 	github.com/aquasecurity/starboard/pkg/polaris,\
 	github.com/aquasecurity/starboard/pkg/polaris/crd,\
-	github.com/aquasecurity/starboard/pkg/find/vulnerabilities/trivy,\
+	github.com/aquasecurity/starboard/pkg/trivy,\
+	github.com/aquasecurity/starboard/pkg/find/vulnerabilities,\
 	github.com/aquasecurity/starboard/pkg/vulnerabilityreport \
 	./itest/starboard
 
@@ -82,7 +83,8 @@ itests-starboard-operator: check-env get-ginkgo
 	github.com/aquasecurity/starboard/pkg/operator/controller/job,\
 	github.com/aquasecurity/starboard/pkg/operator/controller/pod,\
 	github.com/aquasecurity/starboard/pkg/operator/logs,\
-	github.com/aquasecurity/starboard/pkg/operator/trivy \
+	github.com/aquasecurity/starboard/pkg/trivy,\
+	github.com/aquasecurity/starboard/pkg/vulnerabilityreport \
 	./itest/starboard-operator
 
 check-env:

diff --git a/README.md b/README.md
@@ -268,10 +268,12 @@ The following table lists available configuration parameters.
 
 | CONFIGMAP KEY         | DEFAULT                                                | DESCRIPTION |
 | --------------------- | ------------------------------------------------------ | ----------- |
-| `trivy.httpProxy`     | N/A                                                    | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub |
-| `trivy.githubToken`   | N/A                                                    | The GitHub personal access token used by Trivy to download the vulnerabilities database from GitHub |
+| `trivy.httpProxy`     | N/A                                                    | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. Only applicable if Trivy runs in the `Standalone` mode. |
+| `trivy.githubToken`   | N/A                                                    | The GitHub personal access token used by Trivy to download the vulnerabilities database from GitHub. Only applicable if Trivy runs in the `Standalone` mode. |
 | `trivy.severity`      | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`                     | A comma separated list of severity levels reported by Trivy |
-| `trivy.imageRef`      | `docker.io/aquasec/trivy:0.9.1`                        | Trivy image reference |
+| `trivy.imageRef`      | `docker.io/aquasec/trivy:0.12.0`                       | Trivy image reference |
+| `trivy.mode`          | `Standalone`                                           | Trivy client mode. Either `Standalone` or `ClientServer`. |
+| `trivy.serverURL`     | `http://trivy-server.trivy-server:4954`                | The endpoint URL of the Trivy server. This parameter is required when Trivy runs in the `ClientServer` mode. |
 | `polaris.config.yaml` | [Check the default value here][default-polaris-config] | Polaris configuration file |
 
 > **Note:** You can find it handy to delete a configuration key, which was not created by default by the
@@ -415,10 +417,7 @@ Configuration of the operator is done via environment variables at startup.
 | `OPERATOR_NAMESPACE`                 | N/A                    | See [Install modes](#install-modes) |
 | `OPERATOR_TARGET_NAMESPACES`         | N/A                    | See [Install modes](#install-modes) |
 | `OPERATOR_SCANNER_TRIVY_ENABLED`     | `true`                 | The flag to enable Trivy vulnerability scanner |
-| `OPERATOR_SCANNER_TRIVY_VERSION`     | `0.11.0`               | The version of Trivy to be used |
-| `OPERATOR_SCANNER_TRIVY_IMAGE`       | `aquasec/trivy:0.11.0` | The Docker image of Trivy to be used |
 | `OPERATOR_SCANNER_AQUA_CSP_ENABLED`  | `false`                | The flag to enable Aqua vulnerability scanner |
-| `OPERATOR_SCANNER_AQUA_CSP_VERSION`  | `5.0`                  | The version of Aqua scanner to be used |
 | `OPERATOR_SCANNER_AQUA_CSP_IMAGE`    | `aquasec/scanner:5.0`  | The Docker image of Aqua scanner to be used |
 | `OPERATOR_LOG_DEV_MODE`              | `false`                | The flag to use (or not use) development mode (more human-readable output, extra stack traces and logging information, etc). |
 | `OPERATOR_SCAN_JOB_TIMEOUT`          | `5m`                   | The length of time to wait before giving up on a scan job |

diff --git a/deploy/init/03-starboard.cm.yaml b/deploy/init/03-starboard.cm.yaml
@@ -7,7 +7,9 @@ metadata:
   namespace: starboard
 data:
   trivy.severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-  trivy.imageRef: docker.io/aquasec/trivy:0.9.1
+  trivy.imageRef: docker.io/aquasec/trivy:0.12.0
+  trivy.mode: Standalone
+  trivy.serverURL: http://trivy-server.trivy-server:4954
   kube-bench.imageRef: docker.io/aquasec/kube-bench:0.4.0
   polaris.config.yaml: |
     checks:

diff --git a/deploy/trivy-server/01-trivy-server.ns.yaml b/deploy/trivy-server/01-trivy-server.ns.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: trivy-server
diff --git a/deploy/trivy-server/02-trivy-server.sa.yaml b/deploy/trivy-server/02-trivy-server.sa.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: trivy-server
+  namespace: trivy-server
diff --git a/deploy/trivy-server/03-trivy-server.deployment.yaml b/deploy/trivy-server/03-trivy-server.deployment.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: trivy-server
+  name: trivy-server
+  namespace: trivy-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: trivy-server
+  template:
+    metadata:
+      labels:
+        app: trivy-server
+    spec:
+      serviceAccountName: trivy-server
+      automountServiceAccountToken: false
+      volumes:
+        - name: trivy-cache
+          emptyDir: {}
+      containers:
+        - name: trivy-server
+          image: docker.io/aquasec/trivy:0.12.0
+          command:
+            - trivy
+            - server
+            - --debug
+            - --listen
+            - 0.0.0.0:4954
+          volumeMounts:
+            - name: trivy-cache
+              mountPath: /root/.cache/trivy
+          ports:
+            - containerPort: 4954
+              name: twirp
diff --git a/deploy/trivy-server/04-trivy-server.svc.yaml b/deploy/trivy-server/04-trivy-server.svc.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: trivy-server
+  namespace: trivy-server
+  labels:
+    app: trivy-server
+spec:
+  type: ClusterIP
+  selector:
+    app: trivy-server
+  ports:
+    - protocol: TCP
+      port: 4954
+      targetPort: 4954
diff --git a/deploy/trivy-server/README.md b/deploy/trivy-server/README.md
@@ -0,0 +1,16 @@
+# Trivy Server
+
+> **Note:** This is just for testing Trivy in client-server mode. We should move away the YAML Manifests from this repository.
+> Maybe even provide a Helm chart for Trivy server.
+
+## Deploy with Static YAML Manifests
+
+```
+$ kubectl apply -f deploy/trivy-server
+```
+
+```
+$ kubectl run trivy-client -it --rm --image aquasec/trivy:0.12.0 --command -- sh
+/ # trivy client --format json --remote http://trivy-server.trivy-server:4954 wordpress:4.9
+/ # trivy client --format json --remote http://trivy-server.trivy-server:4954 wordpress:5.5
+```