Replies: 1 comment 3 replies
-
|
what is the problem or question? |
Beta Was this translation helpful? Give feedback.
-
|
@itaysk I want to confirm that Trivy's resource-efficient scanning (which we observed with 100GB images) doesn't compromise security. Specifically: Does Trivy skip any content when scanning large images? |
Beta Was this translation helpful? Give feedback.
-
|
For example, we scanned an image where the layer size was larger than the available RAM, and everything was scanned. Why? Does Trivy ignore layers larger than the available RAM? |
Beta Was this translation helpful? Give feedback.
-
|
For typical scanning, Trivy doesn't read every single file, it looks for specific files that it recognizes. the only exception is secret scanner which 1. reads only text files 2. read files by streaming (doesn't load the entire file to memory) |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Question
We conducted an experiment to understand Trivy's resource usage when scanning large remote images and got surprising results that contradict our expectations.
Test setup:
Created a 100GB Docker image by adding:
Multiple 10GB files filled with /dev/random data
Normal application layers (Ubuntu + app dependencies)
Testing environment: Small Kubernetes pod with:
4GB RAM limit
2 CPU cores
Scanned from remote registry (not locally pulled)
Used all scanners: --scanners vuln,secret,misconfig,license
Target
Container Image
Scanner
Vulnerability
Output Format
JSON
Mode
Client/Server
Operating System
alpine
Version
Beta Was this translation helpful? Give feedback.
All reactions