feat(scan): support offline option #1511
Conversation
docs/advanced/air-gap.md
Outdated
### Run Trivy with --skip-update option | ||
In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file. | ||
### Run Trivy with --skip-update and --offline option | ||
In an air-gapped environment, specify `--skip-update` and `--offline` so that Trivy doesn't attempt to download the latest database file and issue any API requests for vulnerability scanning. |
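Review bot: the new `--offline` sentence overstates what the option does and can mislead air-gap users: `--skip-update` is the option that suppresses the database download, while `--offline` only stops dependency parsers (Maven, per the review discussion) from calling remote repositories to resolve transitive dependencies, so it should be stated explicitly that `--offline` on its own does not make Trivy safe for an air-gapped host and that it is in addition to `--skip-update`. The conjunction is also wrong for a negated sentence; suggest "doesn't attempt to download the latest database file or issue any API requests for dependency resolution".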
I would mention that it affects Maven only (as of Dec 2021)
Done 558b8b7
docs/getting-started/cli/client.md
Outdated
@@ -22,6 +22,7 @@ OPTIONS: | |||
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT] | |||
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY] | |||
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS] | |||
--offline try to scan without Internet access (default: false) [$TRIVY_OFFLINE] |
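Review bot: the help text `try to scan without Internet access` on the `--offline` line is ambiguous next to `--skip-update`, which is the option that actually avoids the DB download, so a new user could read `--offline` as a complete air-gap switch. Suggest naming the behaviour it disables, e.g. `do not resolve dependencies from remote repositories (e.g. Maven); does not affect DB download`, while keeping the `(default: false) [$TRIVY_OFFLINE]` suffix aligned with the surrounding options.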
The description is a bit ambiguous. Some new users may think it's enough to run Trivy in an air-gapped environment.
Any suggestion?
`--offline-scan` is better?
Something like this:
"Do not download extra information about dependencies. Some dependency parsers (like Maven) use a public API to download the entire dependency tree. Use this option to disable that behavior."
`--parse-offline`?
or `--parse-deps-offline`?
Thanks. It is a bit long for a help message. I fixed it based on your suggestion. I think it is clear enough to understand that this option doesn't affect the DB download.
558b8b7
Description
This option allows avoiding Internet access. The results with and without the option may differ. For example, offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't exist in the local repositories, whereas online mode will resolve those dependencies from the remote repositories. It means there might be fewer dependencies in offline mode.
Supported
Issues
Close #1294
Close #1290
Close #1173
Close #1057
Close #982
Blockers
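To make the online/offline difference described in the PR description concrete, here is an added Go example (not Trivy's own code) of a toy transitive resolver for pom.xml dependencies. It consults a local repository first and a stand-in for the remote repository only when `Offline` is false; an artifact whose POM is not cached locally is left unexpanded in offline mode, so the offline run reports fewer dependencies. The `Coordinate`, `Repository` and `Resolver` types, the `org.example` artifacts and both sample repositories are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Coordinate identifies a Maven artifact as groupId:artifactId:version.
type Coordinate string

// Repository maps an artifact to the direct dependencies declared in its POM.
// An artifact missing from the map has no POM available in that repository.
type Repository map[Coordinate][]Coordinate

// Resolver walks the transitive dependency tree declared in a pom.xml.
// With Offline set, only Local is consulted; an artifact whose POM is not
// cached locally is recorded as unresolved and its own dependencies are not
// expanded, which is why offline runs can report fewer dependencies.
type Resolver struct {
	Offline     bool
	Local       Repository // stands in for ~/.m2/repository
	Remote      Repository // stands in for a remote repository such as Maven Central
	remoteCalls int
}

// Result summarises one resolution run.
type Result struct {
	Dependencies []Coordinate // every artifact reached, sorted
	Unresolved   []Coordinate // artifacts whose POM could not be read, sorted
	RemoteCalls  int          // lookups that needed the network
}

func (r *Resolver) lookup(c Coordinate) ([]Coordinate, bool) {
	if deps, ok := r.Local[c]; ok {
		return deps, true
	}
	if r.Offline {
		return nil, false // no network access in offline mode
	}
	r.remoteCalls++
	deps, ok := r.Remote[c]
	return deps, ok
}

// Resolve returns the transitive closure of the direct dependencies.
func (r *Resolver) Resolve(direct []Coordinate) Result {
	r.remoteCalls = 0
	seen := map[Coordinate]bool{}
	var unresolved []Coordinate
	queue := append([]Coordinate(nil), direct...)
	for len(queue) > 0 {
		c := queue[0]
		queue = queue[1:]
		if seen[c] {
			continue
		}
		seen[c] = true
		deps, ok := r.lookup(c)
		if !ok {
			unresolved = append(unresolved, c)
			continue
		}
		queue = append(queue, deps...)
	}
	res := Result{RemoteCalls: r.remoteCalls, Unresolved: unresolved}
	for c := range seen {
		res.Dependencies = append(res.Dependencies, c)
	}
	sortCoords(res.Dependencies)
	sortCoords(res.Unresolved)
	return res
}

func sortCoords(cs []Coordinate) {
	sort.Slice(cs, func(i, j int) bool { return cs[i] < cs[j] })
}

// SampleDirect returns the constructed direct dependencies of the example pom.xml.
func SampleDirect() []Coordinate {
	return []Coordinate{"org.example:web:1.0", "org.example:util:2.0"}
}

// NewSampleResolver builds a resolver over constructed repositories: the local
// cache holds web and util, but web's transitive dependency http (and http's
// own dependency codec) exist only in the remote repository.
func NewSampleResolver(offline bool) *Resolver {
	return &Resolver{
		Offline: offline,
		Local: Repository{
			"org.example:web:1.0":  {"org.example:http:3.1"},
			"org.example:util:2.0": {},
		},
		Remote: Repository{
			"org.example:web:1.0":   {"org.example:http:3.1"},
			"org.example:util:2.0":  {},
			"org.example:http:3.1":  {"org.example:codec:1.4"},
			"org.example:codec:1.4": {},
		},
	}
}

func main() {
	for _, offline := range []bool{false, true} {
		res := NewSampleResolver(offline).Resolve(SampleDirect())
		fmt.Printf("offline=%-5v deps=%d unresolved=%v remoteCalls=%d\n",
			offline, len(res.Dependencies), res.Unresolved, res.RemoteCalls)
	}
}
```

Run with `go run .`: the online run reaches four artifacts and makes two remote lookups, while the offline run makes none, reaches only three, and lists `org.example:http:3.1` as unresolved because its POM is not in the local cache. That unresolved list is the signal a practitioner wants from an offline scan, since a silently shorter dependency list is easy to mistake for a clean result.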