feat: add auth support for downloading OCI artifacts

[knqyf263]

Description

Add authentication support for downloading OCI artifacts such as Trivy DB.

$ TRIVY_USERNAME=foo TRIVY_PASSWORD=bar trivy image --db-repository ghcr.io/your/private-db --download-db-only

Trivy currently supports keychains for private OCI artifacts. It requires docker login or something similar to configure credentials for registries. This PR allows taking credentials from environmental variables, CLI flags and trivy.yaml. It was implemented for private container images so that Trivy could scan them for vulnerabilities. This PR expands it to OCI artifacts as well.

Note that Java DB is out of scope in this PR.

• Trivy DB (default: ghcr.io/aquasecurity/trivy-db)
• Misconfiguration policies
• Wasm modules
• Java DB

Related issues

• Close download trivy DB from private repo #3891

Related PRs

• feat(image): add registry options #3906

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[DmitriyLewen]

Good work!
I added 1 comment.

Also I think we need to add information about support of private DB repositories and combination of credentials for DB and images.

[DmitriyLewen]

Looks like this field is not used.
Also ArtifactOption has same field.

[knqyf263]

I've removed it in this commit.
554e01c

I probably made a mistake when rebasing, and It has reappeared. Removed it again.
e2630d0

[knqyf263]

I updated the documentation. I'll restructure the entire doc shortly, though.
74a1aa4

[DmitriyLewen]

LGTM

[chen-keinan]

@knqyf263 this change is not supported for trivy server ... sub command ?

TRIVY_USERNAME=user TRIVY_PASSWORD=pass trivy server --listen 0.0.0.0:4975 --db-repository ghcr.io/private-repo/trivy-db  --download-db-only

[knqyf263]

Right, server is not supported now.

[chen-keinan]

Right, server is not supported now.

Any plan to add support to server , the initial use-case in trivy-operator was for server subcommand

[knqyf263]

Yes, it is just adding 1 line here, like RegistryFlagGroup: flag.NewRegistryFlags(),

trivy/pkg/commands/app.go

Lines 520 to 525 in f14bed4

	serverFlags := &flag.Flags{
	CacheFlagGroup: flag.NewCacheFlagGroup(),
	DBFlagGroup: flag.NewDBFlagGroup(),
	ModuleFlagGroup: flag.NewModuleFlagGroup(),
	RemoteFlagGroup: flag.NewServerFlags(),
	}

But if you just want to download the database with --download-db-only, you can use other subcommands until server supports it.

TRIVY_USERNAME=user TRIVY_PASSWORD=pass trivy image --db-repository ghcr.io/private-repo/trivy-db  --download-db-only

Anyway, it is good to add registry flags to server. @chen-keinan Could you work on this change and test it with trivy-operator?