
Trivy: Build rule download cron similar to nuclei #911

Closed
malexmave opened this issue Jan 4, 2022 · 0 comments · Fixed by #1760
Labels
enhancement New feature or request scanner Implement or update a security scanner

Comments

@malexmave (Member)

➹ New Feature implementation request

For nuclei, we have an auto-update system for the templates that downloads them on a regular basis and writes them to a persistent volume which is being pulled into every nuclei scan. This avoids the problem of rate limiting by the GitHub API (where the files are hosted).

Since trivy also downloads the rulesets from GitHub, it has the same issues as Nuclei. It would be nice if the same functionality for centralized downloading would be added to the trivy scantype. However, we should consider turning it off by default because not all k8s clusters support the type of volume that the system uses, leading to errors when launching scans.

Alternative: trivy has a ruleserver functionality that does this for us (already documented in our documentation for the scan type). However, this rule server is currently only supported for scans of containers. All other scan types (like FS scans) cannot use the server (see this issue in the trivy repo for the current state).

@malexmave malexmave added enhancement New feature or request scanner Implement or update a security scanner labels Jan 4, 2022
@malexmave malexmave added this to To do in secureCodeBox v3 via automation Jan 4, 2022
o1oo11oo pushed a commit to o1oo11oo/secureCodeBox that referenced this issue Jun 9, 2023
This uses the trivy client/server functionality to download the
vulnerability DB only once for multiple scans to avoid GitHub's rate
limit. An additional container running trivy in server mode is started,
and all scans connect to it. This integrates the functionality
previously documented [in the SCB docs for trivy][1], now that trivy
supports remote scanning for more than just container image scans.

[1]: https://www.securecodebox.io/docs/scanners/trivy/#scanning-many-targets

Signed-off-by: Lukas Fischer <lukas.fischer@iteratec.com>
@o1oo11oo o1oo11oo self-assigned this Jun 9, 2023
@o1oo11oo o1oo11oo removed this from Backlog in secureCodeBox v3 Jun 9, 2023
o1oo11oo pushed a commit to o1oo11oo/secureCodeBox that referenced this issue Jun 14, 2023
Move comments, make replicas configurable, change PullPolicy to
IfNotPresent and remove namespace declaration.

Signed-off-by: Lukas Fischer <lukas.fischer@iteratec.com>
o1oo11oo pushed a commit to o1oo11oo/secureCodeBox that referenced this issue Jun 14, 2023
Trivy server provides a /healthz endpoint that always returns 200 (see
aquasecurity/trivy#534), and according to the logs/stdout trivy only
starts listening after downloading the database.

The helm chart provided by trivy (added in aquasecurity/trivy#751) uses
this endpoint for liveness and readiness checks as well. This change
therefore integrates the same checks.

Signed-off-by: Lukas Fischer <lukas.fischer@iteratec.com>
o1oo11oo pushed a commit to o1oo11oo/secureCodeBox that referenced this issue Jun 26, 2023
Instead of hardcoding only one replica, allow any number of replicas for
the trivy download cache to be configured by using the
trivyDatabaseCache.replicas value.

Signed-off-by: Lukas Fischer <lukas.fischer@iteratec.com>
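The setup the commits above describe (a trivy server container that downloads the vulnerability DB once, /healthz used for liveness and readiness, a configurable replica count, and scan pods that connect to it instead of GitHub), written out as an added Kubernetes example that is not the secureCodeBox chart's own manifest. The resource names, port 4954, the image tag 0.43.1 and the scanned image nginx:1.25 are assumed placeholders.

```yaml
# Added example (not the chart's manifests); names, port 4954, tag 0.43.1 and nginx:1.25 are assumed placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trivy-server
spec:
  replicas: 1   # what the chart exposes as trivyDatabaseCache.replicas
  selector:
    matchLabels: { app: trivy-server }
  template:
    metadata:
      labels: { app: trivy-server }
    spec:
      containers:
        - name: trivy
          image: aquasec/trivy:0.43.1
          imagePullPolicy: IfNotPresent
          # trivy server listens on localhost by default; bind the pod IP
          args: ["server", "--listen", "0.0.0.0:4954"]
          ports: [{ containerPort: 4954 }]
          # /healthz always answers 200 (aquasecurity/trivy#534), but the socket
          # only opens after the DB download, so the probe still gates readiness.
          readinessProbe:
            httpGet: { path: /healthz, port: 4954 }
            periodSeconds: 10
          livenessProbe:
            httpGet: { path: /healthz, port: 4954 }
            initialDelaySeconds: 60
---
apiVersion: v1
kind: Service
metadata:
  name: trivy-server
spec:
  selector: { app: trivy-server }
  ports: [{ port: 4954 }]
---
apiVersion: batch/v1
kind: Job
metadata:
  name: trivy-image-scan
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: trivy
          image: aquasec/trivy:0.43.1
          # client mode: DB comes from the server, never from GitHub; fs/repo scans take the same flag
          args: ["image", "--server", "http://trivy-server:4954", "nginx:1.25"]
```

With several replicas each server keeps its own DB copy, so the download count scales with `replicas`, not with the number of scans.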
o1oo11oo pushed a commit to o1oo11oo/secureCodeBox that referenced this issue Jun 27, 2023
Update the documentation to reflect that the trivy vulnerability DB is
now by default served by a trivy server container.

This shortens this section of the documentation quite a bit, because
most of it was example code to set up what is now integrated.