trivy

package
v0.30.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 10, 2026 License: Apache-2.0 Imports: 28 Imported by: 1

Documentation

Overview

Package trivy provides primitives for working with Trivy.

Index

Constants

View Source 
const (
	GCPCR_Image_Regex  = `^(us\.|eu\.|asia\.)?gcr\.io.*|^([a-zA-Z0-9-]+)-*-*.docker\.pkg\.dev.*`
	AWSECR_Image_Regex = `^\d+\.dkr\.ecr\.(\w+-\w+-\d+)\.amazonaws\.com/`
	// SkipDirsAnnotation annotation  example: trivy-operator.aquasecurity.github.io/skip-dirs: "/tmp,/home"
	SkipDirsAnnotation = "trivy-operator.aquasecurity.github.io/skip-dirs"
	// SkipFilesAnnotation example: trivy-operator.aquasecurity.github.io/skip-files: "/src/Gemfile.lock,/examplebinary"
	SkipFilesAnnotation = "trivy-operator.aquasecurity.github.io/skip-files"
)
View Source 
const (
	DefaultImageRepository  = "mirror.gcr.io/aquasec/trivy"
	DefaultDBRepository     = "mirror.gcr.io/aquasec/trivy-db"
	DefaultJavaDBRepository = "mirror.gcr.io/aquasec/trivy-java-db"
	DefaultSeverity         = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
)
View Source 
const (
	FsSharedVolumeName          = "trivyoperator"
	SharedVolumeLocationOfTrivy = "/var/trivyoperator/trivy"
	SslCertDir                  = "/var/ssl-cert"
)
View Source 
const (
	KeyTrivySeverity = "trivy.severity"
)
View Source 
const (
	// Plugin the name of this plugin.
	Plugin = "Trivy"
)
View Source 
const (
	SupportedConfigAuditKinds = "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
)

Variables

This section is empty.

Functions

func CheckAwsEcrPrivateRegistry 

func CheckAwsEcrPrivateRegistry(imageURL string) string

func CheckGcpCrOrPrivateRegistry added in v0.19.0 

func CheckGcpCrOrPrivateRegistry(imageUrl string) bool

func ConfigWorkloadAnnotationEnvVars added in v0.14.0 

func ConfigWorkloadAnnotationEnvVars(workload client.Object, annotation, envVarName, trivyConfigName, configKey string) corev1.EnvVar

func CreateSbomDataAsSecret added in v0.17.0 

func CreateSbomDataAsSecret(bom v1alpha1.BOM, secretName string) (corev1.Secret, error)

CreateSbomDataAsSecret creates a secret with the BOM data

func CreateVolumeSbomFiles added in v0.17.0 

func CreateVolumeSbomFiles(volumeMounts *[]corev1.VolumeMount, volumes *[]corev1.Volume, secretName *string, fileName, mountPath, cname string)

CreateVolumeSbomFiles creates a volume and volume mount for the sbom data

func ExcludeImage added in v0.21.0 

func ExcludeImage(excludeImagePattern []string, imageName string) bool

ExcludeImage checks if the image should be excluded from scanning based on the excludeImagePattern (glob pattern)

func GetFSScanningArgs added in v0.18.0 

func GetFSScanningArgs(ctx trivyoperator.PluginContext, command Command, mode Mode, trivyServerURL string) []string

func GetMirroredImage 

func GetMirroredImage(image string, mirrors map[string]string) (string, error)

func GetPodSpecForClientServerFSMode added in v0.16.4 

func GetPodSpecForClientServerFSMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, _ map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

FileSystem scan option with ClientServer mode. The only difference is that instead of scanning the resource by name, We scanning the resource place on a specific file system location using the following command. 

trivy --quiet fs  --server TRIVY_SERVER  --format json --ignore-unfixed  file/system/location

func GetPodSpecForImageScan added in v0.30.0 

func GetPodSpecForImageScan(ctx trivyoperator.PluginContext,
	config Config,
	workload client.Object,
	credentials map[string]docker.Auth,
	securityContext *corev1.SecurityContext,
	p *plugin,
	clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

GetPodSpec creates a PodSpec for the Trivy image scan job.

The number of main containers correspond to the number of containers defined for the scanned workload. Each container runs the Trivy image scan command and skips the database download. 

trivy --cache-dir /tmp/trivy/.cache image --skip-update \
  --format json <container image>

In the Standalone mode there is the init container responsible for downloading the latest Trivy DB file from GitHub and storing it to the emptyDir volume shared with main containers. In other words, the init container runs the following Trivy command: 

trivy --cache-dir /tmp/trivy/.cache image --download-db-only

In the ClientServer each container runs Trivy image scan command and refers to Trivy server URL returned by Config.GetServerURL: 

	trivy image --server <server URL> \
	  --format json <container image>

 Also there is the init container responsible for downloading the latest Trivy Java DB for both modes

	trivy --cache-dir /tmp/trivy/.cache image --download-java-db-only

func GetPodSpecForStandaloneFSMode added in v0.16.4 

func GetPodSpecForStandaloneFSMode(ctx trivyoperator.PluginContext, config Config, workload client.Object, _ map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

FileSystem scan option with standalone mode. The only difference is that instead of scanning the resource by name, We are scanning the resource place on a specific file system location using the following command. 

trivy --quiet fs  --format json --ignore-unfixed  file/system/location

func GetSbomFSScanningArgs added in v0.17.0 

func GetSbomFSScanningArgs(ctx trivyoperator.PluginContext, mode Mode, trivyServerURL, sbomFile string) ([]string, []string)

func GetSbomScanCommandAndArgs added in v0.17.0 

func GetSbomScanCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, sbomFile, trivyServerURL, resultFileName string) ([]string, []string)

func MultiSecretSupport added in v0.12.0 

func MultiSecretSupport(c Config) bool

MultiSecretSupport validate if trivy multi secret support

func NewPlugin 

func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) vulnerabilityreport.Plugin

NewPlugin constructs a new vulnerabilityreport.Plugin, which is using an upstream Trivy container image to scan Kubernetes workloads.

The plugin supports Image and Filesystem commands. The Filesystem command may be used to scan workload images cached on cluster nodes by scheduling scan jobs on a particular node.

The Image command supports both Standalone and ClientServer modes depending on the settings returned by Config.GetMode. The ClientServer mode is usually more performant, however it requires a Trivy server accessible at the configurable Config.GetServerURL.

func NewTrivyConfigAuditPlugin 

func NewTrivyConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) configauditreport.PluginInMemory

NewTrivyConfigAuditPlugin constructs a new configAudit.Plugin, which is using an upstream Trivy config audit scanner lib.

func ParseImageRef added in v0.25.0 

func ParseImageRef(imageRef, imageDigest string) (v1alpha1.Registry, v1alpha1.Artifact, error)

func Scanners added in v0.12.0 

func Scanners(c Config) string

Scanners use scanners flag

func SkipDBUpdate added in v0.12.0 

func SkipDBUpdate(c Config) string

SkipDBUpdate skip update flag

func SkipJavaDBUpdate added in v0.16.0 

func SkipJavaDBUpdate(c Config) string

SkipJavaDBUpdate skip update flag

func Slow added in v0.12.0 

func Slow(c Config) string

Slow determine if to use the slow flag (improve memory footprint)

Types

type Command 

type Command string

Command to scan image or filesystem. 

const (
	Filesystem Command = "filesystem"
	Image      Command = "image"
	Rootfs     Command = "rootfs"
)

type Config 

type Config struct {
	trivyoperator.PluginConfig
}

Config defines configuration params for this plugin.

func (Config) ConfigFileExists added in v0.27.0 

func (c Config) ConfigFileExists() bool

func (Config) FindIgnorePolicyKey added in v0.10.2 

func (c Config) FindIgnorePolicyKey(workload client.Object) string

func (Config) GenerateConfigFileVolumeIfAvailable added in v0.27.0 

func (c Config) GenerateConfigFileVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateIgnoreFileVolumeIfAvailable added in v0.10.2 

func (c Config) GenerateIgnoreFileVolumeIfAvailable(trivyConfigName string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateIgnorePolicyVolumeIfAvailable added in v0.10.2 

func (c Config) GenerateIgnorePolicyVolumeIfAvailable(trivyConfigName string, workload client.Object) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateSslCertDirVolumeIfAvailable added in v0.14.0 

func (c Config) GenerateSslCertDirVolumeIfAvailable(_ string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GetAdditionalVulnerabilityReportFields added in v0.2.0 

func (c Config) GetAdditionalVulnerabilityReportFields() vulnerabilityreport.AdditionalFields

func (Config) GetClientServerSkipUpdate added in v0.16.0 

func (c Config) GetClientServerSkipUpdate() bool

func (Config) GetCommand 

func (c Config) GetCommand() Command

func (Config) GetDBRepository 

func (c Config) GetDBRepository() (string, error)

func (Config) GetDBRepositoryInsecure 

func (c Config) GetDBRepositoryInsecure() bool

func (Config) GetFilesystemScanCacheDir added in v0.17.0 

func (c Config) GetFilesystemScanCacheDir() string

func (Config) GetIgnoreFileName added in v0.30.0 

func (c Config) GetIgnoreFileName() string

GetIgnoreFileName returns the ignore file name to be mounted inside the scanner container. Defaults to the package-level default (".trivyignore") when not explicitly set.

func (Config) GetImagePullPolicy added in v0.16.2 

func (c Config) GetImagePullPolicy() string

func (Config) GetImagePullSecret added in v0.6.0 

func (c Config) GetImagePullSecret() []corev1.LocalObjectReference

func (Config) GetImageRef 

func (c Config) GetImageRef() (string, error)

GetImageRef returns upstream Trivy container image reference.

func (Config) GetImageScanCacheDir added in v0.17.0 

func (c Config) GetImageScanCacheDir() string

func (Config) GetImageTag added in v0.12.0 

func (c Config) GetImageTag() (string, error)

GetImageTag returns upstream Trivy container image tag.

func (Config) GetIncludeDevDeps added in v0.18.0 

func (c Config) GetIncludeDevDeps() bool

func (Config) GetInsecureRegistries 

func (c Config) GetInsecureRegistries() map[string]bool

func (Config) GetJavaDBRepository added in v0.24.0 

func (c Config) GetJavaDBRepository() string

func (Config) GetMirrors 

func (c Config) GetMirrors() map[string]string

func (Config) GetMode 

func (c Config) GetMode() Mode

func (Config) GetNonSSLRegistries 

func (c Config) GetNonSSLRegistries() map[string]bool

func (Config) GetResourceRequirements 

func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)

GetResourceRequirements creates ResourceRequirements from the Config.

func (Config) GetSbomSources added in v0.18.0 

func (c Config) GetSbomSources() string

func (Config) GetServerInsecure 

func (c Config) GetServerInsecure() bool

func (Config) GetServerURL 

func (c Config) GetServerURL() (string, error)

func (Config) GetSeverity added in v0.12.0 

func (c Config) GetSeverity() string

func (Config) GetSkipJavaDBUpdate added in v0.16.0 

func (c Config) GetSkipJavaDBUpdate() bool

func (Config) GetSlow added in v0.8.0 

func (c Config) GetSlow() bool

func (Config) GetSslCertDir added in v0.14.0 

func (c Config) GetSslCertDir() string

func (Config) GetSupportedConfigAuditKinds 

func (c Config) GetSupportedConfigAuditKinds() []string

func (Config) GetUseBuiltinRegoPolicies 

func (c Config) GetUseBuiltinRegoPolicies() bool

func (Config) GetUseEmbeddedRegoPolicies added in v0.21.0 

func (c Config) GetUseEmbeddedRegoPolicies() bool

func (Config) GetVulnType added in v0.14.0 

func (c Config) GetVulnType() string

func (Config) IgnoreFileExists 

func (c Config) IgnoreFileExists() bool

func (Config) IgnoreFileMountPath added in v0.30.0 

func (c Config) IgnoreFileMountPath() string

IgnoreFileMountPath returns full mount path for the ignore file.

func (Config) IgnoreUnfixed 

func (c Config) IgnoreUnfixed() bool

func (Config) OfflineScan added in v0.7.0 

func (c Config) OfflineScan() bool

func (Config) TrivyDBRepositoryCredentialsSet added in v0.18.0 

func (c Config) TrivyDBRepositoryCredentialsSet() bool

type FileSystemJobSpecMgr added in v0.16.4 

type FileSystemJobSpecMgr struct {
	// contains filtered or unexported fields
}

func (*FileSystemJobSpecMgr) GetPodSpec added in v0.16.4 

func (j *FileSystemJobSpecMgr) GetPodSpec(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

type GetPodSpecFunc added in v0.16.4 

type GetPodSpecFunc func(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

type ImageJobSpecMgr added in v0.16.4 

type ImageJobSpecMgr struct {
	// contains filtered or unexported fields
}

func (*ImageJobSpecMgr) GetPodSpec added in v0.16.4 

func (j *ImageJobSpecMgr) GetPodSpec(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)

type Mode 

type Mode string

Mode in which Trivy client operates. 

const (
	Standalone   Mode = "Standalone"
	ClientServer Mode = "ClientServer"
)

type PodSpecMgr added in v0.16.4 

type PodSpecMgr interface {
	GetPodSpec(ctx trivyoperator.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth, securityContext *corev1.SecurityContext, p *plugin, clusterSboms map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error)
}

func NewFileSystemJobSpecMgr added in v0.16.4 

func NewFileSystemJobSpecMgr() PodSpecMgr

func NewImageJobSpecMgr added in v0.16.4 

func NewImageJobSpecMgr() PodSpecMgr

func NewPodSpecMgr added in v0.16.4 

func NewPodSpecMgr(config Config) PodSpecMgr

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.