Help pulling trivy-db and java-db from private registry #2344
-
Hi, I also spent several hours finding a solution for how to pull trivy-db and java-db. trivy-db from a private repository works great, but as I checked, pulling java-db is impossible for now. I hope they will add this functionality asap.
-
I would appreciate this feature as well, as I have the exact same problem. I looked at the scan job and it seems that the init container that downloads the normal db has the following:

```yaml
initContainers:
  - args:
      - --cache-dir
      - /tmp/trivy/.cache
      - image
      - --download-db-only
      - --db-repository
      - artifactory.devops.telekom.de/ghcr.io.docker/aquasecurity/trivy-db
    command:
      - trivy
    ....
      - name: TRIVY_USERNAME
        valueFrom:
          secretKeyRef:
            key: trivy.dbRepositoryUsername
            name: trivy-operator-trivy-config
            optional: true
      - name: TRIVY_PASSWORD
        valueFrom:
          secretKeyRef:
            key: trivy.dbRepositoryPassword
            name: trivy-operator-trivy-config
            optional: true
```

Yet the main container does not. I was also wondering whether there is the possibility to use different credentials for downloading the
-
FYI: A possible workaround I use now is to have an independent cronjob which pulls the
-
I checked the trivy code and found where the error is generated: https://github.com/aquasecurity/trivy/blob/51f2123c5ccc4f7a37d1068830b6670b4ccf9ac8/pkg/javadb/client.go#L101. What is interesting is that the mechanism for downloading trivy-db and java-db is the same; the only difference is in the error message 😄. So I started digging deeper. As @tom1299 said, trivy uses the TRIVY_USERNAME and TRIVY_PASSWORD env vars for authentication. Those credentials work for both trivy-db and java-db.

Tests: I decided to perform some tests.
and then I ran my scan:

```
trivy image nginx:1.14.2 --db-repository registry.gitlab.com/myrepo:tag
```

Everything was working fine; I got the scan result and trivy downloaded trivy-db and java-db from my private GitLab registry.

Conclusion: Trivy itself works fine, so the problem lies with the trivy-operator and how authentication is managed. It is thought that somehow, after downloading the trivy-db database, the trivy operator loses the credentials to the registry. tbh after a couple of hours I don't have any idea why this is not working, the code looks fine.... maybe someone will find my findings useful.
-
FYI: I made a PR which simply adds a dedicated second init container to download the java db if required. That seemed to fit better with the overall concept of the scan jobs design.
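For readers who want to see what "a dedicated second init container" looks like end to end, here is a sketch of a scan Job that pre-downloads both trivy-db and java-db from a private registry with the same TRIVY_USERNAME/TRIVY_PASSWORD credentials the thread above relies on, so that the scanning container itself never has to reach the registry. This is an added illustration, not the trivy-operator's generated manifest and not the contents of the PR mentioned above. The registry host `registry.example.internal`, the Secret `trivy-db-creds` and its keys, and the pinned Trivy image tag are placeholders; the `--download-java-db-only`, `--java-db-repository`, `--skip-db-update` and `--skip-java-db-update` flags are Trivy CLI flags in recent releases, so check them against your version with `trivy image --help`.

```yaml
# Added example (not trivy-operator's own manifest): a scan Job whose two init
# containers fetch trivy-db and java-db from a private registry into a shared
# cache, so the scan container runs fully offline against that cache.
# Placeholders: registry.example.internal, Secret trivy-db-creds, image tag.
apiVersion: batch/v1
kind: Job
metadata:
  name: scan-nginx-private-db
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      volumes:
        - name: trivy-cache
          emptyDir: {}
      initContainers:
        # 1) Vulnerability DB: same shape as the operator's existing init container.
        - name: download-trivy-db
          image: ghcr.io/aquasecurity/trivy:0.50.1   # placeholder: pin to the version you run
          command: ["trivy"]
          args:
            - --cache-dir
            - /tmp/trivy/.cache
            - image
            - --download-db-only
            - --db-repository
            - registry.example.internal/aquasecurity/trivy-db
          # Credentials are read from the same env vars by both init containers;
          # the YAML anchor just avoids repeating the block.
          env: &db-creds
            - name: TRIVY_USERNAME
              valueFrom:
                secretKeyRef:
                  name: trivy-db-creds
                  key: username
            - name: TRIVY_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: trivy-db-creds
                  key: password
          volumeMounts:
            - name: trivy-cache
              mountPath: /tmp/trivy/.cache
        # 2) Java DB: the download the operator did not perform at the time of
        #    this thread, done here with the same credentials.
        - name: download-java-db
          image: ghcr.io/aquasecurity/trivy:0.50.1
          command: ["trivy"]
          args:
            - --cache-dir
            - /tmp/trivy/.cache
            - image
            - --download-java-db-only
            - --java-db-repository
            - registry.example.internal/aquasecurity/trivy-java-db
          env: *db-creds
          volumeMounts:
            - name: trivy-cache
              mountPath: /tmp/trivy/.cache
      containers:
        # The scan itself: no registry credentials, and both DB updates are
        # skipped so a missing java-db would fail loudly instead of trying
        # (and failing) to fetch it without credentials.
        - name: scan
          image: ghcr.io/aquasecurity/trivy:0.50.1
          command: ["trivy"]
          args:
            - --cache-dir
            - /tmp/trivy/.cache
            - image
            - --skip-db-update
            - --skip-java-db-update
            - --format
            - json
            - nginx:1.14.2
          volumeMounts:
            - name: trivy-cache
              mountPath: /tmp/trivy/.cache
```

The design point is that credentials for the DB registry live only in the two init containers and the scan container is given no way to contact the registry at all; if the Java DB download is ever skipped or fails, `--skip-java-db-update` makes the scan surface that as a missing-database error rather than silently retrying the download without credentials, which is the failure mode the thread describes.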
-
We are trying to pull the trivy-db and java-db from a private registry. To note, we are running in `ClientServer` mode. We already allowed Trivy Operator to access private registries via the Helm chart value `privateRegistryScanSecretsNames`. However, when setting `dbRegistry` and `javaDbRegistry` we tried setting the `dbRepositoryUsername` and `dbRepositoryPassword` via an External Secret, but we get errors in both trivy-operator and trivy-server saying that the databases cannot be downloaded (we also set `trivy.existingSecret` to false). We also tried setting the `TRIVY_USERNAME` and `TRIVY_PASSWORD` values directly via an External Secret; trivy-server was able to pull the trivy-db (but the trivy-client was not able to pull the java-db).