Skip to content

Commit

Permalink
feat(trivy): Configure insecure image registries (#548)
Browse files Browse the repository at this point in the history
Resolves: #545
  • Loading branch information
xyoxo authored May 9, 2021
1 parent 85af65f commit 472fd92
Show file tree
Hide file tree
Showing 5 changed files with 436 additions and 2 deletions.
1 change: 1 addition & 0 deletions docs/settings.md
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@ The following tables list available configuration settings with their default va
| `trivy.mode` | `Standalone` | Trivy client mode. Either `Standalone` or `ClientServer`. Depending on the active mode other settings might be applicable or required. |
| `trivy.serverURL` | N/A | The endpoint URL of the Trivy server. Required in `ClientServer` mode. |
| `trivy.serverTokenHeader` | `Trivy-Token` | The name of the HTTP header to send the authentication token to Trivy server. Only application in `ClientServer` mode when `trivy.serverToken` is specified. |
| `trivy.insecureRegistry.<id>` | N/A | The registry to which insecure connections are allowed. There can be multiple registries with different registry `<id>`. |
| `aqua.imageRef` | `docker.io/aquasec/scanner:5.3` | Aqua scanner image reference. The tag determines the version of the `scanner` binary executable and it must be compatible with version of Aqua console. |
| `aqua.serverURL` | N/A | The endpoint URL of Aqua management console |
| `kube-bench.imageRef` | `docker.io/aquasec/kube-bench:0.5.0` | kube-bench image reference |
Expand Down
29 changes: 29 additions & 0 deletions pkg/plugin/trivy/plugin.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import (
"github.com/aquasecurity/starboard/pkg/kube"
"github.com/aquasecurity/starboard/pkg/starboard"
"github.com/aquasecurity/starboard/pkg/vulnerabilityreport"
"github.com/google/go-containerregistry/pkg/name"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -40,6 +41,7 @@ type Config interface {
GetTrivyImageRef() (string, error)
GetTrivyMode() (starboard.TrivyMode, error)
GetTrivyServerURL() (string, error)
GetTrivyInsecureRegistries() map[string]bool
}

// NewPlugin constructs a new vulnerabilityreport.Plugin, which is using an
Expand Down Expand Up @@ -271,6 +273,11 @@ func (s *scanner) getPodSpecForStandaloneMode(spec corev1.PodSpec, credentials m
})
}

env, err = s.appendTrivyInsecureEnv(c.Image, env)
if err != nil {
return corev1.PodSpec{}, nil, err
}

containers = append(containers, corev1.Container{
Name: c.Name,
Image: trivyImageRef,
Expand Down Expand Up @@ -478,6 +485,11 @@ func (s *scanner) getPodSpecForClientServerMode(spec corev1.PodSpec, credentials
})
}

env, err = s.appendTrivyInsecureEnv(container.Image, env)
if err != nil {
return corev1.PodSpec{}, nil, err
}

containers = append(containers, corev1.Container{
Name: container.Name,
Image: trivyImageRef,
Expand Down Expand Up @@ -514,3 +526,20 @@ func (s *scanner) ParseVulnerabilityScanResult(imageRef string, logsReader io.Re
}
return result, nil
}

func (s *scanner) appendTrivyInsecureEnv(image string, env []corev1.EnvVar) ([]corev1.EnvVar, error) {
ref, err := name.ParseReference(image)
if err != nil {
return nil, err
}

insecureRegistries := s.config.GetTrivyInsecureRegistries()
if insecureRegistries[ref.Context().RegistryStr()] {
env = append(env, corev1.EnvVar{
Name: "TRIVY_INSECURE",
Value: "true",
})
}

return env, nil
}
Loading

0 comments on commit 472fd92

Please sign in to comment.