feat(trivy): configure timeout

Resolves: #942 Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
aquasecurity · danielpacak · Feb 17, 2022 · Feb 17, 2022 · Feb 17, 2022 · 419bde0a1755dd52cc1acb619cc904156063ba77
commit 419bde0a1755dd52cc1acb619cc904156063ba77
diff --git a/deploy/helm/templates/config.yaml b/deploy/helm/templates/config.yaml
@@ -60,6 +60,9 @@ data:
   {{- if .ignoreUnfixed }}
   trivy.ignoreUnfixed: {{ .ignoreUnfixed | quote }}
   {{- end }}
+  {{- if .timeout }}
+  trivy.timeout: {{ .timeout | quote }}
+  {{- end }}
   {{- with .ignoreFile }}
   trivy.ignoreFile: |
 {{- . | trim | nindent 4 }}

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -124,6 +124,9 @@ trivy:
   #
   ignoreUnfixed: "false"
 
+  # timeout is the duration to wait for scan completion.
+  timeout: "5m0s"
+
   # ignoreFile can be used to tell Trivy to ignore vulnerabilities by ID (one per line)
   #
   # ignoreFile: |

diff --git a/deploy/static/03-starboard-operator.config.yaml b/deploy/static/03-starboard-operator.config.yaml
@@ -50,6 +50,7 @@ data:
   trivy.imageRef: "docker.io/aquasec/trivy:0.23.0"
   trivy.mode: "Standalone"
   trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+  trivy.timeout: "5m0s"
   trivy.resources.requests.cpu: 100m
   trivy.resources.requests.memory: 100M
   trivy.resources.limits.cpu: 500m

diff --git a/docs/integrations/vulnerability-scanners/trivy.md b/docs/integrations/vulnerability-scanners/trivy.md
@@ -5,17 +5,17 @@
 The default configuration settings enable Trivy `vulnerabilityReports.scanner` in [`Standalone`][trivy-standalone]
 `trivy.mode`. Even though it doesn't require any additional setup, it's the least efficient method. Each Pod created
 by a scan Job has the init container that downloads the Trivy vulnerabilities database from the GitHub releases page
-and stores it in the local file system of an [emptyDir][emptyDir-volume] volume. This volume is then shared with
-containers that perform the actual scanning. Finally, the Pod is deleted along with the emptyDir volume.
+and stores it in the local file system of the [emptyDir volume]. This volume is then shared with containers that perform
+the actual scanning. Finally, the Pod is deleted along with the emptyDir volume.
 
 ![](./../../images/design/trivy-standalone.png)
 
 The number of containers defined by a scan Job equals the number of containers defined by the scanned Kubernetes
 workload, so the cache in this mode is useful only if the workload defines multiple containers.
 
-Beyond that, frequent downloads from GitHub might lead to a [rate limiting][gh-rate-limiting] problem. The limits are
-imposed by GitHub on all anonymous requests originating from a given IP. To mitigate such problems you can add the
-`trivy.githubToken` key to the `starboard` secret.
+Beyond that, frequent downloads from GitHub might lead to a [rate limiting] problem. The limits are imposed by GitHub on
+all anonymous requests originating from a given IP. To mitigate such problems you can add the `trivy.githubToken` key to
+the `starboard` secret.
 
 ```
 GITHUB_TOKEN=<your token>
@@ -53,8 +53,8 @@ EOF
 )"
 ```
 
-The Trivy server could be your own deployment, or it could be an external service. See [Trivy documentation][trivy-clientserver]
-for more information on deploying Trivy in `ClientServer` mode.
+The Trivy server could be your own deployment, or it could be an external service. See Trivy documentation for more
+information on deploying [Trivy server][trivy-clientserver].
 
 If the server requires access token and / or custom HTTP authentication headers, you may add `trivy.serverToken`
 and `trivy.serverCustomHeaders` properties to the `starboard` secret.
@@ -89,6 +89,7 @@ EOF
 | `trivy.skipFiles`                  | N/A                                | A comma separated list of file paths for Trivy to skip traversal.                                                                                                   |
 | `trivy.skipDirs`                   | N/A                                | A comma separated list of directories for Trivy to skip traversal.                                                                                                  |
 | `trivy.ignoreFile`                 | N/A                                | It specifies the `.trivyignore` file which contains a list of vulnerability IDs to be ignored from vulnerabilities reported by Trivy.                               |
+| `trivy.timeout`                    | `5m0s`                             | The duration to wait for scan completion                                                                                                                            |
 | `trivy.serverURL`                  | N/A                                | The endpoint URL of the Trivy server. Required in `ClientServer` mode.                                                                                              |
 | `trivy.serverTokenHeader`          | `Trivy-Token`                      | The name of the HTTP header to send the authentication token to Trivy server. Only application in `ClientServer` mode when `trivy.serverToken` is specified.        |
 | `trivy.insecureRegistry.<id>`      | N/A                                | The registry to which insecure connections are allowed. There can be multiple registries with different registry `<id>`.                                            |
@@ -109,6 +110,6 @@ EOF
 | `trivy.serverCustomHeaders` | A comma separated list of custom HTTP headers sent by Trivy client to Trivy server. Only applicable in `ClientServer` mode.       |
 
 [trivy-standalone]: https://aquasecurity.github.io/trivy/latest/modes/standalone/
-[emptyDir-volume]: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
-[gh-rate-limiting]: https://docs.github.com/en/free-pro-team@latest/rest/overview/resources-in-the-rest-api#rate-limiting
-[trivy-clientserver]: https://aquasecurity.github.io/trivy/latest/modes/client-server/
+[emptyDir volume]: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
+[rate limiting]: https://docs.github.com/en/free-pro-team@latest/rest/overview/resources-in-the-rest-api#rate-limiting
+[trivy-clientserver]: https://aquasecurity.github.io/trivy/latest/advanced/modes/client-server/
diff --git a/pkg/plugin/trivy/plugin.go b/pkg/plugin/trivy/plugin.go
@@ -32,6 +32,7 @@ const (
 	keyTrivyCommand                = "trivy.command"
 	keyTrivySeverity               = "trivy.severity"
 	keyTrivyIgnoreUnfixed          = "trivy.ignoreUnfixed"
+	keyTrivyTimeout                = "trivy.timeout"
 	keyTrivyIgnoreFile             = "trivy.ignoreFile"
 	keyTrivyInsecureRegistryPrefix = "trivy.insecureRegistry."
 	keyTrivyNonSslRegistryPrefix   = "trivy.nonSslRegistry."
@@ -236,6 +237,7 @@ func (p *plugin) Init(ctx starboard.PluginContext) error {
 			keyTrivyImageRef: "docker.io/aquasec/trivy:0.23.0",
 			keyTrivySeverity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 			keyTrivyMode:     string(Standalone),
+			keyTrivyTimeout:  "5m0s",
 
 			keyResourcesRequestsCPU:    "100m",
 			keyResourcesRequestsMemory: "100M",
@@ -486,6 +488,18 @@ func (p *plugin) getPodSpecForStandaloneMode(ctx starboard.PluginContext, config
 					},
 				},
 			},
+			{
+				Name: "TRIVY_TIMEOUT",
+				ValueFrom: &corev1.EnvVarSource{
+					ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: trivyConfigName,
+						},
+						Key:      keyTrivyTimeout,
+						Optional: pointer.BoolPtr(true),
+					},
+				},
+			},
 			{
 				Name: "TRIVY_SKIP_FILES",
 				ValueFrom: &corev1.EnvVarSource{
@@ -741,6 +755,18 @@ func (p *plugin) getPodSpecForClientServerMode(ctx starboard.PluginContext, conf
 					},
 				},
 			},
+			{
+				Name: "TRIVY_TIMEOUT",
+				ValueFrom: &corev1.EnvVarSource{
+					ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: trivyConfigName,
+						},
+						Key:      keyTrivyTimeout,
+						Optional: pointer.BoolPtr(true),
+					},
+				},
+			},
 			{
 				Name: "TRIVY_SKIP_FILES",
 				ValueFrom: &corev1.EnvVarSource{

diff --git a/pkg/plugin/trivy/plugin_test.go b/pkg/plugin/trivy/plugin_test.go
@@ -473,6 +473,7 @@ func TestPlugin_Init(t *testing.T) {
 				"trivy.imageRef": "docker.io/aquasec/trivy:0.23.0",
 				"trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 				"trivy.mode":     "Standalone",
+				"trivy.timeout":  "5m0s",
 
 				"trivy.resources.requests.cpu":    "100m",
 				"trivy.resources.requests.memory": "100M",
@@ -554,6 +555,19 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 		ReadOnly:  false,
 	}
 
+	timeoutEnv := corev1.EnvVar{
+		Name: "TRIVY_TIMEOUT",
+		ValueFrom: &corev1.EnvVarSource{
+			ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: "starboard-trivy-config",
+				},
+				Key:      "trivy.timeout",
+				Optional: pointer.BoolPtr(true),
+			},
+		},
+	}
+
 	testCases := []struct {
 		name string
 
@@ -715,6 +729,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 									},
 								},
 							},
+							timeoutEnv,
 							{
 								Name: "TRIVY_SKIP_FILES",
 								ValueFrom: &corev1.EnvVarSource{
@@ -960,6 +975,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 									},
 								},
 							},
+							timeoutEnv,
 							{
 								Name: "TRIVY_SKIP_FILES",
 								ValueFrom: &corev1.EnvVarSource{
@@ -1209,6 +1225,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 									},
 								},
 							},
+							timeoutEnv,
 							{
 								Name: "TRIVY_SKIP_FILES",
 								ValueFrom: &corev1.EnvVarSource{
@@ -1478,6 +1495,7 @@ CVE-2019-1543`,
 									},
 								},
 							},
+							timeoutEnv,
 							{
 								Name: "TRIVY_SKIP_FILES",
 								ValueFrom: &corev1.EnvVarSource{
@@ -1735,6 +1753,7 @@ CVE-2019-1543`,
 									},
 								},
 							},
+							timeoutEnv,
 							{
 								Name: "TRIVY_SKIP_FILES",
 								ValueFrom: &corev1.EnvVarSource{
@@ -1934,6 +1953,7 @@ CVE-2019-1543`,
 									},
 								},
 							},
+							timeoutEnv,
 							{
 								Name: "TRIVY_SKIP_FILES",
 								ValueFrom: &corev1.EnvVarSource{
@@ -2123,6 +2143,7 @@ CVE-2019-1543`,
 									},
 								},
 							},
+							timeoutEnv,
 							{
 								Name: "TRIVY_SKIP_FILES",
 								ValueFrom: &corev1.EnvVarSource{
@@ -2316,6 +2337,7 @@ CVE-2019-1543`,
 									},
 								},
 							},
+							timeoutEnv,
 							{
 								Name: "TRIVY_SKIP_FILES",
 								ValueFrom: &corev1.EnvVarSource{
@@ -2531,6 +2553,7 @@ CVE-2019-1543`,
 									},
 								},
 							},
+							timeoutEnv,
 							{
 								Name: "TRIVY_SKIP_FILES",
 								ValueFrom: &corev1.EnvVarSource{