Commit

feat(trivy): configure timeout (aquasecurity#967)
Resolves: aquasecurity#942

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
danielpacak authored Feb 17, 2022
1 parent 5c79162 commit 36be22d
Showing 6 changed files with 67 additions and 10 deletions.
3 changes: 3 additions & 0 deletions deploy/helm/templates/config.yaml
@@ -60,6 +60,9 @@ data:
{{- if .ignoreUnfixed }}
trivy.ignoreUnfixed: {{ .ignoreUnfixed | quote }}
{{- end }}
{{- if .timeout }}
trivy.timeout: {{ .timeout | quote }}
{{- end }}
{{- with .ignoreFile }}
trivy.ignoreFile: |
{{- . | trim | nindent 4 }}
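Review bot: the `{{- if .timeout }}` guard means an empty `timeout` value drops the key from the ConfigMap entirely, which is consistent with `Optional: pointer.BoolPtr(true)` on the env var and with the `5m0s` default that `Init` writes; a short comment in the template saying that the plugin default applies when the key is absent would make that behaviour visible, since the neighbouring guarded key (`ignoreUnfixed`) behaves the same way but the template does not say so.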
3 changes: 3 additions & 0 deletions deploy/helm/values.yaml
@@ -124,6 +124,9 @@ trivy:
#
ignoreUnfixed: "false"

# timeout is the duration to wait for scan completion.
timeout: "5m0s"

# ignoreFile can be used to tell Trivy to ignore vulnerabilities by ID (one per line)
#
# ignoreFile: |
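Review bot: the comment on `timeout` should state the value format: `"5m0s"` is a Go duration string, which Trivy parses, so a value such as `"5 minutes"` would pass Helm templating and only be rejected when the scan container starts. This default also duplicates `keyTrivyTimeout: "5m0s"` in `plugin.Init` and `trivy.timeout: "5m0s"` in `03-starboard-operator.config.yaml`; a comment pointing at the canonical source would help keep the three in sync.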
1 change: 1 addition & 0 deletions deploy/static/03-starboard-operator.config.yaml
@@ -50,6 +50,7 @@ data:
trivy.imageRef: "docker.io/aquasec/trivy:0.23.0"
trivy.mode: "Standalone"
trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
trivy.timeout: "5m0s"
trivy.resources.requests.cpu: 100m
trivy.resources.requests.memory: 100M
trivy.resources.limits.cpu: 500m
21 changes: 11 additions & 10 deletions docs/integrations/vulnerability-scanners/trivy.md
@@ -5,17 +5,17 @@
The default configuration settings enable Trivy `vulnerabilityReports.scanner` in [`Standalone`][trivy-standalone]
`trivy.mode`. Even though it doesn't require any additional setup, it's the least efficient method. Each Pod created
by a scan Job has the init container that downloads the Trivy vulnerabilities database from the GitHub releases page
and stores it in the local file system of an [emptyDir][emptyDir-volume] volume. This volume is then shared with
containers that perform the actual scanning. Finally, the Pod is deleted along with the emptyDir volume.
and stores it in the local file system of the [emptyDir volume]. This volume is then shared with containers that perform
the actual scanning. Finally, the Pod is deleted along with the emptyDir volume.

![](./../../images/design/trivy-standalone.png)

The number of containers defined by a scan Job equals the number of containers defined by the scanned Kubernetes
workload, so the cache in this mode is useful only if the workload defines multiple containers.

Beyond that, frequent downloads from GitHub might lead to a [rate limiting][gh-rate-limiting] problem. The limits are
imposed by GitHub on all anonymous requests originating from a given IP. To mitigate such problems you can add the
`trivy.githubToken` key to the `starboard` secret.
Beyond that, frequent downloads from GitHub might lead to a [rate limiting] problem. The limits are imposed by GitHub on
all anonymous requests originating from a given IP. To mitigate such problems you can add the `trivy.githubToken` key to
the `starboard` secret.

```
GITHUB_TOKEN=<your token>
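Review bot: the reference-link rewrite from `[emptyDir][emptyDir-volume]` to `[emptyDir volume]` and from `[rate limiting][gh-rate-limiting]` to `[rate limiting]` is unrelated to the timeout setting named in the commit subject and would be easier to review and bisect as a separate docs commit. If it stays, note that the new reference labels contain spaces, which is valid Markdown but departs from the hyphenated convention still used by `[trivy-standalone]` and `[trivy-clientserver]` in the same file.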
@@ -53,8 +53,8 @@ EOF
)"
```

The Trivy server could be your own deployment, or it could be an external service. See [Trivy documentation][trivy-clientserver]
for more information on deploying Trivy in `ClientServer` mode.
The Trivy server could be your own deployment, or it could be an external service. See Trivy documentation for more
information on deploying [Trivy server][trivy-clientserver].

If the server requires access token and / or custom HTTP authentication headers, you may add `trivy.serverToken`
and `trivy.serverCustomHeaders` properties to the `starboard` secret.
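Review bot: moving the link from "Trivy documentation" onto "Trivy server" reads fine, but while this paragraph is being touched the unchanged context line "If the server requires access token and / or custom HTTP authentication headers" is missing an article ("an access token") and could be fixed in the same hunk.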
@@ -89,6 +89,7 @@ EOF
| `trivy.skipFiles` | N/A | A comma separated list of file paths for Trivy to skip traversal. |
| `trivy.skipDirs` | N/A | A comma separated list of directories for Trivy to skip traversal. |
| `trivy.ignoreFile` | N/A | It specifies the `.trivyignore` file which contains a list of vulnerability IDs to be ignored from vulnerabilities reported by Trivy. |
| `trivy.timeout` | `5m0s` | The duration to wait for scan completion |
| `trivy.serverURL` | N/A | The endpoint URL of the Trivy server. Required in `ClientServer` mode. |
| `trivy.serverTokenHeader` | `Trivy-Token` | The name of the HTTP header to send the authentication token to Trivy server. Only application in `ClientServer` mode when `trivy.serverToken` is specified. |
| `trivy.insecureRegistry.<id>` | N/A | The registry to which insecure connections are allowed. There can be multiple registries with different registry `<id>`. |
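Review bot: the new `trivy.timeout` row is the only one in the table whose description lacks a trailing period, and it should state the value format (a Go duration string such as `5m0s` or `10m`, matching the `5m0s` default shown) so that users know what the setting accepts; the other rows with non-trivial values (`trivy.severity`, `trivy.serverTokenHeader`) document their format in the same column.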
@@ -109,6 +110,6 @@ EOF
| `trivy.serverCustomHeaders` | A comma separated list of custom HTTP headers sent by Trivy client to Trivy server. Only applicable in `ClientServer` mode. |

[trivy-standalone]: https://aquasecurity.github.io/trivy/latest/modes/standalone/
[emptyDir-volume]: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
[gh-rate-limiting]: https://docs.github.com/en/free-pro-team@latest/rest/overview/resources-in-the-rest-api#rate-limiting
[trivy-clientserver]: https://aquasecurity.github.io/trivy/latest/modes/client-server/
[emptyDir volume]: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
[rate limiting]: https://docs.github.com/en/free-pro-team@latest/rest/overview/resources-in-the-rest-api#rate-limiting
[trivy-clientserver]: https://aquasecurity.github.io/trivy/latest/advanced/modes/client-server/
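Review bot: the `[trivy-clientserver]` URL moves from `/latest/modes/client-server/` to `/latest/advanced/modes/client-server/` while `[trivy-standalone]` still points at `/latest/modes/standalone/`; if the upstream docs moved the modes section under `advanced/`, the standalone link most likely needs the same change, and in either case the commit message should mention the URL fix, since it is unrelated to the timeout setting.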
26 changes: 26 additions & 0 deletions pkg/plugin/trivy/plugin.go
@@ -32,6 +32,7 @@ const (
keyTrivyCommand = "trivy.command"
keyTrivySeverity = "trivy.severity"
keyTrivyIgnoreUnfixed = "trivy.ignoreUnfixed"
keyTrivyTimeout = "trivy.timeout"
keyTrivyIgnoreFile = "trivy.ignoreFile"
keyTrivyInsecureRegistryPrefix = "trivy.insecureRegistry."
keyTrivyNonSslRegistryPrefix = "trivy.nonSslRegistry."
@@ -236,6 +237,7 @@ func (p *plugin) Init(ctx starboard.PluginContext) error {
keyTrivyImageRef: "docker.io/aquasec/trivy:0.23.0",
keyTrivySeverity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
keyTrivyMode: string(Standalone),
keyTrivyTimeout: "5m0s",

keyResourcesRequestsCPU: "100m",
keyResourcesRequestsMemory: "100M",
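Review bot: the `5m0s` default is written to the ConfigMap as an opaque string; `Init` could run an operator-supplied override through `time.ParseDuration` so that a malformed value is reported at startup instead of surfacing only when the scan Job's container exits with an error. The same literal also appears in `values.yaml` and `03-starboard-operator.config.yaml`; a named constant in this file (for example `defaultTrivyTimeout`, a suggested name) would at least tie the Go side to one definition.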
@@ -486,6 +488,18 @@ func (p *plugin) getPodSpecForStandaloneMode(ctx starboard.PluginContext, config
},
},
},
{
Name: "TRIVY_TIMEOUT",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: trivyConfigName,
},
Key: keyTrivyTimeout,
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "TRIVY_SKIP_FILES",
ValueFrom: &corev1.EnvVarSource{
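Review bot: `TRIVY_TIMEOUT` is added to the scanning container's env only; the docs hunk in this same commit describes `Standalone` mode as running an init container that downloads the vulnerability database first, and if that init container also invokes `trivy`, it does not receive the timeout from this hunk. Worth confirming that is intended, because the download is the step the docs single out as the cost of this mode and so the one most likely to need bounding.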
@@ -741,6 +755,18 @@ func (p *plugin) getPodSpecForClientServerMode(ctx starboard.PluginContext, conf
},
},
},
{
Name: "TRIVY_TIMEOUT",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: trivyConfigName,
},
Key: keyTrivyTimeout,
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "TRIVY_SKIP_FILES",
ValueFrom: &corev1.EnvVarSource{
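Review bot: this `EnvVar` literal is identical to the one added to `getPodSpecForStandaloneMode`; the test file already factors it into a `timeoutEnv` variable, so the production code could use a small helper that takes `trivyConfigName` and the ConfigMap key and returns the `ConfigMapKeyRef`-backed `corev1.EnvVar` with `Optional: pointer.BoolPtr(true)`. That helper would also cover the neighbouring `TRIVY_SKIP_FILES` entry and the other env vars built the same way, and it removes the risk of the two mode-specific copies drifting apart.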
23 changes: 23 additions & 0 deletions pkg/plugin/trivy/plugin_test.go
@@ -473,6 +473,7 @@ func TestPlugin_Init(t *testing.T) {
"trivy.imageRef": "docker.io/aquasec/trivy:0.23.0",
"trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
"trivy.mode": "Standalone",
"trivy.timeout": "5m0s",

"trivy.resources.requests.cpu": "100m",
"trivy.resources.requests.memory": "100M",
@@ -554,6 +555,19 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
ReadOnly: false,
}

timeoutEnv := corev1.EnvVar{
Name: "TRIVY_TIMEOUT",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "starboard-trivy-config",
},
Key: "trivy.timeout",
Optional: pointer.BoolPtr(true),
},
},
}

testCases := []struct {
name string

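Review bot: `timeoutEnv` is the right way to avoid repeating the literal across cases, but every case below expects the identical `ValueFrom` block, so nothing asserts that a user-supplied `trivy.timeout` survives `Init` (the `TestPlugin_Init` hunk above only checks that the `5m0s` default is written). A case that seeds the `starboard-trivy-config` ConfigMap with a non-default value and asserts it is not overwritten would close that gap.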
@@ -715,6 +729,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
},
},
},
timeoutEnv,
{
Name: "TRIVY_SKIP_FILES",
ValueFrom: &corev1.EnvVarSource{
@@ -960,6 +975,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
},
},
},
timeoutEnv,
{
Name: "TRIVY_SKIP_FILES",
ValueFrom: &corev1.EnvVarSource{
@@ -1209,6 +1225,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
},
},
},
timeoutEnv,
{
Name: "TRIVY_SKIP_FILES",
ValueFrom: &corev1.EnvVarSource{
@@ -1478,6 +1495,7 @@ CVE-2019-1543`,
},
},
},
timeoutEnv,
{
Name: "TRIVY_SKIP_FILES",
ValueFrom: &corev1.EnvVarSource{
@@ -1735,6 +1753,7 @@ CVE-2019-1543`,
},
},
},
timeoutEnv,
{
Name: "TRIVY_SKIP_FILES",
ValueFrom: &corev1.EnvVarSource{
@@ -1934,6 +1953,7 @@ CVE-2019-1543`,
},
},
},
timeoutEnv,
{
Name: "TRIVY_SKIP_FILES",
ValueFrom: &corev1.EnvVarSource{
@@ -2123,6 +2143,7 @@ CVE-2019-1543`,
},
},
},
timeoutEnv,
{
Name: "TRIVY_SKIP_FILES",
ValueFrom: &corev1.EnvVarSource{
@@ -2316,6 +2337,7 @@ CVE-2019-1543`,
},
},
},
timeoutEnv,
{
Name: "TRIVY_SKIP_FILES",
ValueFrom: &corev1.EnvVarSource{
@@ -2531,6 +2553,7 @@ CVE-2019-1543`,
},
},
},
timeoutEnv,
{
Name: "TRIVY_SKIP_FILES",
ValueFrom: &corev1.EnvVarSource{

0 comments on commit 36be22d