feat: Use custom Docker image for Trivy scanner (aquasecurity#173)

Resolves: aquasecurity#56
rajkrishnamurthy · Oct 5, 2020 · 27be01e · 27be01e
1 parent bf87362
commit 27be01e
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -230,6 +230,7 @@ The following table lists available configuration parameters.
 | --------------------- | ------------------------------------------------------ | ----------- |
 | `trivy.httpProxy`     | N/A                                                    | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub |
 | `trivy.severity`      | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`                     | A comma separated list of severity levels reported by Trivy |
+| `trivy.imageRef`      | `docker.io/aquasec/trivy:0.9.1`                        | Trivy image reference |
 | `polaris.config.yaml` | [Check the default value here][default-polaris-config] | Polaris configuration file |
 
 > **Note:** You can find it handy to delete a configuration key, which was not created by default by the

diff --git a/kube/init/starboard-cm.yaml b/kube/init/starboard-cm.yaml
@@ -7,6 +7,7 @@ metadata:
   namespace: starboard
 data:
   trivy.severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+  trivy.imageRef: docker.io/aquasec/trivy:0.9.1
   polaris.config.yaml: |
     checks:
       # reliability

diff --git a/pkg/find/vulnerabilities/trivy/scanner.go b/pkg/find/vulnerabilities/trivy/scanner.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/aquasecurity/starboard/pkg/docker"
 	"github.com/aquasecurity/starboard/pkg/kube/secrets"
+	"k8s.io/apimachinery/pkg/api/errors"
 
 	"github.com/aquasecurity/starboard/pkg/scanners"
 	"k8s.io/klog"
@@ -132,11 +133,15 @@ func (s *Scanner) PrepareScanJob(_ context.Context, workload kube.Object, spec c
 	imagePullSecretName := jobName
 	imagePullSecretData := make(map[string][]byte)
 	var imagePullSecret *core.Secret
+	trivyImage, err := s.getTrivyImageRef()
+	if err != nil {
+		return nil, nil, err
+	}
 
 	initContainers := []core.Container{
 		{
 			Name:                     initContainerName,
-			Image:                    trivyImageRef,
+			Image:                    trivyImage,
 			ImagePullPolicy:          core.PullIfNotPresent,
 			TerminationMessagePolicy: core.TerminationMessageFallbackToLogsOnError,
 			Env: []core.EnvVar{
@@ -237,7 +242,7 @@ func (s *Scanner) PrepareScanJob(_ context.Context, workload kube.Object, spec c
 
 		scanJobContainers[i] = core.Container{
 			Name:                     c.Name,
-			Image:                    trivyImageRef,
+			Image:                    trivyImage,
 			ImagePullPolicy:          core.PullIfNotPresent,
 			TerminationMessagePolicy: core.TerminationMessageFallbackToLogsOnError,
 			Env:                      envs,
@@ -372,3 +377,18 @@ func (s *Scanner) GetVulnerabilityReportsByScanJob(ctx context.Context, job *bat
 	}
 	return
 }
+
+func (s *Scanner) getTrivyImageRef() (string, error) {
+	cm, err := s.clientset.CoreV1().ConfigMaps(kube.NamespaceStarboard).Get(context.Background(), kube.ConfigMapStarboard, meta.GetOptions{})
+	if err != nil && errors.IsNotFound(err) {
+		return trivyImageRef, nil
+	}
+	if err != nil {
+		return "", err
+	}
+	imageRef := cm.Data["trivy.imageRef"]
+	if imageRef != "" {
+		return imageRef, nil
+	}
+	return trivyImageRef, nil
+}
diff --git a/pkg/kube/cr_manager.go b/pkg/kube/cr_manager.go
@@ -239,6 +239,7 @@ var (
 		},
 		Data: map[string]string{
 			"trivy.severity":      "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+			"trivy.imageRef":      "docker.io/aquasec/trivy:0.9.1",
 			"polaris.config.yaml": polarisConfigYAML,
 		},
 	}