This project aims to solve an issue while using trivy at scale. In an environment where you need to scan hundreds or even thousands of container images with trivy, you can hit a GitHub limit while downloading the vulnerability database.
This project was inspired by the arminc/clair-db container image,
and github.com/arminc/clair-local-scan project witch speeds up
clair vulnerability scans.
We build and publish a new container image every day following
trivy documentation to download and use the vulnerability database just once.
The process was designed to be used in the air-gapped environment. Still, it fits perfectly while running this software on CI
systems like drone, gitlab, github-actions, circle-ci, or travis.
We publish two different tags every day:
- quay.io/sighup/trivy-offline:
latest: It is overridden every day. If you choose this tag, be sure to pull the image before running your scan. - quay.io/sighup/trivy-offline:
YYYY-MM-DD: It is just one every day. We recommend you to use this tag. It is published at 01:00 UTC Time.
# Don't forget to pull before running
$ docker pull quay.io/sighup/trivy-offline
$ docker run --rm quay.io/sighup/trivy-offline [YOUR_IMAGE_NAME]
# or
$ docker run --rm quay.io/sighup/trivy-offline:$(date +%Y-%m-%d) [YOUR_IMAGE_NAME]If you would like to scan the image on your host machine, you need to mount docker.sock.
# Don't forget to pull before run
$ docker pull quay.io/sighup/trivy-offline
$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
quay.io/sighup/trivy-offline python:3.4-alpine
# or
$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
quay.io/sighup/trivy-offline:$(date +%Y-%m-%d) python:3.4-alpine
Please re-pull latest quay.io/sighup/trivy-offline if an error occurred.
You can scan your container images (or anyone public available) on drone ci. See an example below:
---
kind: pipeline
name: example
steps:
- name: scan
image: quay.io/sighup/trivy-offline:latest
pull: always
commands:
- trivy image --skip-update python:3.4-alpineYou can include gitlab.yml in your .gitlab-ci.yml.
Here trivy is defined as a hidden job so it can be extended in any job in any stage any number of times in the same pipeline.
You can scan your own public/private container images (or anyone public available) on gitlab ci.
By default CI_REGISTRY, CI_REGISTRY_USER & CI_REGISTRY_PASSWORD are used to fetch private docker image if TRIVY_AUTH_URL, TRIVY_USERNAME & TRIVY_PASSWORD variables are not defined.
In this example, by default trivy will scan the docker image (${CI_REGISTRY_IMAGE}/${CI_COMMIT_REF_NAME}) in the container registry of the repo for the branch pipeline is running for,
include:
- remote: 'https://raw.githubusercontent.com/sighupio/trivy-offline/main/gitlab.yml'
trivy:
extends: .trivy
stage: scanAnd, in this example we are passing the docker image manually.
trivy:
extends: .trivy
stage: scan
script:
- |
# node:alpine...
trivy image --skip-update node:alpineYou can scan your container images (or anyone public available) on circle ci. See an example below:
test:
docker:
- image: quay.io/sighup/trivy-offline:latest
steps:
- run:
name: Run Aquasec trivy scanner
command: trivy image --exit-code 0 --format json --output trivy-container-scanning-report.json --no-progress --skip-update python:3.4-alpine
- store_artifacts:
path: trivy-container-scanning-report.json
destination: trivy-container-scanning-report