91 changes: 5 additions & 86 deletions scanners/trivy/.helm-docs.gotmpl
@@ -68,95 +68,14 @@ spec:
```

### Scanning Many Targets
By default, the docker container of trivy will download new rulesets when starting the process.
By default, the docker container of trivy will download the vulnerability database when starting the process.
As this download is performed directly from GitHub, you will run into API rate limiting issues after roughly 50 requests.
Trivy [supports a client-server mode](https://aquasecurity.github.io/trivy/latest/advanced/modes/client-server/) where one process downloads a copy of the rule database and provides it to the others.
Due to [limitations in trivy](https://github.com/aquasecurity/trivy/issues/634), this mode currently only supports scanning container images.
If this fits your use case, you can deploy a rule service with the following template:
```yaml
# First declare a service that will serve requests to the rule pod
kind: Service
apiVersion: v1
metadata:
name: trivy-rules
# Update the namespace here if you are using a different one
namespace: default
labels:
app: trivy-rules
spec:
selector:
app: trivy-rules
ports:
- port: 8080
protocol: TCP
targetPort: 8080
type: ClusterIP
---
# Now declare the actual deployment of the rule server
apiVersion: apps/v1
kind: Deployment
metadata:
name: trivy-rules
# Again, update the namespace here
namespace: default
labels:
app: trivy-rules
spec:
replicas: 1
selector:
matchLabels:
app: trivy-rules
template:
metadata:
labels:
app: trivy-rules
spec:
containers:
- name: trivy-rules
# Don't forget to set this to a version matching that used in secureCodeBox
image: aquasec/trivy:0.20.2
imagePullPolicy: Always
args:
- "server"
- "--listen"
- "0.0.0.0:8080"
ports:
- containerPort: 8080
protocol: TCP
```

You can then start scans of images using the client mode. For example:
Trivy [supports a client-server mode](https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/) where one process downloads a copy of the vulnerability database and provides it to the others.

```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "test-trivy"
# Don't forget to update the namespace if necessary
namespace: default
spec:
scanType: "trivy-image"
parameters:
- "client"
# Again, add the extra parameters here (required to make the parser work)
# But don't add the --no-progress switch.
- "--format"
- "json"
- "--output"
- "/home/securecodebox/trivy-results.json"
# Specify the rule service internal DNS name here.
# (Substitute a different namespace if you changed it)
- "--remote"
- "http://trivy-rules.default.svc:8080"
# Finally, specify the image you want to scan
- "securecodebox/operator:3.0.0"
```
This mode is implemented and active by default.
A separate Deployment for the trivy server will be created during the installation and the trivy scanTypes are automatically configured to run in client mode and connect to the server.

If you want to scan anything other than docker images, you currently [cannot use the client-server mode](https://github.com/aquasecurity/trivy/issues/634) described above.
Instead, you have to [manually download the ruleset and provide it to trivy](https://aquasecurity.github.io/trivy/latest/advanced/air-gap/).
In practice, this is a difficult problem because the most natural method for providing these files in kubernetes, ConfigMaps, has a size limit of 1 MB, while the vulnerability database is over 200 MB in size (28 MB after compression).
Your best bet would thus be to serve the files from your own servers and load them into the scanner [using an initContainer](https://www.securecodebox.io/docs/api/crds/scan#initcontainers-optional), taking care to keep the databases on your server up to date.
Consult the [trivy documentation](https://aquasecurity.github.io/trivy/latest/advanced/air-gap/) for additional details on the required steps.
In case only a single scan or very few are run, and you want to avoid the small performance overhead, client/server mode can be disabled by setting `--set="trivyDatabaseCache.enabled=false"` during helm install.
{{- end }}

{{- define "extra.chartConfigurationSection" -}}
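Review bot: the rewritten section drops the caveat that client-server mode only covers container images (the issue 634 link) together with the air-gap guidance for the other scan types, but the new sentence "the trivy scanTypes are automatically configured to run in client mode and connect to the server" does not say which scanTypes that is. If the limitation still holds for the non-image scanTypes, keep one sentence naming them and pointing at the air-gap documentation, otherwise say explicitly that all trivy scanTypes now use the cache. Also, the removed Deployment pinned `image: aquasec/trivy:0.20.2`; the new template uses the chart's scanner image, so it would be worth stating that the server and the scanners always run the same trivy version.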
91 changes: 5 additions & 86 deletions scanners/trivy/README.md
@@ -85,95 +85,14 @@ spec:
```

### Scanning Many Targets
By default, the docker container of trivy will download new rulesets when starting the process.
By default, the docker container of trivy will download the vulnerability database when starting the process.
As this download is performed directly from GitHub, you will run into API rate limiting issues after roughly 50 requests.
Trivy [supports a client-server mode](https://aquasecurity.github.io/trivy/latest/advanced/modes/client-server/) where one process downloads a copy of the rule database and provides it to the others.
Due to [limitations in trivy](https://github.com/aquasecurity/trivy/issues/634), this mode currently only supports scanning container images.
If this fits your use case, you can deploy a rule service with the following template:
```yaml
# First declare a service that will serve requests to the rule pod
kind: Service
apiVersion: v1
metadata:
name: trivy-rules
# Update the namespace here if you are using a different one
namespace: default
labels:
app: trivy-rules
spec:
selector:
app: trivy-rules
ports:
- port: 8080
protocol: TCP
targetPort: 8080
type: ClusterIP
---
# Now declare the actual deployment of the rule server
apiVersion: apps/v1
kind: Deployment
metadata:
name: trivy-rules
# Again, update the namespace here
namespace: default
labels:
app: trivy-rules
spec:
replicas: 1
selector:
matchLabels:
app: trivy-rules
template:
metadata:
labels:
app: trivy-rules
spec:
containers:
- name: trivy-rules
# Don't forget to set this to a version matching that used in secureCodeBox
image: aquasec/trivy:0.20.2
imagePullPolicy: Always
args:
- "server"
- "--listen"
- "0.0.0.0:8080"
ports:
- containerPort: 8080
protocol: TCP
```

You can then start scans of images using the client mode. For example:
Trivy [supports a client-server mode](https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/) where one process downloads a copy of the vulnerability database and provides it to the others.

```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "test-trivy"
# Don't forget to update the namespace if necessary
namespace: default
spec:
scanType: "trivy-image"
parameters:
- "client"
# Again, add the extra parameters here (required to make the parser work)
# But don't add the --no-progress switch.
- "--format"
- "json"
- "--output"
- "/home/securecodebox/trivy-results.json"
# Specify the rule service internal DNS name here.
# (Substitute a different namespace if you changed it)
- "--remote"
- "http://trivy-rules.default.svc:8080"
# Finally, specify the image you want to scan
- "securecodebox/operator:3.0.0"
```
This mode is implemented and active by default.
A separate Deployment for the trivy server will be created during the installation and the trivy scanTypes are automatically configured to run in client mode and connect to the server.

If you want to scan anything other than docker images, you currently [cannot use the client-server mode](https://github.com/aquasecurity/trivy/issues/634) described above.
Instead, you have to [manually download the ruleset and provide it to trivy](https://aquasecurity.github.io/trivy/latest/advanced/air-gap/).
In practice, this is a difficult problem because the most natural method for providing these files in kubernetes, ConfigMaps, has a size limit of 1 MB, while the vulnerability database is over 200 MB in size (28 MB after compression).
Your best bet would thus be to serve the files from your own servers and load them into the scanner [using an initContainer](https://www.securecodebox.io/docs/api/crds/scan#initcontainers-optional), taking care to keep the databases on your server up to date.
Consult the [trivy documentation](https://aquasecurity.github.io/trivy/latest/advanced/air-gap/) for additional details on the required steps.
In case only a single scan or very few are run, and you want to avoid the small performance overhead, client/server mode can be disabled by setting `--set="trivyDatabaseCache.enabled=false"` during helm install.

## Requirements

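Review bot: the client-server link changes from `.../latest/advanced/modes/client-server/` to `.../latest/docs/references/modes/client-server/`; check that the new path resolves on the trivy docs site, since a `latest` link that 404s after the upstream docs move is the most common way this text rots. The disable instruction `--set="trivyDatabaseCache.enabled=false"` is fine as written, but it would help to mention that disabling it also means every scan downloads the database again and is subject to the GitHub rate limit described two paragraphs above.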
91 changes: 5 additions & 86 deletions scanners/trivy/docs/README.ArtifactHub.md
@@ -92,95 +92,14 @@ spec:
```

### Scanning Many Targets
By default, the docker container of trivy will download new rulesets when starting the process.
By default, the docker container of trivy will download the vulnerability database when starting the process.
As this download is performed directly from GitHub, you will run into API rate limiting issues after roughly 50 requests.
Trivy [supports a client-server mode](https://aquasecurity.github.io/trivy/latest/advanced/modes/client-server/) where one process downloads a copy of the rule database and provides it to the others.
Due to [limitations in trivy](https://github.com/aquasecurity/trivy/issues/634), this mode currently only supports scanning container images.
If this fits your use case, you can deploy a rule service with the following template:
```yaml
# First declare a service that will serve requests to the rule pod
kind: Service
apiVersion: v1
metadata:
name: trivy-rules
# Update the namespace here if you are using a different one
namespace: default
labels:
app: trivy-rules
spec:
selector:
app: trivy-rules
ports:
- port: 8080
protocol: TCP
targetPort: 8080
type: ClusterIP
---
# Now declare the actual deployment of the rule server
apiVersion: apps/v1
kind: Deployment
metadata:
name: trivy-rules
# Again, update the namespace here
namespace: default
labels:
app: trivy-rules
spec:
replicas: 1
selector:
matchLabels:
app: trivy-rules
template:
metadata:
labels:
app: trivy-rules
spec:
containers:
- name: trivy-rules
# Don't forget to set this to a version matching that used in secureCodeBox
image: aquasec/trivy:0.20.2
imagePullPolicy: Always
args:
- "server"
- "--listen"
- "0.0.0.0:8080"
ports:
- containerPort: 8080
protocol: TCP
```
Trivy [supports a client-server mode](https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/) where one process downloads a copy of the vulnerability database and provides it to the others.

You can then start scans of images using the client mode. For example:

```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "test-trivy"
# Don't forget to update the namespace if necessary
namespace: default
spec:
scanType: "trivy-image"
parameters:
- "client"
# Again, add the extra parameters here (required to make the parser work)
# But don't add the --no-progress switch.
- "--format"
- "json"
- "--output"
- "/home/securecodebox/trivy-results.json"
# Specify the rule service internal DNS name here.
# (Substitute a different namespace if you changed it)
- "--remote"
- "http://trivy-rules.default.svc:8080"
# Finally, specify the image you want to scan
- "securecodebox/operator:3.0.0"
```
This mode is implemented and active by default.
A separate Deployment for the trivy server will be created during the installation and the trivy scanTypes are automatically configured to run in client mode and connect to the server.

If you want to scan anything other than docker images, you currently [cannot use the client-server mode](https://github.com/aquasecurity/trivy/issues/634) described above.
Instead, you have to [manually download the ruleset and provide it to trivy](https://aquasecurity.github.io/trivy/latest/advanced/air-gap/).
In practice, this is a difficult problem because the most natural method for providing these files in kubernetes, ConfigMaps, has a size limit of 1 MB, while the vulnerability database is over 200 MB in size (28 MB after compression).
Your best bet would thus be to serve the files from your own servers and load them into the scanner [using an initContainer](https://www.securecodebox.io/docs/api/crds/scan#initcontainers-optional), taking care to keep the databases on your server up to date.
Consult the [trivy documentation](https://aquasecurity.github.io/trivy/latest/advanced/air-gap/) for additional details on the required steps.
In case only a single scan or very few are run, and you want to avoid the small performance overhead, client/server mode can be disabled by setting `--set="trivyDatabaseCache.enabled=false"` during helm install.

## Requirements

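Review bot: this hunk is the same text as the two hunks above in `.helm-docs.gotmpl` and `README.md`; if both README files are generated from the gotmpl template, confirm they were regenerated rather than edited by hand so the three copies stay identical (the wording "download the vulnerability database" versus the old "download new rulesets" now matches in all three, which is good, but any future edit to only one of them will silently diverge).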
70 changes: 70 additions & 0 deletions scanners/trivy/templates/trivy-database-cache.yaml
@@ -0,0 +1,70 @@
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0

{{ if .Values.trivyDatabaseCache.enabled }}
# We use trivy in client/server mode for central storing of the trivy vulnerability database to prevent downloading it for each scan again, enabled by default.
# First declare a service that will serve requests to the database cache pod
kind: Service
apiVersion: v1
metadata:
name: trivy-database
labels:
app: trivy-database
spec:
selector:
app: trivy-database
ports:
- port: 8080
protocol: TCP
targetPort: 8080
type: ClusterIP
---
# Now declare the actual deployment of the database cache server
apiVersion: apps/v1
kind: Deployment
metadata:
name: trivy-database
labels:
app: trivy-database
spec:
replicas: {{ .Values.trivyDatabaseCache.replicas }}
selector:
matchLabels:
app: trivy-database
template:
metadata:
labels:
app: trivy-database
spec:
containers:
- name: trivy-database
image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: IfNotPresent
args:
- "server"
- "--listen"
- "0.0.0.0:8080"
ports:
- containerPort: 8080
protocol: TCP
name: trivy-http
livenessProbe:
httpGet:
scheme: HTTP
path: /healthz
port: trivy-http
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 10
readinessProbe:
httpGet:
scheme: HTTP
path: /healthz
port: trivy-http
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
{{- end }}
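Review bot: the liveness probe (`initialDelaySeconds: 5`, `periodSeconds: 10`, `failureThreshold: 10`) gives the server roughly 105 seconds to start answering `/healthz`, but on first start the pod has to download the vulnerability database (over 200 MB, 28 MB compressed, per the docs hunk) before it serves anything; on a slow link the kubelet will restart the container in a loop and the cache never comes up. Consider a `startupProbe` with a generous `failureThreshold`, or a much larger `initialDelaySeconds` on the liveness probe. Related: the Deployment has no volume for trivy's cache directory, so every pod restart (and every replica, since `replicas` is configurable) downloads the database again, which is the behaviour this change is meant to avoid; an `emptyDir` or a PVC mounted at the cache path would keep the copy across container restarts. Finally, the pod spec sets no `resources` and no `securityContext` (runAsNonRoot, dropped capabilities); the other templates in this chart should be followed there.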