2 changes: 1 addition & 1 deletion scanners/trivy-sbom/examples/image-juice-shop/scan.yaml
Expand Up @@ -9,4 +9,4 @@ metadata:
spec:
scanType: "trivy-sbom-image"
parameters:
- "bkimminich/juice-shop:v15.0.0"
- "bkimminich/juice-shop:v17.3.0"
2 changes: 1 addition & 1 deletion scanners/trivy/examples/image-juice-shop/scan.yaml
Expand Up @@ -11,4 +11,4 @@ metadata:
spec:
scanType: "trivy-image"
parameters:
- "bkimminich/juice-shop:v10.2.0"
- "bkimminich/juice-shop:v17.3.0"
23 changes: 23 additions & 0 deletions scanners/trivy/templates/trivy-database-cache.yaml
Expand Up @@ -37,14 +37,37 @@ spec:
labels:
app: trivy-database
spec:
automountServiceAccountToken: false
{{- with .Values.trivyDatabaseCache.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: cache-dir
emptyDir:
sizeLimit: {{ .Values.trivyDatabaseCache.cacheStorageLimit }}
- name: tmp-dir
emptyDir:
sizeLimit: {{ .Values.trivyDatabaseCache.cacheStorageLimit }}
containers:
- name: trivy-database
image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
volumeMounts:
- name: cache-dir
mountPath: /.cache
- name: tmp-dir
mountPath: /tmp
imagePullPolicy: IfNotPresent
{{- with .Values.trivyDatabaseCache.securityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
resources:
{{- toYaml .Values.trivyDatabaseCache.resources | nindent 10 }}
args:
- "server"
- "--listen"
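Review bot: The cache volume is mounted at `/.cache`, but nothing in the hunk pins trivy's cache directory to that path; as far as I know trivy resolves it from `--cache-dir`/`TRIVY_CACHE_DIR` and otherwise from the process's home directory, so with `runAsUser: 10001` (likely no passwd entry) the resolved path may not be `/.cache`, and with `readOnlyRootFilesystem: true` any other location fails at startup. If the remaining `args` do not already pass it, pin it explicitly on the container, e.g. `env:` / `- name: TRIVY_CACHE_DIR` / `  value: /.cache`. Operators should also know that `cacheStorageLimit` is applied to both emptyDirs, so the pod's ephemeral usage can reach twice the configured value. The container's `args` list starts in the hunk but ends outside it, so the presence of a `--cache-dir` flag cannot be confirmed from here.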
48 changes: 48 additions & 0 deletions scanners/trivy/tests/__snapshot__/scanner_test.yaml.snap
Expand Up @@ -31,6 +31,7 @@ matches the snapshot:
labels:
app: trivy-database
spec:
automountServiceAccountToken: false
containers:
- args:
- server
Expand Down Expand Up @@ -61,8 +62,31 @@ matches the snapshot:
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
volumeMounts:
- mountPath: /.cache
name: cache-dir
- mountPath: /tmp
name: tmp-dir
imagePullSecrets:
- name: foo
securityContext:
runAsUser: 10001
volumes:
- emptyDir:
sizeLimit: 1Gi
name: cache-dir
- emptyDir:
sizeLimit: 1Gi
name: tmp-dir
3: |
apiVersion: execution.securecodebox.io/v1
kind: ParseDefinition
Expand Down Expand Up @@ -419,6 +443,7 @@ works properly in k8sScanScope=cluster:
labels:
app: trivy-database
spec:
automountServiceAccountToken: false
containers:
- args:
- server
Expand Down Expand Up @@ -449,6 +474,29 @@ works properly in k8sScanScope=cluster:
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
volumeMounts:
- mountPath: /.cache
name: cache-dir
- mountPath: /tmp
name: tmp-dir
securityContext:
runAsUser: 10001
volumes:
- emptyDir:
sizeLimit: 1Gi
name: cache-dir
- emptyDir:
sizeLimit: 1Gi
name: tmp-dir
3: |
apiVersion: execution.securecodebox.io/v1
kind: ParseDefinition
18 changes: 18 additions & 0 deletions scanners/trivy/values.yaml
Expand Up @@ -117,6 +117,24 @@ trivyDatabaseCache:
enabled: true
# -- amount of replicas to configure for the Deployment
replicas: 1
# -- Optional resource limits/requests for the trivy database cache container
resources: {}
# -- Optional securityContext set on database cache pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
podSecurityContext:
runAsUser: 10001

# -- storage limit for the trivy db cache emptyDir volumes. (applied to two volumes)
cacheStorageLimit: 1Gi

# -- Optional securityContext set on database cache container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
capabilities:
drop:
- ALL

cascadingRules:
# cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner
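Review bot: The new default container `securityContext` stops one field short of the Pod Security Standards "restricted" profile: it sets `runAsNonRoot`, `allowPrivilegeEscalation: false` and drops ALL capabilities but omits `seccompProfile`, so a namespace labelled `pod-security.kubernetes.io/enforce: restricted` will still reject the database-cache Deployment. Add `seccompProfile:` / `  type: RuntimeDefault` under `securityContext` (it is equally valid under `podSecurityContext`). Since these are chart defaults that users are unlikely to revisit, it is also worth stating in the `podSecurityContext` comment that `runAsUser: 10001` is what satisfies `runAsNonRoot: true` on images whose USER is numeric-less, e.g. `# -- ... runAsUser is required for runAsNonRoot to be enforceable when the image does not declare a numeric USER`.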