1 change: 1 addition & 0 deletions README.md
Expand Up @@ -314,6 +314,7 @@ The following table lists the configurable parameters of the Harbor chart and th
| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` |
| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` |
| `trivy.ignorePolicy` | The OPA Rego script to filter vulnerabilities. Refer to the [guide](https://trivy.dev/latest/docs/configuration/filtering/#by-rego) for more details. | `""` |
| `trivy.insecure` | The flag to skip verifying registry certificate | `false` |
| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` |
| `trivy.skipJavaDBUpdate` | If the flag is enabled you have to manually download the `trivy-java.db` file [Trivy Java DB][trivy-java-db] and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path | `false` |
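--- /dev/null
+++ b/templates/trivy/trivy-cm.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.trivy.enabled .Values.trivy.ignorePolicy }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "harbor.trivy" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+data:
+  policy.rego: |
+{{ .Values.trivy.ignorePolicy | indent 4 }}
+{{- end }}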
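Review bot: The contents of this ConfigMap decide which vulnerabilities the scanner drops, so write access to it is effectively the ability to suppress findings, yet the template carries no hint of that; the GitHub token is kept in a Secret while the suppression rules live in a ConfigMap, which is commonly more widely writable. A leading template comment such as `{{- /* Trivy ignore policy: anyone who can edit this ConfigMap can hide scan findings; restrict ConfigMap write access accordingly. */ -}}` would make the sensitivity explicit to operators. Separately, `indent 4` prefixes every line of the value including a trailing empty line, so a policy ending in a newline renders a final line of four spaces inside the block scalar; harmless for Rego but worth knowing when comparing rendered output in tests. Whether the scanner adapter reloads `policy.rego` between scans is not visible from this template.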
15 changes: 14 additions & 1 deletion templates/trivy/trivy-sts.yaml
Expand Up @@ -94,6 +94,10 @@ spec:
secretKeyRef:
name: {{ template "harbor.trivy" . }}
key: gitHubToken
{{- if .Values.trivy.ignorePolicy }}
- name: "SCANNER_TRIVY_IGNORE_POLICY"
value: "/home/scanner/opa/policy.rego"
{{- end }}
- name: "SCANNER_TRIVY_SEVERITY"
value: {{ .Values.trivy.severity | quote }}
- name: "SCANNER_TRIVY_IGNORE_UNFIXED"
Expand Down Expand Up @@ -152,6 +156,10 @@ spec:
- name: trivy-internal-certs
mountPath: /etc/harbor/ssl/trivy
{{- end }}
{{- if .Values.trivy.ignorePolicy }}
- name: trivy-ignore-policy
mountPath: /home/scanner/opa
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 10 }}
{{- end }}
Expand All @@ -175,7 +183,7 @@ spec:
failureThreshold: 3
resources:
{{ toYaml .Values.trivy.resources | indent 12 }}
{{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }}
{{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) .Values.trivy.ignorePolicy }}
volumes:
{{- if .Values.internalTLS.enabled }}
- name: trivy-internal-certs
Expand All @@ -193,6 +201,11 @@ spec:
persistentVolumeClaim:
claimName: {{ $trivy.existingClaim }}
{{- end }}
{{- if .Values.trivy.ignorePolicy }}
- name: trivy-ignore-policy
configMap:
name: {{ template "harbor.trivy" . }}
{{- end }}
{{- end }}
{{- with .Values.trivy.nodeSelector }}
nodeSelector:
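Review bot: A `helm upgrade` that only changes `trivy.ignorePolicy` rewrites the ConfigMap but nothing in the pod template is derived from the policy, so the StatefulSet does not roll; the pod `metadata` block where such a hash would live is outside these hunks. The mounted ConfigMap is eventually refreshed by the kubelet, but whether the scanner adapter re-reads `/home/scanner/opa/policy.rego` per scan or only at startup is not visible here; if it is the latter, stale suppression rules keep applying until a restart. Adding `checksum/ignore-policy: {{ .Values.trivy.ignorePolicy | sha256sum }}` under the pod template annotations, gated on the same `{{- if .Values.trivy.ignorePolicy }}`, forces the rollout. The directory `/home/scanner/opa` is also spelled once in the env value and once in the mount path; a single `{{- $policyDir := "/home/scanner/opa" }}` near the top of the template would keep the two from drifting.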
28 changes: 27 additions & 1 deletion test/unittest/trivy/trivy_statefulset_test.yaml
Expand Up @@ -113,4 +113,30 @@ tests:
value: "mirror.gcr.io/aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db"
- equal:
path: spec.template.spec.containers[0].env[15].name
value: "SCANNER_TRIVY_JAVA_DB_REPOSITORY"
value: "SCANNER_TRIVY_JAVA_DB_REPOSITORY"

- it: TrivyIgnorePolicy
set:
trivy:
enabled: true
ignorePolicy: "OPA Rego script placeholder"
template: templates/trivy/trivy-sts.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].env[10].name
value: "SCANNER_TRIVY_IGNORE_POLICY"
- equal:
path: spec.template.spec.containers[0].env[10].value
value: "/home/scanner/opa/policy.rego"
- equal:
path: spec.template.spec.containers[0].volumeMounts[1].name
value: "trivy-ignore-policy"
- lengthEqual:
path: spec.template.spec.containers[0].volumeMounts
count: 2
- equal:
path: spec.template.spec.volumes[0].name
value: "trivy-ignore-policy"
- lengthEqual:
path: spec.template.spec.volumes
count: 1
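Review bot: Nothing here renders `templates/trivy/trivy-cm.yaml`, and the single-line placeholder `"OPA Rego script placeholder"` never exercises the fragile part of that template, the `indent 4` applied to a multi-line Rego body under `policy.rego: |`. The new test only proves the StatefulSet wiring (env var, mount, volume), so a broken ConfigMap body would ship unnoticed until Trivy fails to parse the policy at scan time. A second case targeting the ConfigMap with a multi-line policy and a `matchRegex` on `data["policy.rego"]` closes that gap; the suite-level `templates:` list at the top of this file is outside the hunk and may need the new path added. The `package trivy` line below follows the linked Trivy filtering guide; confirm against the current docs.

```yaml
- it: TrivyIgnorePolicyConfigMap
  set:
    trivy:
      enabled: true
      ignorePolicy: |
        package trivy
        ignore {
          input.VulnerabilityID == "CVE-0000-0000"
        }
  template: templates/trivy/trivy-cm.yaml
  asserts:
    - isKind:
        of: ConfigMap
    - matchRegex:
        path: data["policy.rego"]
        pattern: "^package trivy\n"
    - matchRegex:
        path: data["policy.rego"]
        pattern: "CVE-0000-0000"
```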
3 changes: 3 additions & 0 deletions values.yaml
Expand Up @@ -859,6 +859,9 @@ trivy:
severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
# ignoreUnfixed the flag to display only fixed vulnerabilities
ignoreUnfixed: false
# ignorePolicy the OPA Rego script to filter vulnerabilities
# See https://trivy.dev/latest/docs/configuration/filtering/#by-rego for more details
ignorePolicy: ""
# insecure the flag to skip verifying registry certificate
insecure: false
# gitHubToken the GitHub access token to download Trivy DB
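Review bot: The comment on `ignorePolicy` does not say what kind of value is expected, and the adjacent Trivy settings are flags or lists, so a reader may assume a file path; the template in this PR treats it as the Rego source itself and renders it into a ConfigMap mounted into the scanner. It also does not say how to disable the feature or that the rules suppress findings. Suggested replacement for the two comment lines: `# ignorePolicy the OPA Rego source (not a file path) used by Trivy to filter out vulnerabilities.` / `# When non-empty it is rendered into a ConfigMap mounted into the scanner pod; leave empty to disable.` / `# See https://trivy.dev/latest/docs/configuration/filtering/#by-rego for the expected package and rule shape`. Since the value is multi-line Rego, an inline example using a `|` block scalar would help operators more than the empty-string default alone.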