feat: Add config option to enable vex-support for trivy #34
reasonerjt merged 2 commits into goharbor:main from
Conversation
Hi @Vad1mo, would it be possible to check the PR? I'm happy to answer any questions.

@hteichmann-strato please sign off the commit.
8374434 to 3531ebc

@reasonerjt yeah, done, please check it. Sorry for the delay.
Signed-off-by: Henrik Teichmann <teichmann@strato-rz.de>
3531ebc to 6e9eb68

@Vad1mo I accidentally f'ed up the commit sign-off, but that is fixed now and DCO-Bot is happy. Please let me know if something else is missing. Thanks!
pkg/etc/config_test.go (Outdated)
| "SCANNER_TRIVY_OFFLINE_SCAN": "true", | ||
| "SCANNER_TRIVY_GITHUB_TOKEN": "<GITHUB_TOKEN>", | ||
| "SCANNER_TRIVY_TIMEOUT": "15m30s", | ||
| "SCANNER_TRIVY_VEX_SOURCE": "oci", |
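Review bot: the test case only pins SCANNER_TRIVY_VEX_SOURCE="oci"; since the description states that the accepted values are "oci" and "repo" and that the value is passed straight through to Trivy's --vex flag, a second case for "repo" and one for an unsupported value (asserting either a config error or the documented pass-through) would make the contract explicit, and the later-added skip-vex-repo-update setting deserves a case alongside it.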
nit: I checked the doc https://trivy.dev/docs/latest/supply-chain/vex/oci/#discover-vex-attestation-in-oci-registry
It seems the user should never set "--vex oci", instead, it should be "--vex oci $image".
Could you update the test case to avoid confusion?
The named argument --vex oci and the separate positional argument $image are independent and don't need to be adjacent :) so it should be all good.
…s.yaml, fix tests Signed-off-by: Henrik Teichmann <teichmann@strato-rz.de>
@reasonerjt done, skip-vex-repo-update is now exposed as well. I don't error on the combination of VEXSource=oci and SkipVEXRepoUpdate=true because trivy also silently ignores this. Happy for any feedback!
This PR introduces support for Trivy's VEX (Vulnerability Exploitability eXchange) functionality, allowing users to suppress vulnerabilities by setting the new SCANNER_TRIVY_VEX_SOURCE environment variable. This value, which can be "oci" or "repo", is passed directly to Trivy's --vex flag. To ensure a complete implementation, the Helm chart has been updated to expose this setting.
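To make the mapping from environment variables to the trivy command line concrete, here is an added standalone Go example (not code from this PR or from harbor-scanner-trivy). It assumes SCANNER_TRIVY_VEX_SOURCE as introduced by the PR, invents the name SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE for the second setting (the PR does not show the variable name), restricts the source to "oci" and "repo" before the value reaches the trivy argument vector, warns instead of erroring on the oci + skip-vex-repo-update combination as the author chose, and shows that `--vex oci` and the positional image reference are independent arguments. The image reference in `main` is a constructed sample.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// allowedVEXSources lists the keywords Trivy's --vex flag accepts besides a
// file path; the PR restricts the scanner setting to these two.
var allowedVEXSources = map[string]bool{"oci": true, "repo": true}

// VEXConfig holds the two VEX-related settings discussed in the PR.
type VEXConfig struct {
	Source            string // "" (VEX disabled), "oci" or "repo"
	SkipVEXRepoUpdate bool
}

// LoadVEXConfig reads the settings through getenv (injected so the function is
// testable without touching the real environment). SCANNER_TRIVY_VEX_SOURCE is
// the variable introduced by the PR; the name SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE
// is an assumption made for this example.
func LoadVEXConfig(getenv func(string) string) (VEXConfig, error) {
	src := strings.ToLower(strings.TrimSpace(getenv("SCANNER_TRIVY_VEX_SOURCE")))
	if src != "" && !allowedVEXSources[src] {
		// Reject anything else here rather than letting an arbitrary string
		// (for example a path) reach the trivy command line unchecked.
		return VEXConfig{}, fmt.Errorf("SCANNER_TRIVY_VEX_SOURCE: unsupported value %q (want \"oci\" or \"repo\")", src)
	}
	skip := strings.EqualFold(strings.TrimSpace(getenv("SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE")), "true")
	return VEXConfig{Source: src, SkipVEXRepoUpdate: skip}, nil
}

// Warnings reports combinations the scanner accepts but Trivy silently ignores,
// so an operator gets a log line instead of a silent no-op. This mirrors the PR
// author's decision not to error on oci + skip-vex-repo-update.
func Warnings(c VEXConfig) []string {
	var w []string
	if c.SkipVEXRepoUpdate && c.Source != "repo" {
		w = append(w, "SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE=true has no effect unless SCANNER_TRIVY_VEX_SOURCE=repo")
	}
	return w
}

// BuildTrivyArgs assembles the argument vector for `trivy image`. Named flags
// come first and the image reference is the final positional argument, which
// is why "--vex oci" never needs to sit next to the image on the command line.
func BuildTrivyArgs(c VEXConfig, imageRef string) ([]string, error) {
	if strings.TrimSpace(imageRef) == "" {
		return nil, errors.New("image reference must not be empty")
	}
	if strings.HasPrefix(imageRef, "-") {
		// A reference starting with "-" would be parsed by trivy as a flag.
		return nil, fmt.Errorf("image reference %q looks like a flag", imageRef)
	}
	args := []string{"image", "--format", "json"}
	if c.Source != "" {
		args = append(args, "--vex", c.Source)
	}
	if c.SkipVEXRepoUpdate {
		args = append(args, "--skip-vex-repo-update")
	}
	return append(args, imageRef), nil
}

func main() {
	c, err := LoadVEXConfig(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "config error:", err)
		os.Exit(2)
	}
	for _, w := range Warnings(c) {
		fmt.Fprintln(os.Stderr, "warning:", w)
	}
	// Constructed sample image reference, not taken from the PR.
	args, err := BuildTrivyArgs(c, "docker.io/library/alpine:3.20")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Println("trivy", strings.Join(args, " "))
}
```

Run it with `SCANNER_TRIVY_VEX_SOURCE=oci go run .` to see `trivy image --format json --vex oci docker.io/library/alpine:3.20`; with the variable unset, the `--vex` flag is simply absent and scanning behaves as before.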