This repository has been archived by the owner on Sep 20, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 85
/
Copy pathvalues.yaml
188 lines (179 loc) · 7.52 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
nameOverride: ""
fullnameOverride: ""
image:
registry: docker.io
repository: aquasec/harbor-scanner-trivy
tag: 0.31.4
pullPolicy: IfNotPresent
replicaCount: 1
persistence:
enabled: true
storageClass: ""
accessMode: ReadWriteOnce
size: 5Gi
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# requests:
# cpu: 200m
# memory: 512Mi
# limits:
# cpu: 1
# memory: 1Gi
podSecurityContext:
runAsUser: 10000
runAsNonRoot: true
fsGroup: 10000
securityContext:
privileged: false
readOnlyRootFilesystem: true
scanner:
## logLevel the log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`.
## The standard logger logs entries with that level or anything above it.
logLevel: info
api:
## tlsEnabled the flag to enable or disable TLS for HTTP
tlsEnabled: false
## tlsCertificate the absolute path to the x509 certificate file
tlsCertificate: ""
## tlsKey the absolute path to the x509 private key file
tlsKey: ""
## readTimeout the maximum duration for reading the entire request, including the body
readTimeout: "15s"
## writeTimeout the maximum duration before timing out writes of the response
writeTimeout: "15s"
## idleTimeout the maximum amount of time to wait for the next request when keep-alives are enabled
idleTimeout: "60s"
trivy:
## cacheDir Trivy cache directory
cacheDir: "/home/scanner/.cache/trivy"
## reportsDir Trivy reports directory
reportsDir: "/home/scanner/.cache/reports"
## debugMode the flag to enable Trivy debug mode
debugMode: false
## vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`.
vulnType: "os,library"
## severity a comma-separated list of vulnerabilities severities to be displayed
severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
## ignoreUnfixed the flag to display only fixed vulnerabilities
ignoreUnfixed: false
## timeout the duration to wait for scan completion
timeout: 5m0s
## skipUpdate the flag to enable or disable Trivy DB downloads from GitHub
##
## You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
## If the flag is enabled you have to manually download the `trivy.db` file and mount it in the
## `/home/scanner/.cache/trivy/db/trivy.db` path (see `cacheDir`).
skipUpdate: false
## If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the
## `/home/scanner/.cache/trivy/java-db/trivy-java.db` path (see `cacheDir`).
skipJavaDBUpdate: false
# offlineScan the flag to disable external API requests to identify dependencies.
offlineScan: false
## gitHubToken the GitHub access token to download Trivy DB
##
## Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
## It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
## in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update
## timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one.
## Currently, the database is updated every 12 hours and published as a new release to GitHub.
##
## Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
## for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
## requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
## https://developer.github.com/v3/#rate-limiting
##
## You can create a GitHub token by following the instructions in
## https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
gitHubToken: ""
## insecure the flag to skip verifying registry certificate
insecure: false
# See https://github.com/aquasecurity/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy for details
ignorePolicy: ""
# ignorePolicy: |
# package trivy
#
# import data.lib.trivy
#
# default ignore = false
#
# ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"}
#
# ignore_severities := {"LOW", "MEDIUM"}
#
# nvd_v3_vector = v {
# v := input.CVSS.nvd.v3
# }
#
# ignore {
# input.PkgName == ignore_pkgs[_]
# }
#
# ignore {
# input.Severity == ignore_severities[_]
# }
#
# # Ignore a vulnerability which is not remotely exploitable
# ignore {
# cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# cvss_vector.AttackVector != "Network"
# }
#
# # Ignore a vulnerability which requires high privilege
# ignore {
# cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# cvss_vector.PrivilegesRequired == "High"
# }
#
# # Ignore a vulnerability which requires user interaction
# ignore {
# cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# cvss_vector.UserInteraction == "Required"
# }
#
# # Ignore CSRF
# ignore {
# # https://cwe.mitre.org/data/definitions/352.html
# input.CweIDs[_] == "CWE-352"
# }
store:
## redisNamespace the namespace for keys in the Redis store
redisNamespace: "harbor.scanner.trivy:store"
## redisScanJobTTL the time to live for persisting scan jobs and associated scan reports
redisScanJobTTL: "1h"
jobQueue:
## redisNamespace the namespace for keys in the scan jobs queue backed by Redis
redisNamespace: "harbor.scanner.trivy:job-queue"
## workerConcurrency The number of workers to spin-up for the scan jobs queue
workerConcurrency: 1
redis:
## poolURL the Redis server URI. The URI supports schemas to connect to a standalone Redis server,
## i.e. `redis://:password@standalone_host:port/db-number` and Redis Sentinel deployment,
## i.e. `redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number`.
poolURL: "redis://harbor-harbor-redis:6379"
## poolMaxActive the max number of connections allocated by the Redis connection pool
poolMaxActive: 5
## poolMaxIdle the max number of idle connections in the Redis connection pool
poolMaxIdle: 5
## poolIdleTimeout the duration after which idle connections to the Redis server are closed.
## If the value is zero, then idle connections are not closed.
poolIdleTimeout: 5m
## poolConnectionTimeout the timeout for connecting to the Redis server
poolConnectionTimeout: 1s
## poolReadTimeout the timeout for reading a single Redis command reply
poolReadTimeout: 1s
## poolWriteTimeout The timeout for writing a single Redis command
poolWriteTimeout: 1s
service:
## type Kubernetes service type
type: ClusterIP
## port Kubernetes service port
port: 8080
# httpProxy the URL of the HTTP proxy server
httpProxy:
# httpsProxy the URL of the HTTPS proxy server
httpsProxy:
# noProxy the URLs that the proxy settings do not apply to
noProxy: