Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add auth support for downloading OCI artifacts #3915

Merged
merged 12 commits into from
Mar 30, 2023
Merged

feat: add auth support for downloading OCI artifacts #3915

merged 12 commits into from
Mar 30, 2023

Conversation

knqyf263
Copy link
Collaborator

Description

Add authentication support for downloading OCI artifacts such as Trivy DB.

$ TRIVY_USERNAME=foo TRIVY_PASSWORD=bar trivy image --db-repository ghcr.io/your/private-db --download-db-only

Trivy currently supports keychains for private OCI artifacts. It requires docker login or something similar to configure credentials for registries. This PR allows taking credentials from environmental variables, CLI flags and trivy.yaml. It was implemented for private container images so that Trivy could scan them for vulnerabilities. This PR expands it to OCI artifacts as well.

Note that Java DB is out of scope in this PR.

  • Trivy DB (default: ghcr.io/aquasecurity/trivy-db)
  • Misconfiguration policies
  • Wasm modules
  • Java DB

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@knqyf263 knqyf263 self-assigned this Mar 28, 2023
@knqyf263 knqyf263 marked this pull request as ready for review March 29, 2023 02:33
@knqyf263 knqyf263 requested a review from DmitriyLewen March 29, 2023 02:33
DmitriyLewen
DmitriyLewen reviewed Mar 29, 2023
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good work!
I added 1 comment.

Also I think we need to add information about support of private DB repositories and combination of credentials for DB and images.

pkg/commands/artifact/run.go Outdated
@@ -73,6 +73,9 @@ type ScannerConfig struct {

// Artifact options
ArtifactOption artifact.Option

// Registry options
RemoteOption ftypes.RemoteOptions
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this field is not used.
Also ArtifactOption has same field.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've removed it in this commit.
554e01c

I probably made a mistake when rebasing, and It has reappeared. Removed it again.
e2630d0

@knqyf263
Copy link
Collaborator Author

I updated the documentation. I'll restructure the entire doc shortly, though.
74a1aa4

DmitriyLewen
DmitriyLewen approved these changes Mar 30, 2023
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@knqyf263 knqyf263 merged commit f14bed4 into aquasecurity:main Mar 30, 2023
@knqyf263 knqyf263 deleted the db_auth branch March 30, 2023 02:53
@mfilotto mfilotto mentioned this pull request Mar 30, 2023
Closed
@chen-keinan
Copy link
Contributor

@knqyf263 this change is not supported for trivy server ... sub command ?

TRIVY_USERNAME=user TRIVY_PASSWORD=pass trivy server --listen 0.0.0.0:4975 --db-repository ghcr.io/private-repo/trivy-db  --download-db-only

@knqyf263
Copy link
Collaborator Author

knqyf263 commented Apr 9, 2023
edited
Loading

Right, server is not supported now.

@chen-keinan
Copy link
Contributor

chen-keinan commented Apr 9, 2023
edited
Loading

Right, server is not supported now.

Any plan to add support to server , the initial use-case in trivy-operator was for server subcommand

@knqyf263
Copy link
Collaborator Author

knqyf263 commented Apr 9, 2023

Yes, it is just adding 1 line here, like RegistryFlagGroup: flag.NewRegistryFlags(),

trivy/pkg/commands/app.go

Lines 520 to 525 in f14bed4

serverFlags := &flag.Flags{
CacheFlagGroup: flag.NewCacheFlagGroup(),
DBFlagGroup: flag.NewDBFlagGroup(),
ModuleFlagGroup: flag.NewModuleFlagGroup(),
RemoteFlagGroup: flag.NewServerFlags(),
}

But if you just want to download the database with --download-db-only, you can use other subcommands until server supports it.

TRIVY_USERNAME=user TRIVY_PASSWORD=pass trivy image --db-repository ghcr.io/private-repo/trivy-db  --download-db-only

Anyway, it is good to add registry flags to server. @chen-keinan Could you work on this change and test it with trivy-operator?

@DmitriyLewen DmitriyLewen mentioned this pull request Apr 14, 2023
Merged
7 tasks
@SaschaSchwarze0 SaschaSchwarze0 mentioned this pull request Sep 30, 2024
Closed
1 task
@SaschaSchwarze0 SaschaSchwarze0 mentioned this pull request Oct 28, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen approved these changes

@AnaisUrlichs AnaisUrlichs Awaiting requested review from AnaisUrlichs

@itaysk itaysk Awaiting requested review from itaysk

Assignees

@knqyf263 knqyf263

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

download trivy DB from private repo
3 participants
@knqyf263 @chen-keinan @DmitriyLewen