# Enable Image Security Scanning in Offline Environment

Trivy uses the `admin` account to pull the images it scans. Before enabling it, confirm that you can run `docker login` against the registry with the `admin` account.
## Download Offline Image Package

There are two versions of trivy, and currently both require the version 2 database. Version 2 is no longer available for download from the https://github.com/aquasecurity/trivy-db project; instead, download the offline `trivy-db` package directly, which is distributed as an `oci` artifact.
Use the `oras` tool to download it. First, install `oras`. Note that the following commands are for the `linux` platform:

```
$ export VERSION="1.0.0"
$ curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
$ mkdir -p oras-install/
$ tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
$ sudo mv oras-install/oras /usr/local/bin/
$ rm -rf oras_${VERSION}_*.tar.gz oras-install/
```
Next, use `oras` to download `trivy-db`:

```
$ oras pull ghcr.io/aquasecurity/trivy-db:2
db.tar.gz
$ tar -zxf db.tar.gz
# After extraction, you will have two files
db/metadata.json
db/trivy.db
```
## Enable Offline Scan in Managed Harbor

### Modify trivy with command

Run the following command to edit the HarborCluster YAML in the Kubernetes cluster where Harbor is hosted:

```
$ kubectl -n {namespace} edit harborclusters.goharbor.io {harbor-name}
# Modify trivy offlineScan and skipUpdate to true
trivy:
  offlineScan: true
  skipUpdate: true
```
### Modify CRD YAML on UI

- Click Clusters, select a cluster and click CRDs.
- Select the resource `harborcluster`.
- Enter the namespace where the managed Harbor is located.
- Select YAML.
- Choose the version `v1beta1`.
- Edit the YAML: set `trivy.offlineScan` and `trivy.skipUpdate` to `true`, the same change made with `kubectl edit` above.
## Upload trivy.db and metadata.json Files

### Create the corresponding directory /home/scanner/.cache/trivy/db in the trivy pod

- Go to Clusters and click the proper cluster name.
- Enter the namespace where Harbor is hosted.
- Locate the `trivy` workload.
- Click Console to enter the container (if there are multiple replicas, do this for each replica).
- Once inside the container, execute `cd /home/scanner/.cache/trivy`.
- Run `mkdir db` to create the directory.
### After creating the directory, upload the offline package

- Go to Clusters and click the proper cluster name.
- Enter the namespace where Harbor is hosted.
- Locate the `trivy` workload.
- Click Upload File.
- In the popup window, enter the upload path as `/home/scanner/.cache/trivy/db` and click OK.
- You will be taken to the file selection page. Upload the `trivy.db` and `metadata.json` files respectively.
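Because `skipUpdate: true` stops the scanner from refreshing its own database, the following added script (an example written for this page, not Harbor or trivy project code) checks the extracted bundle's schema version and `NextUpdate` timestamp before copying it into every trivy replica with kubectl, as an alternative to the UI upload above. `NAMESPACE`, `POD_SELECTOR` and `CONTAINER` are assumed placeholders for your cluster, and `metadata.json` is assumed to carry the `Version` and `NextUpdate` fields trivy-db writes.

```shell
#!/usr/bin/env bash
# Added example, not part of the Harbor/trivy docs: validate the extracted
# offline trivy-db bundle, then stage it into every trivy replica.
# Assumptions: DB_DIR is the db/ directory from "tar -zxf db.tar.gz";
# NAMESPACE, POD_SELECTOR and CONTAINER are placeholders for your cluster.
set -eu

# Read one top-level field ("Version", "NextUpdate", ...) from metadata.json
# without jq; trivy-db writes it as a single JSON object.
meta_field() {                        # $1=metadata.json  $2=field name
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\).*/\1/p" "$1"
}

# Succeed only when both files exist and the bundle reports schema version 2,
# the version the page says Harbor's trivy requires.
check_bundle() {                      # $1=db directory
  [ -s "$1/trivy.db" ] && [ -s "$1/metadata.json" ] || return 1
  [ "$(meta_field "$1/metadata.json" Version)" = "2" ]
}

# Succeed while NextUpdate is still in the future. With skipUpdate the pod
# never refreshes the DB itself, so a failure here means: download a new one.
db_is_current() {                     # $1=metadata.json  $2=now (optional, UTC)
  next=$(meta_field "$1" NextUpdate)
  now=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
  [ -n "$next" ] || return 1
  # Both are zero-padded ISO-8601 UTC strings, so text order equals time order.
  expr "$now" \< "$next" > /dev/null
}

# Copy both files into /home/scanner/.cache/trivy/db of every trivy replica,
# the same path the UI upload uses, creating the directory first.
stage_into_pods() {                   # $1=db directory
  for pod in $(kubectl -n "$NAMESPACE" get pods -l "$POD_SELECTOR" -o name); do
    pod=${pod#pod/}
    kubectl -n "$NAMESPACE" exec "$pod" -c "$CONTAINER" -- mkdir -p /home/scanner/.cache/trivy/db
    for f in trivy.db metadata.json; do
      kubectl -n "$NAMESPACE" cp "$1/$f" "$pod:/home/scanner/.cache/trivy/db/$f" -c "$CONTAINER"
    done
  done
}

# Usage: DB_DIR=db NAMESPACE=... POD_SELECTOR=... CONTAINER=... ./stage-db.sh --stage
if [ "${1:-}" = "--stage" ]; then
  check_bundle "${DB_DIR:-db}" || { echo "bundle check failed" >&2; exit 1; }
  db_is_current "${DB_DIR:-db}/metadata.json" \
    || echo "warning: NextUpdate has passed, fetch a fresher bundle" >&2
  stage_into_pods "${DB_DIR:-db}"
fi
```

Re-run the download and staging steps whenever the warning fires; the scan results are only as current as the last bundle uploaded.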