aquasecurity / trivy Public
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
trivy does not honor --insecure for vulnerability DB download #2093
Comments
|
I am in the exact same scenario. This is from the gitlab ci job: Here is my .gitlab-ci.yml variables edit: I fixed it by wget'ing our cert to /etc/ssl/certs/ca-certificates.crt |
|
Hello @mayrstefan , @maltewhiite Trivy currently uses the --insecure flag to get an image or repository, not to load a DB. Trivy currently uses Regards, Dmitriy |
|
@DmitriyLewen - Well, the expected behavior is
Could you update the documentation, so people don't expect something that is wrong? |
|
Trivy does the same thing for pulling images. We can add custom http.Transport here to skip TLS verification for downloading the DB. |
|
I would prefer that trivy is also able to ignore the certificate when pulling the db image as it can do when pulling an image for scanning. This would make it much easier to use trivy in a container or kubernetes context where we are restricted to a whitelisted private registry. Like @maltewhiite described the setup of his gitlab environment. |
Description
We have an air gapped environment without direct internet access. All necessary container images are mirrored to or proxied through an OnPrem registry (Artifactory). This registry uses a certificate from a private PKI. The vulnerability DB cannot be downloaded from this internal registry.
What did you expect to happen?
We expected that
--insecureignores the private PKI certificate when downloading the vulnerability DB.What happened instead?
In contrast to an image scan the download of the vulnerability DB ignores the
--insecureflag:Output of
trivy -v:Additional details (base image name, container registry info...):
--insecureflag (which is not documented)--insecureflag works if we scan images from our local registry with a prepopulated cache directory and--skip-db-updateThe text was updated successfully, but these errors were encountered: