Setting up Trivy for AirGap Approach within CI/CD
I recently had some connectivity issues using the Trivy image from inside a very restrictive environment. The Trivy image would not communicate with the DB. I saw some documentation about an air-gapped exchange of the database. This article explains how to set this up and run it.
- You have an OpenShift or Kubernetes cluster with Tekton installed
- You have the privileges to run Tekton Tasks and TaskRuns
- You have access to Quay.io
Pulling Down the Trivy Database
The first step is to pull down the Trivy database. To do this I used wget instead of curl. I also used a specific image that contained the Ubuntu operating system and then installed wget on it. I make it into its own image so I can use it in the Tekton steps.
Why do we need to do this?
When the Trivy scanner first starts, it requires an initial vulnerability (CVE) database. Yes, there is a skip-update argument, but you cannot use it when the Trivy scanner starts up for the first time, because no database exists yet. So how do we get around this? By first downloading the database from GitHub within a Tekton Task step like this:
- name: get-latest-cve-findings
  image: <your-ubuntu-image-with-wget>   # placeholder: the Ubuntu + wget image built above
  script: |
    mkdir -p /tekton/home/.cache/trivy/db
    wget -O /tekton/home/.cache/trivy/db/trivy-offline.db.tgz https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz --no-check-certificate
    # extract inside the cache directory, where wget placed the archive
    tar xvf /tekton/home/.cache/trivy/db/trivy-offline.db.tgz -C /tekton/home/.cache/trivy/db
So this step uses the Ubuntu image with wget installed. It then pulls the tgz file from the GitHub repo. For my purposes I wanted to remove the TLS verification, so I added the --no-check-certificate flag.
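As an added example (not code from the original post), here is a small POSIX shell helper that does the staging part of that step in one place and checks the result, so the scan step only runs with skip-update when a complete database is actually in the cache. The function names are my own; it assumes the upstream trivy-offline.db.tgz unpacks to trivy.db and metadata.json and that metadata.json carries an "UpdatedAt" field.

```shell
#!/bin/sh
# Added example (not from the original post): stage a pre-fetched Trivy
# offline DB into the cache directory Trivy reads at startup, then verify
# the expected files exist so the scan step can safely run with skip-update.
# Assumes the upstream trivy-offline.db.tgz layout: trivy.db + metadata.json.
set -eu

# stage_trivy_db <tarball> <cache-root>
# Extracts <tarball> into <cache-root>/db and returns 0 only when both
# trivy.db and metadata.json are present and non-empty afterwards.
stage_trivy_db() {
    tarball="$1"
    db_dir="$2/db"
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    mkdir -p "$db_dir"
    # -C unpacks into the cache dir no matter what the working directory is,
    # so the step does not depend on where the tarball was downloaded.
    tar -xzf "$tarball" -C "$db_dir"
    rc=0
    for f in trivy.db metadata.json; do
        if [ ! -s "$db_dir/$f" ]; then
            echo "offline DB incomplete: $db_dir/$f missing or empty" >&2
            rc=1
        fi
    done
    return $rc
}

# trivy_db_updated_at <cache-root>
# Prints the UpdatedAt timestamp from metadata.json (assumed field name, as
# written by trivy-db) so the pipeline log records which DB snapshot was used;
# an air-gapped DB goes stale silently unless someone re-runs the fetch step.
trivy_db_updated_at() {
    sed -n 's/.*"UpdatedAt":[[:space:]]*"\([^"]*\)".*/\1/p' "$1/db/metadata.json"
}

# Usage inside the Tekton step script, after the wget shown above:
#   stage_trivy_db /tekton/home/.cache/trivy/db/trivy-offline.db.tgz /tekton/home/.cache/trivy
#   echo "scanning with Trivy DB from $(trivy_db_updated_at /tekton/home/.cache/trivy)"
#   trivy image --cache-dir /tekton/home/.cache/trivy --skip-update "$IMAGE"
```

The incomplete-archive branch matters in an air-gapped pipeline: a truncated or wrong tarball would otherwise surface only as a confusing Trivy startup error with no network fallback.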
Next, you need to make sure that it is placed in the correct cache directory, the one Trivy will actually read. In this case, the Trivy image that I am using had the cache directory for the database at: