feat: certificate authority scan-job support (#1212)
* feat: certificate authority scan-job support

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: certificate authority scan-job support

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: certificate authority scan-job support

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: certificate authority scan-job support

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: certificate authority scan-job support

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: certificate authority scan-job support

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
chen-keinan authored May 12, 2023
1 parent e5ba124 commit 4e63f0c
Showing 5 changed files with 92 additions and 15 deletions.
16 changes: 8 additions & 8 deletions deploy/helm/README.md
Expand Up @@ -125,14 +125,14 @@ The values of the `OPERATOR_NAMESPACE` and `OPERATOR_TARGET_NAMESPACES` determin
| `trivy.ignoreUnfixed` | N/A | Whether to show only fixed vulnerabilities in vulnerabilities reported by Trivy. Set to `"true"` to enable it. |
| `trivy.offlineScan` | N/A | Whether to enable the offline scan mode of Trivy preventing outgoing calls, e.g. to <search.maven.org> for additional vulnerability information. Set to `"true"` to enable it. |
| `trivy.skipFiles` | N/A | A comma separated list of file paths for Trivy to skip traversal. |
| `trivy.skipDirs` | N/A | A comma separated list of directories for Trivy to skip traversal. |

| `trivy.vulnType` | ``| this flag can be used to tell Trivy to filter vulnerabilities by a pkg-type (library, os) |
| `trivy.skipDirs` | N/A | A comma separated list of directories for Trivy to skip traversal. |
| `trivy.ignoreFile` | N/A | It specifies the `.trivyignore` file which contains a list of vulnerability IDs to be ignored from vulnerabilities reported by Trivy. |
| `trivy.vulnType` | `` | this flag can be used to tell Trivy to filter vulnerabilities by a pkg-type (library, os) |
| `trivy.ignorePolicy` | N/A | It specifies a fallback [policy](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/examples/filter/#by-open-policy-agent) file which allows to customize which vulnerabilities are reported by Trivy. |
| `trivy.ignorePolicy.{ns}` | N/A | It specifies a namespace specific [policy](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/examples/filter/#by-open-policy-agent) file which allows to customize which vulnerabilities are reported by Trivy. |
| `trivy.ignorePolicy.{ns}.{wl}` | N/A | It specifies a namespace/workload specific [policy](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/examples/filter/#by-open-policy-agent) file which allows to customize which vulnerabilities are reported by Trivy. |
| `trivy.timeout` | `5m0s` | The duration to wait for scan completion |
| `trivy.sslCertDir` | N/A | sslCertDir can be used to override the system default locations for SSL certificate files directory , example: /ssl/certs |
| `trivy.serverURL` | N/A | The endpoint URL of the Trivy server. Required in `ClientServer` mode. |
| `trivy.serverTokenHeader` | `Trivy-Token` | The name of the HTTP header to send the authentication token to Trivy server. Only application in `ClientServer` mode when `trivy.serverToken` is specified. |
| `trivy.serverInsecure` | N/A | The Flag to enable insecure connection to the Trivy server. |
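Review bot: the new `trivy.sslCertDir` row has a stray space before the comma ("directory , example") and, unlike the neighbouring rows, does not say what the directory is for; since this commit is about certificate-authority support for scan jobs, the description should state that the directory holds the CA certificates the Trivy scan job should trust, for instance: | `trivy.sslCertDir` | N/A | Overrides the system default SSL certificate directory used by Trivy scan jobs (e.g. to trust a private CA), example: `/ssl/certs` |. The removal of the duplicated `trivy.skipDirs` row and the move of `trivy.vulnType` below `trivy.ignoreFile` are unrelated table cleanup mixed into a feature change; either split them out or mention them in the commit message so the history explains them.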
Expand All @@ -144,13 +144,13 @@ The values of the `OPERATOR_NAMESPACE` and `OPERATOR_TARGET_NAMESPACES` determin
| `trivy.noProxy` | N/A | A comma separated list of IPs and domain names that are not subject to proxy settings. |
| `trivy.resources.requests.cpu` | `100m` | The minimum amount of CPU required to run Trivy scanner pod. |
| `trivy.resources.requests.memory` | `100M` | The minimum amount of memory required to run Trivy scanner pod. |
| `trivy.resources.requests.ephemeral-storage` | `` | The minimum amount of ephemeral-storage required to run Trivy scanner pod. |
| `trivy.resources.requests.ephemeral-storage` |`` | The minimum amount of ephemeral-storage required to run Trivy scanner pod. |
| `trivy.resources.limits.cpu` | `500m` | The maximum amount of CPU allowed to run Trivy scanner pod. |
| `trivy.resources.limits.memory` | `500M` | The maximum amount of memory allowed to run Trivy scanner pod. |
| `trivy.resources.limits.ephemeral-storage` | `` | The maximum amount of ephemeral-storage allowed to run Trivy scanner pod. |
| `trivy.storageClassName` | `` | The name of the storage class to be used for Trivy server PVC. |
| `trivy.podLabels` | `` | The extra pod labels to be used for Trivy server. |
| `trivy.priorityClassName` | `` | PriorityClassName is the name of the priority class used for trivy server. |
| `trivy.resources.limits.ephemeral-storage` | ``| The maximum amount of ephemeral-storage allowed to run Trivy scanner pod. |
| `trivy.storageClassName` |`` | The name of the storage class to be used for Trivy server PVC. |
| `trivy.podLabels` | ``| The extra pod labels to be used for Trivy server. |
| `trivy.priorityClassName` |`` | PriorityClassName is the name of the priority class used for trivy server. |
| `trivy.debug` | `false` | Enable/disable Trivy's debug mode. |
| `trivy.server.resources.requests.cpu` | `200m` | The minimum amount of CPU required to run trivy server. |
| `trivy.server.resources.requests.memory` | `512Mi` | The minimum amount of memory required to run trivy server. |
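Review bot: every line in this hunk is whitespace churn inside empty default cells (the space between the pipe and the empty pair of backticks is removed), and it goes in the opposite direction from the first hunk, which added that space to the `trivy.vulnType` row; pick one spacing for the default column and apply it consistently, or drop these lines so the README diff only shows the `sslCertDir` addition.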
3 changes: 3 additions & 0 deletions deploy/helm/templates/config.yaml
Expand Up @@ -103,6 +103,9 @@ data:
{{- if .Values.trivy.serverInsecure }}
trivy.serverInsecure: {{ .Values.trivy.serverInsecure | quote }}
{{- end }}
{{- if .Values.trivy.sslCertDir }}
trivy.sslCertDir: {{ .Values.trivy.sslCertDir | quote }}
{{- end }}
{{- if .Values.trivy.noProxy }}
trivy.noProxy: {{ .Values.trivy.noProxy | quote }}
{{- end }}
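Review bot: the new block mirrors its neighbours (guarded by an `if`, value passed through `quote`), so the ConfigMap side looks correct, but it only forwards a path string; nothing in this hunk places certificate files at that path inside the scan-job container. The README row for `trivy.sslCertDir` should therefore say where those files are expected to come from (present in the scanner image or mounted into the job), otherwise a user who sets `/ssl/certs` without providing the directory gets no working trust store.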
3 changes: 3 additions & 0 deletions deploy/helm/values.yaml
Expand Up @@ -261,6 +261,9 @@ trivy:
# qaRegistry: qa.registry.aquasec.com
# internalRegistry: registry.registry.svc:5000

# sslCertDir can be used to override the system default locations for SSL certificate files directory, example: /ssl/certs
# sslCertDir:

# The registry to which insecure connections are allowed. There can be multiple registries with different keys.
insecureRegistries: {}
# pocRegistry: poc.myregistry.harbor.com.pl
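Review bot: the `sslCertDir` comment here and the README row describe the same setting with slightly different punctuation (this comment has "directory, example", the README has "directory , example"); keep the two in sync, and like the other commented-out keys in this block it would help to state that the value is optional and that Trivy falls back to the system default certificate locations when it is unset.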