feat(misconf): Support private registries for misconf check bundle #6266

Closed
2 tasks done
simar7 opened this issue Mar 4, 2024 Discussed in #6265 · 0 comments · Fixed by #6327
kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning
simar7 commented Mar 4, 2024

Similar to pulling the Trivy DB from private registries, we should also support pulling misconfiguration check bundles from such sources as well.

This change should go here as today we simply pass no registry options when initializing.

Discussed in #6265

Originally posted by JeffResc March 4, 2024

Description

OCI image set with --policy-bundle-repository does not utilize authentication credentials. I have tried setting the authentication credentials via environment variables TRIVY_USERNAME/TRIVY_PASSWORD as well as command line arguments --username/--password, but I am receiving an unauthorized error code from my private OCI container registry. I have tried with both the trivy filesystem and trivy image subcommands, but the results are the same.

Conversely, when setting the --db-repository and --java-db-repository options, these are able to pull from my private OCI container registry using the credentials set via environment variables TRIVY_USERNAME/TRIVY_PASSWORD.

Notice in the output below that ${MY_OCI_REGISTRY}/aquasecurity/trivy-db is pulled as expected, but ${MY_OCI_REGISTRY}/aquasecurity/defsec:0 fails.

$ TRIVY_USERNAME="example_user"
$ TRIVY_PASSWORD="example_pass"
$ TRIVY_NO_PROGRESS="true"
$ trivy filesystem ./ --db-repository ${MY_OCI_REGISTRY}/aquasecurity/trivy-db --java-db-repository ${MY_OCI_REGISTRY}/aquasecurity/trivy-java-db --policy-bundle-repository ${MY_OCI_REGISTRY}/aquasecurity/defsec:0 --scanners vuln,misconfig,secret,license
INFO	Need to update DB
INFO	DB Repository: ${MY_OCI_REGISTRY}/aquasecurity/trivy-db
INFO	Downloading DB...
INFO	Vulnerability scanning is enabled
INFO	Misconfiguration scanning is enabled
INFO	Need to update the built-in policies
INFO	Downloading the built-in policies...
ERROR   Falling back to embedded policies: failed to download built-in policies: download error: OCI repository error: 1 error occurred:
        * GET https://${MY_OCI_REGISTRY}/v2/aquasecurity/defsec/manifests/0: UNAUTHORIZED: access to the requested resource is not authorized
INFO	Secret scanning is enabled
INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
INFO	Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
INFO	License scanning is enabled
INFO	Number of language-specific files: 0
INFO	Detected config files: 7
INFO	Vulnerability scanning is enabled
INFO	Misconfiguration scanning is enabled
INFO	Need to update the built-in policies
INFO	Downloading the built-in policies...
ERROR   Falling back to embedded policies: failed to download built-in policies: download error: OCI repository error: 1 error occurred:
        * GET https://${MY_OCI_REGISTRY}/v2/aquasecurity/defsec/manifests/0: UNAUTHORIZED: access to the requested resource is not authorized
INFO	Secret scanning is enabled
INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
INFO	Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
INFO	License scanning is enabled
INFO	Number of language-specific files: 0
INFO	Detected config files: 7

Desired Behavior

I expect the OCI image set with --policy-bundle-repository to be pulled using the credentials specified via environment variables TRIVY_USERNAME/TRIVY_PASSWORD, similar to the functionality supported in --db-repository and --java-db-repository.

Actual Behavior

As shown in the command line output, the OCI image set with --policy-bundle-repository is not pulled using the credentials specified via environment variables TRIVY_USERNAME/TRIVY_PASSWORD.

Reproduction Steps

1. Create an OCI registry that requires authentication and mirror the following images: `ghcr.io/aquasecurity/trivy-db`, `ghcr.io/aquasecurity/trivy-java-db` and `ghcr.io/aquasecurity/defsec:0`.
2. Set `TRIVY_USERNAME` and `TRIVY_PASSWORD` environment variables to a username and password for your OCI registry.
3. Run the following Trivy command: `trivy filesystem ./ --db-repository ${MY_OCI_REGISTRY}/aquasecurity/trivy-db --java-db-repository ${MY_OCI_REGISTRY}/aquasecurity/trivy-java-db --policy-bundle-repository ${MY_OCI_REGISTRY}/aquasecurity/defsec:0 --scanners vuln,misconfig,secret,license`

Target

Filesystem

Scanner

vuln,misconfig,secret,license

Output Format

Table

Mode

Standalone

Debug Output

$ trivy filesystem ./ --db-repository ${MY_OCI_REGISTRY}/aquasecurity/trivy-db --java-db-repository ${MY_OCI_REGISTRY}/aquasecurity/trivy-java-db --policy-bundle-repository ${MY_OCI_REGISTRY}/aquasecurity/defsec:0 --scanners vuln,misconfig,secret,license --debug
DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
DEBUG   Ignore statuses {"statuses": null}
DEBUG   cache dir:  /home/scanner/.cache/trivy
DEBUG   There is no valid metadata file: unable to open a file: open /home/scanner/.cache/trivy/db/metadata.json: no such file or directory
INFO    Need to update DB
INFO    DB Repository: ${MY_OCI_REGISTRY}/aquasecurity/trivy-db
INFO    Downloading DB...
DEBUG   no metadata file
DEBUG   Updating database metadata...
DEBUG   DB Schema: 2, UpdatedAt: 2024-03-04 12:19:30.391554259 +0000 UTC, NextUpdate: 2024-03-04 18:19:30.391553979 +0000 UTC, DownloadedAt: 2024-03-04 20:23:58.631164038 +0000 UTC
INFO    Vulnerability scanning is enabled
DEBUG   Vulnerability type:  [os library]
INFO    Misconfiguration scanning is enabled
DEBUG   Failed to open the policy metadata: open /home/scanner/.cache/trivy/policy/metadata.json: no such file or directory
INFO    Need to update the built-in policies
INFO    Downloading the built-in policies...
DEBUG   Using URL: ${MY_OCI_REGISTRY}/aquasecurity/defsec:0 to load policy bundle
ERROR   Falling back to embedded policies: failed to download built-in policies: download error: OCI repository error: 1 error occurred:
        * GET https://${MY_OCI_REGISTRY}/v2/aquasecurity/defsec/manifests/0: UNAUTHORIZED: access to the requested resource is not authorized
INFO    Secret scanning is enabled
INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
INFO    License scanning is enabled
DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
DEBUG   No secret config detected: trivy-secret.yaml
DEBUG   The nuget packages directory couldn't be found. License search disabled
DEBUG   Walk the file tree rooted at '.' in parallel
DEBUG   OS is not detected.
DEBUG   Detected OS: unknown
INFO    Number of language-specific files: 0
INFO    Detected config files: 0

Operating System

Ubuntu 22.04.3 LTS

Version

Version: 0.49.1

Checklist
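As an added illustration (not Trivy's own code), the following Go snippet models the two code paths the report contrasts: a manifest GET for `${MY_OCI_REGISTRY}/aquasecurity/defsec:0` with no registry options, which yields the same UNAUTHORIZED status as the log above, beside the same GET with credentials taken from TRIVY_USERNAME/TRIVY_PASSWORD, as the DB download already does. `RegistryOptions`, `OptionsFromEnv`, `ManifestURL` and `FetchManifest` are hypothetical names, and plain HTTP Basic auth stands in for whatever token flow a real registry negotiates.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strings"
)

// RegistryOptions carries the credentials Trivy already honours for DB pulls (constructed type).
type RegistryOptions struct{ Username, Password string }

// OptionsFromEnv reads the same TRIVY_USERNAME / TRIVY_PASSWORD variables as the report.
func OptionsFromEnv() RegistryOptions {
	return RegistryOptions{os.Getenv("TRIVY_USERNAME"), os.Getenv("TRIVY_PASSWORD")}
}

// ManifestURL maps "<host>/<repo>:<tag>" to the /v2 manifest endpoint seen in the error; digests are out of scope.
func ManifestURL(scheme, ref string) (string, error) {
	host, rest, ok := strings.Cut(ref, "/")
	if !ok {
		return "", fmt.Errorf("reference %q has no repository path", ref)
	}
	repo, tag, ok := strings.Cut(rest, ":")
	if !ok {
		tag = "latest"
	}
	return fmt.Sprintf("%s://%s/v2/%s/manifests/%s", scheme, host, repo, tag), nil
}

// FetchManifest GETs the manifest: empty opts reproduce the unfixed bundle path (no Authorization header), credentials the DB path.
func FetchManifest(client *http.Client, scheme, ref string, opts RegistryOptions) (int, error) {
	u, err := ManifestURL(scheme, ref)
	if err != nil {
		return 0, err
	}
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return 0, err
	}
	if opts.Username != "" { // the step the bundle path was missing
		req.SetBasicAuth(opts.Username, opts.Password)
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}
```

Calling `FetchManifest(http.DefaultClient, "https", ref, OptionsFromEnv())` from the bundle download path is the shape of the fix the issue asks for; passing `RegistryOptions{}` instead reproduces the 401.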

simar7 added the labels kind/feature (Categorizes issue or PR as related to a new feature) and scan/misconfiguration (Issues relating to misconfiguration scanning) on Mar 4, 2024
simar7 self-assigned this on Mar 4, 2024
simar7 added this to the v0.51.0 milestone on Mar 26, 2024