Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FEATURE] Check if Trivy database download could be done authenticated #1689

Closed
1 task done
HeavyWombat opened this issue Sep 23, 2024 · 5 comments
Closed
1 task done
Assignees
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@HeavyWombat
Copy link
Contributor

Is there an existing feature request for this?

  • I have searched the existing feature requests

Is your feature request related to a problem or use-case? Please describe.

Trivy is used as part of the Test Suite and upon it's first start, it needs to download a database, which is hosted in a container registry. This can lead to a 429 response by the container registry with TOOMANYREQUESTS.

Describe the solution that you would like.

Check if we can authentication against the GitHub Container Registry so that the requests are not anonymously.

Describe alternatives you have considered.

Alternative would be to use an alternative location for the registry, where rate limiting isn't an issue. Need to check, whether quay.io would be an option. The location can be defined using TRIVY_DB_REPOSITORY environment variable.

Anything else?

No response

@HeavyWombat HeavyWombat added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 23, 2024
HeavyWombat added a commit that referenced this issue Sep 26, 2024
Ref: #1689

Log into GitHub Container Registry for unit test so that Trivy database
download can be done in an authenticated context.

Signed-off-by: Matthias Diester <[email protected]>
HeavyWombat added a commit that referenced this issue Sep 26, 2024
Ref: #1689

Log into GitHub Container Registry for unit test so that Trivy database
download can be done in an authenticated context.

Signed-off-by: Matthias Diester <[email protected]>
@qu1queee
Copy link
Contributor

Some notes:

@SaschaSchwarze0
Copy link
Member

SaschaSchwarze0 commented Sep 30, 2024

@HeavyWombat can you provide more details of where else a fix is needed = can you reference where you have seen the failures? In #1691, you only mention that it "potentially mitigates (parts of)" this issue and the scope is therefore unclear.

BTW: related Trivy feature: aquasecurity/trivy#3915

@SaschaSchwarze0
Copy link
Member

From today's sync meeting:

#1689 is a pain we need to look at. Something that I have set up at home is the following:

kubectl -n shipwright-build set env deployment/shipwright-build-controller 'IMAGE_PROCESSING_CONTAINER_TEMPLATE={"image": "ghcr.io/shipwright-io/build/image-processing:latest", "command": ["/ko-app/image-processing"], "env": [{"name": "HOME","value": "/shared-home"}], "envFrom": [{"secretRef": {"name": "trivy-user", "optional": true}}], "securityContext": {"allowPrivilegeEscalation": false, "capabilities": {"add": ["DAC_OVERRIDE"], "drop": ["ALL"]}, "runAsUser": 0, "runAsgGroup": 0}}'

The relevant addition is the envFrom pointing to an optional secret trivy-user. That secret is opaque and contains the keys TRIVY_USER (GitHub username) and TRIVY_PASSWORD (GitHub token). That way, the two environment variables are available and it should authenticate for the database download as Trivy supports it based on aquasecurity/trivy#3915 - though those flags are not documented in trivy image --help. Therefore need to check if they are really supported.

Other idea: in the image-processing step implementation, we can try to determine that Trivy failed to download the database based on the command output, and retry the command.

And:

On our Trivy scan issues:

  • Environment variables are really existing for the --username and --password flags.
  • Next step: try the solution in e2e and integration
  • Sascha to open PR with retry of trivy if it fails during database download
    -> we then have two PRs that potentially fix the problem and we can take both or just one
  • Matthias: side note, noticed that we use different Ginkgo terms for the vulnerability tests = you must skip two things to skip them all

dorzel pushed a commit to dorzel/build that referenced this issue Oct 30, 2024
Ref: shipwright-io#1689

Log into GitHub Container Registry for unit test so that Trivy database
download can be done in an authenticated context.

Signed-off-by: Matthias Diester <[email protected]>
@SaschaSchwarze0
Copy link
Member

SaschaSchwarze0 commented Nov 10, 2024

The retry is working fine so far. In addition, Trivy has already enabled itself to have multiple database locations referenced since v0.56.0. They're also having the database synchronized to ECR. They still have not yet changed the default to contain both locations. So, for now, one can set TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2.

Though, I tend to not do that for the v0.14.0 release.

@SaschaSchwarze0
Copy link
Member

We have not seen any failures in the past weeks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Projects
Status: Done
Development

No branches or pull requests

3 participants