Working with Trivy's vulnerability database ratelimits

If you are new to Trivy, let me quickly explain; Trivy is a vulnerability scanner (created by Aquasecurity) for container images and various configuration languages; it can scan your Terraform, Helm and Kubernetes files for misconfigurations. To increase the security of your deployments, it is a very versatile tool.

If you are working on DevSecOps projects, you might have encountered the same issue as we have lately: the public Trivy vulnerability database became a victim of its own popularity.

To “fix” this problem, I created a simple “trivy database proxy”. It’s not really a proxy in the strict sense of the word, but it will (try to) download the public database, and put a copy in a container registry of your choice.

Because I was quite pleased with the result I decided to publish this little tool on my Github page, you can check it out here: github.com/worldwideward/trivy-db-proxy

The tool is published as a Docker image, so if you don’t need the source, you can just pull the image and get on with it: docker pull ghcr.io/worldwideward/trivy-db-proxy:main.

Dependencies

To keep the tool as lean as possible, I tried to use just a minimal set of dependencies: the Docker image is based on Alpine and I added cURL and ORAS.

Alpine is a very small Linux distribution with which you can create very secure container images. cURL doesn’t need much explanation I think, it’s a super versatile tool to work with URLs. ORAS is a very nifty tool to work with OCI artifacts that aren’t necessarily containers. It was the first time I really needed it, and it works great!

Other than that there are no dependencies, so the total size of this tool is just 29 megabytes. The Trivy databases are a bit larger, but all in all you need less than 1 gigabyte of storage in your system to benefit from this little tool.

Kubernetes

The best way to deploy this tool is on Kubernetes. To make your life easier I added the necessary manifest to run it as a CronJob. This way your private Trivy vulnerability database gets periodically updated. I recommend a daily interval.

Secretless

For the tool to interact with a private container registry, it will need to authenticate itself. These days the trend is to make use of secretless patterns whenever possible. Therefore I actually published two variants of the CronJob:

  • a “classic” version depending on a Kubernetes Secret
  • a “secretless” version that makes use of Azure Workload Identities (yes, I am sorry, this won’t work with Identity Providers other than Azure Entra, for now)

If you are an Azure end-user, you will probably want to use the second version.

CI/CD integration

So how does this work in a CI/CD environment? Quite simple:

First, deploy the tool and verify that your database was successfully stored in your private OCI registry.

Second, make sure that your CI/CD agent/runner (whatever you call it) downloads the database from your private registry at regular intervals. The commands you want to use for this are:

trivy image --download-db-only --db-repository oci.example.com/trivy-db
# If you are working with Java based images also execute:
trivy image --download-java-db-only --java-db-repository oci.example.com/trivy-java-db

Finally, scan your images without downloading the database:

trivy image --skip-db-update container-image-to-scan
# If you are working with Java based images execute:
trivy image --skip-db-update --skip-java-db-update container-image-to-scan

You could opt to combine the second and the final step into one, but that’s personal preference I suppose. I don’t want my build pipeline to spend a few seconds on downloading a database when it could be cached up front.
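To show how the two steps fit together on a runner, here is an added CI helper script (my own hypothetical example, not part of trivy-db-proxy). It refreshes both databases from the private mirror only when its own stamp file is older than a day, uses --java-db-repository for the Java database, and then scans with every database update skipped so the scan step never reaches the public registry. The registry names, the stamp file and the TRIVY override are assumptions.

```shell
#!/bin/sh
# Hypothetical CI helper (not part of trivy-db-proxy): refresh the Trivy DBs
# from the private mirror only when the local copy is older than MAX_AGE,
# then scan with all DB updates skipped so scans never touch the public DB.
set -eu

TRIVY="${TRIVY:-trivy}"                                  # binary; override for dry runs
DB_REPO="${DB_REPO:-oci.example.com/trivy-db}"           # assumed private mirror
JAVA_DB_REPO="${JAVA_DB_REPO:-oci.example.com/trivy-java-db}"
CACHE_DIR="${TRIVY_CACHE_DIR:-${HOME:-/tmp}/.cache/trivy}"
STAMP="$CACHE_DIR/.private-db-refreshed"                 # this script's own marker
MAX_AGE="${MAX_AGE:-86400}"                              # one day, like the CronJob

# Succeeds (stale) when the stamp file is missing or older than $2 seconds.
db_is_stale() {
    stamp="$1"; max_age="$2"
    [ -f "$stamp" ] || return 0
    now=$(date +%s)
    mtime=$(stat -c %Y "$stamp" 2>/dev/null || stat -f %m "$stamp")
    [ $((now - mtime)) -gt "$max_age" ]
}

# Pull both databases from the private registry; stamp only after success.
refresh_db() {
    mkdir -p "$CACHE_DIR"
    "$TRIVY" image --download-db-only --db-repository "$DB_REPO"
    "$TRIVY" image --download-java-db-only --java-db-repository "$JAVA_DB_REPO"
    touch "$STAMP"
}

# Prints "refreshed" when a download ran, "cached" when the copy was fresh.
ensure_db() {
    if db_is_stale "$STAMP" "$MAX_AGE"; then
        refresh_db
        echo refreshed
    else
        echo cached
    fi
}

# Scan without any DB update; fail the pipeline on HIGH/CRITICAL findings.
scan_image() {
    "$TRIVY" image --skip-db-update --skip-java-db-update \
        --exit-code 1 --severity HIGH,CRITICAL "$1"
}

main() {
    ensure_db
    for image in "$@"; do scan_image "$image"; done
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `./ci-scan.sh registry.example.com/app:1.2.3` from the pipeline; setting `TRIVY=true` lets you exercise the caching logic without a Trivy binary.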

Aquasecurity

If you like Trivy, make sure you pay a visit to aquasec.com, the website of the creators. While Trivy is their most popular tool, they have a few other great security products!

Feedback

If you like my little tool, consider starring it on Github (github.com/worldwideward/trivy-db-proxy). And if you have spotted a bug or potential improvement, don’t hesitate to open an Issue or Pull Request! Feedback is always appreciated!