feat: add dbRepositoryUsername and dbRepositoryPassword for dbReposit… (

#1657) * feat: add dbRepositoryUsername and dbRepositoryPassword for dbRepository authentication * fix lint issue * refactor documentation * test: condition for repo-db credentials Signed-off-by: chenk <hen.keinan@gmail.com> --------- Signed-off-by: chenk <hen.keinan@gmail.com> Co-authored-by: chenk <hen.keinan@gmail.com>
aquasecurity · Dec 27, 2023 · 1ecf6a0 · 1ecf6a0
1 parent e717828
commit 1ecf6a0
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 0 deletions.
diff --git a/deploy/helm/README.md b/deploy/helm/README.md
@@ -105,6 +105,8 @@ Keeps security report resources updated
 | trivy.dbRegistry | string | `"ghcr.io"` |  |
 | trivy.dbRepository | string | `"aquasecurity/trivy-db"` |  |
 | trivy.dbRepositoryInsecure | string | `"false"` | The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env)  |
+| trivy.dbRepositoryPassword | string | `nil` | The password for dbRepository authentication  |
+| trivy.dbRepositoryUsername | string | `nil` | The username for dbRepository authentication  |
 | trivy.debug | bool | `false` | debug One of `true` or `false`. Enables debug mode. |
 | trivy.filesystemScanCacheDir | string | `"/var/trivyoperator/trivy-db"` | filesystemScanCacheDir the flag to set custom path for trivy filesystem scan `cache-dir` parameter. Only applicable in filesystem scan mode. |
 | trivy.githubToken | string | `nil` | githubToken is the GitHub access token used by Trivy to download the vulnerabilities database from GitHub. Only applicable in Standalone mode. |

diff --git a/deploy/helm/templates/secrets/trivy.yaml b/deploy/helm/templates/secrets/trivy.yaml
@@ -10,6 +10,12 @@ data:
   {{- with .Values.trivy.githubToken }}
   trivy.githubToken: {{ . | b64enc | quote }}
   {{- end }}
+  {{- with .Values.trivy.dbRepositoryUsername }}
+  trivy.dbRepositoryUsername: {{ . | b64enc | quote }}
+  {{- end }}
+  {{- with .Values.trivy.dbRepositoryPassword }}
+  trivy.dbRepositoryPassword: {{ . | b64enc | quote }}
+  {{- end }}
   {{- if or (eq .Values.trivy.mode "ClientServer") .Values.operator.builtInTrivyServer }}
   {{- with .Values.trivy.serverToken }}
   trivy.serverToken: {{ . | b64enc | quote }}

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -436,6 +436,14 @@ trivy:
   dbRegistry: "ghcr.io"
   dbRepository: "aquasecurity/trivy-db"
 
+  # -- The username for dbRepository authentication
+  #
+  dbRepositoryUsername: ~
+
+  # -- The password for dbRepository authentication
+  #
+  dbRepositoryPassword: ~
+
   # -- javaDbRegistry is the registry for the Java vulnerability database.
   javaDbRegistry: "ghcr.io"
   javaDbRepository: "aquasecurity/trivy-java-db"

diff --git a/pkg/plugins/trivy/config.go b/pkg/plugins/trivy/config.go
@@ -49,6 +49,8 @@ const (
 	keyTrivySkipFiles            = "trivy.skipFiles"
 	keyTrivySkipDirs             = "trivy.skipDirs"
 	keyTrivyDBRepository         = "trivy.dbRepository"
+	keyTrivyDBRepositoryUsername = "trivy.dbRepositoryUsername"
+	keyTrivyDBRepositoryPassword = "trivy.dbRepositoryPassword" // #nosec G101
 	keyTrivyJavaDBRepository     = "trivy.javaDbRepository"
 	keyTrivyDBRepositoryInsecure = "trivy.dbRepositoryInsecure"
 
@@ -221,6 +223,12 @@ func (c Config) GetSkipJavaDBUpdate() bool {
 	return boolVal
 }
 
+func (c Config) TrivyDBRepositoryCredentialsSet() bool {
+	_, userOk := c.Data[keyTrivyDBRepositoryUsername]
+	_, passOk := c.Data[keyTrivyDBRepositoryPassword]
+	return userOk && passOk
+}
+
 func (c Config) GetImageScanCacheDir() string {
 	val, ok := c.Data[keyTrivyImageScanCacheDir]
 	if !ok || val == "" {

diff --git a/pkg/plugins/trivy/filesystem.go b/pkg/plugins/trivy/filesystem.go
@@ -576,6 +576,12 @@ func initContainerFSEnvVar(trivyConfigName string, config Config) []corev1.EnvVa
 		constructEnvVarSourceFromConfigMap("NO_PROXY", trivyConfigName, keyTrivyNoProxy),
 		constructEnvVarSourceFromSecret("GITHUB_TOKEN", trivyConfigName, keyTrivyGitHubToken),
 	}
+	if config.TrivyDBRepositoryCredentialsSet() {
+		envs = append(envs, []corev1.EnvVar{
+			constructEnvVarSourceFromSecret("TRIVY_USERNAME", trivyConfigName, keyTrivyDBRepositoryUsername),
+			constructEnvVarSourceFromSecret("TRIVY_PASSWORD", trivyConfigName, keyTrivyDBRepositoryPassword),
+		}...)
+	}
 	if config.GetDBRepositoryInsecure() {
 		envs = append(envs, corev1.EnvVar{
 			Name:  "TRIVY_INSECURE",

diff --git a/pkg/plugins/trivy/image.go b/pkg/plugins/trivy/image.go
@@ -543,6 +543,12 @@ func initContainerEnvVar(trivyConfigName string, config Config) []corev1.EnvVar
 		constructEnvVarSourceFromConfigMap("NO_PROXY", trivyConfigName, keyTrivyNoProxy),
 		constructEnvVarSourceFromSecret("GITHUB_TOKEN", trivyConfigName, keyTrivyGitHubToken),
 	}
+	if config.TrivyDBRepositoryCredentialsSet() {
+		envs = append(envs, []corev1.EnvVar{
+			constructEnvVarSourceFromSecret("TRIVY_USERNAME", trivyConfigName, keyTrivyDBRepositoryUsername),
+			constructEnvVarSourceFromSecret("TRIVY_PASSWORD", trivyConfigName, keyTrivyDBRepositoryPassword),
+		}...)
+	}
 
 	if config.GetDBRepositoryInsecure() {
 		envs = append(envs, corev1.EnvVar{