feat: load rego embedded libs by default #926
Conversation
94ac4e1 to a2d27e8
8bd0c83 to 6356b74
Signed-off-by: chenk <[email protected]>
6356b74 to 92585fc
Hi @chen-keinan - we're trying to bring back policy fetching into Trivy if a new bundle is found upstream. This is so that we can decouple Trivy releases from policy updates.

TL;DR: Currently this behaviour doesn't allow Trivy to download a bundle (with both policies and libraries in it), as libraries are unconditionally embedded into the Trivy binary, causing Rego namespace collisions. The bundle will include both policies and libraries. Context is here: d128e52#r86794387

I understand you made this change to solve https://github.com/aquasecurity/defsec/issues/925 - is it possible that we (for the users of Trivy Operator) can provide the libraries in another way? Maybe they could be stored as ConfigMaps within the operator deployment charts? Just a thought. Ideally, it'd be best to keep policies and libraries together behind the same flag. In other words,

Thoughts?
Reverts: aquasecurity#926 Signed-off-by: Simar <[email protected]>
Created #1012 to address this.
Sure, let's discuss the options.
Previously, in the case of Trivy, users who wanted custom policies had to supply their own libraries if they needed them. Having said that, maybe we can instead create a reference deployment in Trivy Operator (an example Helm chart, for instance) that includes some scaffolding to help them do so? Long term, decoupling policies from the Trivy binary helps us, as policies get updated often compared to Trivy itself. This is the same model that Trivy DB follows for updating vulnerability definitions. What do you think? Maybe we can jump on a call and sort it out.
@simar7 sure, I'll be happy to have a call to discuss it.
Signed-off-by: chenk [email protected]
Close: #925