From 72ac532ab1a0d77a0a63131cf08392809ed24b6c Mon Sep 17 00:00:00 2001
From: simar7 <1254783+simar7@users.noreply.github.com>
Date: Tue, 26 Nov 2024 01:48:27 -0700
Subject: [PATCH] chore: Use `mirror.gcr.io` instead `ghcr.io` as helm chart default (#2331)
* chore: Use mirror.gcr.io instead ghcr.io as helm chart default
* update docs
* update goreleaser
* chore: fix a registry name
* chore: add space for rerun workflow
* chore: add another space
* ci: change a github running type
* revert: keep target for private registry test
--------
Co-authored-by: afdesk
---
.github/workflows/build.yaml | 6 +-
.github/workflows/chart-testing.yaml | 11 ++-
.github/workflows/private-registries.yaml | 6 +-
.github/workflows/release-snapshot.yaml | 2 +-
.goreleaser.yaml | 40 ++++----
CONTRIBUTING.md | 6 +-
deploy/helm/README.md | 10 +-
deploy/helm/values.yaml | 10 +-
deploy/static/kustomization.yaml | 2 +-
deploy/static/trivy-operator.yaml | 4 +-
docs/docs/vulnerability-scanning/trivy.md | 98 +++++++++----------
.../installation/configuration.md | 46 ++++-----
goreleaser-e2e.yaml | 6 +-
pkg/plugins/trivy/plugin.go | 6 +-
pkg/trivyoperator/config.go | 2 +-
.../fixture/cronjob-expected-scan.yaml | 6 +-
.../fixture/daemonset-expected-scan.yaml | 6 +-
.../testdata/fixture/job-expected-scan.yaml | 6 +-
.../testdata/fixture/pod-expected-scan.yaml | 6 +-
.../fixture/replicaset-expected-scan.yaml | 6 +-
.../replicationcontroller-expected-scan.yaml | 6 +-
.../fixture/statefulset-expected-scan.yaml | 6 +-
22 files changed, 149 insertions(+), 148 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 7aec92898..726e69e6c 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -188,10 +188,10 @@ jobs: kubectl describe node - name: Load operator image to cluster run: > - docker tag ghcr.io/aquasecurity/trivy-operator:${{ github.sha }}-amd64 - ghcr.io/aquasecurity/trivy-operator:e2e + docker tag mirror.gcr.io/aquasec/trivy-operator:${{ github.sha }}-amd64 + mirror.gcr.io/aquasec/trivy-operator:e2e - docker save -o trivy-operator.tar ghcr.io/aquasecurity/trivy-operator:e2e + docker save -o trivy-operator.tar mirror.gcr.io/aquasec/trivy-operator:e2e kind load image-archive trivy-operator.tar - name: Init E2E tests (Install kuttl & helm) diff --git a/.github/workflows/chart-testing.yaml b/.github/workflows/chart-testing.yaml index dd66f7016..d691300f1 100644 --- a/.github/workflows/chart-testing.yaml +++ b/.github/workflows/chart-testing.yaml @@ -42,8 +42,9 @@ jobs: - name: Release snapshot uses: goreleaser/goreleaser-action@v6 with: - version: v1.7.0 - args: release -f=goreleaser-e2e.yaml --snapshot --skip-publish --rm-dist + version: v2.4.8 + args: release -f=goreleaser-e2e.yaml --snapshot --skip=publish --clean + - name: Install kind and create cluster run: | curl -Lo ./kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION }}/kind-linux-amd64 @@ -69,10 +70,10 @@ jobs: cmd: yq -i '.appVersion = "ct"' ./deploy/helm/Chart.yaml - name: Load operator image to cluster run: > - docker tag ghcr.io/aquasecurity/trivy-operator:${{ github.sha }}-amd64 - ghcr.io/aquasecurity/trivy-operator:ct + docker tag mirror.gcr.io/aquasec/trivy-operator:${{ github.sha }}-amd64 + mirror.gcr.io/aquasec/trivy-operator:ct - docker save -o trivy-operator.tar ghcr.io/aquasecurity/trivy-operator:ct + docker save -o trivy-operator.tar mirror.gcr.io/aquasec/trivy-operator:ct kind load image-archive trivy-operator.tar - name: Set up python diff --git a/.github/workflows/private-registries.yaml b/.github/workflows/private-registries.yaml index cdd249d90..3debd887b 100644 --- a/.github/workflows/private-registries.yaml +++ b/.github/workflows/private-registries.yaml 
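Review bot: The retag step now reads `mirror.gcr.io/aquasec/trivy-operator:${{ github.sha }}-amd64` from the local Docker daemon, but none of the visible `.goreleaser.yaml` hunks in this commit add a `mirror.gcr.io` image template — they only comment out the `ghcr.io` ones — so that source tag presumably comes from `goreleaser-e2e.yaml`, whose change is outside this view; confirm it emits exactly this template or `docker tag` fails before the image ever reaches kind. Because mirror.gcr.io is Google's read-only pull-through cache of Docker Hub, the name is purely a local alias that is never pushed, which deserves a YAML comment above the step (not inside the folded `run: >` body, where it would become shell): `# local-only alias; mirror.gcr.io is a pull-through cache of docker.io/aquasec and is never a push target`. The identical retag appears in the second chart-testing.yaml hunk and in the private-registries.yaml hunk, and the same remark applies there.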
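Review bot: Bumping GoReleaser to `v2.4.8` and switching to the v2 flag spelling `--skip=publish --clean` is only half of the migration: GoReleaser 2.x keys its config schema off a top-level `version: 2` field and rejects or warns on v1-style files, and `goreleaser-e2e.yaml`, which this step loads via `-f`, is changed by the commit but not visible here. Confirm that file declares `version: 2`, otherwise the snapshot build fails at config load rather than in the docker steps that follow. A short comment on the step would spare the next person the same check: `# goreleaser v2: flags and goreleaser-e2e.yaml (version: 2) must move together`.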
@@ -83,10 +83,10 @@ jobs: -n private - name: Load operator image to cluster run: > - docker tag ghcr.io/aquasecurity/trivy-operator:${{ github.sha }}-amd64 - ghcr.io/aquasecurity/trivy-operator:e2e + docker tag mirror.gcr.io/aquasec/trivy-operator:${{ github.sha }}-amd64 + mirror.gcr.io/aquasec/trivy-operator:e2e - docker save -o trivy-operator.tar ghcr.io/aquasecurity/trivy-operator:e2e + docker save -o trivy-operator.tar mirror.gcr.io/aquasec/trivy-operator:e2e kind load image-archive trivy-operator.tar - name: Init E2E tests (Install kuttl & helm) diff --git a/.github/workflows/release-snapshot.yaml b/.github/workflows/release-snapshot.yaml index a975e9bab..757537261 100644 --- a/.github/workflows/release-snapshot.yaml +++ b/.github/workflows/release-snapshot.yaml @@ -48,7 +48,7 @@ jobs: - name: Scan Trivy Operator image for vulnerabilities uses: aquasecurity/trivy-action@master with: - image-ref: 'ghcr.io/aquasecurity/trivy-operator:${{ github.sha }}-amd64' + image-ref: 'mirror.gcr.io/aquasec/trivy-operator:${{ github.sha }}-amd64' exit-code: '1' ignore-unfixed: true severity: 'CRITICAL,HIGH' diff --git a/.goreleaser.yaml b/.goreleaser.yaml index e28269cec..941f8980b 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -70,7 +70,7 @@ dockers: - image_templates: - "docker.io/aquasec/trivy-operator:{{ .Version }}-amd64" - "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-amd64" - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-amd64" +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-amd64" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile 
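Review bot: `image-ref` now points at `mirror.gcr.io/aquasec/trivy-operator:${{ github.sha }}-amd64`, yet the `.goreleaser.yaml` hunks in this commit leave only `docker.io/aquasec/...` and `public.ecr.aws/aquasecurity/...` templates and add no `mirror.gcr.io` one, so if this job builds its snapshot from `.goreleaser.yaml` no image of that name exists locally and trivy-action would fall back to pulling a tag that was never published. Either scan a tag the snapshot build actually produces, e.g. `image-ref: 'docker.io/aquasec/trivy-operator:${{ github.sha }}-amd64'`, or confirm the job uses `goreleaser-e2e.yaml` (changed outside this view) and that it emits the mirror.gcr.io template. The step that builds the snapshot is above this hunk, so the config file it uses cannot be verified from here.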
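Review bot: The `ghcr.io` image template is commented out rather than deleted, and the same pattern repeats in the seven remaining `.goreleaser.yaml` hunks including both `docker_manifests` entries, leaving dead configuration a reader cannot distinguish from a temporary toggle. The practical effect is that releases stop being published to `ghcr.io/aquasecurity/trivy-operator` at all: the new chart default `mirror.gcr.io/aquasec/*` is a pull-through cache of Docker Hub and needs no push target, but consumers who pinned the ghcr.io path or allow-listed ghcr.io in a registry policy will silently stop receiving updates, and the commit message presents this only as a chart-default change. Delete the commented lines and record the decision once at the top of `dockers:`, e.g. `# ghcr.io publishing was dropped in #2331; the chart default mirror.gcr.io/aquasec/* is served from the docker.io/aquasec/* images below`, and call the dropped registry out in the release notes.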
@@ -90,7 +90,7 @@ dockers: - image_templates: - "docker.io/aquasec/trivy-operator:{{ .Version }}-ubi8-amd64" - "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ubi8-amd64" - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-amd64" +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-amd64" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile.ubi8 @@ -110,7 +110,7 @@ dockers: - image_templates: - "docker.io/aquasec/trivy-operator:{{ .Version }}-arm64" - "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-arm64" - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-arm64" +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-arm64" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile @@ -130,7 +130,7 @@ dockers: - image_templates: - "docker.io/aquasec/trivy-operator:{{ .Version }}-ubi8-arm64" - "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ubi8-arm64" - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-arm64" +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-arm64" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile.ubi8 @@ -150,7 +150,7 @@ dockers: - image_templates: - "docker.io/aquasec/trivy-operator:{{ .Version }}-s390x" - "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-s390x" - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-s390x" +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-s390x" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile @@ -170,7 +170,7 @@ dockers: - image_templates: - "docker.io/aquasec/trivy-operator:{{ .Version }}-ppc64le" - "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ppc64le" - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ppc64le" +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ppc64le" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile 
@@ -190,7 +190,7 @@ dockers: - image_templates: - "docker.io/aquasec/trivy-operator:{{ .Version }}-ubi8-s390x" - "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ubi8-s390x" - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-s390x" +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-s390x" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile.ubi8 @@ -210,7 +210,7 @@ dockers: - image_templates: - "docker.io/aquasec/trivy-operator:{{ .Version }}-ubi8-ppc64le" - "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ubi8-ppc64le" - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-ppc64le" +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-ppc64le" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile.ubi8 
@@ -252,18 +252,18 @@ docker_manifests: - "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ubi8-arm64" - "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ubi8-s390x" - "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ubi8-ppc64le" - - name_template: "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}" - image_templates: - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-amd64" - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-arm64" - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-s390x" - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ppc64le" - - name_template: "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8" - image_templates: - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-amd64" - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-arm64" - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-s390x" - - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-ppc64le" +# - name_template: "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}" +# image_templates: +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-amd64" +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-arm64" +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-s390x" +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ppc64le" +# - name_template: "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8" +# image_templates: +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-amd64" +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-arm64" +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-s390x" +# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-ppc64le" signs: - cmd: cosign diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 4f754ed54..915c1ab96 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -88,9 +88,9 @@ have to ## Build Binaries -| Binary | Image | Description | -|----------------------|------------------------------------------------|---------------------------------------------------------------| -| `trivy-operator` | `ghcr.io/aquasecurity/trivy-operator:dev` | Trivy Operator | +| Binary | Image | Description | +|------------------|-------------------------------------------|----------------| +| `trivy-operator` | `mirror.gcr.io/aquasec/trivy-operator:dev` | Trivy Operator | To build all Trivy-operator binary, run: diff --git a/deploy/helm/README.md b/deploy/helm/README.md index a31f7aa93..c94bbcf6c 100644 --- a/deploy/helm/README.md +++ b/deploy/helm/README.md @@ -23,8 +23,8 @@ Keeps security report resources updated | global | object | `{"image":{"registry":""}}` | global values provide a centralized configuration for 'image.registry', reducing the potential for errors. If left blank, the chart will default to the individually set 'image.registry' values | | image.pullPolicy | string | `"IfNotPresent"` | pullPolicy set the operator pullPolicy | | image.pullSecrets | list | `[]` | pullSecrets set the operator pullSecrets | -| image.registry | string | `"ghcr.io"` | | -| image.repository | string | `"aquasecurity/trivy-operator"` | | +| image.registry | string | `"mirror.gcr.io"` | | +| image.repository | string | `"aquasec/trivy-operator"` | | | image.tag | string | `""` | tag is an override of the image tag, which is by default set by the appVersion field in Chart.yaml. | | managedBy | string | `"Helm"` | managedBy is similar to .Release.Service but allows to overwrite the value | | nameOverride | string | `""` | nameOverride override operator name | 
@@ -143,8 +143,8 @@ Keeps security report resources updated | trivy.ignoreUnfixed | bool | `false` | ignoreUnfixed is the flag to show only fixed vulnerabilities in vulnerabilities reported by Trivy. Set to true to enable it. | | trivy.image.imagePullSecret | string | `nil` | imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace | | trivy.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the imge pull policy used for trivy image , valid values are (Always, Never, IfNotPresent) | -| trivy.image.registry | string | `"ghcr.io"` | registry of the Trivy image | -| trivy.image.repository | string | `"aquasecurity/trivy"` | repository of the Trivy image | +| trivy.image.registry | string | `"mirror.gcr.io"` | registry of the Trivy image | +| trivy.image.repository | string | `"aquasec/trivy"` | repository of the Trivy image | | trivy.image.tag | string | `"0.57.1"` | tag version of the Trivy image | | trivy.imageScanCacheDir | string | `"/tmp/trivy/.cache"` | imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter. Only applicable in image scan mode. | | trivy.includeDevDeps | bool | `false` | includeDevDeps include development dependencies in the report (supported: npm, yarn) (default: false) note: this flag is only applicable when trivy.command is set to filesystem | 
@@ -183,7 +183,7 @@ Keeps security report resources updated | trivy.storageSize | string | `"5Gi"` | storageSize is the size of the trivy server PVC | | trivy.supportedConfigAuditKinds | string | `"Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"` | The Flag is the list of supported kinds separated by comma delimiter to be scanned by the config audit scanner | | trivy.timeout | string | `"5m0s"` | timeout is the duration to wait for scan completion. | -| trivy.useBuiltinRegoPolicies | string | `"false"` | The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from ghcr.io/aquasecurity/trivy-checks | +| trivy.useBuiltinRegoPolicies | string | `"false"` | The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from mirror.gcr.io/aquasec/trivy-checks | | trivy.useEmbeddedRegoPolicies | string | `"true"` | To enable the usage of embedded rego policies, set the flag useEmbeddedRegoPolicies. This should serve as a fallback for air-gapped environments. When useEmbeddedRegoPolicies is set to true, useBuiltinRegoPolicies should be set to false. | | trivy.valuesFromConfigMap | string | `""` | vaulesFromConfigMap name of a ConfigMap to apply TRIVY_* environment variables. Will override Helm values. | | trivy.valuesFromSecret | string | `""` | valuesFromSecret name of a Secret to apply TRIVY_* environment variables. Will override Helm AND ConfigMap values. | diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml index d14cdf860..af34eef59 100644 --- a/deploy/helm/values.yaml +++ b/deploy/helm/values.yaml @@ -185,8 +185,8 @@ operator: valuesFromSecret: "" image: - registry: "ghcr.io" - repository: "aquasecurity/trivy-operator" + registry: "mirror.gcr.io" + repository: "aquasec/trivy-operator" # -- tag is an override of the image tag, which is by default set by the # appVersion field in Chart.yaml. tag: "" 
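Review bot: Changing `repository` from `aquasecurity/trivy-operator` to `aquasec/trivy-operator` makes the default path registry-specific: the `.goreleaser.yaml` templates publish as `docker.io/aquasec/...` but `public.ecr.aws/aquasecurity/...` (and formerly `ghcr.io/aquasecurity/...`), so a user who only sets `global.image.registry` — which the README row in this commit documents as the single central override — to `public.ecr.aws` now resolves `public.ecr.aws/aquasec/trivy-operator`, which is not a path these templates push to. The same applies to `trivy.image.repository: aquasec/trivy` in the next hunk. Add a note on the value so the coupling is visible, e.g. `# -- repository namespace differs per registry (aquasec/ on docker.io and mirror.gcr.io, aquasecurity/ on public.ecr.aws); override it together with global.image.registry`. Minor style point: `registry` is quoted here while the `trivy.image.registry` and `repository` values in the next hunk are plain scalars; pick one form within the file.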
@@ -336,9 +336,9 @@ trivy: createConfig: true image: # -- registry of the Trivy image - registry: ghcr.io + registry: mirror.gcr.io # -- repository of the Trivy image - repository: aquasecurity/trivy + repository: aquasec/trivy # -- tag version of the Trivy image tag: 0.57.1 # -- imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret @@ -536,7 +536,7 @@ trivy: # dbRepositoryInsecure: "false" - # -- The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from ghcr.io/aquasecurity/trivy-checks + # -- The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from mirror.gcr.io/aquasec/trivy-checks # useBuiltinRegoPolicies: "false" # -- The Flag to enable the usage of external rego policies config-map, this should be used when the user wants to use their own rego policies diff --git a/deploy/static/kustomization.yaml b/deploy/static/kustomization.yaml index 360ece75f..affcb28a0 100644 --- a/deploy/static/kustomization.yaml +++ b/deploy/static/kustomization.yaml @@ -3,6 +3,6 @@ kind: Kustomization resources: - trivy-operator.yaml images: - - name: ghcr.io/aquasecurity/trivy-operator + - name: mirror.gcr.io/aquasec/trivy-operator newName: aquasecurity/trivy-operator newTag: dev diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml index 3d91780f8..be1693403 100644 --- a/deploy/static/trivy-operator.yaml +++ b/deploy/static/trivy-operator.yaml @@ -3044,7 +3044,7 @@ metadata: app.kubernetes.io/version: "0.23.0" app.kubernetes.io/managed-by: kubectl data: - trivy.repository: "ghcr.io/aquasecurity/trivy" + trivy.repository: "mirror.gcr.io/aquasec/trivy" trivy.tag: "0.57.1" trivy.imagePullPolicy: "IfNotPresent" trivy.additionalVulnerabilityReportFields: "" 
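Review bot: The comment now claims builtin rego policies are downloaded from `mirror.gcr.io/aquasec/trivy-checks`, but this hunk changes comment text only; the code that sets the checks-bundle source lives in `pkg/plugins/trivy/plugin.go`, which the commit touches outside the visible hunks. Confirm that default was switched as well, otherwise this comment and the matching README row describe a source the operator does not actually use. If the bundle source is intentionally left on ghcr.io, keep the comment on the old value rather than let documentation drift ahead of behaviour.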
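Review bot: The image transformer's `name` is updated to `mirror.gcr.io/aquasec/trivy-operator`, matching the reference in `deploy/static/trivy-operator.yaml`, but `newName` stays `aquasecurity/trivy-operator` — the Docker Hub `aquasecurity` namespace — while every published tag in `.goreleaser.yaml` and the dev image listed in CONTRIBUTING.md now use `aquasec/`. If `newName` only ever refers to a locally built dev image the mismatch is presumably harmless, but if it is resolved against a registry it names a repository this commit's templates never push to. Either align it with the `aquasec/` namespace or make the intent explicit with `# newName targets the locally built dev image, not a published repository` above the entry.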
@@ -3124,7 +3124,7 @@ spec: automountServiceAccountToken: true containers: - name: "trivy-operator" - image: "ghcr.io/aquasecurity/trivy-operator:0.23.0" + image: "mirror.gcr.io/aquasec/trivy-operator:0.23.0" imagePullPolicy: IfNotPresent env: - name: OPERATOR_NAMESPACE diff --git a/docs/docs/vulnerability-scanning/trivy.md b/docs/docs/vulnerability-scanning/trivy.md index c7483a959..21c49ae3b 100644 --- a/docs/docs/vulnerability-scanning/trivy.md +++ b/docs/docs/vulnerability-scanning/trivy.md 
@@ -91,55 +91,55 @@ EOF ## Settings -| CONFIGMAP KEY | DEFAULT | DESCRIPTION | -|------------------------------------------|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `trivy.repository` | `ghcr.io/aquasecurity/trivy` | Repository of the Trivy image | -| `trivy.tag` | `0.36.0` | Version of the Trivy image | -| `trivy.imagePullSecret` | N/A | imagePullSecret is the secret name to be used when pulling trivy image from private registries example: `reg-secret`. It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace. | -| `trivy.imagePullPolicy` | `IfNotPresent` | imagePullPolicy is the pull policy used for trivy image | -| `trivy.dbRepository` | `ghcr.io/aquasecurity/trivy-db` | External OCI Registry to download the vulnerability database | -| `trivy.javaDbRepository` | `ghcr.io/aquasecurity/trivy-java-db` | External OCI Registry to download the vulnerability database for Java | -| `trivy.dbRepositoryInsecure` | `false` | The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env) | -| `trivy.mode` | `Standalone` | Trivy client mode. Either `Standalone` or `ClientServer`. Depending on the active mode other settings might be applicable or required. | -| `additionalVulnerabilityReportFields` | N/A | A comma separated list of additional fields which can be added to the VulnerabilityReport. Possible values: `Description,Links,CVSS,Target,Class,PackagePath,PackageType`. Description will add more data about vulnerability. Links - all the references to a specific vulnerability. 
CVSS - data about CVSSv2/CVSSv3 scoring and vectors. Target - vulnerable element. Class - OS or library vulnerability | -| `trivy.command` | `image` | command. One of `image`, `filesystem` or `rootfs` scanning. Depending on the target type required for the scan. | -| `trivy.slow` | `true` | This flag is to use less CPU/memory for scanning though it takes more time than normal scanning. It fits small-footprint | -| `trivy.severity` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | A comma separated list of severity levels reported by Trivy | -| `trivy.ignoreUnfixed` | N/A | Whether to show only fixed vulnerabilities in vulnerabilities reported by Trivy. Set to `"true"` to enable it. | -| `trivy.vulnType` | `` | This flag can be used to tell Trivy to filter vulnerabilities by a pkg-type (library, os) | -| `trivy.offlineScan` | N/A | Whether to enable the offline scan mode of Trivy preventing outgoing calls, e.g. to for additional vulnerability information. Set to `"true"` to enable it. | -| `trivy.skipFiles` | N/A | A comma separated list of file paths for Trivy to skip traversal. | -| `trivy.skipDirs` | N/A | A comma separated list of directories for Trivy to skip traversal. | -| `trivy.ignoreFile` | N/A | It specifies the `.trivyignore` file which contains a list of vulnerability IDs to be ignored from vulnerabilities reported by Trivy. | -| `trivy.ignorePolicy` | N/A | It specifies a fallback [policy](https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-rego) file which allows to customize which vulnerabilities are reported by Trivy. | -| `trivy.ignorePolicy.{ns}` | N/A | It specifies a namespace specific [policy](https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-rego) file which allows to customize which vulnerabilities are reported by Trivy. 
| -| `trivy.ignorePolicy.{ns}.{wl}` | N/A | It specifies a namespace/workload specific [policy](https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-rego) file which allows to customize which vulnerabilities are reported by Trivy. | -| `trivy.timeout` | `5m0s` | The duration to wait for scan completion | -| `trivy.serverURL` | N/A | The endpoint URL of the Trivy server. Required in `ClientServer` mode. | -| `node.collector.imageRef` | ghcr.io/aquasecurity/node-collector:0.0.6 | The imageRef use for node-collector job . | -| `node.collector.imagePullSecret` | N/A | imagePullSecret is the secret name to be used when pulling trivy node-collector from private registries . | -| `trivy.serverTokenHeader` | `Trivy-Token` | The name of the HTTP header to send the authentication token to Trivy server. Only application in `ClientServer` mode when `trivy.serverToken` is specified. | -| `trivy.serverInsecure` | N/A | The Flag to enable insecure connection to the Trivy server. | -| `trivy.insecureRegistry.` | N/A | The registry to which insecure connections are allowed. There can be multiple registries with different registry ``. | -| `trivy.nonSslRegistry.` | N/A | A registry without SSL. There can be multiple registries with different registry ``. | -| `trivy.sslCertDir` | N/A | sslCertDir can be used to override the system default locations for SSL certificate files directory , example: /ssl/certs | -| `trivy.registry.mirror.` | N/A | Mirror for the registry ``, e.g. `trivy.registry.mirror.index.docker.io: mirror.io` would use `mirror.io` to get images originated from `index.docker.io` | -| `trivy.httpProxy` | N/A | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. | -| `trivy.httpsProxy` | N/A | The HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub. | -| `trivy.noProxy` | N/A | A comma separated list of IPs and domain names that are not subject to proxy settings. 
| -| `trivy.resources.requests.cpu` | `100m` | The minimum amount of CPU required to run Trivy scanner pod. | -| `trivy.resources.requests.memory` | `100M` | The minimum amount of memory required to run Trivy scanner pod. | -| `trivy.resources.requests.ephemeral-storage` |`` | The minimum amount of ephemeral-storage required to run Trivy scanner pod. | -| `trivy.resources.limits.cpu` | `500m` | The maximum amount of CPU allowed to run Trivy scanner pod. | -| `trivy.resources.limits.memory` | `500M` | The maximum amount of memory allowed to run Trivy scanner pod. | -| `trivy.resources.limits.ephemeral-storage` | ``| The maximum amount of ephemeral-storage allowed to run Trivy scanner pod. | -| `trivy.storageClassName` | `` | The name of the storage class to be used for Trivy server PVC. | -| `trivy.podLabels` | ``| The extra pod labels to be used for Trivy server. | -| `trivy.priorityClassName` | `` | PriorityClassName is the name of the priority class used for trivy server. | -| `trivy.server.resources.requests.cpu` | `200m` | The minimum amount of CPU required to run trivy server. | -| `trivy.server.resources.requests.memory` | `512Mi` | The minimum amount of memory required to run trivy server. | -| `trivy.server.resources.limits.cpu` | `1` | The maximum amount of CPU allowed to run trivy server. | -| `trivy.server.resources.limits.memory` | `1Gi` | The maximum amount of memory allowed to run trivy server. 
| +| CONFIGMAP KEY | DEFAULT | DESCRIPTION | +|----------------------------------------------|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `trivy.repository` | `mirror.gcr.io/aquasec/trivy` | Repository of the Trivy image | +| `trivy.tag` | `0.36.0` | Version of the Trivy image | +| `trivy.imagePullSecret` | N/A | imagePullSecret is the secret name to be used when pulling trivy image from private registries example: `reg-secret`. It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace. | +| `trivy.imagePullPolicy` | `IfNotPresent` | imagePullPolicy is the pull policy used for trivy image | +| `trivy.dbRepository` | `mirror.gcr.io/aquasec/trivy-db` | External OCI Registry to download the vulnerability database | +| `trivy.javaDbRepository` | `mirror.gcr.io/aquasec/trivy-java-db` | External OCI Registry to download the vulnerability database for Java | +| `trivy.dbRepositoryInsecure` | `false` | The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env) | +| `trivy.mode` | `Standalone` | Trivy client mode. Either `Standalone` or `ClientServer`. Depending on the active mode other settings might be applicable or required. | +| `additionalVulnerabilityReportFields` | N/A | A comma separated list of additional fields which can be added to the VulnerabilityReport. Possible values: `Description,Links,CVSS,Target,Class,PackagePath,PackageType`. Description will add more data about vulnerability. Links - all the references to a specific vulnerability. 
CVSS - data about CVSSv2/CVSSv3 scoring and vectors. Target - vulnerable element. Class - OS or library vulnerability | +| `trivy.command` | `image` | command. One of `image`, `filesystem` or `rootfs` scanning. Depending on the target type required for the scan. | +| `trivy.slow` | `true` | This flag is to use less CPU/memory for scanning though it takes more time than normal scanning. It fits small-footprint | +| `trivy.severity` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | A comma separated list of severity levels reported by Trivy | +| `trivy.ignoreUnfixed` | N/A | Whether to show only fixed vulnerabilities in vulnerabilities reported by Trivy. Set to `"true"` to enable it. | +| `trivy.vulnType` | `` | This flag can be used to tell Trivy to filter vulnerabilities by a pkg-type (library, os) | +| `trivy.offlineScan` | N/A | Whether to enable the offline scan mode of Trivy preventing outgoing calls, e.g. to for additional vulnerability information. Set to `"true"` to enable it. | +| `trivy.skipFiles` | N/A | A comma separated list of file paths for Trivy to skip traversal. | +| `trivy.skipDirs` | N/A | A comma separated list of directories for Trivy to skip traversal. | +| `trivy.ignoreFile` | N/A | It specifies the `.trivyignore` file which contains a list of vulnerability IDs to be ignored from vulnerabilities reported by Trivy. | +| `trivy.ignorePolicy` | N/A | It specifies a fallback [policy](https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-rego) file which allows to customize which vulnerabilities are reported by Trivy. | +| `trivy.ignorePolicy.{ns}` | N/A | It specifies a namespace specific [policy](https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-rego) file which allows to customize which vulnerabilities are reported by Trivy. 
| +| `trivy.ignorePolicy.{ns}.{wl}` | N/A | It specifies a namespace/workload specific [policy](https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-rego) file which allows to customize which vulnerabilities are reported by Trivy. | +| `trivy.timeout` | `5m0s` | The duration to wait for scan completion | +| `trivy.serverURL` | N/A | The endpoint URL of the Trivy server. Required in `ClientServer` mode. | +| `node.collector.imageRef` | ghcr.io/aquasecurity/node-collector:0.0.6 | The imageRef use for node-collector job . | +| `node.collector.imagePullSecret` | N/A | imagePullSecret is the secret name to be used when pulling trivy node-collector from private registries . | +| `trivy.serverTokenHeader` | `Trivy-Token` | The name of the HTTP header to send the authentication token to Trivy server. Only application in `ClientServer` mode when `trivy.serverToken` is specified. | +| `trivy.serverInsecure` | N/A | The Flag to enable insecure connection to the Trivy server. | +| `trivy.insecureRegistry.` | N/A | The registry to which insecure connections are allowed. There can be multiple registries with different registry ``. | +| `trivy.nonSslRegistry.` | N/A | A registry without SSL. There can be multiple registries with different registry ``. | +| `trivy.sslCertDir` | N/A | sslCertDir can be used to override the system default locations for SSL certificate files directory , example: /ssl/certs | +| `trivy.registry.mirror.` | N/A | Mirror for the registry ``, e.g. `trivy.registry.mirror.index.docker.io: mirror.io` would use `mirror.io` to get images originated from `index.docker.io` | +| `trivy.httpProxy` | N/A | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. | +| `trivy.httpsProxy` | N/A | The HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub. | +| `trivy.noProxy` | N/A | A comma separated list of IPs and domain names that are not subject to proxy settings. 
| +| `trivy.resources.requests.cpu` | `100m` | The minimum amount of CPU required to run Trivy scanner pod. | +| `trivy.resources.requests.memory` | `100M` | The minimum amount of memory required to run Trivy scanner pod. | +| `trivy.resources.requests.ephemeral-storage` | `` | The minimum amount of ephemeral-storage required to run Trivy scanner pod. | +| `trivy.resources.limits.cpu` | `500m` | The maximum amount of CPU allowed to run Trivy scanner pod. | +| `trivy.resources.limits.memory` | `500M` | The maximum amount of memory allowed to run Trivy scanner pod. | +| `trivy.resources.limits.ephemeral-storage` | `` | The maximum amount of ephemeral-storage allowed to run Trivy scanner pod. | +| `trivy.storageClassName` | `` | The name of the storage class to be used for Trivy server PVC. | +| `trivy.podLabels` | `` | The extra pod labels to be used for Trivy server. | +| `trivy.priorityClassName` | `` | PriorityClassName is the name of the priority class used for trivy server. | +| `trivy.server.resources.requests.cpu` | `200m` | The minimum amount of CPU required to run trivy server. | +| `trivy.server.resources.requests.memory` | `512Mi` | The minimum amount of memory required to run trivy server. | +| `trivy.server.resources.limits.cpu` | `1` | The maximum amount of CPU allowed to run trivy server. | +| `trivy.server.resources.limits.memory` | `1Gi` | The maximum amount of memory allowed to run trivy server. | | SECRET KEY| DESCRIPTION| |---|---| diff --git a/docs/getting-started/installation/configuration.md b/docs/getting-started/installation/configuration.md index b4e18c876..ef0e40c06 100644 --- a/docs/getting-started/installation/configuration.md +++ b/docs/getting-started/installation/configuration.md 
@@ -69,29 +69,29 @@ To change the target namespace from all namespaces to the `default` namespace ed
 # Scanning configuration
-| CONFIGMAP KEY| DEFAULT| DESCRIPTION |
-|---|---|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `vulnerabilityReports.scanner`| `Trivy`| The name of the plugin that generates vulnerability reports. Either `Trivy` or `Aqua`. |
-| `vulnerabilityReports.scanJobsInSameNamespace` | `"false"`| Whether to run vulnerability scan jobs in same namespace of workload. Set `"true"` to enable. |
-| `scanJob.affinity` | N/A| JSON representation of the [affinity] to be applied to the scanner pods and node-collector. Example: `'{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]},{"matchExpressions":[{"key":"virtual-kubelet.io/provider","operator":"DoesNotExist"}]}]}}}'`
-| `scanJob.tolerations`| N/A| JSON representation of the [tolerations] to be applied to the scanner pods and node-collector so that they can run on nodes with matching taints. Example: `'[{"key":"key1", "operator":"Equal", "value":"value1", "effect":"NoSchedule"}]'`
-| `nodeCollector.volumeMounts`| see helm/values.yaml | node-collector pod volumeMounts definition for collecting config files information
-| `nodeCollector.volumes`| see helm/values.yaml | node-collector pod volumes definition for collecting config files information |
-| `scanJob.nodeSelector`| N/A| JSON representation of the [nodeSelector] to be applied to the scanner pods so that they can run on nodes with matching labels.
Example: `'{"example.com/node-type":"worker", "cpu-type": "sandylake"}'` |
-| `scanJob.automountServiceAccountToken` | `"false"` | The flag to enable automount for service account token on scan job. Set `"true"` to enable. |
-| `scanJob.skipInitContainers` | `"false"` | When this flag is set to true, the initContainers will be skipped for the scanner and node collector pod. Set `"true"` to enable. |
-| `report.additionalLabels` | `""` | additionalReportLabels comma-separated representation of the labels which the user wants the reports to be labeled with. Example: `foo=bar,env=stage` will labeled the reports with the labels `foo: bar` and `env: stage` |
-| `scanJob.annotations`| N/A| One-line comma-separated representation of the annotations which the user wants the scanner pods to be annotated with. Example: `foo=bar,env=stage` will annotate the scanner pods with the annotations `foo: bar` and `env: stage` |
-| `scanJob.templateLabel`| N/A| One-line comma-separated representation of the template labels which the user wants the scanner pods to be labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage` |
-| `scanJob.podTemplatePodSecurityContext`| N/A| One-line JSON representation of the template securityContext which the user wants the scanner pods to be secured with. Example: `{"RunAsUser": 1000, "RunAsGroup": 1000, "RunAsNonRoot": true}` |
-| `scanJob.podTemplateContainerSecurityContext`| N/A| One-line JSON representation of the template securityContext which the user wants the scanner containers (and their initContainers) to be amended with. Example: `{"allowPrivilegeEscalation": false, "capabilities": { "drop": ["ALL"]},"privileged": false, "readOnlyRootFilesystem": true }` |
-| `report.resourceLabels`| N/A| One-line comma-separated representation of the scanned resource labels which the user wants to include in the Prometheus metrics report.
Example: `owner,app,tier`|
-| `metrics.resourceLabelsPrefix`| `k8s_label`| Prefix that will be prepended to the labels names indicated in `report.ResourceLabels` when including them in the Prometheus metrics|
-|`report.recordFailedChecksOnly`| `"true"`| this flag is to record only failed checks on misconfiguration reports (config-audit and rbac assessment)
-| `skipResourceByLabels`| N/A| One-line comma-separated labels keys which trivy-operator will skip scanning on resources with matching labels. Example: `test,transient`|
-| `node.collector.imageRef` | ghcr.io/aquasecurity/node-collector:0.0.6 | The imageRef use for node-collector job . |
-| `node.collector.imagePullSecret` | N/A | imagePullSecret is the secret name to be used when pulling node-collector image from private registries . |
-| `nodeCollector.excludeNodes` | `""` | excludeNodes comma-separated node labels that the node-collector job should exclude from scanning (example kubernetes.io/arch=arm64,team=dev) |
+| CONFIGMAP KEY | DEFAULT | DESCRIPTION |
+|------------------------------------------------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `vulnerabilityReports.scanner` | `Trivy` | The name of the plugin that generates vulnerability reports. Either `Trivy` or `Aqua`. |
+| `vulnerabilityReports.scanJobsInSameNamespace` | `"false"` | Whether to run vulnerability scan jobs in same namespace of workload. Set `"true"` to enable. |
+| `scanJob.affinity` | N/A | JSON representation of the [affinity] to be applied to the scanner pods and node-collector.
Example: `'{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]},{"matchExpressions":[{"key":"virtual-kubelet.io/provider","operator":"DoesNotExist"}]}]}}}'` |
+| `scanJob.tolerations` | N/A | JSON representation of the [tolerations] to be applied to the scanner pods and node-collector so that they can run on nodes with matching taints. Example: `'[{"key":"key1", "operator":"Equal", "value":"value1", "effect":"NoSchedule"}]'` |
+| `nodeCollector.volumeMounts` | see helm/values.yaml | node-collector pod volumeMounts definition for collecting config files information |
+| `nodeCollector.volumes` | see helm/values.yaml | node-collector pod volumes definition for collecting config files information |
+| `scanJob.nodeSelector` | N/A | JSON representation of the [nodeSelector] to be applied to the scanner pods so that they can run on nodes with matching labels. Example: `'{"example.com/node-type":"worker", "cpu-type": "sandylake"}'` |
+| `scanJob.automountServiceAccountToken` | `"false"` | The flag to enable automount for service account token on scan job. Set `"true"` to enable. |
+| `scanJob.skipInitContainers` | `"false"` | When this flag is set to true, the initContainers will be skipped for the scanner and node collector pod. Set `"true"` to enable. |
+| `report.additionalLabels` | `""` | additionalReportLabels comma-separated representation of the labels which the user wants the reports to be labeled with. Example: `foo=bar,env=stage` will labeled the reports with the labels `foo: bar` and `env: stage` |
+| `scanJob.annotations` | N/A | One-line comma-separated representation of the annotations which the user wants the scanner pods to be annotated with.
Example: `foo=bar,env=stage` will annotate the scanner pods with the annotations `foo: bar` and `env: stage` |
+| `scanJob.templateLabel` | N/A | One-line comma-separated representation of the template labels which the user wants the scanner pods to be labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage` |
+| `scanJob.podTemplatePodSecurityContext` | N/A | One-line JSON representation of the template securityContext which the user wants the scanner pods to be secured with. Example: `{"RunAsUser": 1000, "RunAsGroup": 1000, "RunAsNonRoot": true}` |
+| `scanJob.podTemplateContainerSecurityContext` | N/A | One-line JSON representation of the template securityContext which the user wants the scanner containers (and their initContainers) to be amended with. Example: `{"allowPrivilegeEscalation": false, "capabilities": { "drop": ["ALL"]},"privileged": false, "readOnlyRootFilesystem": true }` |
+| `report.resourceLabels` | N/A | One-line comma-separated representation of the scanned resource labels which the user wants to include in the Prometheus metrics report. Example: `owner,app,tier` |
+| `metrics.resourceLabelsPrefix` | `k8s_label` | Prefix that will be prepended to the labels names indicated in `report.ResourceLabels` when including them in the Prometheus metrics |
+| `report.recordFailedChecksOnly` | `"true"` | this flag is to record only failed checks on misconfiguration reports (config-audit and rbac assessment) |
+| `skipResourceByLabels` | N/A | One-line comma-separated labels keys which trivy-operator will skip scanning on resources with matching labels. Example: `test,transient` |
+| `node.collector.imageRef` | ghcr.io/aquasecurity/node-collector:0.0.6 | The imageRef use for node-collector job . |
+| `node.collector.imagePullSecret` | N/A | imagePullSecret is the secret name to be used when pulling node-collector image from private registries .
|
+| `nodeCollector.excludeNodes` | `""` | excludeNodes comma-separated node labels that the node-collector job should exclude from scanning (example kubernetes.io/arch=arm64,team=dev) |
 ## Example - patch ConfigMap
diff --git a/goreleaser-e2e.yaml b/goreleaser-e2e.yaml
index 455453076..1b1f84698 100644
--- a/goreleaser-e2e.yaml
+++ b/goreleaser-e2e.yaml
@@ -38,7 +38,7 @@ changelog:
 - ^release
 dockers:
 - image_templates:
- - ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-amd64
+ - mirror.gcr.io/aquasec/trivy-operator:{{ .Version }}-amd64
 use: buildx
 goos: linux
 dockerfile: build/trivy-operator/Dockerfile
@@ -58,6 +58,6 @@ dockers:
 .Version }}/
 - --platform=linux/amd64
 docker_manifests:
- - name_template: ghcr.io/aquasecurity/trivy-operator:{{ .Version }}
+ - name_template: mirror.gcr.io/aquasec/trivy-operator:{{ .Version }}
 image_templates:
- - ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-amd64
+ - mirror.gcr.io/aquasec/trivy-operator:{{ .Version }}-amd64
diff --git a/pkg/plugins/trivy/plugin.go b/pkg/plugins/trivy/plugin.go
index 18aa47567..d3dae0b4c 100644
--- a/pkg/plugins/trivy/plugin.go
+++ b/pkg/plugins/trivy/plugin.go
@@ -34,9 +34,9 @@ const (
 )
 const (
- DefaultImageRepository = "ghcr.io/aquasecurity/trivy"
- DefaultDBRepository = "ghcr.io/aquasecurity/trivy-db"
- DefaultJavaDBRepository = "ghcr.io/aquasecurity/trivy-java-db"
+ DefaultImageRepository = "mirror.gcr.io/aquasec/trivy"
+ DefaultDBRepository = "mirror.gcr.io/aquasec/trivy-db"
+ DefaultJavaDBRepository = "mirror.gcr.io/aquasec/trivy-java-db"
 DefaultSeverity = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
 )
diff --git a/pkg/trivyoperator/config.go b/pkg/trivyoperator/config.go
index c57d8874b..17b5b06f9 100644
--- a/pkg/trivyoperator/config.go
+++ b/pkg/trivyoperator/config.go
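Review bot: The `docker_manifests` name_template and both `image_templates` in goreleaser-e2e.yaml now name `mirror.gcr.io/aquasec/trivy-operator`, but mirror.gcr.io is a read-only pull-through cache of Docker Hub, not a registry this project can push to, so these names only make sense for snapshot runs that skip publishing and are presumably consumed as a local tag afterwards. Nothing in the file says so, and anyone reusing it for a real release would get a push failure, or silently believe the e2e image is published at that path. A comment above `dockers:` such as `# e2e only: image is built and tagged locally, never pushed; the mirror.gcr.io name just matches the operator's default registry` would make the intent explicit.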
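Review bot: Repointing `DefaultImageRepository`, `DefaultDBRepository` and `DefaultJavaDBRepository` at `mirror.gcr.io/aquasec/...` moves the default trust root for the scanner image and for both vulnerability databases from the project's own GHCR namespace to a third-party pull-through cache of Docker Hub, which is a supply-chain-relevant change that the commit message files as a chore. A pull-through cache may serve cached content for a period, so database freshness now also depends on the mirror's cache policy, and operators with allow-listed egress or their own mirrors need the new hostname in their allow-lists. The const block should carry a comment, e.g. `// Defaults resolve through mirror.gcr.io (a Docker Hub pull-through cache); override them via the trivy-operator-trivy-config ConfigMap for private or digest-pinned sources`, and the release notes should call the registry change out explicitly.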
@@ -116,7 +116,7 @@ func GetDefaultConfig() ConfigData {
 keyComplianceFailEntriesLimit: "10",
 KeyReportRecordFailedChecksOnly: "true",
 KeyNodeCollectorImageRef: "ghcr.io/aquasecurity/node-collector:0.2.1",
- KeyPoliciesBundleOciRef: "ghcr.io/aquasecurity/trivy-checks:0",
+ KeyPoliciesBundleOciRef: "mirror.gcr.io/aquasec/trivy-checks:0",
 }
 }
diff --git a/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml b/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml
index 21991c7ba..54b800441 100644
--- a/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml
+++ b/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml
@@ -111,7 +111,7 @@ spec:
 key: trivy.noProxy
 name: trivy-operator-trivy-config
 optional: true
- image: ghcr.io/aquasecurity/trivy:0.35.0
+ image: mirror.gcr.io/aquasec/trivy:0.35.0
 imagePullPolicy: IfNotPresent
 name: hello
 terminationMessagePath: /dev/termination-log
@@ -131,7 +131,7 @@ spec:
 - image
 - --download-db-only
 - --db-repository
- - ghcr.io/aquasecurity/trivy-db
+ - mirror.gcr.io/aquasec/trivy-db
 command:
 - trivy
 env:
@@ -159,7 +159,7 @@ spec:
 key: trivy.githubToken
 name: trivy-operator-trivy-config
 optional: true
- image: "ghcr.io/aquasecurity/trivy:0.35.0"
+ image: "mirror.gcr.io/aquasec/trivy:0.35.0"
 imagePullPolicy: IfNotPresent
 name:
 terminationMessagePath: /dev/termination-log
diff --git a/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml b/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml
index 694b9ab57..944149ff1 100644
--- a/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml
+++ b/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml
@@ -111,7 +111,7 @@ spec:
 key: trivy.noProxy
 name: trivy-operator-trivy-config
 optional: true
- image: ghcr.io/aquasecurity/trivy:0.35.0
+ image: mirror.gcr.io/aquasec/trivy:0.35.0
 imagePullPolicy: IfNotPresent
 name: fluentd-elasticsearch
 terminationMessagePath: /dev/termination-log
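Review bot: `KeyPoliciesBundleOciRef` now defaults to `mirror.gcr.io/aquasec/trivy-checks:0` while `KeyNodeCollectorImageRef` two lines above stays on `ghcr.io/aquasecurity/node-collector:0.2.1`, so a default install now pulls from two registries and air-gapped or private-registry users must mirror both. If the split is deliberate, a comment on the node-collector line saying why it stays on GHCR would stop the next cleanup from flipping it blindly; if not, the two should move together. mirror.gcr.io only caches what exists on Docker Hub, so it is worth confirming that `aquasec/trivy-checks` is actually published there, since a missing bundle would presumably only surface when the policies are downloaded rather than at startup. As `:0` is a floating tag for policy content fetched through a third-party cache, documenting the override path or pinning a digest deserves consideration alongside this change. GetDefaultConfig begins outside the hunk.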
@@ -131,7 +131,7 @@ spec:
 - image
 - --download-db-only
 - --db-repository
- - ghcr.io/aquasecurity/trivy-db
+ - mirror.gcr.io/aquasec/trivy-db
 command:
 - trivy
 env:
@@ -159,7 +159,7 @@ spec:
 key: trivy.githubToken
 name: trivy-operator-trivy-config
 optional: true
- image: "ghcr.io/aquasecurity/trivy:0.35.0"
+ image: "mirror.gcr.io/aquasec/trivy:0.35.0"
 imagePullPolicy: IfNotPresent
 name:
 terminationMessagePath: /dev/termination-log
diff --git a/tests/envtest/testdata/fixture/job-expected-scan.yaml b/tests/envtest/testdata/fixture/job-expected-scan.yaml
index beef61500..8f7f0aa96 100644
--- a/tests/envtest/testdata/fixture/job-expected-scan.yaml
+++ b/tests/envtest/testdata/fixture/job-expected-scan.yaml
@@ -111,7 +111,7 @@ spec:
 key: trivy.noProxy
 name: trivy-operator-trivy-config
 optional: true
- image: ghcr.io/aquasecurity/trivy:0.35.0
+ image: mirror.gcr.io/aquasec/trivy:0.35.0
 imagePullPolicy: IfNotPresent
 name: pi
 terminationMessagePath: /dev/termination-log
@@ -131,7 +131,7 @@ spec:
 - image
 - --download-db-only
 - --db-repository
- - ghcr.io/aquasecurity/trivy-db
+ - mirror.gcr.io/aquasec/trivy-db
 command:
 - trivy
 env:
@@ -159,7 +159,7 @@ spec:
 key: trivy.githubToken
 name: trivy-operator-trivy-config
 optional: true
- image: "ghcr.io/aquasecurity/trivy:0.35.0"
+ image: "mirror.gcr.io/aquasec/trivy:0.35.0"
 imagePullPolicy: IfNotPresent
 name:
 terminationMessagePath: /dev/termination-log
diff --git a/tests/envtest/testdata/fixture/pod-expected-scan.yaml b/tests/envtest/testdata/fixture/pod-expected-scan.yaml
index b75434c50..f19ff835a 100644
--- a/tests/envtest/testdata/fixture/pod-expected-scan.yaml
+++ b/tests/envtest/testdata/fixture/pod-expected-scan.yaml
@@ -111,7 +111,7 @@ spec:
 key: trivy.noProxy
 name: trivy-operator-trivy-config
 optional: true
- image: ghcr.io/aquasecurity/trivy:0.35.0
+ image: mirror.gcr.io/aquasec/trivy:0.35.0
 imagePullPolicy: IfNotPresent
 name: app
 terminationMessagePath: /dev/termination-log
@@ -131,7 +131,7 @@ spec:
 - image
 - --download-db-only
 - --db-repository
- - ghcr.io/aquasecurity/trivy-db
+ - mirror.gcr.io/aquasec/trivy-db
 command:
 - trivy
 env:
@@ -159,7 +159,7 @@ spec:
 key: trivy.githubToken
 name: trivy-operator-trivy-config
 optional: true
- image: "ghcr.io/aquasecurity/trivy:0.35.0"
+ image: "mirror.gcr.io/aquasec/trivy:0.35.0"
 imagePullPolicy: IfNotPresent
 name:
 terminationMessagePath: /dev/termination-log
diff --git a/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml b/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml
index 9466cadc4..ef948cdf4 100644
--- a/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml
+++ b/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml
@@ -111,7 +111,7 @@ spec:
 key: trivy.noProxy
 name: trivy-operator-trivy-config
 optional: true
- image: ghcr.io/aquasecurity/trivy:0.35.0
+ image: mirror.gcr.io/aquasec/trivy:0.35.0
 imagePullPolicy: IfNotPresent
 name: wordpress
 terminationMessagePath: /dev/termination-log
@@ -131,7 +131,7 @@ spec:
 - image
 - --download-db-only
 - --db-repository
- - ghcr.io/aquasecurity/trivy-db
+ - mirror.gcr.io/aquasec/trivy-db
 command:
 - trivy
 env:
@@ -159,7 +159,7 @@ spec:
 key: trivy.githubToken
 name: trivy-operator-trivy-config
 optional: true
- image: "ghcr.io/aquasecurity/trivy:0.35.0"
+ image: "mirror.gcr.io/aquasec/trivy:0.35.0"
 imagePullPolicy: IfNotPresent
 name:
 terminationMessagePath: /dev/termination-log
diff --git a/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml b/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml
index 7830e60e0..3b0f023c2 100644
--- a/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml
+++ b/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml
@@ -111,7 +111,7 @@ spec:
 key: trivy.noProxy
 name: trivy-operator-trivy-config
 optional: true
- image: ghcr.io/aquasecurity/trivy:0.35.0
+ image: mirror.gcr.io/aquasec/trivy:0.35.0
 imagePullPolicy: IfNotPresent
 name: nginx
 terminationMessagePath: /dev/termination-log
@@ -131,7 +131,7 @@ spec:
 - image
 - --download-db-only
 - --db-repository
- - ghcr.io/aquasecurity/trivy-db
+ - mirror.gcr.io/aquasec/trivy-db
 command:
 - trivy
 env:
@@ -159,7 +159,7 @@ spec:
 key: trivy.githubToken
 name: trivy-operator-trivy-config
 optional: true
- image: "ghcr.io/aquasecurity/trivy:0.35.0"
+ image: "mirror.gcr.io/aquasec/trivy:0.35.0"
 imagePullPolicy: IfNotPresent
 name:
 terminationMessagePath: /dev/termination-log
diff --git a/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml b/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml
index fb56b69eb..e1ff6d098 100644
--- a/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml
+++ b/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml
@@ -111,7 +111,7 @@ spec:
 key: trivy.noProxy
 name: trivy-operator-trivy-config
 optional: true
- image: ghcr.io/aquasecurity/trivy:0.35.0
+ image: mirror.gcr.io/aquasec/trivy:0.35.0
 imagePullPolicy: IfNotPresent
 name: nginx
 terminationMessagePath: /dev/termination-log
@@ -131,7 +131,7 @@ spec:
 - image
 - --download-db-only
 - --db-repository
- - ghcr.io/aquasecurity/trivy-db
+ - mirror.gcr.io/aquasec/trivy-db
 command:
 - trivy
 env:
@@ -159,7 +159,7 @@ spec:
 key: trivy.githubToken
 name: trivy-operator-trivy-config
 optional: true
- image: "ghcr.io/aquasecurity/trivy:0.35.0"
+ image: "mirror.gcr.io/aquasec/trivy:0.35.0"
 imagePullPolicy: IfNotPresent
 name:
 terminationMessagePath: /dev/termination-log