-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(scan): support offline option #1511
Conversation
docs/advanced/air-gap.md
Outdated
### Run Trivy with --skip-update option | ||
In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file. | ||
### Run Trivy with --skip-update and --offline option | ||
In an air-gapped environment, specify `--skip-update` and `--offline` so that Trivy doesn't attempt to download the latest database file and issue any API requests for vulnerability scanning. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would mention that it affects Maven only (as of Dec 2021)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done 558b8b7
docs/getting-started/cli/client.md
Outdated
@@ -22,6 +22,7 @@ OPTIONS: | |||
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT] | |||
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY] | |||
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS] | |||
--offline try to scan without Internet access (default: false) [$TRIVY_OFFLINE] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
description is a bit ambiguous. Some new users may think it's enough to run trivy
in air-gapped environment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any suggestion?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
--offline-scan
is better?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Something like this:
"Do not download extra information about dependencies . Some dependency parsers (like Maven) uses public API to download entire dependency tree. Use this option to disable that behavior"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
--parse-offline
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
or --parse-deps-offline
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. It is a bit long for a help message. I fixed it based on your suggestion. I think it is clear enough to understand this option doesn't affect DB download.
558b8b7
Description
This option allows avoiding Internet access. The results with/without the option may differ. For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't exist in the local repositories. On the other hand, the online mode will resolve those dependencies in the remote repositories. It means the dependencies might be fewer in offline mode.
Supported
Issues
Close #1294
Close #1290
Close #1173
Close #1057
Close #982
Blockers