feat!: add clean subcommand #6993

Merged
merged 13 commits into from
Jun 25, 2024
2 changes: 1 addition & 1 deletion .github/DISCUSSION_TEMPLATE/bugs.yml
Expand Up @@ -116,7 +116,7 @@ body:
label: Checklist
description: Have you tried the following?
options:
- label: Run `trivy image --reset`
- label: Run `trivy clean --all`
- label: Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
- type: markdown
attributes:
13 changes: 7 additions & 6 deletions docs/docs/configuration/cache.md
Expand Up @@ -9,24 +9,25 @@ The cache directory includes
The cache option is common to all scanners.

## Clear Caches
The `--clear-cache` option removes caches.

**The scan is not performed.**
`trivy clean` subcommand removes caches.

```
$ trivy image --clear-cache
$ trivy clean --scan-cache
```

<details>
<summary>Result</summary>

```
2019-11-15T15:13:26.209+0200 INFO Reopening vulnerability DB
2019-11-15T15:13:26.209+0200 INFO Removing image caches...
2024-06-21T21:58:21+04:00 INFO Removing scan cache...
```

</details>

If you want to delete cached vulnerability databases, use `--vuln-db`.
You can also delete all caches with `--all`.
See `trivy clean --help` for details.

## Cache Directory
Specify where the cache is stored with `--cache-dir`.

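Review bot: the new sentence that replaces "The `--clear-cache` option removes caches." drops the article; write "The `trivy clean` subcommand removes caches." to match the surrounding prose. The follow-up paragraph names only `--vuln-db` and `--all`, while trivy_clean.md in this same PR also documents `--java-db`, `--checks-bundle` and `--scan-cache`; listing all of them here, one per line as the Examples block in trivy_clean.md does, saves readers a trip to `--help`. Dropping "**The scan is not performed.**" is right, since `clean` is now a separate command rather than a flag on a scan.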
6 changes: 4 additions & 2 deletions docs/docs/configuration/db.md
Expand Up @@ -78,8 +78,10 @@ $ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-produ
`java-db-registry:latest` => `java-db-registry:latest`, but `java-db-registry` => `java-db-registry:1`.

## Remove DBs
The `--reset` flag removes all caches and databases.
"trivy clean" command removes caches and databases.

```
$ trivy image --reset
$ trivy clean --vuln-db --java-db
2024-06-24T11:42:31+06:00 INFO Removing vulnerability database...
2024-06-24T11:42:31+06:00 INFO Removing Java database...
```
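Review bot: `"trivy clean" command removes caches and databases.` uses straight quotes where the rest of these docs use backticks, and the section is titled "Remove DBs" while the example removes only the two databases; suggest `The \`trivy clean\` command removes the databases:` followed by the `--vuln-db --java-db` example, with a pointer to `--all` (documented in cache.md) for removing everything.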
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy.md
Expand Up @@ -43,6 +43,7 @@ trivy [global flags] command [flags] target

### SEE ALSO

* [trivy clean](trivy_clean.md) - Remove cached files
* [trivy config](trivy_config.md) - Scan config files for misconfigurations
* [trivy convert](trivy_convert.md) - Convert Trivy JSON report into a different format
* [trivy filesystem](trivy_filesystem.md) - Scan local filesystem
50 changes: 50 additions & 0 deletions docs/docs/references/configuration/cli/trivy_clean.md
@@ -0,0 +1,50 @@
## trivy clean

Remove cached files

```
trivy clean [flags]
```

### Examples

```
# Remove all caches
$ trivy clean --all

# Remove scan cache
$ trivy clean --scan-cache

# Remove vulnerability database
$ trivy clean --vuln-db

```

### Options

```
-a, --all remove all caches
--checks-bundle remove checks bundle
-h, --help help for clean
--java-db remove Java database
--scan-cache remove scan cache (container and VM image analysis results)
--vuln-db remove vulnerability database
```

### Options inherited from parent commands

```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

### SEE ALSO

* [trivy](trivy.md) - Unified security scanner

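Review bot: the Examples block covers `--all`, `--scan-cache` and `--vuln-db` but not `--java-db` or `--checks-bundle`, and it carries a stray blank line before its closing fence; since this file is generated from the cobra command definition, adding the two missing flags to the command's Example text keeps the reference in step with the Options list. It would also help to state in the command's long description what `trivy clean` with no flags does, because nothing on this page says whether that is a no-op or an error.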
2 changes: 0 additions & 2 deletions docs/docs/references/configuration/cli/trivy_config.md
Expand Up @@ -14,7 +14,6 @@ trivy config [flags] DIR
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
Expand Down Expand Up @@ -45,7 +44,6 @@ trivy config [flags] DIR
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--report string specify a compliance report format for the output (all,summary) (default "all")
--reset-checks-bundle remove checks bundle
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-check-update skip fetching rego check updates
--skip-dirs strings specify the directories or glob patterns to skip
3 changes: 0 additions & 3 deletions docs/docs/references/configuration/cli/trivy_filesystem.md
Expand Up @@ -24,7 +24,6 @@ trivy filesystem [flags] PATH
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
Expand Down Expand Up @@ -71,8 +70,6 @@ trivy filesystem [flags] PATH
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--report string specify a compliance report format for the output (all,summary) (default "all")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
3 changes: 0 additions & 3 deletions docs/docs/references/configuration/cli/trivy_image.md
Expand Up @@ -38,7 +38,6 @@ trivy image [flags] IMAGE_NAME
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate (docker-cis)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
Expand Down Expand Up @@ -92,8 +91,6 @@ trivy image [flags] IMAGE_NAME
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine)
--report string specify a format for the compliance report. (all,summary) (default "summary")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
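Review bot: removing `--reset` and `--reset-checks-bundle` here (and `--clear-cache` in the previous hunk) is the breaking part of this `feat!` PR, and cobra will now reject the old flags with a generic unknown-flag error; a release note or a migration line in the docs mapping `--reset` to `trivy clean --all`, `--clear-cache` to `trivy clean --scan-cache` and `--reset-checks-bundle` to `trivy clean --checks-bundle` would spare users whose CI scripts and scheduled jobs still pass them.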
3 changes: 0 additions & 3 deletions docs/docs/references/configuration/cli/trivy_kubernetes.md
Expand Up @@ -34,7 +34,6 @@ trivy kubernetes [flags] [CONTEXT]
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate (k8s-nsa,k8s-cis,k8s-pss-baseline,k8s-pss-restricted)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
Expand Down Expand Up @@ -87,8 +86,6 @@ trivy kubernetes [flags] [CONTEXT]
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--report string specify a report format for the output (all,summary) (default "all")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
3 changes: 0 additions & 3 deletions docs/docs/references/configuration/cli/trivy_repository.md
Expand Up @@ -24,7 +24,6 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--commit string pass the commit hash to be scanned
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
Expand Down Expand Up @@ -70,8 +69,6 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
3 changes: 0 additions & 3 deletions docs/docs/references/configuration/cli/trivy_rootfs.md
Expand Up @@ -27,7 +27,6 @@ trivy rootfs [flags] ROOTDIR
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--custom-headers strings custom headers in client mode
Expand Down Expand Up @@ -72,8 +71,6 @@ trivy rootfs [flags] ROOTDIR
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
2 changes: 0 additions & 2 deletions docs/docs/references/configuration/cli/trivy_sbom.md
Expand Up @@ -22,7 +22,6 @@ trivy sbom [flags] SBOM_PATH
```
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--compliance string compliance report to generate
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
Expand All @@ -49,7 +48,6 @@ trivy sbom [flags] SBOM_PATH
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,license) (default [vuln])
--server string server address in client mode
2 changes: 0 additions & 2 deletions docs/docs/references/configuration/cli/trivy_server.md
Expand Up @@ -22,7 +22,6 @@ trivy server [flags]
```
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--download-db-only download/update vulnerability database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
Expand All @@ -36,7 +35,6 @@ trivy server [flags]
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
3 changes: 0 additions & 3 deletions docs/docs/references/configuration/cli/trivy_vm.md
Expand Up @@ -24,7 +24,6 @@ trivy vm [flags] VM_IMAGE
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
Expand Down Expand Up @@ -62,8 +61,6 @@ trivy vm [flags] VM_IMAGE
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
4 changes: 2 additions & 2 deletions docs/docs/references/troubleshooting.md
Expand Up @@ -264,10 +264,10 @@ $ brew install aquasecurity/trivy/trivy
## Others
### Unknown error

Try again with `--reset` option:
Try again after running `trivy clean --all`:

```
$ trivy image --reset
$ trivy clean --all
```

[air-gapped]: ../advanced/air-gap.md
2 changes: 0 additions & 2 deletions docs/tutorials/integrations/gitlab-ci.md
Expand Up @@ -85,8 +85,6 @@ container_scanning:
FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
script:
- trivy --version
# cache cleanup is needed when scanning images with the same tags, it does not remove the database
- time trivy image --clear-cache
# update vulnerabilities db
- time trivy image --download-db-only
# Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
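Review bot: the removed comment explained that the cleanup is needed when scanning images that reuse the same tag, and that need does not go away with the flag; unless the runner is known to start with an empty cache, replace the step with `- time trivy clean --scan-cache` under the same comment instead of deleting it, so a re-tagged image is not served stale analysis results from the cache.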
39 changes: 5 additions & 34 deletions pkg/cache/client.go
Expand Up @@ -20,11 +20,6 @@ const (
TypeRedis Type = "redis"
)

type Client struct {
dir string
Cache
}

type Type string

type Options struct {
Expand Down Expand Up @@ -115,9 +110,8 @@ func NewType(backend string) (Type, error) {
}
}

// NewClient returns a new cache client
func NewClient(dir string, opts Options) (*Client, error) {
client := &Client{dir: dir}
// New returns a new cache client
func New(dir string, opts Options) (Cache, error) {
if opts.Type == TypeRedis {
log.Info("Redis cache", log.String("url", opts.Redis.BackendMasked()))
options, err := redis.ParseURL(opts.Redis.Backend)
Expand All @@ -142,38 +136,15 @@ func NewClient(dir string, opts Options) (*Client, error) {
}
}

client.Cache = NewRedisCache(options, opts.TTL)
return client, nil
return NewRedisCache(options, opts.TTL), nil
}

// standalone mode
var err error
client.Cache, err = NewFSCache(dir)
fsCache, err := NewFSCache(dir)
if err != nil {
return nil, xerrors.Errorf("unable to initialize fs cache: %w", err)
}
return client, nil
}

// Reset resets the cache
func (c *Client) Reset() error {
log.Info("Removing all caches...")
if err := c.Clear(); err != nil {
return xerrors.Errorf("failed to remove the cache: %w", err)
}
if err := os.RemoveAll(c.dir); err != nil {
return xerrors.Errorf("failed to remove the directory (%s) : %w", c.dir, err)
}
return nil
}

// ClearArtifacts clears the artifact cache
func (c *Client) ClearArtifacts() error {
log.Info("Removing artifact caches...")
if err := c.Clear(); err != nil {
return xerrors.Errorf("failed to remove the cache: %w", err)
}
return nil
return fsCache, nil
}

// GetTLSConfig gets tls config from CA, Cert and Key file
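Review bot: the deleted `Reset` called `c.Clear()` before `os.RemoveAll(c.dir)`, so with a Redis backend it also emptied the remote cache, and `ClearArtifacts` covered the same case; the replacement lives in the new clean subcommand, which is not in this diff, and the "Options inherited from parent commands" block in trivy_clean.md lists no `--cache-backend` flag, so please confirm that `trivy clean --scan-cache` still clears a Redis-backed scan cache, or document that it removes only the local cache directory.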