Install Trivy for Supply Chain Security Tools - Scan (alpha)

This topic describes how you can install SCST - Scan (Trivy) from the VMware package repository.

Caution

This integration is in alpha, which means that it is still in early development by the Tanzu Practice Global Tech Team and might be subject to change at any point. You might encounter unexpected behavior.

Verify the latest alpha package version

List available tags by running:

imgpkg tag list -i projects.registry.vmware.com/tanzu_practice/tap-scanners-package/trivy-repo-scanning-bundle | sort -V

For example:

$ imgpkg tag list -i projects.registry.vmware.com/tanzu_practice/tap-scanners-package/trivy-repo-scanning-bundle | sort -V

0.1.0-alpha.19
0.1.4-alpha.1
0.1.4-alpha.3
0.1.4-alpha.5
0.1.4-alpha.6
0.1.4-alpha.7
0.1.4-alpha.9
0.1.4-alpha.10
0.1.4-alpha.11
0.1.5-alpha.1
0.1.5-alpha.2
0.1.5-alpha.3
0.1.6-alpha.1
0.1.6-alpha.2
0.1.6-alpha.4
0.1.6-alpha.6
0.1.6-alpha.7
0.1.7-alpha.1

Use the latest alpha version available for your version of Tanzu Application Platform.

For example, given the example output if you are using Tanzu Application Platform v1.4, you use 0.1.4-alpha.11.

Move images to a registry

You must relocate the images from tanzu.packages.broadcom.com to your own container image registry before installing.

Note

This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.

VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions. Trivy is in the alpha development phase, is not packaged as part of the Tanzu Application Platform package, and is hosted on tanzu.packages.broadcom.com.

For information about supported registries, see the registry’s documentation.

To move images from the VMware project registry to your registry:

  1. Install Docker if it is not already installed.

  2. Set up environment variables for installation by running:

    export INSTALL_REGISTRY_USERNAME=MY-REGISTRY-USER
    export INSTALL_REGISTRY_PASSWORD=MY-REGISTRY-PASSWORD
    export INSTALL_REGISTRY_HOSTNAME=MY-REGISTRY
    export VERSION=VERSION-NUMBER
    export INSTALL_REPO=TARGET-REPOSITORY
    

    Where:

    • MY-REGISTRY-USER is the user with write access to MY-REGISTRY.
    • MY-REGISTRY-PASSWORD is the password for MY-REGISTRY-USER.
    • MY-REGISTRY is your own registry.
    • VERSION is your Trivy version. For example, 0.1.4-alpha.6.
    • TARGET-REPOSITORY is your target repository, a directory, or a repository on MY-REGISTRY that serves as the location for the installation files for Trivy.
  3. Install the Carvel tool imgpkg CLI. For more information, see Deploying Cluster Essentials v1.4.

  4. Move the images with the imgpkg CLI by running:

    imgpkg copy -b projects.registry.vmware.com/tanzu_practice/tap-scanners-package/trivy-repo-scanning-bundle:${VERSION} \
    --to-repo ${INSTALL_REGISTRY_HOSTNAME}/${INSTALL_REPO}/trivy-repo-scanning-bundle
    
Note

The VMware project repository does not require authentication, so you don’t need to perform a Docker login.

Add Trivy package repository

Tanzu CLI packages are available on repositories. Adding the Trivy scanning package repository makes the Trivy scanning bundle and its packages available for installation.

VMware recommends installing Trivy objects in the existing tap-install namespace to keep Trivy grouped logically with the other Tanzu Application Platform components.

  1. Add the Trivy package repository to the cluster by running:

    tanzu package repository add trivy-scanner-repository \
     --url ${INSTALL_REGISTRY_HOSTNAME}/${INSTALL_REPO}/trivy-repo-scanning-bundle:$VERSION \
     --namespace tap-install
    
  2. Get the status of the Trivy package repository, and ensure that the status updates to Reconcile succeeded, by running:

    tanzu package repository get trivy-scanner-repository --namespace tap-install
    

    For example:

    $ tanzu package repository get trivy-scanner-repository --namespace tap-install
    
    NAME:          trivy-scanner-repository
    VERSION:       7750726
    REPOSITORY:    projects.registry.vmware.com/tanzu_practice/tap-scanners-package/trivy-repo-scanning-bundle
    TAG:           0.1.4-alpha.6
    STATUS:        Reconcile succeeded
    REASON:
    
  3. List the available packages by running:

    tanzu package available list --namespace tap-install
    

    For example:

    $ tanzu package available list --namespace tap-install
    / Retrieving available packages...
     NAME                                                 DISPLAY-NAME                       SHORT-DESCRIPTION
     trivy.scanning.apps.tanzu.vmware.com                   trivy                              Default scan templates using Trivy
    

Prepare Trivy configuration

Before installing Trivy, you must create the configuration for installing Trivy:

  1. Define the --values-file flag to customize the default configuration. You must define the following fields in the values.yaml file for the Trivy Scanner configuration. You can add fields as needed to activate or deactivate behaviors. You can append the values to the values.yaml file. Create a values.yaml file by using the following configuration:

    ---
    namespace: DEV-NAMESPACE
    targetImagePullSecret: TARGET-REGISTRY-CREDENTIALS-SECRET
    targetSourceSshSecret: TARGET-SOURCE-SSH-SECRET
    

    Where:

    • DEV-NAMESPACE is your developer namespace. To use a namespace other than the default namespace, ensure that the namespace exists before you install. If the namespace does not exist, the scanner installation fails.
    • TARGET-REGISTRY-CREDENTIALS-SECRET is the name of the secret that contains the credentials to pull an image from a private registry for scanning.
    • TARGET-SOURCE-SSH-SECRET is the name of the secret containing SSH credentials for cloning private repositories
  2. To see all available values, run the following command with the version that you want:

    VERSION="0.1.4-alpha.6"
    tanzu package available get trivy.scanning.apps.tanzu.vmware.com/$VERSION --values-schema -n tap-install
    

    Example output:

    KEY                                           DEFAULT                                                           TYPE    DESCRIPTION
    environmentVariables                          <nil>                                                             <nil>   Environment Variables you want added to the scan container to impact trivy behavior
    resources.limits.cpu                          1000m                                                             string  Limits describes the maximum amount of cpu resources allowed.
    resources.requests.cpu                        250m                                                              string  Requests describes the minimum amount of cpu resources required.
    resources.requests.memory                     128Mi                                                             string  Requests describes the minimum amount of memory resources
    scanner.docker.server                                                                                           string  <nil>
    scanner.docker.username                                                                                         string  <nil>
    scanner.docker.password                                                                                         string  <nil>
    scanner.pullSecret                                                                                              string  <nil>
    scanner.serviceAccount                        trivy-scanner                                                     string  Name of scan pod's service ServiceAccount
    scanner.serviceAccountAnnotations             <nil>                                                             <nil>   Annotations added to ServiceAccount
    trivy.cli.image.additionalArguments                                                                             string  additional arguments to be appended to the image scan command
    trivy.cli.plugins.aqua.repositoryUrl                                                                            string  location of the aqua plugin tar in an OCI registry to be used in place of the embedded version
    trivy.cli.repositoryUrl                                                                                         string  location of the CLI tar in an OCI registry to be used in place of the embedded version
    trivy.cli.source.additionalArguments                                                                            string  additional arguments to be appended to the fs scan command
    trivy.db.repositoryUrl                                                                                          string  location of the vulnerability database in an OCI registry to be used as the download location prior to running a scan
    caCertSecret                                                                                                    string  Reference to the secret containing the registry ca cert set as ca_cert_data
    metadataStore.authSecret.importFromNamespace                                                                    string  Namespace from which to import the Insight Metadata Store auth_token
    metadataStore.authSecret.name                                                                                   string  Name of deployed Secret with key auth_token
    metadataStore.caSecret.importFromNamespace    metadata-store                                                    string  Namespace from which to import the Insight Metadata Store CA Cert
    metadataStore.caSecret.name                   app-tls-cert                                                      string  Name of deployed Secret with key ca.crt holding the CA Cert of the Insight Metadata Store
    metadataStore.clusterRole                     metadata-store-read-write                                         string  Name of the deployed ClusterRole for read/write access to the Insight Metadata Store deployed in the same cluster
    metadataStore.url                             https://metadata-store-app.metadata-store.svc.cluster.local:8443  string  Url of the Insight Metadata Store
    namespace                                     default                                                           string  Deployment namespace for the Scan Templates
    targetImagePullSecret                                                                                           string  Reference to the secret used for pulling images from private registry
    targetSourceSshSecret                                                                                           string  Reference to the secret containing SSH credentials for cloning private repositories
    

SCST - Store integration

Trivy integration can work with or without the SCST - Store integration. The values.yaml file is slightly different for each configuration.

To persist the results found by the Trivy, enable the SCST - Store integration by appending the SCST - Scan fields to Trivy in the values.yaml file.

The Grype, Snyk, Prisma, and Trivy integrations enable the Metadata Store. To prevent conflicts, the configuration values are slightly different based on whether another scanner integration is installed or not. If Tanzu Application Platform was installed by using the Full Profile, the Grype Scanner integration is installed unless it is explicitly excluded.

Another scanner is installed
When installing Trivy, find your CA secret name and authentication token secret name for your values.yaml by looking at the configuration of an installed scanner in the same namespace as it already exists.

For information about how the scanner was initially created, see Set up multicluster Supply Chain Security Tools (SCST) - Scan 1.0.

The following example values.yaml has other scanners already installed in the same dev-namespace where Trivy is installed:

#! ...
metadataStore:
  #! The url where the Store deployment is accessible.
  #! Default value is: "https://metadata-store-app.metadata-store.svc.cluster.local:8443"
  url: "STORE-URL"
  caSecret:
    #! The name of the secret that contains the ca.crt to connect to the Store Deployment.
    #! Default value is: "app-tls-cert"
    name: "CA-SECRET-NAME"
    importFromNamespace: "" #! since both Trivy and Grype/Snyk both enable store, one must leave importFromNamespace blank
  #! authSecret is for multicluster configurations.
  authSecret:
    #! The name of the secret that contains the auth token to authenticate to the Store Deployment.
    name: "AUTH-SECRET-NAME"
    importFromNamespace: "" #! since both Trivy and Grype/Snyk both enable store, one must leave importFromNamespace blank

Where:

  • STORE-URL is the URL where the Store deployment is accessible.
  • CA-SECRET-NAME is the name of the secret that contains the ca.crt to connect to the Store Deployment. The default is app-tls-cert.
  • AUTH-SECRET-NAME is the name of the secret that contains the authentication token to authenticate to the Store Deployment.
No other scanner is installed
For a walkthrough of creating and exporting secrets for the Metadata Store CA and authentication token which referenced in the data values, see Set up multicluster Supply Chain Security Tools (SCST) - Scan 1.0.

The following example values.yaml has no other scanner integrations installed in the same dev-namespace where Trivy is installed:

#! ...
metadataStore:
  #! The url where the Store deployment is accessible.
  #! Default value is: "https://metadata-store-app.metadata-store.svc.cluster.local:8443"
  url: "STORE-URL"
  caSecret:
    #! The name of the secret that contains the ca.crt to connect to the Store Deployment.
    #! Default value is: "app-tls-cert"
    name: "CA-SECRET-NAME"
    #! The namespace where the secrets for the Store Deployment live.
    #! Default value is: "metadata-store"
    importFromNamespace: "STORE-SECRETS-NAMESPACE"
  #! authSecret is for multicluster configurations.
  authSecret:
    #! The name of the secret that contains the auth token to authenticate to the Store Deployment.
    name: "AUTH-SECRET-NAME"
    #! The namespace where the secrets for the Store Deployment live.
    importFromNamespace: "STORE-SECRETS-NAMESPACE"

Where:

  • STORE-URL is the URL where the Store deployment is accessible.
  • CA-SECRET-NAME is the name of the secret that contains the ca.crt to connect to the Store Deployment. Default is app-tls-cert.
  • STORE-SECRETS-NAMESPACE is the namespace where the secrets for the Store Deployment live. Default is metadata-store.
  • AUTH-SECRET-NAME is the name of the secret that contains the authentication token to authenticate to the Store Deployment.
Deactivate store integration
If you do not want to enable the SCST - Store integration, deactivate the integration by appending the following field in the values.yaml file that is enabled by default:
# ...
metadataStore:
  url: "" # Deactivate Supply Chain Security Tools - Store integration

Prepare the ScanPolicy

The following sample ScanPolicy allows you to control whether SupplyChain passes or fails based on the CycloneDX vulnerability results returned from the Trivy.

---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
   name: trivy-scan-policy
   labels:
      app.kubernetes.io/part-of: enable-in-gui
spec:
   regoFile: |
      package main

      import future.keywords.in
      import future.keywords.every

      # Accepted Values: "critical", "high", "medium", "low", unknown"
      notAllowedSeverities := ["critical", "high", "unknown"]
      notAllowedSet := {x | x := notAllowedSeverities[_]}
      ignoreCves := []

      isSafe(match) {
        severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity }
        every severity in severities {
            not severity in notAllowedSet
        }
      }

      isIgnored(match) {
        match.id in ignoreCves
      }

      deny[msg] {
        notAllowedVulnerabilities := { vulnerability |
          vulnerabilities := {e | e := input.bom.vulnerabilities.vulnerability} | {e | e := input.bom.vulnerabilities.vulnerability[_]}
          some vulnerability in vulnerabilities
          not isIgnored(vulnerability)
          not isSafe(vulnerability)
        }
        formattedVulnerabilityMessages := { message |
          some vulnerability in notAllowedVulnerabilities
          ratings := {e | e := vulnerability.ratings.rating.severity} | {e | e := vulnerability.ratings.rating[_].severity}
          formattedRatings := concat(", ", ratings)
          affectedComponents := {e | e := vulnerability.affects.target.ref} | {e | e := vulnerability.affects.target[_].ref}
          formattedComponents := concat("\\n", affectedComponents)
          message = sprintf("CVE: %s \\nRatings: %s\\nAffected Components: \\n%s", [vulnerability.id, formattedRatings, formattedComponents])
        }
        some formattedVulnerabilityMessage in formattedVulnerabilityMessages
        msg := formattedVulnerabilityMessage
      }

To prepare ScanPolicy, run:

kubectl apply -n $DEV-NAMESPACE -f SCAN-POLICY-YAML-FILE

Where:

  • DEV-NAMESPACE is the name of the developer namespace you want to use.
  • SCAN-POLICY-YAML-FILE is the name of your SCST - Scan YAML file.

Install Trivy

After the following prerequisites are completed, install the Trivy:

Air-gapped configuration

This section explains how to configure Trivy in an air-gapped environment.

For information about additional flags and configuration, see Air-Gapped Environment in the Trivy documentation.

Move a Trivy database to your registry

If you have a host with access, you can use the ORAS CLI to perform a copy by running:

oras copy -r ghcr.io/aquasecurity/trivy-db:2 registry.company.com/project_name/trivy-db:2 # the tag of 2 is required

Copying 4a39b38cf2fd db.tar.gz
Copied  4a39b38cf2fd db.tar.gz
Copied ghcr.io/aquasecurity/trivy-db:2 => registry.company.com/project_name/trivy-db:2
Digest: sha256:ed57874a80499e858caac27fc92e4952346eb75a2774809ee989bcd2ce48897a
Caution

Using a relocated database means you are taking responsibility for keeping it up to date to ensure that security scans are relevant. Stale databases weaken your security posture.

If you do not have a host with access, you can use the ORAS CLI to download the database and manifest and then push to your registry:

  1. Download the trivy-db by running:

    oras pull ghcr.io/aquasecurity/trivy-db:2
    

    Example output:

    $ oras pull ghcr.io/aquasecurity/trivy-db:2
    Downloading 1612cc15d377 db.tar.gz
    Downloaded  1612cc15d377 db.tar.gz
    Pulled ghcr.io/aquasecurity/trivy-db:2
    Digest: sha256:af903c7ddbe7516f18b06254b6297cf53c0ece918def07322925c71d2f694860
    
  2. Download the manifest for trivy-db by running:

    oras manifest fetch ghcr.io/aquasecurity/trivy-db:2 > trivy-db-manifest.json
    
  3. Add the media type to the manifest by running:

    jq '.mediaType="application/vnd.oci.image.manifest.v1+json"' trivy-db-manifest.json > updated-trivy-db-manifest.json
    
  4. Push the downloaded trivy-db to your registry by running:

    oras push registry.company.com/project_name/trivy-db:2 ./db.tar.gz
    

    Example output:

    oras push registry.company.com/project_name/trivy-db:2 \
    ./db.tar.gz
    
    Uploading 1612cc15d377 db.tar.gz
    Uploaded  1612cc15d377 db.tar.gz
    Pushed registry.company.com/project_name/trivy-db:2
    Digest: sha256:41a7eeab8837e90d8a5afd56cfce73936e15d3db04c5294f992ecff9492971dc
    
  5. Push the updated trivy-db manifest to your registry by running:

    oras manifest push registry.company.com/project_name/trivy-db:2 updated-trivy-db-manifest.json
    

    Example output:

    oras manifest push registry.company.com/project_name/trivy-db:2 updated-trivy-db-manifest.json
    Pushed registry.company.com/project_name/trivy-db:2
    Digest: sha256:b51a2fccf38e723aac1a7217ba36ca52398b2b20e3d74c9d5089dfdcd9bb2f11
    
  6. Clean up files by running:

    rm trivy-db-manifest.json updated-trivy-db-manifest.json db.tar.gz
    
  7. Update data values with the database repository URL by adding this YAML to values.yaml:

    trivy:
      db:
        repositoryUrl: "registry.company.com/project_name/trivy-db"
    

    The URL omits the tag 2.

Use another Trivy version

This section describes how to use a different Trivy CLI version than what is bundled with the package. To use another Trivy version:

  1. Install the ORAS CLI by following steps in the ORAS documentation.

  2. Download the CLI version that you want from the GitHub releases page.

    For example, by running:

    $ wget -c https://github.com/aquasecurity/trivy/releases/download/v0.36.0/trivy_0.36.0_Linux-64bit.tar.gz -O trivy.tar.gz
    Length: 48363295 (46M) [application/octet-stream]
    Saving to: ‘trivy.tar.gz’
    
    trivy.tar.gz 100%[==>]  46.12M  50.7MB/s    in 0.9s
    
    2023-01-25 10:47:55 (50.7 MB/s) - ‘trivy.tar.gz’ saved [48363295/48363295]
    
  3. Move the CLI to your registry by running:

    oras push registry.company.com/project_name/trivy-cli:0.36.0 \
    --artifact-type trivy/cli \
    ./trivy.tar.gz:application/gzip
    
    Uploading 121f4d8282aa trivy.tar.gz
    Uploaded  121f4d8282aa trivy.tar.gz
    Pushed registry.company.com/project_name/trivy-cli:0.36.0
    Digest: sha256:5bdb18378e8f66a72f4bef4964edeccfcc2f21883e7a6caca6dbf7a3d7233696
    
  4. Edit your values.yaml to add the location of your CLI:

    trivy:
      cli:
        repositoryUrl: "registry.company.com/project_name/trivy-cli:0.36.0"
    

Use another Trivy Aqua plug-in version

Trivy Aqua plug-in enables Aqua SaaS integration with your Trivy scans. To use another Trivy Aqua plug-in version:

  1. Install the ORAS CLI by following steps in the ORAS documentation.

  2. Download the version of Trivy Aqua plug-in you want from the GitHub releases page.

    For example, v0.115.14 in GitHub:

    TRIVY-AQUA-PLUGIN-VERSION="v0.115.6"
    wget -c "https://github.com/aquasecurity/trivy-plugin-aqua/releases/download/${TRIVY-AQUA-PLUGIN-VERSION}/linux_amd64_${TRIVY-AQUA-PLUGIN-VERSION}.tar.gz" -O trivy-aqua-plugin.tar.gz
    
    --2023-01-30 10:44:05--  https://github.com/aquasecurity/trivy-plugin-aqua/releases/download/v0.115.6/linux_amd64_v0.115.6.tar.gz
    HTTP request sent, awaiting response... 200 OK
    Length: 50915539 (49M) [application/octet-stream]
    Saving to: ‘trivy-aqua-plugin.tar.gz’
    
    trivy-aqua-plugin.tar.gz 100%[==>]  48.56M  35.3MB/s    in 1.4s
    
    2023-01-30 10:44:07 (35.3 MB/s) - ‘trivy-aqua-plugin.tar.gz’ saved [50915539/50915539]
    
  3. The YAML file is a necessary component for telling Trivy that it has the plug-in already installed. Download the plugin.yml file associated with Trivy Aqua plug-in version you downloaded by running:

    TRIVY-AQUA-PLUGIN-VERSION="v0.115.6"
    wget -c "https://raw.githubusercontent.com/aquasecurity/trivy-plugin-aqua/${TRIVY-AQUA-PLUGIN-VERSION}/plugin.yaml" -O plugin.yaml
    
    --2023-01-30 10:46:32--  https://raw.githubusercontent.com/aquasecurity/trivy-plugin-aqua/v0.115.6/plugin.yaml
    HTTP request sent, awaiting response... 200 OK
    Length: 909 [text/plain]
    Saving to: ‘plugin.yaml’
    plugin.yaml 100%[==>]     909  --.-KB/s    in 0s
    
    2023-01-30 10:46:32 (54.2 MB/s) - ‘plugin.yaml’ saved [909/909]
    
  4. Move the plug-in and YAML to your registry by running:

    TRIVY-AQUA-PLUGIN-VERSION="v0.115.6"
    REPOSITORY-URL="registry.company.com/project_name/trivy-aqua-plugin:$TRIVY-AQUA-PLUGIN-VERSION"
    
    oras push ${REPOSITORY-URL} \
    --artifact-type trivy/aqua-plugin \
    ./trivy-aqua-plugin.tar.gz:application/gzip \
    ./plugin.yaml:text/yaml
    
    Uploading 6fb65adbfde2 plugin.yaml
    Uploading 7340855e31ff trivy-aqua-plugin.tar.gz
    Uploaded  6fb65adbfde2 plugin.yaml
    Uploaded  7340855e31ff trivy-aqua-plugin.tar.gz
    Pushed registry.company.com/project_name/trivy-aqua-plugin:v0.115.6
    Digest: sha256:791274e44b97fad98edf570205fddc1b0bc21c56d3d54565ad9475fd4da969ae
    

    Where:

    • TRIVY-AQUA-PLUGIN-VERSION is the version of Trivy Aqua plug-in you are using.
    • REPOSITORY-URL is the repository where you want to relocate the plug-in.
  5. Edit your values.yaml to add the location of your CLI as follows:

    trivy:
      plugins:
        aqua:
          repositoryUrl: "registry.company.com/project_name/trivy-aqua-plugin:v0.115.6"
    

Integrate with the Aqua SaaS platform

To integrate with the Aqua SaaS platform:

  1. To connect to the SaaS Platform you must have an API key. To create an API key:

    1. Log in to Aqua SaaS.
    2. Enter CSPM.
    3. Click Settings > API Keys.
    4. Click Generate Key.
    5. Save the information for the next steps.
  2. To integrate with the Aqua SaaS Platform you must have an API key. You pass this to the scanner through environment variables, referenced in a secret. Create an auth secret similar to this one:

    apiVersion: v1
    kind: Secret
    metadata:
      name: aqua-creds
      namespace: APP-NAMESPACE
    stringData:
      aqua-key: API-KEY
      aqua-secret: API-KEY-SECRET
    

    Where:

    • APP-NAMESPACE is the developer namespace your app uses.
    • API-KEY is the Aqua Platform API key.
    • API-KEY-SECRET is the Aqua Platform API key’s Secret.
  3. Set environment variables to tell Trivy to connect and report to Aqua SaaS. You can find plug-in options in the README file in GitHub.

    Here is an example of referencing your API key and secret from a Kubernetes Secret created earlier:

    namespace: dev
    targetImagePullSecret: registry-credentials
    environmentVariables:
      - name: TRIVY-RUN-AS-PLUGIN
        value: aqua
      - name: AQUA-KEY
        valueFrom:
          secretKeyRef:
            name: aqua-creds
            key: aqua-key
      - name: AQUA-SECRET
        valueFrom:
          secretKeyRef:
            name: aqua-creds
            key: aqua-secret
    

    Where:

    • TRIVY-RUN-AS-PLUGIN is the Trivy plug-in you want to enable without using the subcommand.
    • AQUA-KEY is the Aqua Platform API key.
    • AQUA-SECRET is the Aqua Platform API key’s Secret.

Self-signed registry certificate

You need additional configuration when attempting to pull an image from a registry with a self-signed certificate during image scans:

  1. If your tap-values.yaml file used during installation has the following shared section filled in, Trivy uses this section to connect to your registry without additional configuration. Use the following YAML with a Tanzu Application Platform values shared CA:

    shared:
      ca_cert_data: | # To be passed if using custom certificates.
          -----BEGIN CERTIFICATE-----
          MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY...
          -----END CERTIFICATE-----
    
  2. Create a secret that holds the registry’s CA certificate data. For example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: trivy-registry-cert
      namespace: dev
    type: Opaque
    data:
      ca_cert_data: BASE64_CERT
    
  3. Add caCertSecret to the root of trivy-values.yaml to update your Trivy installation. For example:

    namespace: dev
    targetImagePullSecret: tap-registry
    caCertSecret: trivy-registry-cert
    
check-circle-line exclamation-circle-line close-line
Scroll to top icon