aquasecurity · EricRoux · Oct 7, 2022 · Oct 7, 2022 · Oct 11, 2022 · Oct 19, 2022
diff --git a/helm/harbor-scanner-trivy/templates/statefulset.yaml b/helm/harbor-scanner-trivy/templates/statefulset.yaml
@@ -69,6 +69,8 @@ spec:
               value: {{ .Values.scanner.trivy.severity | default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" | quote }}
             - name: "SCANNER_TRIVY_IGNORE_UNFIXED"
               value: {{ .Values.scanner.trivy.ignoreUnfixed | default false | quote }}
+            - name: "SCANNER_TRIVY_REPOSITORY"
-            - name: "SCANNER_TRIVY_REPOSITORY"
+            - name: "SCANNER_TRIVY_DB_REPOSITORY"
-            - name: "SCANNER_TRIVY_REPOSITORY"
+            - name: "SCANNER_TRIVY_DB_REPOSITORY"
+              value: {{ .Values.scanner.trivy.repository | default "ghcr.io/aquasecurity/trivy-db" | quote }}
             - name: "SCANNER_TRIVY_TIMEOUT"
               value: {{ .Values.scanner.trivy.timeout | quote }}
             - name: "SCANNER_TRIVY_SKIP_UPDATE"

diff --git a/helm/harbor-scanner-trivy/values.yaml b/helm/harbor-scanner-trivy/values.yaml
@@ -66,6 +66,8 @@ scanner:
     severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
     ## ignoreUnfixed the flag to display only fixed vulnerabilities
     ignoreUnfixed: false
+    ## OCI repository to retrieve trivy-db
+    repository: "ghcr.io/aquasecurity/trivy-db"
     ## timeout the duration to wait for scan completion
     timeout: 5m0s
     ## skipUpdate the flag to enable or disable Trivy DB downloads from GitHub

diff --git a/pkg/etc/config.go b/pkg/etc/config.go
@@ -32,6 +32,7 @@ type Trivy struct {
 	Severity       string        `env:"SCANNER_TRIVY_SEVERITY" envDefault:"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"`
 	IgnoreUnfixed  bool          `env:"SCANNER_TRIVY_IGNORE_UNFIXED" envDefault:"false"`
 	IgnorePolicy   string        `env:"SCANNER_TRIVY_IGNORE_POLICY"`
+	Repository     string        `env:"SCANNER_TRIVY_REPOSITORY"`
 	SkipUpdate     bool          `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"`
 	OfflineScan    bool          `env:"SCANNER_TRIVY_OFFLINE_SCAN" envDefault:"false"`
 	GitHubToken    string        `env:"SCANNER_TRIVY_GITHUB_TOKEN"`

diff --git a/pkg/etc/config_test.go b/pkg/etc/config_test.go
@@ -155,6 +155,7 @@ func TestGetConfig(t *testing.T) {
 				"SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
 				"SCANNER_TRIVY_SEVERITY":        "CRITICAL",
 				"SCANNER_TRIVY_IGNORE_UNFIXED":  "true",
+				"SCANNER_TRIVY_REPOSITORY":      "",
 				"SCANNER_TRIVY_INSECURE":        "true",
 				"SCANNER_TRIVY_SKIP_UPDATE":     "true",
 				"SCANNER_TRIVY_OFFLINE_SCAN":    "true",

diff --git a/pkg/trivy/wrapper.go b/pkg/trivy/wrapper.go
@@ -140,10 +140,14 @@ func (w *wrapper) prepareScanCmd(imageRef ImageRef, outputFile string) (*exec.Cm
 		args = append([]string{"--offline-scan"}, args...)
 	}
 
+	if w.config.Repository != "" {
+		args = append([]string{"--db-repository", w.config.Repository}, args...)
+	}
+
 	if w.config.IgnorePolicy != "" {
 		args = append([]string{"--ignore-policy", w.config.IgnorePolicy}, args...)
 	}
-
+	
 	name, err := w.ambassador.LookPath(trivyCmd)
 	if err != nil {
 		return nil, err

diff --git a/pkg/trivy/wrapper_test.go b/pkg/trivy/wrapper_test.go
@@ -98,6 +98,7 @@ func TestWrapper_Scan(t *testing.T) {
 		Severity:       "CRITICAL,MEDIUM",
 		IgnoreUnfixed:  true,
 		IgnorePolicy:   "/home/scanner/opa/policy.rego",
+		Repository:     "ghcr.io/aquasecurity/trivy-db",
 		SkipUpdate:     true,
 		GitHubToken:    "<github_token>",
 		Insecure:       true,
@@ -118,6 +119,8 @@ func TestWrapper_Scan(t *testing.T) {
 		"image",
 		"--ignore-policy",
 		"/home/scanner/opa/policy.rego",
+		"--db-repository",
+		"ghcr.io/aquasecurity/trivy-db",
 		"--skip-update",
 		"--ignore-unfixed",
 		"--no-progress",