Skip to content

Enable Image Security Scanning in Offline Environment

Trivy uses the admin account to pull the images for scanning. Before using it, ensure that you can perform docker login using the admin account.

Download Offline Image Package

There are two versions of trivy, and currently, both require downloading version 2. Version 2 is no longer available in the https://github.com/aquasecurity/trivy-db project. You can directly download the offline trivy-db package, which is packaged as an oci package.

Use the oras tool to download it. First, install oras. Please note the following commands are for the linux platform:

export VERSION="1.0.0"
$ curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
$ mkdir -p oras-install/
$ tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
$ sudo mv oras-install/oras /usr/local/bin/
$ rm -rf oras_${VERSION}_*.tar.gz oras-install/

Next, use the oras tool to download trivy-db:

$ oras pull ghcr.io/aquasecurity/trivy-db:2
db.tar.gz
$ tar -zxf db.tar.gz
# After extraction, you will have two files
db/metadata.json
db/trivy.db

Enable Offline Scan in Managed Harbor

Modify trivy with command

Run the following command to edit YAML for Kubernetes cluster where Harbor is hosted:

$ kubectl -n {namespace} edit harborclusters.goharbor.io {harbor-name}
# Modify trivy offlineScan and skipUpdate to true
trivy:
    offlineScan: true
    skipUpdate: true

Modify CRD YAML on UI

edit-harborcluster

  1. Click Clusters, select a cluster and click CRDs.
  2. Select the resource harborcluster.
  3. Enter the namespace where the managed Harbor is located.
  4. Select YAML.
  5. Choose the version v1beta1.
  6. Edit YAML:
trivy:
    offlineScan: true
    skipUpdate: true

Upload trivy.db and metadata.json Files

Create the corresponding directory /home/scanner/.cache/trivy/db in the trivy pod

  1. Go to Clusters, click the proper cluster name.
  2. Enter the namespace where Harbor is hosted.
  3. Locate the trivy workload.
  4. Click Console to enter the container (if there are multiple replicas, set it for each replica).
  5. Once inside the container, execute cd /home/scanner/.cache/trivy.
  6. Run mkdir db to create the directory.

After creating the directory, upload the offline package

  1. Go to Clusters, click the proper cluster name.
  2. Enter the namespace where Harbor is hosted.
  3. Locate the trivy workload.
  4. Click Upload File.
  5. In the popup window, enter the upload path as /home/scanner/.cache/trivy/db and click OK.
  6. You will be taken to the file selection page. Upload the trivy.db and metadata.json files respectively.

Comments