Download the vulnerability database 

You must manually download the vulnerability database for use in air-gapped environments. Go to trivy-db and download trivy-offline.db.tgz in the latest release. If you download trivy-light-offline.db.tgz, you have to run Trivy with --light option.

wget https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz

Transfer the DB file into the air-gapped environment

• Transfer the DB file to a VM with access to Bosh CLI or the OpsMan VM
• Run a command similar to the following to copy the file to the Harbor VM via the bosh CLI:

bosh -d <HARBOR_SERVICE_INSTANCE> scp ~/Downloads/trivy-offline.db.tgz harbor-app/<UUID>:/tmp/trivy-offline.db.tgz

Put the DB file in Trivy's cache directory with permissions

Issue commands similar to the following:

bosh -d <HARBOR_SERVICE_INSTANCE> ssh harbor-app/<UUID>
sudo -i
mkdir -p /var/vcap/store/harbor/trivy-adapter/trivy/db/
mv /tmp/trivy-offline.db.tgz /var/vcap/store/harbor/trivy-adapter/trivy/db/trivy-offline.db.tgz
cd /var/vcap/store/harbor/trivy-adapter/trivy/db/
tar xvf trivy-offline.db.tgz
rm trivy-offline.db.tgz
chown 10000:10000 -R /data/trivy-adapter/trivy/db
chmod 700 /data/trivy-adapter/trivy/db $ chmod 644 /data/trivy-adapter/trivy/db/*

Note: In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities.

Run Trivy with --skip-update option

In an air-gapped environment, specify --skip-update so that Trivy doesn't attempt to download the latest database file:

trivy image --skip-update alpine:3.12

Trivy Air-gap docs

Trivy Releases

Configure Trivy Scanner