How To Install Trivy Image Scanning Offline DB On Air-Gapped Harbor in Tanzu Kubernetes Grid Integrated Edition

Article ID: 316851

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

This article provides the instructions for installing the Trivy vulnerability databases for offline image scanning in an air-gapped environment running Tanzu Kubernetes Grid Integrated Edition (TKGI) with a TKGI-deployed Harbor.

Resolution

Download the vulnerability database

Trivy DB v2 is hosted on GHCR (GitHub Container Registry) and can be downloaded with the Trivy CLI.

Once the CLI has been installed on a machine with internet access, download the database:

  • TRIVY_TEMP_DIR=$(mktemp -d)
  • trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
  • tar -czf ./trivydb.tar.gz -C $TRIVY_TEMP_DIR/db/ metadata.json trivy.db
  • rm -rf $TRIVY_TEMP_DIR

The Java database is downloaded in the same way:

  • TRIVY_TEMP_DIR=$(mktemp -d)
  • trivy --cache-dir $TRIVY_TEMP_DIR image --download-java-db-only
  • tar -czf ./javadb.tar.gz -C $TRIVY_TEMP_DIR/java-db metadata.json trivy-java.db
  • rm -rf $TRIVY_TEMP_DIR
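As an added pre-flight check (example script, not part of this article), the following verifies each bundle before it leaves the connected machine: that the tar holds exactly metadata.json and the .db file at the top level, that the metadata reports schema version 2, and that NextUpdate has not already passed. The metadata.json field names and the use of GNU date -d are assumptions about the environment.

```shell
#!/bin/sh
# Added example, not part of the KB article: pre-flight checks for the offline
# Trivy DB bundles (trivydb.tar.gz / javadb.tar.gz) before they are carried into
# the air-gapped environment. Two things silently break offline scanning: a bundle
# whose layout the adapter cannot read (it expects metadata.json and the .db file
# at the top of its db/ or java-db/ directory) and a stale database that will
# miss newer advisories.
set -eu

# Succeed only if the bundle holds exactly metadata.json and the named .db file
# as top-level members, which is the layout the tar commands above create.
check_bundle_contents() {
  actual=$(tar -tf "$1" | sed 's#^\./##' | sort)
  expected=$(printf '%s\n%s\n' metadata.json "$2" | sort)
  [ "$actual" = "$expected" ]
}

# Print the schema version recorded in metadata.json. Assumes the single-line
# JSON that trivy-db v2 writes, e.g. {"Version":2,"NextUpdate":"...",...}.
db_schema_version() {
  sed -n 's/.*"Version":\([0-9][0-9]*\).*/\1/p' "$1"
}

# Succeed only if NextUpdate in metadata.json is still in the future. Scan
# results are only as good as the advisories in the bundle, so one past
# NextUpdate should be re-downloaded rather than transferred. Uses GNU date -d.
db_is_current() {
  next_update=$(sed -n 's/.*"NextUpdate":"\([^"]*\)".*/\1/p' "$1")
  [ -n "$next_update" ] || return 2
  [ "$(date -u -d "$next_update" +%s)" -gt "$(date -u +%s)" ]
}

# Run every check against one bundle, e.g. check_bundle trivydb.tar.gz trivy.db
check_bundle() {
  check_bundle_contents "$1" "$2" || { echo "bad layout: $1" >&2; return 1; }
  meta=$(mktemp)
  tar -xOf "$1" metadata.json > "$meta"
  if [ "$(db_schema_version "$meta")" != "2" ]; then
    echo "unexpected schema version in $1" >&2; rm -f "$meta"; return 1
  fi
  if ! db_is_current "$meta"; then
    echo "database past NextUpdate: $1" >&2; rm -f "$meta"; return 1
  fi
  rm -f "$meta"
  echo "ok: $1"
}
```

Run check_bundle once per bundle (trivydb.tar.gz with trivy.db, javadb.tar.gz with trivy-java.db); a non-zero exit means the bundle should be rebuilt before the transfer step.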

Transfer the database files to the air-gapped Harbor instance

Next, transfer the database files to Harbor.

  • Transfer the two DB tar files, trivydb.tar.gz and javadb.tar.gz, to a VM with access to the BOSH CLI or to the Ops Manager VM
  • Run commands similar to the following to copy the files to the Harbor VM via the BOSH CLI:
    • bosh -d <harbor-deployment> scp trivydb.tar.gz harbor-app/0:/tmp
    • bosh -d <harbor-deployment> scp javadb.tar.gz harbor-app/0:/tmp

Put the DB files in the correct directory with permissions

Next, move the database files to the Harbor persistent disk so that Trivy can access them.

First, SSH to the Harbor VM and become root:

  • bosh -d <harbor-deployment> ssh harbor-app/0
  • sudo -i
  • Ensure that the following folders are not present; if they are, remove them with rm -rf <path>:
    • /var/vcap/store/harbor/trivy-adapter/trivy/db
    • /var/vcap/store/harbor/trivy-adapter/trivy/java-db

For the Trivy database:

  • mkdir /var/vcap/store/harbor/trivy-adapter/trivy/db
  • chown 10000:10000 /var/vcap/store/harbor/trivy-adapter/trivy/db
  • tar xvf /tmp/trivydb.tar.gz -C /var/vcap/store/harbor/trivy-adapter/trivy/db
  • chown 10000:10000 /var/vcap/store/harbor/trivy-adapter/trivy/db/*

Then for the Java DB:

  • mkdir /var/vcap/store/harbor/trivy-adapter/trivy/java-db
  • chown 10000:10000 /var/vcap/store/harbor/trivy-adapter/trivy/java-db
  • tar xvf /tmp/javadb.tar.gz -C /var/vcap/store/harbor/trivy-adapter/trivy/java-db
  • chown 10000:10000 /var/vcap/store/harbor/trivy-adapter/trivy/java-db/*

Finally, run a Trivy scan from inside the trivy-adapter container to confirm that the offline databases are picked up. The --insecure flag disables TLS certificate verification for the registry connection and is only needed when Harbor presents a certificate the container does not trust. The steps are:

  • alias docker='/var/vcap/packages/docker/bin/docker -H unix:///var/vcap/sys/run/docker/dockerd.sock'
  • docker exec -it trivy-adapter bash
  • trivy image --skip-db-update --skip-java-db-update --offline-scan <image> --insecure
  • You can also confirm the Trivy version and the loaded database versions with trivy -v

Additional Information