Allow configuring HTTP proxy with Trivy scanner #84
Comments
Thank you for reporting this @larssb. I did check on my end and cannot reproduce it anymore. It looks like a temporary issue with GitHub release page from which Trivy downloads the Trivy DB artifact. Could you confirm that you still have the same problem?
Bummer 👎 ... :-) I still get the same error. It could easily be something on my side. Network wise. Company proxy or the like. However, pointers on how-to troubleshoot this would be highly regarded. Thank you
Tried with a cntlm proxy. To ensure proper authentication when required by our company proxy. This works with git, when required. But for starboard the issue remains.
I'd first make sure that you can download Trivy DB from GitHub and run maybe Trivy directly, without Starboard:
Hi @danielpacak.
Apparently because of this issue I'll see if I can get around the WSL issue somehow. I'll get back to this.
Circumvented the WSL issue for a moment by using
Using trivy directly on Windows. It's the same error:
Any tips for pin-pointing the culprit here? Thank you @danielpacak
LTM as some networking issue. I see that you're running behind a corporate proxy. Have you tried setting HTTP_PROXY or HTTPS_PROXY envs? First we need to resolve the issue of running standalone trivy in your env:
Also make sure that you can download trivy-db artifacts with curl or wget:
Thank you @danielpacak I've now tried out your suggestions. I can use trivy directly by sending/setting an environment variable with the So as I see it. The question that remains is. How can one specify the proxy that trivy should use when starboard is used. Executing Thank you.
Starboard does not support specifying HTTP(S) proxy for Trivy. We have to implement that. It's somehow related to general topic of how we configure Starboard and other scanners. Let me think about it and I'll comment in this thread or create a follow up issue.
Sure @danielpacak .. I'll happily let you think about this. Sounds good. I'll use trivy for now directly. And then see and go from there. It's likely not going to be an issue using starboard on our CI/CD platform. However, it would really be wonderful and useful to be able to use starboard locally. Thank you and looking forward to your thoughts.
@larssb We have recently introduced a generic configuration map for Starboard CLI, which is created on init. So far it was only used by Polaris, but now we can use it to configure scanners by adding well known keys to the ConfigMap:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/managed-by: starboard
  name: starboard
  namespace: starboard
data:
  trivy.httpProxy: http://somehost:8080
  trivy.severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
  # ...
```

So the workflow would be:
NB I renamed this issue to reflect the latest status and the problem that we're trying to solve
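An added example, not part of the thread and not Starboard's own code: one way a tool could turn the `trivy.httpProxy` key into the `HTTP_PROXY` variable that Trivy honours, while refusing malformed values and proxy URLs that embed credentials, since ConfigMap data is readable by anyone with read access to the namespace. The helper name `TrivyProxyEnv` and the sample values are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// proxyKey is the ConfigMap key discussed in this thread.
const proxyKey = "trivy.httpProxy"

// TrivyProxyEnv is a hypothetical helper. It maps ConfigMap data to the
// environment entry for a Trivy process. Errors never echo the raw value,
// so a mistyped credential does not end up in logs.
func TrivyProxyEnv(data map[string]string) ([]string, error) {
	raw := strings.TrimSpace(data[proxyKey])
	if raw == "" {
		return nil, nil // key unset: the scanner connects directly
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, errors.New(proxyKey + ": not a valid URL")
	}
	// "somehost:8080" parses with scheme "somehost", so it is caught here.
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, errors.New(proxyKey + ": scheme must be http or https")
	}
	if u.Hostname() == "" {
		return nil, errors.New(proxyKey + ": missing proxy host")
	}
	if u.User != nil {
		return nil, errors.New(proxyKey + ": credentials do not belong in a ConfigMap")
	}
	return []string{"HTTP_PROXY=" + u.String()}, nil
}

func main() {
	// Constructed sample values, not taken from a real cluster.
	samples := []string{"http://somehost:8080", "somehost:8080",
		"http://user:pw@somehost:8080", ""}
	for _, s := range samples {
		env, err := TrivyProxyEnv(map[string]string{proxyKey: s})
		fmt.Printf("%q -> env=%v err=%v\n", s, env, err)
	}
}
```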
Some people might run their (dev) clusters behind the proxy. It is possible to set the HTTP_PROXY environment variable when using Trivy directly. This commit makes it possible to use Starboard CLI and pass proxy config to Trivy by setting the trivy.httpProxy configuration parameter before you run the starboard find vulnerabilities command.

$ starboard init
$ kubectl patch configmap starboard -n starboard \
    --type merge \
    -p '{"data": {"trivy.httpProxy":"http://your-proxy:9001"}}'
$ starboard find vulnerabilities deploy/my-deployment

Resolves: #84
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
Some people might run their (dev) clusters behind the proxy. It is possible to set the HTTP_PROXY environment variable when using Trivy directly. This commit makes it possible to use Starboard CLI and pass HTTP proxy config to Trivy by setting the trivy.httpProxy configuration parameter before you run the starboard find vulnerabilities command.

$ starboard init
$ kubectl patch configmap starboard -n starboard \
    --type merge \
    -p '{"data": {"trivy.httpProxy":"http://your-proxy:9001"}}'
$ starboard find vulnerabilities deploy/my-deployment

Resolves: #84
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
certificate signed by unknown authority
ISSUE
TECHNICAL DETAILS
EXPECTATIONS
To be able to execute starboard find vulns deployment/some_deployment without this issue
DEBUGGING - TRIED
--insecure-skip-tls-verify the issue remained
certificate-authority-data sections from the kubeconfig file. The issue remained
--insecure-skip-tls-verify parameter. Same issue
OTHER
I'm posting this issue in this repo as the challenge seems to be related to specifically trivy-db. As that is being called via starboard. I created the same issue on the trivy-db repo as well. But was asked to create it here as well. See the issue here.
Looking forward to any tips and pointers. Let me know if more info is needed.
Thank you very much.