-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deploy artifact to public.ecr.aws #262
base: main
Are you sure you want to change the base?
Conversation
AFAIK rate limit issues have only been experienced with the vuln-db and the java-db. Trivy already embeds misconfiguration checks into the binary today so there's always a fallback in the case checks bundle wasn't retrievable. |
@simar7 Thank you for the quick review! While the embedded misconfiguration checks do provide a fallback, I think we should still consider publishing to AWS registries. In certain network scenarios, users may only have connectivity to private AWS registries. Publishing to public AWS allows users to set up a pull-through cache for easy access, as outlined here: AWS Pull-Through Cache. Additionally, if users don’t frequently upgrade the Trivy binary —such as in environments with limited capacity to maintain up-to-date binaries— they may miss critical checks. Relying solely on the embedded checks could leave gaps if they aren’t retrieving the latest updates. They would be forced to use by default |
Hi, I met similar ghcr rate limits on trivy-checks as trivy-db and trivy-java-db. However while this bundle is not available on ECR Gallery, I have tried to publish it to a trivy-checks repository in my ECR Public registry using
same behavior with oras pull/push :
Did you succeed in publishing trivy-checks to ECR Gallery ? |
Hi @jlamande, |
Hi @simar7, just wanted to check if you could reconsider this PR when you have a moment. I believe publishing to AWS registries could still provide significant benefits for users in certain network scenarios, as mentioned earlier. Appreciate your time and input on this. Thank you! |
This would be very useful! Especially since it's pretty easy to hit the GHCR pull limits and it would be consistent with other trivy artifacts (trivy-db and trivy-java-db). Looking forward to it being merged! |
Hey @simar7! Could you please review this PR at your convenience? Merging it would greatly benefit us and others by enabling seamless integration of Trivy into the development workflow, which would be highly valuable. Thanks for considering it! |
Hi @simar7 , unfortunately trivy-checks is also getting rate-limited when using the trivy-operator. This PR would help the community immensely, not to mention sparing everyone from having to set up a pullthrough cache that, you may have guessed, is also getting rate-limited. |
can confirm were getting hit by the rate limit on policy download for trivy-operator via a helm install on aws eks |
Hi, Suddenly, my GH actions workflows are failing due to rate limit:
This PR would really be useful for the community. |
|
I've experienced rate limiting on both
and on
If it's possible to update the https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#updating-caches-in-the-default-branch section to include how to retrieve the |
@simar7 as others also noted, unfortunately trivy-checks is also rate limited so publishing it also to ecr would be much appreciated
|
I'm not seeing this behavior. The error message you've posted also describes the fact that it's falling back to using embedded checks. Are you running the latest version of trivy-action? |
Yes, version |
I am not using trivy-action or github at all in this context, I am using the trivy image from dockerhub (aquasec/trivy:0.57.0) to do the scans (in our onprem gitLAB ci pipeline) overwriting the following env vars in the image/container:
Last one is not working because trivy-checks is not populated on ecr, but using the ghcr still gives TOOMANYREQUESTS error, the other 2 works fine. The fallback to the built in checks is good to have, but the "error" in our logs gives noise and "alert fatige" |
We seem to have found a workaround using |
There is already an unused repository in the public AWS registry: aquasecurity/trivy-checks.
This PR follows the same approach as aquasecurity/trivy-java-db and aquasecurity/trivy-db, enabling publishing to both the GitHub registry and AWS.
Notes for reviewers:
Are the ECR_ACCESS_KEY_ID and ECR_SECRET_ACCESS_KEY secrets already available for this repo as organization secrets? If not, they will need to be added.