Harbor security scanning

- Enable the feature with the --with-trivy parameter.
- Scan error: downloading the vulnerability database offline fails with
  DB Error: failed to download vulnerability DB
  Fix: https://developpaper.com/haobor2-2-1-configuration-trivy-scanner-image-signature/
  You need to install the complete trivy and then replace the DB directory contents by hand.
harbor.yml

```yaml
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false
```
Set skip_update to true.

In docker-compose.yml, find the mount for /home/scanner/.cache/trivy/db; on the host it corresponds to /data/trivy-adapter/trivy.
```
# ll
total 0
drwx------ 2 10000 10000 22 Jun 28 11:29 fanal
# pwd
/data/trivy-adapter/trivy
```
Download the vulnerability database, trivy-offline.db.tgz, and unpack it into the db subdirectory:

```sh
mkdir -p /data/trivy-adapter/trivy/db
cp trivy-offline.db.tgz /data/trivy-adapter/trivy/db
cd /data/trivy-adapter/trivy/db
tar xvf trivy-offline.db.tgz
# Very important: the extracted files come out as mode 600, which the scanner cannot read.
# 666 makes them world-writable; since the scanner runs as uid 10000 (the owner of the
# fanal directory above), chown 10000:10000 * && chmod 644 * is the tighter alternative.
chmod 666 *
rm -rf trivy-offline.db.tgz
```
Restart

```sh
./install.sh --with-chartmuseum --with-trivy
```

Log path

```sh
tail -f /var/log/harbor/trivy-adapter.log
```
Verify

Harbor upgrade

Reference: https://goharbor.io/docs/2.4.0/administration/upgrade/
Harbor 2.4 uses Trivy v0.24.0, so the old vulnerability database from https://github.com/aquasecurity/trivy-db/releases can no longer be used; scanning with it fails with:

The local DB has an old schema version which is not supported by the current version of Trivy CLI

See https://aquasecurity.github.io/trivy/v0.24.0/advanced/air-gap/ to obtain the current db.tar.gz.
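The two manual steps above, staging the offline archive into the adapter's cache directory and then discovering after the upgrade that its schema is too old, can be combined into one check that runs before Harbor is restarted. The script below is an added example, not code from the original post or from Harbor/Trivy. It assumes (not stated on the page) that the archive holds only trivy.db and metadata.json at its top level, that the scanner runs as uid/gid 10000 (matching the owner of the fanal directory in the ll output), and that the expected schema number is read from the metadata.json shipped with the db.tar.gz for your Trivy version rather than hard-coded; the sample archive it builds is constructed so the example runs offline and is not a real Trivy database.

```shell
#!/bin/sh
# Added example, not from the original post or from Harbor/Trivy: stage an offline
# Trivy DB archive into the trivy-adapter cache directory and sanity-check it before
# restarting Harbor. Assumptions (not stated on the page): the archive holds only
# trivy.db and metadata.json at its top level, and the scanner runs as uid/gid 10000
# (the owner of the fanal directory in the ll output).

# stage_trivy_db ARCHIVE DEST_DIR EXPECTED_SCHEMA
#   Extracts ARCHIVE into DEST_DIR after checking that it contains exactly the two
#   DB files (no stray or traversing paths), fixes ownership/permissions, and
#   compares the "Version" field of metadata.json with EXPECTED_SCHEMA.
#   Returns 0 on success, 1 for a bad archive, 2 for a schema mismatch.
stage_trivy_db() {
  archive=$1; dest=$2; expected=$3

  # Inspect before extracting: the adapter only needs these two files, and any
  # other member (e.g. ../something) means the archive is not what we think.
  members=$(tar tzf "$archive" | sed 's#^\./##' | grep -v '^$')
  for m in $members; do
    case "$m" in
      trivy.db|metadata.json) ;;
      *) echo "unexpected member in archive: $m" >&2; return 1 ;;
    esac
  done
  echo "$members" | grep -qx 'trivy.db'      || { echo "trivy.db missing" >&2; return 1; }
  echo "$members" | grep -qx 'metadata.json' || { echo "metadata.json missing" >&2; return 1; }

  mkdir -p "$dest"
  tar xzf "$archive" -C "$dest"

  # Tighter than the chmod 666 in the post: readable by the scanner, not world-writable.
  chmod 644 "$dest/trivy.db" "$dest/metadata.json"
  if [ "$(id -u)" = 0 ]; then
    chown 10000:10000 "$dest/trivy.db" "$dest/metadata.json"   # scanner uid/gid, assumed
  fi

  # Schema check: this is what the "old schema version" error after the Harbor 2.4
  # upgrade is about. Take EXPECTED_SCHEMA from the metadata.json of the db.tar.gz
  # published for your Trivy version rather than hard-coding it.
  schema=$(sed -n 's/.*"Version":[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$dest/metadata.json")
  if [ "$schema" != "$expected" ]; then
    echo "DB schema version '$schema' does not match expected '$expected'" >&2
    return 2
  fi
  return 0
}

# make_sample_archive OUT_TGZ SCHEMA_VERSION
#   Builds a constructed stand-in for trivy-offline.db.tgz / db.tar.gz so the example
#   runs offline. The trivy.db content is a placeholder, not a real bbolt database.
make_sample_archive() {
  out=$1; version=$2
  work=$(mktemp -d)
  printf 'placeholder-not-a-real-db' > "$work/trivy.db"
  printf '{"Version":%s,"NextUpdate":"2022-01-02T00:00:00Z","UpdatedAt":"2022-01-01T00:00:00Z"}\n' \
    "$version" > "$work/metadata.json"
  tar czf "$out" -C "$work" trivy.db metadata.json
  rm -rf "$work"
}

# Demo: stage a constructed archive and report the outcome.
demo=$(mktemp -d)
make_sample_archive "$demo/trivy-offline.db.tgz" 2
if stage_trivy_db "$demo/trivy-offline.db.tgz" "$demo/db" 2; then
  echo "staged into $demo/db: $(ls "$demo/db" | tr '\n' ' ')"
fi
rm -rf "$demo"
```

For a real deployment, point DEST_DIR at /data/trivy-adapter/trivy/db, run as root so the chown takes effect, and only then run ./install.sh; a non-zero return from stage_trivy_db means the restart would land you back at the DB error in trivy-adapter.log.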