Skip to content

Commit

Permalink
feat: support --skip-images scanning flag (aquasecurity#6334)
Browse files Browse the repository at this point in the history
Signed-off-by: chenk <[email protected]>
  • Loading branch information
chen-keinan authored and fl0pp5 committed May 6, 2024
1 parent 30546d5 commit ae9d52b
Show file tree
Hide file tree
Showing 3 changed files with 12 additions and 1 deletion.
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_kubernetes.md
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,7 @@ trivy kubernetes [flags] [CONTEXT]
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-images skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
-t, --template string output template
Expand Down
10 changes: 10 additions & 0 deletions pkg/flag/kubernetes_flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,11 @@ var (
ConfigName: "kubernetes.exclude.owned",
Usage: "exclude resources that have an owner reference",
}
SkipImages = Flag[bool]{
Name: "skip-images",
ConfigName: "kubernetes.skipImages",
Usage: "skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources",
}
ExcludeNodes = Flag[[]string]{
Name: "exclude-nodes",
ConfigName: "kubernetes.exclude.nodes",
Expand Down Expand Up @@ -95,6 +100,7 @@ type K8sFlagGroup struct {
NodeCollectorImageRef *Flag[string]
NodeCollectorNamespace *Flag[string]
ExcludeOwned *Flag[bool]
SkipImages *Flag[bool]
ExcludeNodes *Flag[[]string]
ExcludeKinds *Flag[[]string]
IncludeKinds *Flag[[]string]
Expand All @@ -118,6 +124,7 @@ type K8sOptions struct {
ExcludeNamespaces []string
IncludeNamespaces []string
QPS float32
SkipImages bool
Burst int
}

Expand All @@ -136,6 +143,7 @@ func NewK8sFlagGroup() *K8sFlagGroup {
IncludeNamespaces: IncludeNamespaces.Clone(),
NodeCollectorImageRef: NodeCollectorImageRef.Clone(),
QPS: QPS.Clone(),
SkipImages: SkipImages.Clone(),
Burst: Burst.Clone(),
}
}
Expand All @@ -159,6 +167,7 @@ func (f *K8sFlagGroup) Flags() []Flagger {
f.ExcludeNamespaces,
f.IncludeNamespaces,
f.QPS,
f.SkipImages,
f.Burst,
}
}
Expand Down Expand Up @@ -199,6 +208,7 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) {
ExcludeNodes: exludeNodeLabels,
NodeCollectorImageRef: f.NodeCollectorImageRef.Value(),
QPS: float32(f.QPS.Value()),
SkipImages: f.SkipImages.Value(),
ExcludeKinds: f.ExcludeKinds.Value(),
IncludeKinds: f.IncludeKinds.Value(),
ExcludeNamespaces: f.ExcludeNamespaces.Value(),
Expand Down
2 changes: 1 addition & 1 deletion pkg/k8s/scanner/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ func (s *Scanner) Scan(ctx context.Context, artifactsData []*artifacts.Artifact)

onItem := func(ctx context.Context, artifact *artifacts.Artifact) (scanResult, error) {
scanResults := scanResult{}
if s.opts.Scanners.AnyEnabled(types.VulnerabilityScanner, types.SecretScanner) {
if s.opts.Scanners.AnyEnabled(types.VulnerabilityScanner, types.SecretScanner) && !s.opts.SkipImages {
opts := s.opts
opts.Credentials = make([]ftypes.Credential, len(s.opts.Credentials))
copy(opts.Credentials, s.opts.Credentials)
Expand Down

0 comments on commit ae9d52b

Please sign in to comment.