From ae9d52bb3d96442ae7aa18f6e5197ec6b1748d43 Mon Sep 17 00:00:00 2001 From: chenk Date: Thu, 2 May 2024 14:49:39 +0300 Subject: [PATCH] feat: support `--skip-images` scanning flag (#6334) Signed-off-by: chenk --- .../references/configuration/cli/trivy_kubernetes.md | 1 + pkg/flag/kubernetes_flags.go | 10 ++++++++++ pkg/k8s/scanner/scanner.go | 2 +- 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index 4c3aaf5bb144..bcb1729fc91b 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md @@ -96,6 +96,7 @@ trivy kubernetes [flags] [CONTEXT] --skip-db-update skip updating vulnerability database --skip-dirs strings specify the directories or glob patterns to skip --skip-files strings specify the files or glob patterns to skip + --skip-images skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources --skip-java-db-update skip updating Java index database --skip-policy-update skip fetching rego policy updates -t, --template string output template diff --git a/pkg/flag/kubernetes_flags.go b/pkg/flag/kubernetes_flags.go index 996317e0be4f..b88d14cb8b9e 100644 --- a/pkg/flag/kubernetes_flags.go +++ b/pkg/flag/kubernetes_flags.go @@ -47,6 +47,11 @@ var ( ConfigName: "kubernetes.exclude.owned", Usage: "exclude resources that have an owner reference", } + SkipImages = Flag[bool]{ + Name: "skip-images", + ConfigName: "kubernetes.skipImages", + Usage: "skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources", + } ExcludeNodes = Flag[[]string]{ Name: "exclude-nodes", ConfigName: "kubernetes.exclude.nodes", @@ -95,6 +100,7 @@ type K8sFlagGroup struct { NodeCollectorImageRef *Flag[string] NodeCollectorNamespace *Flag[string] ExcludeOwned *Flag[bool] + SkipImages *Flag[bool] ExcludeNodes *Flag[[]string] ExcludeKinds *Flag[[]string] IncludeKinds *Flag[[]string] @@ -118,6 +124,7 @@ type K8sOptions struct { ExcludeNamespaces []string IncludeNamespaces []string QPS float32 + SkipImages bool Burst int } @@ -136,6 +143,7 @@ func NewK8sFlagGroup() *K8sFlagGroup { IncludeNamespaces: IncludeNamespaces.Clone(), NodeCollectorImageRef: NodeCollectorImageRef.Clone(), QPS: QPS.Clone(), + SkipImages: SkipImages.Clone(), Burst: Burst.Clone(), } } @@ -159,6 +167,7 @@ func (f *K8sFlagGroup) Flags() []Flagger { f.ExcludeNamespaces, f.IncludeNamespaces, f.QPS, + f.SkipImages, f.Burst, } } @@ -199,6 +208,7 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) { ExcludeNodes: exludeNodeLabels, NodeCollectorImageRef: f.NodeCollectorImageRef.Value(), QPS: float32(f.QPS.Value()), + SkipImages: f.SkipImages.Value(), ExcludeKinds: f.ExcludeKinds.Value(), IncludeKinds: f.IncludeKinds.Value(), ExcludeNamespaces: f.ExcludeNamespaces.Value(), diff --git a/pkg/k8s/scanner/scanner.go b/pkg/k8s/scanner/scanner.go index 68698ea1d3d2..b0c055e0b886 100644 --- a/pkg/k8s/scanner/scanner.go +++ b/pkg/k8s/scanner/scanner.go @@ -89,7 +89,7 @@ func (s *Scanner) Scan(ctx context.Context, artifactsData []*artifacts.Artifact) onItem := func(ctx context.Context, artifact *artifacts.Artifact) (scanResult, error) { scanResults := scanResult{} - if s.opts.Scanners.AnyEnabled(types.VulnerabilityScanner, types.SecretScanner) { + if s.opts.Scanners.AnyEnabled(types.VulnerabilityScanner, types.SecretScanner) && !s.opts.SkipImages { opts := s.opts opts.Credentials = make([]ftypes.Credential, len(s.opts.Credentials)) copy(opts.Credentials, s.opts.Credentials)