diff --git a/README.md b/README.md index f30598cc0..d3605641b 100644 --- a/README.md +++ b/README.md @@ -295,6 +295,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | | `trivy.insecure` | The flag to skip verifying registry certificate | `false` | | `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | +| `trivy.skipJavaDBUpdate` | If the flag is enabled you have to manually download the `trivy-java.db` file [Trivy Java DB][trivy-java-db] and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path | `false` | | `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` | | `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` | | `trivy.timeout` | The duration to wait for scan completion | `5m0s` | @@ -404,4 +405,5 @@ The following table lists the configurable parameters of the Harbor chart and th [resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ [trivy]: https://github.com/aquasecurity/trivy [trivy-db]: https://github.com/aquasecurity/trivy-db +[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db [trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting diff --git a/templates/trivy/trivy-sts.yaml b/templates/trivy/trivy-sts.yaml index aba23c9e8..7ee4e1068 100644 --- a/templates/trivy/trivy-sts.yaml +++ b/templates/trivy/trivy-sts.yaml 
@@ -93,6 +93,8 @@ spec: value: {{ .Values.trivy.ignoreUnfixed | default false | quote }} - name: "SCANNER_TRIVY_SKIP_UPDATE" value: {{ .Values.trivy.skipUpdate | default false | quote }} + - name: "SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE" + value: {{ .Values.trivy.skipJavaDBUpdate | default false | quote }} - name: "SCANNER_TRIVY_OFFLINE_SCAN" value: {{ .Values.trivy.offlineScan | default false | quote }} - name: "SCANNER_TRIVY_SECURITY_CHECKS" diff --git a/values.yaml b/values.yaml index c120f8c56..d237eb7ae 100644 --- a/values.yaml +++ b/values.yaml @@ -684,6 +684,10 @@ trivy: # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the # `/home/scanner/.cache/trivy/db/trivy.db` path. skipUpdate: false + # skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the + # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path + # + skipJavaDBUpdate: false # The offlineScan option prevents Trivy from sending API requests to identify dependencies. # # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
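Review bot: In the README.md parameter table, the new `trivy.skipJavaDBUpdate` row never says what the flag does; it only describes what the operator must do once it is enabled. The neighbouring `trivy.skipUpdate` row reads "The flag to disable [Trivy DB][trivy-db] downloads from GitHub". Suggest leading with the behaviour in the same way, for example "The flag to disable [Trivy Java DB][trivy-java-db] downloads. If enabled, you have to manually download the `trivy-java.db` file and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path". That also fixes the link, which currently sits after "file" with no connecting word. A manually supplied database only changes when the operator replaces it, so it is worth stating that scan results depend on how current the mounted file is.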
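Review bot: In templates/trivy/trivy-sts.yaml, the hunk adds only the `SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE` environment variable, while the documentation in this same patch tells the user to mount `trivy-java.db` at `/home/scanner/.cache/trivy/java-db/trivy-java.db`. Nothing in the visible lines shows how that mount is meant to be provided, so please point the README row or the values.yaml comment at the mechanism the chart expects the user to use. The `default false | quote` form is consistent with the adjacent `SCANNER_TRIVY_SKIP_UPDATE` and `SCANNER_TRIVY_OFFLINE_SCAN` entries.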
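Review bot: In values.yaml, the comment above `skipJavaDBUpdate: false` is styled differently from the `skipUpdate` comment directly above it: it opens with the bare key name ("# skipJavaDBUpdate If the flag is enabled ..."), has no closing period after "path", and leaves an empty `#` line between the comment and the key. It also omits what the flag actually disables. Suggest matching the surrounding entries, for example "# The flag to disable Trivy Java DB downloads. If the value is set to `true` you have to manually download the `trivy-java.db` file and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path.", and dropping the empty `#` line so the comment sits directly on the key.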