Trivy k8s - private registry support for vulnerabilities scan

[Anc0r]

Description

Hi everyone!

We are using Trivy in several GitLab CI/CD pipelines.

Currently we are testing the possibility to perform a kuberetes scan. I noticed that, in contrast to scanning images, none of our images from the private registry could be scanned. While looking through the documentation of 'trivy k8s' I noticed that unlike 'trivy image' the parameters '--username' and '--password' are not present. (and therefore also not the environment variables)

So it seems that you can't give 'trivy k8s' the credentials for private registrations? Is that right? Could you, like with 'trivy image', add these parameters?

What I have tested

• 'trivy k8s' with TRIVY_PASSWORD & TRIVY_USERNAME
• 'trivy k8s' with configured trivy.yaml

Target

Kubernetes

Scanner

Vulnerability

[AnaisUrlichs]

Hi there, the usage/use cases for both trivy image and trivy k8s are different. Trivy image needs acess to remote private registries where images are stored. Similarly trivy repo for remote repository scans needs access to also private registries.
In comparison, trivy k8s uses the kubeconfig for the running Kubernetes cluster that you would like to scan to authenticate and access the cluster. You can either scan the cluster locally by having connected to it as the default kubeconfig or you can set the kubeconfig and then scan the cluster or you can pass in the kubeconfig to trivy when performing the scan:

trivy k8s --kubeconfig ~/.kube/config2 -n kube-system --report=summary all

https://aquasecurity.github.io/trivy/v0.41/docs/target/kubernetes/#commands

If you want to scan container images inside your cluster for vulnerabilities specifically, I would recommend scanning them with the trivy image command or using the Trivy operator installed inside your cluster for more continuous K8s scanning.

The trivy k8s command is mainly useful to go through cluster security issues incl. vulnerabilities (I am thinking here of different workflows but maybe other people perceive it differently).

[Anc0r]

Unfortunately, the Trivy Operator is not so suitable for our use case.

[knqyf263]

@chen-keinan Can you please take a look?

[AnaisUrlichs]

hmm, so I tried to replicate something similar for my own understanding
I pushed a container image to ghcr (private) and installed it in my cluster through a K8s deployment:

spec:
      containers:
      - name: cns-website
        image: ghcr.io/cloud-native-security/secret-repo:0.0.9
        ports:
 .....
       imagePullSecrets:
      - name: dockerconfigjson-github-com

with a pullsecret:

kind: Secret
type: kubernetes.io/dockerconfigjson
apiVersion: v1
metadata:
  name: dockerconfigjson-github-com
  namespace: demo
  labels:
    run: cns-website
data:
  .dockerconfigjson: <info for the ghcr credentials>

And trivy can scan that container image (I deleted it locally before I performed the cluster scan) so if trivy is not using the local credentials from docker but only the in-cluster info, then the scan of private images should work @chen-keinan

[knqyf263]

@AnaisUrlichs You logged in ghcr.io with docker login, right? It works as mentioned above, but @Anc0r wants to pass credential via CLI.

After some trial and error I found out that I can enable access to the private registry by modifying the ' ~/.docker/config.json'.

[AnaisUrlichs]

true, never mind

[chen-keinan]

I have created issue #4517 for it