diff --git a/scanners/trivy-sbom/examples/image-juice-shop/scan.yaml b/scanners/trivy-sbom/examples/image-juice-shop/scan.yaml
index 662be10a7d..63ca2c6f3f 100644
--- a/scanners/trivy-sbom/examples/image-juice-shop/scan.yaml
+++ b/scanners/trivy-sbom/examples/image-juice-shop/scan.yaml
@@ -9,4 +9,4 @@ metadata:
 spec:
   scanType: "trivy-sbom-image"
   parameters:
-    - "bkimminich/juice-shop:v15.0.0"
+    - "bkimminich/juice-shop:v17.3.0"
diff --git a/scanners/trivy/examples/image-juice-shop/scan.yaml b/scanners/trivy/examples/image-juice-shop/scan.yaml
index 8b2967617a..6163dbbb22 100644
--- a/scanners/trivy/examples/image-juice-shop/scan.yaml
+++ b/scanners/trivy/examples/image-juice-shop/scan.yaml
@@ -11,4 +11,4 @@ metadata:
 spec:
   scanType: "trivy-image"
   parameters:
-    - "bkimminich/juice-shop:v10.2.0"
+    - "bkimminich/juice-shop:v17.3.0"
diff --git a/scanners/trivy/templates/trivy-database-cache.yaml b/scanners/trivy/templates/trivy-database-cache.yaml
index 5e8e2bbaed..cd701f8b5c 100644
--- a/scanners/trivy/templates/trivy-database-cache.yaml
+++ b/scanners/trivy/templates/trivy-database-cache.yaml
@@ -37,14 +37,37 @@ spec:
       labels:
         app: trivy-database
     spec:
+      automountServiceAccountToken: false
+      {{- with .Values.trivyDatabaseCache.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      volumes:
+        - name: cache-dir
+          emptyDir:
+            sizeLimit: {{ .Values.trivyDatabaseCache.cacheStorageLimit }}
+        - name: tmp-dir
+          emptyDir:
+            sizeLimit: {{ .Values.trivyDatabaseCache.cacheStorageLimit }}
       containers:
         - name: trivy-database
           image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
+          volumeMounts:
+            - name: cache-dir
+              mountPath: /.cache
+            - name: tmp-dir
+              mountPath: /tmp
           imagePullPolicy: IfNotPresent
+          {{- with .Values.trivyDatabaseCache.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+          resources:
+            {{- toYaml .Values.trivyDatabaseCache.resources | nindent 10 }}
           args:
             - "server"
             - "--listen"
diff --git a/scanners/trivy/tests/__snapshot__/scanner_test.yaml.snap b/scanners/trivy/tests/__snapshot__/scanner_test.yaml.snap
index 79eb4605cd..c1b5c93c07 100644
--- a/scanners/trivy/tests/__snapshot__/scanner_test.yaml.snap
+++ b/scanners/trivy/tests/__snapshot__/scanner_test.yaml.snap
@@ -31,6 +31,7 @@ matches the snapshot:
           labels:
             app: trivy-database
         spec:
+          automountServiceAccountToken: false
           containers:
           - args:
             - server
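Review bot: The `/.cache` mount on the trivy-database container only lines up with where the server writes its database if the process resolves its cache directory under a HOME of `/`, which presumably holds for uid 10001 only while the image has no passwd entry for that user; combined with the `readOnlyRootFilesystem` default this commit introduces, a different HOME would turn the first database download into a write against the read-only root. Pinning the location explicitly on the container, e.g. `env:` / `- name: TRIVY_CACHE_DIR` / `  value: /.cache` (or a `--cache-dir /.cache` entry in `args`), keeps the mount path and the cache path in agreement regardless of how HOME is derived. Separately, `resources:` is rendered without a `with` guard, so a user setting `trivyDatabaseCache.resources` to `null` gets `resources: null` rather than the key being omitted. The `args` list and the rest of the container spec continue outside the hunk.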
@@ -61,8 +62,31 @@ matches the snapshot:
               initialDelaySeconds: 5
               periodSeconds: 10
               successThreshold: 1
+            resources: {}
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsNonRoot: true
+            volumeMounts:
+            - mountPath: /.cache
+              name: cache-dir
+            - mountPath: /tmp
+              name: tmp-dir
           imagePullSecrets:
           - name: foo
+          securityContext:
+            runAsUser: 10001
+          volumes:
+          - emptyDir:
+              sizeLimit: 1Gi
+            name: cache-dir
+          - emptyDir:
+              sizeLimit: 1Gi
+            name: tmp-dir
   3: |
     apiVersion: execution.securecodebox.io/v1
     kind: ParseDefinition
@@ -419,6 +443,7 @@ works properly in k8sScanScope=cluster:
           labels:
             app: trivy-database
         spec:
+          automountServiceAccountToken: false
           containers:
           - args:
             - server
@@ -449,6 +474,29 @@ works properly in k8sScanScope=cluster:
               initialDelaySeconds: 5
               periodSeconds: 10
               successThreshold: 1
+            resources: {}
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsNonRoot: true
+            volumeMounts:
+            - mountPath: /.cache
+              name: cache-dir
+            - mountPath: /tmp
+              name: tmp-dir
+          securityContext:
+            runAsUser: 10001
+          volumes:
+          - emptyDir:
+              sizeLimit: 1Gi
+            name: cache-dir
+          - emptyDir:
+              sizeLimit: 1Gi
+            name: tmp-dir
   3: |
     apiVersion: execution.securecodebox.io/v1
     kind: ParseDefinition
diff --git a/scanners/trivy/values.yaml b/scanners/trivy/values.yaml
index 806e62fc41..172c6eb321 100644
--- a/scanners/trivy/values.yaml
+++ b/scanners/trivy/values.yaml
@@ -117,6 +117,24 @@ trivyDatabaseCache:
   enabled: true
   # -- amount of replicas to configure for the Deployment
   replicas: 1
+  # -- Optional resource limits/requests for the trivy database cache container
+  resources: {}
+  # -- Optional securityContext set on database cache pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+  podSecurityContext:
+    runAsUser: 10001
+
+  # -- storage limit for the trivy db cache emptyDir volumes. (applied to two volumes)
+  cacheStorageLimit: 1Gi
+
+  # -- Optional securityContext set on database cache container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+  securityContext:
+    runAsNonRoot: true
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    privileged: false
+    capabilities:
+      drop:
+        - ALL
 
 cascadingRules:
   # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner
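Review bot: The new `securityContext` defaults under `trivyDatabaseCache` stop one field short of the Pod Security Standards `restricted` profile: no `seccompProfile` is set, so a namespace that enforces `restricted` would still reject the database-cache pod even though `allowPrivilegeEscalation`, `privileged`, `runAsNonRoot` and `capabilities.drop` are all in place. Adding `seccompProfile:` / `  type: RuntimeDefault` to either `podSecurityContext` or `securityContext` closes that gap without affecting the rest of the defaults. Because the template emits both blocks only inside `with`, overriding either map with `{}` removes the hardening entirely rather than merging with these defaults; a line on each comment such as `# Overriding this map replaces (does not merge with) the defaults below` would make that explicit for chart users. The `trivyDatabaseCache` and `cascadingRules` sections continue outside the hunk.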