-
Notifications
You must be signed in to change notification settings - Fork 113
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEATURE] Check if Trivy database download could be done authenticated #1689
Comments
Ref: #1689 Log into GitHub Container Registry for unit test so that Trivy database download can be done in an authenticated context. Signed-off-by: Matthias Diester <matthias.diester@de.ibm.com>
Ref: #1689 Log into GitHub Container Registry for unit test so that Trivy database download can be done in an authenticated context. Signed-off-by: Matthias Diester <matthias.diester@de.ibm.com>
Some notes:
|
@HeavyWombat can you provide more details of where else a fix is needed = can you reference where you have seen the failures? In #1691, you only mention that it "potentially mitigates (parts of)" this issue and the scope is therefore unclear. BTW: related Trivy feature: aquasecurity/trivy#3915 |
From today's sync meeting:
And:
|
Ref: shipwright-io#1689 Log into GitHub Container Registry for unit test so that Trivy database download can be done in an authenticated context. Signed-off-by: Matthias Diester <matthias.diester@de.ibm.com>
The retry is working fine so far. In addition, Trivy has already enabled itself to have multiple database locations referenced since v0.56.0. They're also having the database synchronized to ECR. They still have not yet changed the default to contain both locations. So, for now, one can set TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2. Though, I tend to not do that for the v0.14.0 release. |
Is there an existing feature request for this?
Is your feature request related to a problem or use-case? Please describe.
Trivy is used as part of the Test Suite and upon it's first start, it needs to download a database, which is hosted in a container registry. This can lead to a 429 response by the container registry with
TOOMANYREQUESTS
.Describe the solution that you would like.
Check if we can authentication against the GitHub Container Registry so that the requests are not anonymously.
Describe alternatives you have considered.
Alternative would be to use an alternative location for the registry, where rate limiting isn't an issue. Need to check, whether quay.io would be an option. The location can be defined using
TRIVY_DB_REPOSITORY
environment variable.Anything else?
No response
The text was updated successfully, but these errors were encountered: