github.com/devseccon/trivy@v0.47.1-0.20231123133102-bd902a0bd996/helm/trivy/README.md

# Trivy Scanner

Trivy vulnerability scanner standalone installation.

## TL;DR

```
$ helm install trivy . --namespace trivy --create-namespace
```

## Introduction

This chart bootstraps a Trivy deployment on a [Kubernetes](http://kubernetes.io) cluster using the
[Helm](https://helm.sh) package manager.

## Prerequisites

- Kubernetes 1.12+
- Helm 3+

## Installing from the Chart Repository

The chart is served from the Aqua Security Helm repository. The alias given to `helm repo add` is the one that must be used in `helm install`:

```
helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/
helm repo update
helm search repo trivy
helm install my-trivy aquasecurity/trivy
```

## Installing the Chart

To install the chart with the release name `my-release`:

```
$ helm install my-release .
```

The command deploys Trivy on the Kubernetes cluster in the default configuration. The [Parameters](#parameters)
section lists the parameters that can be configured during installation.

> **Tip**: List all releases using `helm list`.

## Uninstalling the Chart

To uninstall/delete the `my-release` deployment:

```
$ helm uninstall my-release
```

(`helm delete` is kept as an alias in Helm 3.) The command removes all the Kubernetes components associated with the chart and deletes the release. A PersistentVolumeClaim created for the StatefulSet is not removed by Helm; delete it yourself if you do not want the database volume to persist.

## Parameters

The following table lists the configurable parameters of the Trivy chart and their default values.

| Parameter | Description | Default |
|---------------------------------------|-------------------------------------------------------------------------|----------------|
| `image.registry` | Image registry | `docker.io` |
| `image.repository` | Image name | `aquasec/trivy` |
| `image.tag` | Image tag | `{TAG_NAME}` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.pullSecret` | The name of an imagePullSecret used to pull the Trivy image from e.g. Docker Hub or a private registry | |
| `replicaCount` | Number of Trivy Pods to run | `1` |
| `trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` |
| `trivy.gitHubToken` | The GitHub access token used when downloading the Trivy DB. More info: https://github.com/devseccon/trivy#github-rate-limiting | |
| `trivy.registryUsername` | The username used to log in to Docker Hub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryPassword` | The password used to log in to Docker Hub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryCredentialsExistingSecret` | Name of a Secret containing the Docker Hub credentials. Alternative to the two parameters above; takes precedence if set. | |
| `trivy.serviceAccount.annotations` | Additional annotations to add to the Kubernetes service account resource | |
| `trivy.skipDBUpdate` | Skip the vulnerability DB update on start, i.e. do not download the DB from `trivy.dbRepository` | `false` |
| `trivy.dbRepository` | OCI repository to retrieve the Trivy vulnerability database from | `ghcr.io/aquasecurity/trivy-db` |
| `trivy.cache.redis.enabled` | Enable Redis as caching backend | `false` |
| `trivy.cache.redis.url` | Redis connection URL, e.g. `redis://redis.redis.svc:6379` | `` |
| `trivy.cache.redis.ttl` | Redis TTL, e.g. `3600s` or `24h` | `` |
| `trivy.cache.redis.tls` | Enable Redis TLS with public certificates | `` |
| `trivy.serverToken` | The token Trivy clients must present to the Trivy server. If left empty, the server does not authenticate clients. | `` |
| `trivy.existingSecret` | Name of a Secret created outside the chart. Overrides gitHubToken, registryUsername, registryPassword and serverToken, and keeps those values out of the Helm release history and your shell history. | `` |
| `trivy.podAnnotations` | Annotations for pods created by the StatefulSet | `{}` |
| `trivy.extraEnvVars` | Extra environment variables to set on the container | `{}` |
| `service.name` | If specified, the name used for the Trivy service | |
| `service.type` | Kubernetes service type | `ClusterIP` |
| `service.port` | Kubernetes service port | `4954` |
| `service.sessionAffinity` | Kubernetes service session affinity | `ClientIP` |
| `httpProxy` | The URL of the HTTP proxy server | |
| `httpsProxy` | The URL of the HTTPS proxy server | |
| `noProxy` | The URLs that the proxy settings do not apply to | |
| `nodeSelector` | Node labels for pod assignment | |
| `affinity` | Affinity settings for pod assignment | |
| `tolerations` | Tolerations for pod assignment | |
| `podAnnotations` | Annotations for pods created by the StatefulSet | `{}` |

The above parameters map to the environment variables defined in [trivy](https://github.com/devseccon/trivy#configuration).

Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. A comma inside a value must be escaped as `\,`, otherwise Helm reads it as a separator between keys.

```
$ helm install my-release . \
    --namespace my-namespace \
    --set "service.port=9090" \
    --set "trivy.cache.redis.enabled=true" \
    --set "trivy.cache.redis.url=redis://redis.redis.svc:6379"
```

Values given with `--set` or in a values file are stored in clear text in the Helm release Secret, and `--set` arguments also land in shell history. Put `trivy.gitHubToken`, `trivy.registryPassword` and `trivy.serverToken` in a Secret and reference it with `trivy.existingSecret` instead.

## Storage

This chart uses a PersistentVolumeClaim so that the vulnerability database survives Pod restarts and upgrades instead of being downloaded again. The StorageClass should use the reclaim policy `Retain`.

## Caching

You can use a Redis server as the cache backend. The Redis server must already exist; the [bitnami chart](https://bitnami.com/stack/redis/helm) is one way to deploy it. Set `trivy.cache.redis.enabled=true` and `trivy.cache.redis.url`, and enable `trivy.cache.redis.tls` when the server presents a publicly trusted certificate so that cache traffic is not sent in clear text.
More information about the caching backends can be found [here](https://github.com/devseccon/trivy#specify-cache-backend).
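The following script is an added example and is not part of this chart or of Trivy. It ties together the `--set` parameters and the Redis cache settings above: it generates a server token, writes the credentials into a Secret that the chart picks up through `trivy.existingSecret` (so nothing sensitive passes through `--set`), refuses to install when a values file carries credentials inline, pins the Service name with `service.name`, and then verifies the server with an authenticated client scan. It assumes, because the README does not say so, that the chart reads the Secret keys `TRIVY_TOKEN`, `TRIVY_GITHUB_TOKEN`, `TRIVY_USERNAME` and `TRIVY_PASSWORD` (the Trivy environment variable names; check `templates/secret.yaml` in your copy of the chart), and it uses the `trivy image --server ... --token ...` client flags. The namespace, release, Secret and Service names are placeholders.

```shell
#!/bin/sh
# Added example (not from the chart): install the Trivy chart with credentials
# in a pre-created Secret referenced via trivy.existingSecret, then verify the
# server with an authenticated client scan.
# Assumption (not stated in the README; check templates/secret.yaml): the chart
# consumes the Secret keys TRIVY_TOKEN, TRIVY_GITHUB_TOKEN, TRIVY_USERNAME and
# TRIVY_PASSWORD, i.e. the Trivy environment variable names.
set -eu

NAMESPACE="${NAMESPACE:-trivy}"
RELEASE="${RELEASE:-trivy}"
CHART="${CHART:-.}"                              # path to this chart directory
SECRET_NAME="${SECRET_NAME:-trivy-credentials}"  # placeholder name
SERVICE_NAME="${SERVICE_NAME:-trivy-server}"     # placeholder, set via service.name
VALUES_FILE="${VALUES_FILE:-}"                   # optional values override
REDIS_URL="${REDIS_URL:-}"                       # optional, e.g. redis://redis.redis.svc:6379

# 32 random bytes as 64 hex characters: the token clients must present to the server.
gen_token() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Count credential keys with a non-empty inline value in a values file. These
# belong in the Secret: anything in values or --set is stored in clear text in
# the Helm release Secret, and --set arguments also end up in shell history.
inline_secret_keys() {
    grep -cE '^[[:space:]]*(gitHubToken|registryUsername|registryPassword|serverToken):[[:space:]]*("[^"]|[^[:space:]"])' "$1" || true
}

# Render the Secret manifest from environment variables so that no credential
# is ever part of a command line. $1 = Secret name, $2 = namespace.
secret_manifest() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
stringData:
  TRIVY_TOKEN: "${TRIVY_TOKEN}"
  TRIVY_GITHUB_TOKEN: "${TRIVY_GITHUB_TOKEN:-}"
  TRIVY_USERNAME: "${TRIVY_USERNAME:-}"
  TRIVY_PASSWORD: "${TRIVY_PASSWORD:-}"
EOF
}

install_trivy() {
    if [ -n "$VALUES_FILE" ] && [ "$(inline_secret_keys "$VALUES_FILE")" -ne 0 ]; then
        echo "refusing to install: $VALUES_FILE carries inline credentials; use trivy.existingSecret" >&2
        return 1
    fi
    kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 || kubectl create namespace "$NAMESPACE"
    secret_manifest "$SECRET_NAME" "$NAMESPACE" | kubectl apply -f -

    set -- --namespace "$NAMESPACE" \
        --set "trivy.existingSecret=${SECRET_NAME}" \
        --set "service.name=${SERVICE_NAME}"
    if [ -n "$REDIS_URL" ]; then
        set -- "$@" --set trivy.cache.redis.enabled=true --set "trivy.cache.redis.url=${REDIS_URL}"
    fi
    if [ -n "$VALUES_FILE" ]; then
        set -- "$@" -f "$VALUES_FILE"
    fi
    helm upgrade --install "$RELEASE" "$CHART" "$@"
    echo "server token stored in Secret ${SECRET_NAME} (key TRIVY_TOKEN) in namespace ${NAMESPACE}"
}

# Scan a public image through the server on the chart's default port 4954;
# the server rejects the request when the token is missing or wrong.
verify_trivy() {
    : "${TRIVY_TOKEN:?set TRIVY_TOKEN to the server token}"
    kubectl -n "$NAMESPACE" port-forward "svc/${SERVICE_NAME}" 4954:4954 >/dev/null 2>&1 &
    pf=$!
    sleep 3
    trivy image --server http://127.0.0.1:4954 --token "$TRIVY_TOKEN" alpine:3.19
    kill "$pf"
}

case "${1:-}" in
    install)
        : "${TRIVY_TOKEN:=$(gen_token)}"   # generate a token unless one was provided
        export TRIVY_TOKEN
        install_trivy
        ;;
    verify)
        verify_trivy
        ;;
    *)
        echo "usage: $0 install|verify   (credentials via TRIVY_* environment variables)" >&2
        ;;
esac
```

Run `TRIVY_GITHUB_TOKEN=... ./deploy.sh install` from the chart directory, then `TRIVY_TOKEN=$(kubectl -n trivy get secret trivy-credentials -o jsonpath='{.data.TRIVY_TOKEN}' | base64 -d) ./deploy.sh verify`. The inline-credential check is deliberately a plain grep over the values file rather than a YAML parse: it is meant as a cheap guard in a CI step, and it counts `serverToken: ""` as empty while flagging `serverToken: hunter2` or `serverToken: "hunter2"`.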