Skip to content

Commit

Permalink
feat(cli): add trivy auth (#7664)
Browse files Browse the repository at this point in the history
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
  • Loading branch information
knqyf263 and DmitriyLewen authored Oct 9, 2024
1 parent 1f2e91b commit a9c6c1f
Show file tree
Hide file tree
Showing 22 changed files with 511 additions and 23 deletions.
2 changes: 1 addition & 1 deletion contrib/Trivy.gitlab-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,9 @@ Trivy_container_scanning:
before_script:
- export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
- apk add --no-cache curl docker-cli
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
- curl -sSL -o /tmp/trivy-gitlab.tpl /~https://github.com/aquasecurity/trivy/raw/${TRIVY_VERSION}/contrib/gitlab.tpl
- trivy auth login --username "$CI_REGISTRY_USER" --password "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
script:
- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
cache:
Expand Down
34 changes: 21 additions & 13 deletions docs/docs/advanced/private-registries/index.md
Original file line number Diff line number Diff line change
@@ -1,13 +1,30 @@
Trivy can download images from a private registry without the need for installing Docker or any other 3rd party tools.
This makes it easy to run within a CI process.

## Credential
To use Trivy with private images, simply install it and provide your credentials:
## Login
You can log in to a private registry using the `trivy auth login` command.
It uses the Docker configuration file (`~/.docker/config.json`) to store the credentials under the hood, and the configuration file path can be configured by `DOCKER_CONFIG` environment variable.

```shell
$ cat ~/my_password.txt | trivy auth login --username foo --password-stdin ghcr.io
$ trivy image ghcr.io/your/private_image
```

## Passing Credentials
You can also provide your credentials when scanning.

```shell
$ TRIVY_USERNAME=YOUR_USERNAME TRIVY_PASSWORD=YOUR_PASSWORD trivy image YOUR_PRIVATE_IMAGE
```

!!! warning
When passing credentials via environment variables or CLI flags, Trivy will attempt to use these credentials for all registries encountered during scanning, regardless of the target registry.
This can potentially lead to unintended credential exposure.
To mitigate this risk:

1. Set credentials cautiously and only when necessary.
2. Prefer using `trivy auth config` to pre-configure credentials with specific registries, which ensures credentials are only sent to appropriate registries.

Trivy also supports providing credentials through CLI flags:

```shell
Expand All @@ -17,6 +34,7 @@ $ TRIVY_PASSWORD=YOUR_PASSWORD trivy image --username YOUR_USERNAME YOUR_PRIVATE
!!! warning
The CLI flag `--password` is available, but its use is not recommended for security reasons.


You can also store your credentials in `trivy.yaml`.
For more information, please refer to [the documentation](../../references/configuration/config-file.md).

Expand All @@ -35,15 +53,5 @@ In the example above, Trivy attempts to use two pairs of credentials:

Please note that the number of usernames and passwords must be the same.

## docker login
If you have Docker configured locally and have set up the credentials, Trivy can access them.

```shell
$ docker login ghcr.io
Username:
Password:
$ trivy image ghcr.io/your/private_image
```

!!! note
`docker login` can be used with any container runtime, such as Podman.
`--password-stdin` doesn't support comma-separated passwords.
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ trivy [global flags] command [flags] target

### SEE ALSO

* [trivy auth](trivy_auth.md) - Authentication
* [trivy clean](trivy_clean.md) - Remove cached files
* [trivy config](trivy_config.md) - Scan config files for misconfigurations
* [trivy convert](trivy_convert.md) - Convert Trivy JSON report into a different format
Expand Down
29 changes: 29 additions & 0 deletions docs/docs/references/configuration/cli/trivy_auth.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
## trivy auth

Authentication

### Options

```
-h, --help help for auth
```

### Options inherited from parent commands

```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

### SEE ALSO

* [trivy](trivy.md) - Unified security scanner
* [trivy auth login](trivy_auth_login.md) - Log in to a registry
* [trivy auth logout](trivy_auth_logout.md) - Log out of a registry

41 changes: 41 additions & 0 deletions docs/docs/references/configuration/cli/trivy_auth_login.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
## trivy auth login

Log in to a registry

```
trivy auth login SERVER [flags]
```

### Examples

```
# Log in to reg.example.com
cat ~/my_password.txt | trivy auth login --username foo --password-stdin reg.example.com
```

### Options

```
-h, --help help for login
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--username strings username. Comma-separated usernames allowed.
```

### Options inherited from parent commands

```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

### SEE ALSO

* [trivy auth](trivy_auth.md) - Authentication

38 changes: 38 additions & 0 deletions docs/docs/references/configuration/cli/trivy_auth_logout.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
## trivy auth logout

Log out of a registry

```
trivy auth logout SERVER [flags]
```

### Examples

```
# Log out of reg.example.com
trivy auth logout reg.example.com
```

### Options

```
-h, --help help for logout
```

### Options inherited from parent commands

```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

### SEE ALSO

* [trivy auth](trivy_auth.md) - Authentication

1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_config.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ trivy config [flags] DIR
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_filesystem.md
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@ trivy filesystem [flags] PATH
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_image.md
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,7 @@ trivy image [flags] IMAGE_NAME
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--platform string set platform in the form os/arch if image is multi-platform capable
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_kubernetes.md
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,7 @@ trivy kubernetes [flags] [CONTEXT]
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--qps float specify the maximum QPS to the master from this client (default 5)
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_repository.md
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_rootfs.md
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,7 @@ trivy rootfs [flags] ROOTDIR
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_server.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ trivy server [flags]
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
Expand Down
3 changes: 3 additions & 0 deletions docs/docs/references/configuration/config-file.md
Original file line number Diff line number Diff line change
Expand Up @@ -461,6 +461,9 @@ registry:
# Same as '--password'
password: []

# Same as '--password-stdin'
password-stdin: false

# Same as '--registry-token'
token: ""

Expand Down
2 changes: 1 addition & 1 deletion docs/docs/target/container_image.md
Original file line number Diff line number Diff line change
Expand Up @@ -297,7 +297,7 @@ Trivy supports registries that comply with the following specifications.
- [Docker Registry HTTP API V2](https://docs.docker.com/registry/spec/api/)
- [OCI Distribution Specification](/~https://github.com/opencontainers/distribution-spec)

You can configure credentials with `docker login`.
You can configure credentials with `trivy auth login`.
See [here](../advanced/private-registries/index.md) for the detail.

### Tar Files
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ require (
github.com/cheggaaa/pb/v3 v3.1.5
github.com/containerd/containerd v1.7.22
github.com/csaf-poc/csaf_distribution/v3 v3.0.0
github.com/docker/cli v27.2.1+incompatible
github.com/docker/docker v27.3.1+incompatible
github.com/docker/go-connections v0.5.0
github.com/fatih/color v1.17.0
Expand Down Expand Up @@ -210,7 +211,6 @@ require (
github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/dlclark/regexp2 v1.4.0 // indirect
github.com/docker/cli v27.2.1+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker-credential-helpers v0.8.2 // indirect
github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
Expand Down
39 changes: 33 additions & 6 deletions integration/registry_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,7 @@ type registryOption struct {
Username string
Password string
RegistryToken bool
AuthLogin bool
}

func TestRegistry(t *testing.T) {
Expand Down Expand Up @@ -164,7 +165,6 @@ func TestRegistry(t *testing.T) {
imageFile: "testdata/fixtures/images/alpine-310.tar.gz",
os: "alpine 3.10.2",
option: registryOption{
AuthURL: authURL,
Username: authUsername,
Password: authPassword,
},
Expand All @@ -183,13 +183,24 @@ func TestRegistry(t *testing.T) {
},
golden: "testdata/alpine-310.json.golden",
},
{
name: "authenticate with 'trivy auth login'",
imageName: "alpine:3.10",
imageFile: "testdata/fixtures/images/alpine-310.tar.gz",
os: "alpine 3.10.2",
option: registryOption{
Username: authUsername,
Password: authPassword,
AuthLogin: true,
},
golden: "testdata/alpine-310.json.golden",
},
{
name: "amazonlinux 2",
imageName: "amazonlinux:2",
imageFile: "testdata/fixtures/images/amazon-2.tar.gz",
os: "amazon 2 (Karoo)",
option: registryOption{
AuthURL: authURL,
Username: authUsername,
Password: authPassword,
},
Expand All @@ -201,7 +212,6 @@ func TestRegistry(t *testing.T) {
imageFile: "testdata/fixtures/images/debian-buster.tar.gz",
os: "debian 10.1",
option: registryOption{
AuthURL: authURL,
Username: authUsername,
Password: authPassword,
},
Expand All @@ -226,6 +236,7 @@ func TestRegistry(t *testing.T) {
require.NoError(t, err)

osArgs, err := scan(t, imageRef, baseDir, tt.option)
require.NoError(t, err)

// Run Trivy
runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{
Expand Down Expand Up @@ -262,7 +273,7 @@ func scan(t *testing.T, imageRef name.Reference, baseDir string, opt registryOpt
"json",
"--image-src",
"remote",
"--skip-update",
"--skip-db-update",
imageRef.Name(),
}

Expand All @@ -273,14 +284,30 @@ func setupEnv(t *testing.T, imageRef name.Reference, baseDir string, opt registr
t.Setenv("TRIVY_INSECURE", "true")

if opt.Username != "" && opt.Password != "" {
if opt.RegistryToken {
switch {
case opt.RegistryToken:
// Get a registry token in advance
token, err := requestRegistryToken(imageRef, baseDir, opt)
if err != nil {
return err
}
t.Setenv("TRIVY_REGISTRY_TOKEN", token)
} else {
case opt.AuthLogin:
t.Setenv("DOCKER_CONFIG", t.TempDir())
err := execute([]string{
"auth",
"login",
"--username",
opt.Username,
"--password",
opt.Password,
"--insecure",
imageRef.Context().RegistryStr(),
})
if err != nil {
return err
}
default:
t.Setenv("TRIVY_USERNAME", opt.Username)
t.Setenv("TRIVY_PASSWORD", opt.Password)
}
Expand Down
4 changes: 4 additions & 0 deletions mkdocs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -158,6 +158,10 @@ nav:
- Configuration:
- CLI:
- Overview: docs/references/configuration/cli/trivy.md
- Auth:
- Auth: docs/references/configuration/cli/trivy_auth.md
- Auth Login: docs/references/configuration/cli/trivy_auth_login.md
- Auth Logout: docs/references/configuration/cli/trivy_auth_logout.md
- Clean: docs/references/configuration/cli/trivy_clean.md
- Config: docs/references/configuration/cli/trivy_config.md
- Convert: docs/references/configuration/cli/trivy_convert.md
Expand Down
Loading

0 comments on commit a9c6c1f

Please sign in to comment.