
Update the Trivy Database Version - Air-Gapped Environment

All Trivy versions include databases that are updated regularly.

In non-air-gapped environments, DKP Insights automatically updates the Trivy database before each scheduled run (every two hours, by default) to support the latest security updates.

In air-gapped environments, DKP Insights uses the Trivy database bundled with the DKP release, but you can manually update this database as required.

This section shows you how to update the Trivy databases manually in your air-gapped environments.

Prerequisites

Verify the Trivy Version

Obtain the currently used Trivy version. It is the image tag of the trivy init container in the dkp-insights-trivy cronjob; the tag is taken after the last colon so that a registry address containing a port (for example registry.local:5000/...) does not break the extraction:

CODE
kubectl get cronjob -n <workspace_namespace> dkp-insights-trivy -o jsonpath='{.spec.jobTemplate.spec.template.spec.initContainers[?(@.name=="trivy")].image}' | sed 's/.*://'

The output displays the Trivy version, followed by the database timestamp:

CODE
0.42.1-20230816T060333Z

In the above example output, the Trivy version is 0.42.1, and the database timestamp is 20230816T060333Z.

Create a Bundle with the new Trivy Database

Create an air-gapped Trivy bundle from the trivy-bundles public repository.

On an internet-connected machine:

  1. Clone the DKP Insights - Trivy Bundles repository to your local machine:

    CODE
    git clone https://github.com/mesosphere/trivy-bundles.git
  2. Specify the Trivy version used by your DKP Insights installation (the version you obtained in Verify the Trivy Version):

    CODE
    export TRIVY_VERSION=<trivy-version>
  3. Build the air-gapped bundle:

    CODE
    make create-airgapped-image-bundle

    The output looks similar to this:

    CODE
    Executing target: install-mindthegap
    Executing target: latest_image_tag
    [+] Building 7.3s (10/10) FINISHED                                                          docker:default
     => [internal] load build definition from Dockerfile                                                 0.0s
     => => transferring dockerfile: 534B                                                                 0.0s
     => [internal] load .dockerignore                                                                    0.0s
     => => transferring context: 2B                                                                      0.0s
     => [internal] load metadata for docker.io/aquasec/trivy:0.42.1                                      0.3s
     => [1/7] FROM docker.io/aquasec/trivy:0.42.1@sha256:49a0b08589b7577f3e21a7d479284c69dc4d27cbb86bd07ad36773f075581313  0.0s
     => CACHED [2/7] RUN mkdir /trivy_cache                                                              0.0s
     => CACHED [3/7] RUN chown 65532:65532 /trivy_cache                                                  0.0s
     => [4/7] RUN echo 20230908T185308Z                                                                  0.3s
     => [5/7] RUN trivy image --download-db-only --cache-dir /trivy_cache                                4.5s
     => [6/7] RUN ls -Rl /trivy_cache                                                                    0.3s
     => exporting to image                                                                               1.8s
     => => exporting layers                                                                              1.8s
     => => writing image sha256:62f71725212e5b680a3cef771bcb312e931e05445c50632fa4495e216793c9cf         0.0s
     => => naming to docker.io/mesosphere/trivy-bundles:0.42.1-20230908T185308Z                          0.0s
    Executing target: create-airgapped-image-bundle
     ✓ Checking if output file already exists
     ✓ Parsing image bundle config
     ✓ Creating temporary directory
     ✓ Starting temporary Docker registry
     ✓ Pulling requested images [====================================>1/1] (time elapsed 23s)
     ✓ Archiving images to trivy-bundles-0.42.1-20230908T185308Z.tar.gz

    In this example, the bundle is called trivy-bundles-0.42.1-20230908T185308Z.tar.gz.

  4. Transfer the created bundle to the air-gapped bastion host or node that you used to install DKP.

Upload the Bundle to your Air-Gapped Environment

The air-gapped bundle can now be uploaded to the private registry.

  1. Go to the air-gapped bastion host or node that you used to install DKP.

  2. Export the environment variables for your registry:
    (info) Refer to the Local Registry for details.

    CODE
    export REGISTRY_ADDRESS=<registry-address>:<registry-port>
    export REGISTRY_USERNAME=<username>
    export REGISTRY_PASSWORD=<password>
  3. Run the following command to load the air-gapped Trivy bundle into your private registry:
    (info) Replace <trivy-bundle-name.tar.gz> with the name of the bundle you created in the previous section.

    CODE
    dkp push bundle --bundle <trivy-bundle-name.tar.gz> --to-registry $REGISTRY_ADDRESS --to-registry-username $REGISTRY_USERNAME --to-registry-password $REGISTRY_PASSWORD
  4. Update DKP Insights in the air-gapped environment to use the refreshed database. Edit the service configuration in each workspace and provide the path to the Docker image:
    (info) To modify an existing installation, select Workspace, Applications, DKP-Insights, and then Edit.
    (info) Replace <docker-image-path> with the path to the Docker image; it looks similar to docker.io/mesosphere/trivy-bundles:0.42.1-20230908T185308Z.

    CODE
    trivy:
      enabled: true
      image:
        imageFull: <docker-image-path>

Verify the Database

After Insights has completed deploying, check the currently used Trivy database as shown in Verify the Trivy Version to ensure the configuration has been deployed correctly.
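The procedure above builds a bundle for one Trivy version and then points Insights at the resulting image, and this final step compares the deployed tag with what you expected. The POSIX shell helpers below are an added example and are not part of the DKP Insights documentation or of the trivy-bundles project. Before you edit the service configuration, they check that the bundle's tag carries the same Trivy version as the running dkp-insights-trivy cronjob and a strictly newer database timestamp, and they compose the imageFull value. The tag layout <trivy-version>-<db-timestamp> and the archive name trivy-bundles-<tag>.tar.gz are taken from the example output above; that `dkp push bundle` keeps the mesosphere/trivy-bundles repository path under your registry address is an assumption, so confirm the pushed path in your registry before using the composed value.

```shell
#!/bin/sh
# Added example (not part of the DKP Insights documentation or of trivy-bundles).
# Image tags built by trivy-bundles look like <trivy-version>-<db-timestamp>,
# e.g. 0.42.1-20230908T185308Z, and archives are named trivy-bundles-<tag>.tar.gz
# (both taken from the documented example output).

# Trivy version: the part of the tag before the first "-".
tag_version() {
  printf '%s\n' "${1%%-*}"
}

# Database timestamp: the part of the tag after the first "-".
tag_timestamp() {
  printf '%s\n' "${1#*-}"
}

# Derive the image tag from an archive name such as
# /tmp/out/trivy-bundles-0.42.1-20230908T185308Z.tar.gz.
bundle_tag() {
  _name=${1##*/}                 # drop any directory prefix
  _name=${_name#trivy-bundles-}  # drop the fixed archive prefix
  printf '%s\n' "${_name%.tar.gz}"
}

# 0 when the tag has the expected <x.y.z>-<YYYYMMDDTHHMMSSZ> shape, 1 otherwise.
tag_is_valid() {
  case $1 in
    [0-9]*.[0-9]*.[0-9]*-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9]Z) return 0 ;;
    *) return 1 ;;
  esac
}

# 20230908T185308Z -> 20230908185308, so timestamps compare as plain integers.
ts_to_number() {
  _ts=${1%Z}
  printf '%s\n' "${_ts%%T*}${_ts#*T}"
}

# 0 when the new tag ($1) may replace the deployed tag ($2): same Trivy version
# and a strictly newer database. 1 on version mismatch or an older/equal
# database, 2 when either tag is malformed.
bundle_supersedes() {
  _new=$1 _cur=$2
  tag_is_valid "$_new" && tag_is_valid "$_cur" || return 2
  [ "$(tag_version "$_new")" = "$(tag_version "$_cur")" ] || return 1
  [ "$(ts_to_number "$(tag_timestamp "$_new")")" -gt "$(ts_to_number "$(tag_timestamp "$_cur")")" ]
}

# imageFull value for the Insights service configuration. Assumption (not
# confirmed by the documentation): `dkp push bundle` keeps the repository path,
# so the image lands at <registry-address>/mesosphere/trivy-bundles:<tag>.
image_full() {
  printf '%s/mesosphere/trivy-bundles:%s\n' "$1" "$2"
}

# Usage: sh check-trivy-bundle.sh <bundle.tar.gz> <workspace_namespace> [registry-address:port]
# Compares the bundle against the live cronjob; does nothing when run without arguments.
if [ $# -ge 2 ]; then
  new_tag=$(bundle_tag "$1")
  cur_tag=$(kubectl get cronjob -n "$2" dkp-insights-trivy \
    -o jsonpath='{.spec.jobTemplate.spec.template.spec.initContainers[?(@.name=="trivy")].image}' \
    | sed 's/.*://')
  if bundle_supersedes "$new_tag" "$cur_tag"; then
    echo "OK: $new_tag supersedes deployed $cur_tag"
    if [ -n "$3" ]; then
      echo "imageFull: $(image_full "$3" "$new_tag")"
    fi
  else
    echo "REFUSED: $new_tag does not supersede $cur_tag (Trivy version mismatch, older database, or malformed tag)" >&2
    exit 1
  fi
fi
```

Run it on the bastion host with the archive name, the workspace namespace and your registry address; a non-zero exit means the bundle would either downgrade the database or change the Trivy version that Insights expects, which is exactly the case to catch before the cronjob's next two-hourly run in an environment that cannot fall back to an online update.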
