本文最后更新于 2025-02-03,文章内容可能已经过时。

harbor集成trivy

# Harbor's bundled installer. --with-trivy additionally brings up the
# trivy-adapter container (the one entered later with `docker exec -it
# trivy-adapter`) so Harbor can scan images pushed to it.
sudo ./install.sh --with-trivy

oras

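# Install the oras CLI (used below to pull Trivy's DB artifacts from an OCI
# registry) and do a first manual pull of both databases.
#
# Changes vs. the original: curl -f (a 404 page is no longer saved as the
# tarball), the download is checked against the release's checksum list
# before anything is moved onto PATH, and the archive name is quoted instead
# of globbed.
VERSION="1.2.2"
ARCHIVE="oras_${VERSION}_linux_amd64.tar.gz"
BASE_URL="https://github.com/oras-project/oras/releases/download/v${VERSION}"
curl -fLO "${BASE_URL}/${ARCHIVE}"
# Supply-chain check: the checksum list is published next to the binaries
# (goreleaser naming, oras_<ver>_checksums.txt); --ignore-missing skips the
# assets we did not download. Stop here if this fails.
curl -fLO "${BASE_URL}/oras_${VERSION}_checksums.txt"
sha256sum --ignore-missing -c "oras_${VERSION}_checksums.txt"
mkdir -p oras-install/
tar -zxf "${ARCHIVE}" -C oras-install/
sudo mv oras-install/oras /usr/local/bin/
rm -rf "${ARCHIVE}" "oras_${VERSION}_checksums.txt" oras-install/
oras version
# Trivy main DB (schema v2) and Java DB (schema v1), straight from upstream.
oras pull ghcr.io/aquasecurity/trivy-db:2
oras pull ghcr.io/aquasecurity/trivy-java-db:1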
国内代理下载地址(南京大学 ghcr 镜像)。注意:镜像站是第三方,扫描器的漏洞判断完全取决于它返回的数据库内容;能访问 ghcr.io 时优先使用官方源,或按上游 digest 拉取(oras pull <ref>@sha256:…)以确认内容一致。
# Same two artifacts via the NJU mirror, for hosts that cannot reach ghcr.io.
# NOTE(review): whatever this mirror serves is what the scanner will treat as
# the truth about vulnerabilities. Prefer ghcr.io where reachable, or pin the
# pull to the upstream digest (oras pull <ref>@sha256:...) so a stale or
# tampered copy is rejected.
oras pull ghcr.nju.edu.cn/aquasecurity/trivy-db:2
oras pull ghcr.nju.edu.cn/aquasecurity/trivy-java-db:1

vim download_and_extract.sh

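#!/usr/bin/env bash
# Refresh Trivy's offline databases (main DB + Java DB) under
# /home/application/trivy-db so scans can run with --skip-db-update.
#
# Pulls both OCI artifacts with oras from the NJU ghcr mirror, extracts them
# into a private staging directory, and only then replaces the live db/ and
# java-db/ directories. The original script emptied those directories
# *before* downloading, so a failed pull (mirror down, network outage) left
# the host with no database at all until the next nightly run.
#
# Requires: /usr/local/bin/oras, tar. Intended to be run from cron.
set -euo pipefail

readonly cache_root="/home/application/trivy-db"
readonly registry="ghcr.nju.edu.cn/aquasecurity"

# NOTE(review): the mirror is a trust boundary — whoever controls it decides
# what this scanner reports. Use ghcr.io where reachable, or pin each pull to
# an upstream digest (oras pull <ref>@sha256:...).

work="$(mktemp -d)" || exit 1
cleanup() { rm -rf -- "${work:?}"; }
trap cleanup EXIT

mkdir -p "${cache_root}"/{db,java-db}

# Download into the staging dir; with set -e a failure aborts here, before
# anything under ${cache_root} has been touched.
cd "${work}"
/usr/local/bin/oras pull "${registry}/trivy-java-db:1"
/usr/local/bin/oras pull "${registry}/trivy-db:2"

# File names as published in the artifacts: trivy-java-db -> javadb.tar.gz,
# trivy-db -> db.tar.gz (the same names the previous version extracted).
mkdir -p "${work}/java-db" "${work}/db"
tar -xf "${work}/javadb.tar.gz" -C "${work}/java-db"
tar -xf "${work}/db.tar.gz" -C "${work}/db"

# Swap the fresh copies in only after both extractions succeeded.
rm -rf -- "${cache_root:?}/db"/* "${cache_root:?}/java-db"/*
mv "${work}/db"/* "${cache_root}/db/"
mv "${work}/java-db"/* "${cache_root}/java-db/"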
# NOTE(review): this path (/home/application/trivy-db/download_and_extract.sh)
# does not match the cron entry further down, which runs
# /home/application/download_and_extract.sh. Save the script in one place and
# reference that same path in both steps, or cron will silently run nothing.
chmod +x /home/application/trivy-db/download_and_extract.sh

#文件下载情况

[root@harbor-server application]# yum install -y tree
[root@harbor-server application]# tree .
.
└── trivy-db
    ├── db
    │   ├── metadata.json
    │   └── trivy.db
    ├── fanal
    │   └── fanal.db
    └── java-db
        ├── metadata.json
        └── trivy-java.db

4 directories, 5 files
[root@harbor-server application]#

添加定时任务,每天凌晨 3 点执行 /home/application/download_and_extract.sh 脚本,实现自动下载和解压离线库文件的操作。注意脚本路径必须与上文实际保存并 chmod +x 的路径一致,否则定时任务会静默失败。

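# Refresh the offline Trivy DBs nightly at 03:00. Output is appended to a log
# so a failing pull shows up somewhere visible instead of in unread cron mail.
# The script path must be the one the file was actually saved under (the
# chmod step above used /home/application/trivy-db/; this entry uses
# /home/application/ — make them agree).
0 3 * * * /bin/bash /home/application/download_and_extract.sh >> /var/log/trivy-db-refresh.log 2>&1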
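# Install the Trivy CLI used for manual scans against the offline cache.
# Changes vs. the original: the version is a variable rather than repeated
# four times, the tarball is verified against the release checksum list
# before installation, and extraction happens in a scratch directory so the
# LICENSE/README/contrib files in the archive do not litter the cwd.
TRIVY_VERSION="0.49.1"
TRIVY_ARCHIVE="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
TRIVY_BASE_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
wget "${TRIVY_BASE_URL}/${TRIVY_ARCHIVE}"
# Supply-chain check (trivy_<ver>_checksums.txt is published with each
# release); stop if it does not match.
wget "${TRIVY_BASE_URL}/trivy_${TRIVY_VERSION}_checksums.txt"
sha256sum --ignore-missing -c "trivy_${TRIVY_VERSION}_checksums.txt"
trivy_tmp="$(mktemp -d)"
tar -zxf "${TRIVY_ARCHIVE}" -C "${trivy_tmp}"
# install(1) sets the mode in the same step as the copy.
install -m 0755 "${trivy_tmp}/trivy" /usr/local/bin/trivy
rm -rf "${trivy_tmp}" "${TRIVY_ARCHIVE}" "trivy_${TRIVY_VERSION}_checksums.txt"
command -v trivy
trivy --version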

#执行容器镜像扫描

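# Manual scan of an image against the pre-populated offline cache.
# --skip-db-update only covers the main DB; the Java DB has its own flag, and
# without --skip-java-db-update Trivy may still try to download trivy-java-db
# the first time it meets a JAR, which fails on an isolated host even though
# java-db/ was populated by the script above. --severity CRITICAL hides HIGH
# findings — widen it unless that is deliberate.
trivy --cache-dir /home/application/trivy-db image mysql:5.7.44 --skip-db-update --skip-java-db-update --severity CRITICAL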

harbor 集成trivy

# Shell into Harbor's scanner container, e.g. to check which DB directory it
# actually reads and as which user (relevant to the permission fix at the end
# of this page).
docker exec -it trivy-adapter /bin/bash

harbor

docker-compose.yml

harbor.yml

docker

# Docker daemon config on clients of this Harbor instance.
# NOTE(review): "insecure-registries" disables TLS verification (and permits
# plain HTTP) for that host, so pushes and pulls — including the images the
# scanner is supposed to vet — can be intercepted or served by an impostor.
# For a Harbor with a private CA, install the CA instead at
# /etc/docker/certs.d/<host:port>/ca.crt and leave the registry out of
# "insecure-registries". "registry-mirrors" only affects pulls of Docker Hub
# images; presumably it expects a matching proxy-cache project in Harbor.
vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://your-harbor-address"],
"insecure-registries": ["your-harbor-address:port"]
}
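# Log in to Harbor and push a test image so the scanner has something to scan.
# The original mixed a placeholder ("your-harbor-address:port") with a concrete
# host (reg.harbor.com); use one variable for all three commands and make it
# the same host the daemon.json entries refer to. When scripting this, feed
# the password via --password-stdin rather than on the command line, where it
# lands in shell history and `ps` output.
HARBOR="reg.harbor.com"
docker login "${HARBOR}"
docker tag mysql:5.7.44 "${HARBOR}/library/mysql:5.7.44"
docker push "${HARBOR}/library/mysql:5.7.44"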

在harbor中遇到trivy扫描无权限读取扫描DB

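# Give the scanner's own user access to its DB cache instead of opening it to
# everyone. chmod -R 777 lets any local account replace trivy.db and thereby
# decide what Harbor reports as vulnerable. Read the uid/gid the container
# runs as (docker exec uses the container's configured user); if the image
# has no `id`, take the values from `docker inspect` instead.
scanner_uid="$(docker exec trivy-adapter id -u)"
scanner_gid="$(docker exec trivy-adapter id -g)"
: "${scanner_uid:?could not determine trivy-adapter uid}"
: "${scanner_gid:?could not determine trivy-adapter gid}"
chown -R "${scanner_uid}:${scanner_gid}" /data/trivy-adapter/trivy/
# Owner read/write (X keeps directories traversable), nothing for others.
chmod -R u+rwX,go-rwx /data/trivy-adapter/trivy/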