In some cases it might be useful to provide custom certificate authority (CA) bundles to Trivy. This is often the case in an enterprise environment where a web proxy is used. Because Trivy must connect to the internet to get the CVE data, it must pass through the proxy. Trivy reads certificates from a bind mount, so it is possible to place certificates in this folder and Trivy will validate new connections against them.

Preparation

  • You have a CA bundle, or the individual public certificates of your CA, that is used by the web proxy.

Implementation

  1. Change into your Harbor configuration folder.
  2. Take a look at docker-compose.yml and the configuration of trivy-adapter. It looks something like this:

       trivy-adapter:
         container_name: trivy-adapter
         image: goharbor/trivy-adapter-photon:dev
         restart: always
         cap_drop:
           - ALL
         dns_search: .
         depends_on:
           - log
           - redis
         networks:
           - harbor
         volumes:
           - type: bind
             source: /data/trivy-adapter/trivy
             target: /home/scanner/.cache/trivy
           - type: bind
             source: /data/trivy-adapter/reports
             target: /home/scanner/.cache/reports
           - type: bind
             source: ./common/config/shared/trust-certificates
             target: /harbor_cust_cert

  3. Note the bind mount whose target is /harbor_cust_cert and copy your CA bundle or the individual public certificates into its host source folder.
  4. (optional) If the host path doesn't fit your case, you can configure another path in the docker-compose file. Be aware that you might have to reapply this change manually when a new release of Trivy/Harbor changes the file.
  5. Restart your containers (at least trivy-adapter) with docker restart trivy-adapter or docker-compose restart. If you changed the bind path, you must recreate the services with docker-compose up -d.

Upgrades

Depending on whether you changed the path or not, an upgrade might overwrite the folder or mount it from a different location. The following process makes sure you don't run into anything unexpected:

  1. Back up your certificates to a folder that is unrelated to the Harbor configuration.
  2. Upgrade Harbor as usual.
  3. Check that the /harbor_cust_cert mount still points to the folder where your certificates reside (normally ./common/config/shared/trust-certificates).
  4. Check that the folder still holds your certificates; otherwise copy your backed-up certificates to that location.
  5. Check that Trivy is able to fetch CVE data.
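The mount check in the implementation steps and in upgrade steps 3 and 4 can be scripted. The following is an added example, not part of the Harbor documentation or the Harbor project: it parses docker-compose.yml for the bind mount whose target is /harbor_cust_cert, compares the host source to the folder you expect, and counts the PEM certificates found there. It assumes the "- type: bind / source: / target:" layout shown above; the sample Harbor folder, the file name corp-proxy-ca.crt and the certificate body are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Harbor's own tooling): verify that the trust-certificates
# bind mount still points where your CA certificates live and that the folder
# actually contains PEM certificates. Run it from the Harbor configuration folder.

# Print the host "source:" path of the bind mount in compose file $1 whose
# "target:" is $2. Assumes the "- type: bind" list layout used by Harbor.
compose_bind_source() {
    awk -v want="$2" '
        /^[[:space:]]*-[[:space:]]*type:[[:space:]]*bind/ { src = "" }
        /^[[:space:]]*source:/                            { src = $2 }
        /^[[:space:]]*target:/ && $2 == want               { print src; exit }
    ' "$1"
}

# Count PEM certificate blocks across all files in directory $1 (0 if absent).
count_pem_certs() {
    [ -d "$1" ] || { echo 0; return 0; }
    cat "$1"/* 2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Return 0 when compose file $1 binds $2 to /harbor_cust_cert and $2 holds at
# least one certificate; 1 on a mount mismatch, 2 when no certificate is found.
check_cert_mount() {
    compose="$1"; certdir="$2"
    src=$(compose_bind_source "$compose" /harbor_cust_cert)
    if [ "$src" != "$certdir" ]; then
        echo "mount mismatch: /harbor_cust_cert is bound to '$src', expected '$certdir'" >&2
        return 1
    fi
    n=$(count_pem_certs "$certdir")
    if [ "$n" -eq 0 ]; then
        echo "no PEM certificates found in $certdir" >&2
        return 2
    fi
    echo "ok: $n certificate(s) in $certdir mounted at /harbor_cust_cert"
}

# Build a constructed Harbor-like folder for demonstration and print its path.
# The compose excerpt mirrors the trivy-adapter volumes shown in the docs; the
# certificate file is a placeholder, not a real certificate.
make_sample_layout() {
    dir=$(mktemp -d)
    mkdir -p "$dir/common/config/shared/trust-certificates"
    cat > "$dir/docker-compose.yml" <<'EOF'
services:
  trivy-adapter:
    volumes:
      - type: bind
        source: /data/trivy-adapter/trivy
        target: /home/scanner/.cache/trivy
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
EOF
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n' \
        > "$dir/common/config/shared/trust-certificates/corp-proxy-ca.crt"
    echo "$dir"
}

# Stand-alone demo: check the sample, then simulate an upgrade that emptied
# the folder and show the check reporting it.
demo() {
    root=$(make_sample_layout)
    cd "$root" || return 1
    check_cert_mount docker-compose.yml ./common/config/shared/trust-certificates
    rm -f ./common/config/shared/trust-certificates/*
    check_cert_mount docker-compose.yml ./common/config/shared/trust-certificates \
        || echo "check failed as expected (rc=$?)"
}

[ "${1:-}" = "--demo" ] && demo
```

Against a real installation, run `check_cert_mount docker-compose.yml ./common/config/shared/trust-certificates` from the Harbor configuration folder (substitute your own path if you changed the bind source). A non-zero return after an upgrade tells you whether the compose file now mounts a different folder (rc=1) or the folder was wiped and needs your backed-up certificates copied back (rc=2).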