Requirements

None. Trivy uses the Google Cloud SDK client libraries directly, so you do not need to install the gcloud command.

Privileges

The service account behind the credential file needs the roles/storage.objectViewer role. This read-only role is enough to pull image layers, so there is no need to grant anything broader just to scan. More information can be found in Google's documentation.

JSON File Format

The JSON file is a service account key in the format Google issues when you create a key for a service account (placeholder values shown):

```json
{
  "type": "service_account",
  "project_id": "your_special_project",
  "private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
  "private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
  "client_email": "somedude@your_special_project.iam.gserviceaccount.com",
  "client_id": "1234567890",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com"
}
```

Usage

To scan images in the target project's registry, point GOOGLE_APPLICATION_CREDENTIALS at the key file:

```bash
# TRIVY_USERNAME must be unset (or empty) so that Trivy uses the Google credential
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
```

Testing

You can test the credentials as follows (assuming the key file is in /tmp on the host machine):

```bash
docker run -it --rm -v /tmp:/tmp \
  -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json \
  aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag
```
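As an added example (not part of the Trivy documentation or the Trivy project), the following POSIX shell script ties the Usage and Testing steps together: it checks the service account key file before exporting it (required fields present, `type` is `service_account`, file mode is owner-only) and then runs Trivy with `TRIVY_USERNAME` and `TRIVY_PASSWORD` cleared so that Trivy falls back to the Google credential. The function names, the constructed sample key with placeholder values, and the 0600 file-mode requirement are this example's own choices, not Trivy requirements.

```shell
#!/bin/sh
# Added example (not Trivy project code): validate a GCP service account key
# file before pointing GOOGLE_APPLICATION_CREDENTIALS at it, then run Trivy
# with the registry username/password variables cleared.

# Fields every Google service account key carries; "type" must equal
# "service_account" or the Google client library will not load the file.
SA_REQUIRED_KEYS="type project_id private_key_id private_key client_email token_uri"

file_mode() {
  # Octal mode as printed by GNU/BusyBox stat or, failing that, BSD/macOS stat.
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_sa_key() {
  f="$1"
  [ -f "$f" ] || { echo "check_sa_key: $f: no such file" >&2; return 1; }

  # The key grants read access to every image in the project, so it must be
  # readable by the invoking user only (0600 or stricter).
  case "$(file_mode "$f")" in
    *00) ;;
    *) echo "check_sa_key: $f is group/world readable, chmod 600 it" >&2; return 1 ;;
  esac

  for k in $SA_REQUIRED_KEYS; do
    grep -q "\"$k\"[[:space:]]*:" "$f" || {
      echo "check_sa_key: $f: missing \"$k\"" >&2; return 1; }
  done
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$f" || {
    echo "check_sa_key: $f: \"type\" is not \"service_account\"" >&2; return 1; }
  return 0
}

scan_gcr_image() {
  # Usage: scan_gcr_image /path/to/key.json gcr.io/project/image:tag
  check_sa_key "$1" || return 1
  # Unset in a subshell so the caller's environment is untouched. A non-empty
  # TRIVY_USERNAME would make Trivy attempt basic auth against gcr.io instead.
  ( unset TRIVY_USERNAME TRIVY_PASSWORD
    GOOGLE_APPLICATION_CREDENTIALS="$1" exec trivy image "$2" )
}

# Constructed sample key with placeholder values (not a real credential),
# written with an owner-only umask so it passes the mode check.
write_sample_key() {
  ( umask 077
    cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "your_special_project",
  "private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
  "private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
  "client_email": "somedude@your_special_project.iam.gserviceaccount.com",
  "token_uri": "https://oauth2.googleapis.com/token"
}
EOF
  )
}

# Stand-alone demonstration: the owner-only key passes, a world-readable copy
# of the same key is rejected before any credential leaves the machine.
demo_dir=$(mktemp -d)
write_sample_key "$demo_dir/good.json"
cp "$demo_dir/good.json" "$demo_dir/leaky.json" && chmod 644 "$demo_dir/leaky.json"
check_sa_key "$demo_dir/good.json"  && echo "good.json: ok"
check_sa_key "$demo_dir/leaky.json" || echo "leaky.json: rejected (expected)"
# To actually scan: scan_gcr_image "$demo_dir/good.json" gcr.io/your_special_project/your_special_image:your_special_tag
```

Run it once with a real key to confirm the file passes the checks, then call `scan_gcr_image` with the image reference; the subshell guarantees that a `TRIVY_USERNAME` exported elsewhere in your CI environment cannot silently switch Trivy to basic auth.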