Configure custom Certification Authorities for trivy
In some cases it might be useful to provide custom certificate authority (CA) bundles to trivy. This is often the case in an enterprise environment where a web proxy is used: because trivy must connect to the internet to fetch the CVE data, its connections must pass through the proxy, and the proxy's TLS certificates are usually signed by an internal CA. Trivy reads certificates from a bind mount, so it is possible to place certificates in this folder and trivy will validate against them when new connections are created.
- You have a CA bundle, or the single public certificates of your CA, which is used by the web proxy.
- Change into your harbor configuration folder
- Take a look at the docker-compose.yml and the configuration of trivy-adapter. It looks something like this:

```yaml
trivy-adapter:
  container_name: trivy-adapter
  image: goharbor/trivy-adapter-photon:dev
  restart: always
  cap_drop:
    - ALL
  dns_search: .
  depends_on:
    - log
    - redis
  networks:
    - harbor
  volumes:
    - type: bind
      source: /data/trivy-adapter/trivy
      target: /home/scanner/.cache/trivy
    - type: bind
      source: /data/trivy-adapter/reports
      target: /home/scanner/.cache/reports
    - type: bind
      source: ./common/config/shared/trust-certificates
      target: /harbor_cust_cert
```
- Note the binding which mounts to `/harbor_cust_cert` and add your CA bundle or the single public certificates to the mount location (the `source` folder) by copying them there.
- (optional) If the host path doesn't fit your case, you can also configure another path in the docker-compose file. Be aware that you might have to change this manually again if a new release of trivy/harbor changes the file.
- Restart your containers (at least trivy-adapter) using `docker restart trivy-adapter` or `docker-compose restart`. If you changed the bind path, it is necessary to recreate the services using `docker-compose up -d`, because a plain restart does not pick up changed volume definitions.
Depending on whether you changed the path or not, an update might overwrite the folder or mount from a different location. The following process makes sure you don't run into anything unexpected:
- Back up your certificates to a folder which is unrelated to the harbor configuration.
- Upgrade harbor as usual.
- Check that the `/harbor_cust_cert` mount is the same as the folder where your certificates reside (normally
- Check that the folder still holds your certificates; otherwise copy your backed-up certificates to that location.
- Check that trivy is able to fetch CVE data.