Configure custom Certification Authorities for trivy

In some cases it might be usefull to provide custom certificate auhtority (CA) bundles to trivy. This is often the case if you are in an enterprise environment where a webproxy is used. Because trivy must connect to the internet to get the CVE data, it must pass the proxy. Trivy reads certificates from a bind-mount, thus it is possible to place certificates in this folder and trivy will validate against them, if new connections are created.

Preparation

  • You have a ca-bundle, or single public certificates of your CA, which is used by the webproxy.

Implementation

  1. Change into your harbor configuration folder
  2. Take a look at the docker-compose.yml and the configuration of trivy-adapter. It looks something like this:
  trivy-adapter:
    container_name: trivy-adapter
    image: goharbor/trivy-adapter-photon:dev
    restart: always
    cap_drop:
      - ALL
    dns_search: .
    depends_on:
      - log
      - redis
    networks:
      - harbor
    volumes:
      - type: bind
        source: /data/trivy-adapter/trivy
        target: /home/scanner/.cache/trivy
      - type: bind
        source: /data/trivy-adapter/reports
        target: /home/scanner/.cache/reports
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
  1. note the binding which mounts to /harbor_cust_cert and add your ca-bundle or the single public-certificates into the mount-location, by copying them.
  2. (opt) if the host-path doesn’t fit for your case, you can also configure another path in the docker-compose file. be aware, that you might have to manually change this, if there are changes on new releases of trivy/harbor.
  3. restart your containers (at least trivy-adapter) by using docker restart trivy-adapter or docker compose restart. If you changed the bind path, it is necessary to start the services by using docker compose up -d

Upgrades

Depending on if you changed the path or not an update might overwrite the folder or mount from a different location. The following process makes sure, you don’t run into anything unexpected

  1. backup your certificates to a folder, which is unrelated to harbor-configuration
  2. upgrade harbor as always
  3. check if the /harbor_cust_cert mount is the same as the folder where your certificates reside (normally ./common/config/shared/trust-certificates)
  4. check if the folder still holds your certificates, otherwise copy your backuped certificates to the location
  5. check if trivy is able to get CVE data