
Updating the Trivy database in an air-gapped environment

Another technical deep dive in the field of infrastructure virtualization in the SPIRIT/21 blog. vSphere with Tanzu is a VMware solution that enables Kubernetes workloads to be run on existing IT infrastructure. By integrating Kubernetes with vSphere, organizations can manage advanced applications and bridge the gap between IT and developers. Here, we look at a specific feature of the solution.

What is an air-gapped system?

An air-gapped system is a security measure in which a computer or network system is physically and logically isolated from other systems in order to prevent the transmission of data. This also implies that the system is disconnected from the Internet.

What is Trivy?

Trivy is an open-source security scanner used to protect containers and applications. It scans container images for security vulnerabilities using a vulnerability database that it caches locally; after the first download, only the changes are fetched, which makes subsequent scans faster. This database holds the vulnerability information against which container images are analyzed.

Trivy in an air-gapped environment

Since VMware introduced Supervisor Services, the Trivy vulnerability scanner has been included in the Harbor Supervisor Service installation. To use Trivy, the Trivy DB must be downloaded or updated at least once, since it is not included in the standard package.

The Trivy database can be updated by copying its files from a live Trivy instance (one with Internet access) to the air-gapped Trivy instance.

Install Trivy on an Ubuntu VM with Internet access:

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

Update the Trivy DB (downloads the database only, without scanning anything):

trivy server --download-db-only

Copy the files “trivy.db” and “metadata.json” to the Trivy container:

Find Trivy Pod

kubectl -n svc-harbor-domain-c10 get pods
NAME                                READY   STATUS    RESTARTS      AGE
harbor-core-79485fdb96-v9hnf        1/1     Running   1 (11h ago)   11h
harbor-database-0                   1/1     Running                 11h
harbor-exporter-7f6d468c67-4hzql    1/1                             11h
harbor-jobservice-5bd8445875-sbq26  1/1     Running   3 (11h ago)   11h
harbor-portal-8667958c6c-csbq5      1/1     Running                 11h
harbor-redis-0                      1/1     Running                 11h
harbor-registry-648cf9d757-vlwkz    2/2                             11h
harbor-trivy-0                      1/1                             11h

Open terminal in the Trivy container

kubectl -n svc-harbor-domain-c10 exec harbor-trivy-0 -it -- /bin/sh

Create the directory into which the db and json files will be copied (-p also creates any missing parent directories):

sh-5.0$ mkdir -p /home/scanner/.cache/trivy/db
sh-5.0$ exit
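The transfer step above can be wrapped in a small script that checks the exported files before they are pushed and only overwrites the pod's copy when the staged database is newer. This is an added example, not code from the original post or from Harbor/Trivy; the namespace and pod name are taken from the listing above, and SRC assumes Trivy's default cache location on the connected Ubuntu host.

```shell
#!/bin/sh
# Added example (not from the original post): stage the DB files exported by
# "trivy server --download-db-only", sanity-check metadata.json, and push them
# into the Harbor Trivy pod only if they are newer than what is already there.
# Assumed values: namespace and pod name from the post's "get pods" output;
# SRC is the default Trivy cache directory on the connected host.
NS="${NS:-svc-harbor-domain-c10}"
POD="${POD:-harbor-trivy-0}"
SRC="${SRC:-$HOME/.cache/trivy/db}"
DEST="/home/scanner/.cache/trivy/db"

# Extract a string field from a compact metadata.json without needing jq.
meta_field() {  # $1 = file, $2 = key
  sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p" "$1"
}

# Return 0 when a directory holds a usable trivy-db export: a non-empty
# trivy.db plus a metadata.json with schema Version 2 and an UpdatedAt stamp.
check_db_dir() {  # $1 = directory
  [ -s "$1/trivy.db" ] && [ -f "$1/metadata.json" ] || return 1
  ver=$(sed -n 's/.*"Version":\([0-9]*\).*/\1/p' "$1/metadata.json")
  [ "$ver" = "2" ] || return 1
  [ -n "$(meta_field "$1/metadata.json" UpdatedAt)" ]
}

# ISO-8601 UTC stamps sort correctly as strings: 0 if $1 is strictly newer.
is_newer() { expr "$1" \> "$2" > /dev/null; }

push_db() {
  check_db_dir "$SRC" || { echo "no valid DB export in $SRC" >&2; return 1; }
  staged=$(meta_field "$SRC/metadata.json" UpdatedAt)
  # Read the pod's current stamp; empty if no DB has been loaded yet.
  current=$(kubectl -n "$NS" exec "$POD" -- cat "$DEST/metadata.json" 2>/dev/null \
            | sed -n 's/.*"UpdatedAt":"\([^"]*\)".*/\1/p')
  if [ -n "$current" ] && ! is_newer "$staged" "$current"; then
    echo "pod already has DB from $current, skipping"; return 0
  fi
  kubectl -n "$NS" exec "$POD" -- mkdir -p "$DEST"
  # kubectl cp needs tar inside the container; files are written as the
  # container user, so the scanner process can read them afterwards.
  kubectl cp "$SRC/trivy.db" "$NS/$POD:$DEST/trivy.db"
  kubectl cp "$SRC/metadata.json" "$NS/$POD:$DEST/metadata.json"
  echo "loaded DB from $staged into $POD"
}

# Only touch the cluster when explicitly asked: ./push-trivy-db.sh run
if [ "${1:-}" = "run" ]; then push_db; fi
```

The timestamp comparison relies on metadata.json carrying UTC stamps in ISO-8601 form, which is how trivy-db writes them.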

Screenshot from a live system

Conclusion

Even in air-gapped environments, the Trivy database can be kept up to date with this small workaround. If you have any further challenges in your infrastructure, suggestions or questions, don’t hesitate to contact us.

Muhamed Ahmovic

Technical Presales

Muhamed is responsible for the design, planning and implementation of IT solutions with a focus on VMware, storage and Microsoft. If you have any questions about encryption technologies, you’ve come to the right place.