Self-Hosting Trivy's Databases¶
This document explains how to host Trivy's external dependencies in your own infrastructure to prevent external network access. If you haven't already, please familiarize yourself with the Databases document that explains about the different databases used by Trivy and the different configuration options that control them. This guide assumes you are already familiar with the concepts explained there.
OCI databases¶
The following Trivy Databases are packaged as OCI images:
trivy-dbtrivy-java-dbtrivy-checks
To host these databases in your own infrastructure:
Make a local copy¶
Use any container registry manipulation tool (e.g , crane, ORAS, regclient) to copy the images to your destination registry.
Note
You will need to keep the databases updated in order to maintain relevant scanning results over time.
Configure Trivy¶
Use the appropriate database location flags to change the db-repository location:
--db-repository--java-db-repository--checks-bundle-repository
Authentication¶
If the registry requires authentication, you can configure it as described in the private registry authentication document.
OCI Media Types¶
When serving, proxying, or manipulating Trivy's databases, note that the media type of the OCI layer is not a standard container image type:
| DB | Media Type | Reference |
|---|---|---|
trivy-db |
application/vnd.aquasec.trivy.db.layer.v1.tar+gzip |
https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db |
trivy-java-db |
application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip |
https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db |
trivy-checks |
application/vnd.oci.image.manifest.v1+json |
https://github.com/aquasecurity/trivy-checks/pkgs/container/trivy-checks |
Manual cache population¶
Trivy uses a local cache directory to store the database files, as described in the cache document. You can download the databases files and surgically populate the Trivy cache directory with them.
Downloading the DB files¶
On a machine with internet access, pull the database container archive from the public registry into your local workspace:
Note that these examples operate in the current working directory.
This example uses ORAS, but you can use any other container registry manipulation tool.
oras pull ghcr.io/aquasecurity/trivy-db:2
You should now have a file called db.tar.gz. Next, extract it to reveal the db files:
tar -xzf db.tar.gz
This example uses Trivy to pull the database container archive. The --cache-dir flag makes Trivy download the database files into our current working directory. The --download-db-only flag tells Trivy to only download the database files, not to scan any images.
trivy image --cache-dir . --download-db-only
You should now have 2 new files, metadata.json and trivy.db. These are the Trivy DB files, copy them over to the air-gapped environment.
Populating the Trivy Cache¶
In order to populate the cache, you need to identify the location of the cache directory. If it is under the default location, you can run the following command to find it:
trivy -h | grep cache
For the example, we will assume the TRIVY_CACHE_DIR variable holds the cache location:
TRIVY_CACHE_DIR=/home/user/.cache/trivy
Put the Trivy DB files in the Trivy cache directory under a db subdirectory:
# ensure cache db directory exists
mkdir -p ${TRIVY_CACHE_DIR}/db
# copy the db files
cp /path/to/trivy.db /path/to/metadata.json ${TRIVY_CACHE_DIR}/db/
Java DB adaptations¶
For Java DB the process is the same, except for the following:
- Image location is
ghcr.io/aquasecurity/trivy-java-db:1 - Archive file name is
javadb.tar.gz - DB file name is
trivy-java.db
VEX Hub¶
Make a local copy¶
To make a copy of VEX Hub in a location that is accessible to Trivy.
- Download the VEX Hub archive from: https://github.com/aquasecurity/vexhub/archive/refs/heads/main.zip.
- Download the VEX Hub Repository Manifest file from: https://github.com/aquasecurity/vexhub/blob/main/vex-repository.json.
- Create or identify an internal HTTP server that can serve the VEX Hub repository in your environment (e.g
https://server.local). - Make the downloaded archive file available for serving from your server (e.g
https://server.local/main.zip). - Modify the downloaded manifest file's Location URL field to the URL of the archive file on your server (e.g
url: https://server.local/main.zip). - Make the manifest file available for serving from your server under the
/.well-knownpath (e.ghttps://server.local/.well-known/vex-repository.json).
Configure Trivy¶
To configure Trivy to use the local VEX Repository:
- Locate your Trivy VEX configuration file by running
trivy vex repo init. Make the following changes to the file. - Disable the default VEX Hub repo (
enabled: false) - Add your internal VEX Hub repository as a custom repository with the URL pointing to your local server (e.g
url: https://server.local).
Authentication¶
If your server requires authentication, you can configure it as described in the VEX Repository Authentication document.