This document explains how to host Trivy's external dependencies in your own infrastructure to prevent external network access. If you haven't already, please familiarize yourself with the Databases document, which explains the different databases used by Trivy and the configuration options that control them. This guide assumes you are already familiar with the concepts explained there.
Trivy uses a local cache directory to store the database files, as described in the cache document.
You can download the database files and surgically populate the Trivy cache directory with them.
On a machine with internet access, pull the database container archive from the public registry into your local workspace:
Note that these examples operate in the current working directory.
This example uses ORAS, but you can use any other container registry manipulation tool.
oras pull ghcr.io/aquasecurity/trivy-db:2
You should now have a file called db.tar.gz. Next, extract it to reveal the db files:
tar -xzf db.tar.gz
This example uses Trivy to pull the database container archive. The --cache-dir flag makes Trivy download the database files into the current working directory. The --download-db-only flag tells Trivy to only download the database files, not to scan any images.
trivy image --cache-dir . --download-db-only
You should now have 2 new files, metadata.json and trivy.db. These are the Trivy DB files; copy them over to the air-gapped environment.
In order to populate the cache, you need to identify the location of the cache directory. If it is under the default location, you can run the following command to find it:
trivy -h | grep cache
For the example, we will assume the TRIVY_CACHE_DIR variable holds the cache location:
TRIVY_CACHE_DIR=/home/user/.cache/trivy
Put the Trivy DB files in the Trivy cache directory under a db subdirectory:
# ensure cache db directory exists
mkdir -p ${TRIVY_CACHE_DIR}/db
# copy the db files
cp /path/to/trivy.db /path/to/metadata.json ${TRIVY_CACHE_DIR}/db/
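The two steps above (fetch on a connected host, copy into the cache on the air-gapped host) carried through as one script, as an added example that is not part of the Trivy documentation or project. It adds one check the page does not describe: SHA-256 sums are recorded on the connected host and verified on the air-gapped host before anything is written to the cache, so a file corrupted or altered in transit is rejected. The file name SHA256SUMS, the function names and the use of sha256sum/shasum are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Trivy's own tooling): move Trivy DB files into an
# air-gapped cache with an integrity check on the way in.

# Pick an available SHA-256 tool (assumption: GNU coreutils or Perl shasum).
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$@"
  else
    shasum -a 256 "$@"
  fi
}

# Step 1, connected host: after `oras pull ...` + `tar -xzf db.tar.gz` or
# `trivy image --cache-dir . --download-db-only`, record checksums of the
# two DB files next to them. SHA256SUMS is a name chosen for this example.
record_db_checksums() {
  dir="$1"
  ( cd "$dir" && _sha256 trivy.db metadata.json > SHA256SUMS )
}

# Step 2, air-gapped host: verify the copied files against SHA256SUMS, then
# place them under <cache>/db exactly as the page's mkdir/cp commands do.
# Returns 1 on missing files or copy failure, 2 on checksum mismatch.
populate_trivy_cache() {
  src="$1"
  cache="$2"
  for f in trivy.db metadata.json SHA256SUMS; do
    [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
  done
  # Refuse to touch the cache if either file does not match its recorded sum.
  ( cd "$src" && _sha256 -c SHA256SUMS >/dev/null 2>&1 ) \
    || { echo "checksum mismatch in $src, cache left untouched" >&2; return 2; }
  mkdir -p "$cache/db" || return 1
  cp "$src/trivy.db" "$src/metadata.json" "$cache/db/" || return 1
  return 0
}

# Usage (TRIVY_CACHE_DIR as found via `trivy -h | grep cache`):
#   connected host:   record_db_checksums ./dbfiles
#   air-gapped host:  populate_trivy_cache /media/transfer/dbfiles "$TRIVY_CACHE_DIR"
```

Keeping the checksum step separate from the copy means a bad transfer fails closed: the cache directory is never half-populated, and Trivy keeps using whatever database it already had until a verified copy arrives.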