Security/Container/Trivy: Difference between revisions

Revision as of 02:45, 11 June 2025

cat <<'EXE'| sudo bash
wget -cq https://github.com/aquasecurity/trivy/releases/download/v0.63.0/trivy_0.63.0_Linux-64bit.tar.gz -P ${HOME}/Downloads
tar -xzf ${HOME}/Downloads/trivy_0.63.0_Linux-64bit.tar.gz -C ${HOME}/Downloads
rm  -rf  ${HOME}/Downloads/trivy_0.63.0_Linux-64bit.tar.gz
mv       ${HOME}/Downloads/trivy /usr/local/bin/
EXE

Trivy » Scan

trivy image haproxy:2.8-alpine
trivy image httpd:2.4-alpine
trivy image nginx:alpine
trivy image nginx:1.27

Trivy » Harbor

cat <<'EXE'| bash
wget   -cq https://github.com/goharbor/harbor/releases/download/v2.13.1/harbor-online-installer-v2.13.1.tgz -P ${HOME}/Downloads/
tar   -xzf ${HOME}/Downloads/harbor-online-installer-v2.13.1.tgz -C ${HOME}/Downloads/
rsync  -az ${HOME}/Downloads/harbor/ ${HOME}/Documents/harbor-playground/
rm  -rf    ${HOME}/Downloads/harbor-online-installer-v2.13.1.tgz
rm  -rf    ${HOME}/Downloads/harbor/
EXE

Trivy » Harbor » Internal

cat <<'YML'| tee ${HOME}/Documents/harbor-playground/harbor.yml >/dev/null
---
http:
  port: 1980
hostname: localhost
data_volume: ./harbor-data
harbor_admin_password: sadaqah!

database:
  password: sadaqah!
  max_idle_conns: 10
  max_open_conns: 20
  conn_max_lifetime: 5m
  conn_max_idle_time: 0

trivy:
  skip_java_db_update: false
  ignore_unfixed: false
  security_check: vuln
  offline_scan: false
  skip_update: false
  insecure: false

jobservice:
  max_job_workers: 5
  max_job_duration_hours: 24
  job_loggers:
    - STD_OUTPUT
    - FILE
  logger_sweeper_duration: 1

notification:
  webhook_job_max_retry: 3
  webhook_job_http_client_timeout: 3

log:
  level: warning
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor

upload_purging:
  enabled: true
  age: 168h
  interval: 24h
  dryrun: false

cache:
  enabled: false
  expire_hours: 24
YML

sudo ./install.sh
sudo docker compose down
docker images|grep harbor
sudo docker compose up -d
sudo docker compose logs -ft

Trivy » Harbor » External

export DOCKER_HOST_IP=host.docker.internal echo -n 'Password: ';read -s HARBOR_PASSWORD;export HARBOR_PASSWORD;echo # Password: sadaqah!

cat <<'SQL'\| psql SELECT usename AS "user" FROM pg_catalog.pg_user WHERE usename LIKE '%harbor%' ORDER BY 1 ASC; -- \du+ SELECT datname as "database" FROM pg_database WHERE datname LIKE '%harbor%' ORDER BY 1 ASC; -- \l+ SQL

cat <<'DDL'\| psql \! printf '\n' REVOKE ALL PRIVILEGES ON DATABASE harbor FROM harbor; DROP OWNED BY harbor; DROP DATABASE IF EXISTS harbor; DROP USER IF EXISTS harbor; DDL	cat << DDL \| psql SELECT 'CREATE DATABASE harbor' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'harbor')\gexec CREATE USER harbor WITH ENCRYPTED PASSWORD '${HARBOR_PASSWORD}'; GRANT ALL PRIVILEGES ON DATABASE harbor TO harbor; ALTER DATABASE harbor OWNER TO harbor; DDL

echo -n 'Password: ';read -s PGPASSWORD; export PGPASSWORD; echo # Password: sadaqah! psql -p 5432 -U harbor -d harbor -h 10.20.0.1 psql -p 5432 -U harbor -d harbor -h 10.19.83.10

sudo vim /etc/postgresql/16/main/postgresql.conf # :%s/listen_addresses/listen_addresses/gc sudo vim /etc/postgresql/16/main/pg_hba.conf # :%s/# IPv4 local/# IPv4 local/gc systemctl status postgresql.service systemctl restart postgresql.service systemctl status postgresql.service

cat <<'EXE'\| sudo bash cat /etc/redis/redis.conf > ./redis.conf sed 's\|bind 127.0.0.1 -::1\|bind 127.0.0.1 -::1 10.20.0.1 10.20.13.1\|' -i /etc/redis/redis.conf systemctl status redis.service systemctl restart redis.service systemctl status redis.service redis-cli info keyspace EXE

cat <<'YML'\| tee ${HOME}/Documents/harbor-playground/harbor.yml >/dev/null --- http: port: 1980 hostname: localhost data_volume: ./harbor-data harbor_admin_password: sadaqah! trivy: skip_java_db_update: false ignore_unfixed: false security_check: vuln offline_scan: false skip_update: false insecure: false jobservice: max_job_workers: 5 max_job_duration_hours: 24 job_loggers: - STD_OUTPUT - FILE logger_sweeper_duration: 1 notification: webhook_job_max_retry: 3 webhook_job_http_client_timeout: 3 log: level: warning local: rotate_count: 50 rotate_size: 200M location: /var/log/harbor external_database: harbor: host: host.docker.internal port: 5432 db_name: harbor username: harbor password: sadaqah! ssl_mode: disable max_idle_conns: 5 max_open_conns: 10 upload_purging: enabled: true age: 168h interval: 24h dryrun: false cache: enabled: true expire_hours: 24 YML

sudo ./prepare sudo docker compose down docker images\|grep harbor sudo docker compose up -d sudo docker compose logs -ft

yq eval '.services.core.extra_hosts += ["host.docker.internal:host-gateway"]' -i docker-compose.yml yq eval '.services.registry.extra_hosts += ["host.docker.internal:host-gateway"]' -i docker-compose.yml

Trivy » Harbor » Manage

sudo ./prepare
sudo ./install.sh
docker images|grep harbor
sudo docker compose logs -ft

sudo docker compose up -d
sudo docker compose down

Playground

trivy version
trivy help

trivy image haproxy:latest
trivy image httpd:latest

trivy image nginx:latest
trivy image php:latest

systemctl restart postgresql.service
systemctl status  postgresql.service
systemctl restart redis.service
systemctl status  redis.service

redis-cli info keyspace
redis-cli flushall
redis-cli flushdb

external_redis:
  host: host.docker.internal:6379
  tlsOptions:
    enable: false
  registry_db_index: 1
  jobservice_db_index: 2
  trivy_db_index: 5
  idle_timeout_seconds: 30

References

Security » Container » Trivy » Harbor » Release Plans Security » Container » Trivy » Harbor » Download Security » Container » Trivy » Harbor » HTTPS Security » Container » Trivy » Harbor » Wiki Security » Container » Trivy » Download Security » Container » Trivy » Harbor Security » Container » Trivy » Install Security » Container » Trivy » Docs Security » Container » Trivy

Security » OpenLDAP » BackSQL Security » `makepasswd` » SCM Security » `makepasswd` Security » Certificate Security » Password Security » ZA Proxy Security » Domain Security » Spring Security » HTTP Security » Java	Security » SSH » Public Key Authentication Security » HTTP » Basic Authentication Security » Container » Snyk Security » Certificate » TLS

Kubernetes Multipass Minikube Podman Vagrant Docker Qemu Helm K9s K8s	LXC » Alpine » Apache » PHP LXC » Alpine » Nginx » PHP LXC » Logrotate » Redhat Terraform Proxmox Kubectl Ansible CIDR UFW LXC	PostgreSQL » PgBouncer PostgreSQL » PgLoader Docker/Compose/SFTP PostgreSQL Git

export DOCKER_HOST_IP=host.docker.internal echo -n 'Password: ';read -s HARBOR_PASSWORD;export HARBOR_PASSWORD;echo # Password: sadaqah!

cat <<'SQL'\| psql SELECT usename AS "user" FROM pg_catalog.pg_user WHERE usename LIKE '%harbor%' ORDER BY 1 ASC; -- \du+ SELECT datname as "database" FROM pg_database WHERE datname LIKE '%harbor%' ORDER BY 1 ASC; -- \l+ SQL

cat <<'DDL'\| psql \! printf '\n' REVOKE ALL PRIVILEGES ON DATABASE harbor FROM harbor; DROP OWNED BY harbor; DROP DATABASE IF EXISTS harbor; DROP USER IF EXISTS harbor; DDL	cat << DDL \| psql SELECT 'CREATE DATABASE harbor' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'harbor')\gexec CREATE USER harbor WITH ENCRYPTED PASSWORD '${HARBOR_PASSWORD}'; GRANT ALL PRIVILEGES ON DATABASE harbor TO harbor; ALTER DATABASE harbor OWNER TO harbor; DDL

echo -n 'Password: ';read -s PGPASSWORD; export PGPASSWORD; echo # Password: sadaqah! psql -p 5432 -U harbor -d harbor -h 10.20.0.1 psql -p 5432 -U harbor -d harbor -h 10.19.83.10

sudo vim /etc/postgresql/16/main/postgresql.conf # :%s/listen_addresses/listen_addresses/gc sudo vim /etc/postgresql/16/main/pg_hba.conf # :%s/# IPv4 local/# IPv4 local/gc systemctl status postgresql.service systemctl restart postgresql.service systemctl status postgresql.service

cat <<'EXE'\| sudo bash cat /etc/redis/redis.conf > ./redis.conf sed 's\|bind 127.0.0.1 -::1\|bind 127.0.0.1 -::1 10.20.0.1 10.20.13.1\|' -i /etc/redis/redis.conf systemctl status redis.service systemctl restart redis.service systemctl status redis.service redis-cli info keyspace EXE

cat <<'YML'\| tee ${HOME}/Documents/harbor-playground/harbor.yml >/dev/null --- http: port: 1980 hostname: localhost data_volume: ./harbor-data harbor_admin_password: sadaqah! trivy: skip_java_db_update: false ignore_unfixed: false security_check: vuln offline_scan: false skip_update: false insecure: false jobservice: max_job_workers: 5 max_job_duration_hours: 24 job_loggers: - STD_OUTPUT - FILE logger_sweeper_duration: 1 notification: webhook_job_max_retry: 3 webhook_job_http_client_timeout: 3 log: level: warning local: rotate_count: 50 rotate_size: 200M location: /var/log/harbor external_database: harbor: host: host.docker.internal port: 5432 db_name: harbor username: harbor password: sadaqah! ssl_mode: disable max_idle_conns: 5 max_open_conns: 10 upload_purging: enabled: true age: 168h interval: 24h dryrun: false cache: enabled: true expire_hours: 24 YML

sudo ./prepare sudo docker compose down docker images\|grep harbor sudo docker compose up -d sudo docker compose logs -ft

yq eval '.services.core.extra_hosts += ["host.docker.internal:host-gateway"]' -i docker-compose.yml yq eval '.services.registry.extra_hosts += ["host.docker.internal:host-gateway"]' -i docker-compose.yml

Security/Container/Trivy: Difference between revisions

Revision as of 02:45, 11 June 2025

Contents

Trivy » Scan

Trivy » Harbor

Trivy » Harbor » Internal

Trivy » Harbor » External

Trivy » Harbor » Manage

Playground

References

Navigation menu

Security/Container/Trivy: Difference between revisions

Revision as of 02:45, 11 June 2025

Trivy » Scan

Trivy » Harbor

Trivy » Harbor » Internal

Trivy » Harbor » External

Trivy » Harbor » Manage

Playground

References

Navigation menu

Search