trivy-db repository (again) #229

Merged
merged 2 commits into from
Oct 29, 2024
Conversation


@andrewmackett andrewmackett commented Oct 24, 2024

Jira:

Trivy scans the source code and any container image for vulnerabilities. However, when using the default repository for the trivy database, we see rate limiting issues from GitHub Container Registry:

Fatal error	init error: DB error: failed to download vulnerability DB: database download error: OCI repository error: 1 error occurred:
	* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 669.3µs, allowed: 44000/minute

This has been widely reported on the Trivy git repositories and the Trivy maintainers are making changes in an attempt to improve the situation. However it's unclear how long these changes will take and it appears the changes will only be available in the latest versions.

We've previously set up a Google Artifact Registry "remote repository" which effectively caches images from the default GitHub Container Registry. However, this has not been as successful as we had hoped because the Google Artifact Registry remote repository still has to go to GitHub Container Registry to collect new images, and we experience the rate limiting errors again.

We now have a new, standard, Google Artifact Registry image repository to hold the trivy-db images. This is updated from a scheduled job every 6 hours, rather than pulling new images when Trivy executes. This may result in Trivy using a slightly older vulnerabilities database, but should ensure that when executing Trivy there's always a trivy-db image available.

This PR updates the settings trivy uses to get the database from this new repository, avoiding the rate limiting from ghcr.

This PR was generated using turbolift.
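The two halves of the setup the PR describes, a scheduled copy of the trivy-db artifacts into a private registry and a scan that points Trivy at that copy, as an added shell example. This is not code from the PR or from the gr4vy repositories: the Artifact Registry path, the `TRIVY_MIRROR` variable and the `crane` tool are assumptions, and the fallback to the locally cached DB when a rate limit is hit is a design choice of this example, not something the PR does. The `--db-repository`, `--java-db-repository`, `--skip-db-update` and `--skip-java-db-update` flags are real Trivy flags.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): mirror trivy-db into a private registry on a
# schedule and point Trivy at the mirror instead of ghcr.io.
set -eu

# Upstream OCI artifacts Trivy pulls by default. The tag is the DB schema
# version (the "manifests/2" in the rate-limit error), not a date.
UPSTREAM_DB="ghcr.io/aquasecurity/trivy-db:2"
UPSTREAM_JAVA_DB="ghcr.io/aquasecurity/trivy-java-db:1"

# Hypothetical mirror location; the real Artifact Registry path is not in the PR.
MIRROR="${TRIVY_MIRROR:-europe-west2-docker.pkg.dev/example-project/trivy}"

# Build the Trivy flags that redirect both DB downloads to the mirror.
# (TRIVY_DB_REPOSITORY / TRIVY_JAVA_DB_REPOSITORY env vars are the equivalent.)
trivy_db_flags() {
  mirror="$1"
  printf -- '--db-repository %s/trivy-db:2 --java-db-repository %s/trivy-java-db:1' \
    "$mirror" "$mirror"
}

# Detect the registry rate-limit failure in Trivy's output (exit 0 if present).
is_rate_limited() {
  printf '%s' "$1" | grep -q 'TOOMANYREQUESTS'
}

# Scheduled job body (every 6 hours, as in the PR): copy the artifacts into the
# mirror. Needs crane and push credentials for the mirror registry.
mirror_trivy_db() {
  mirror="$1"
  crane copy "$UPSTREAM_DB" "$mirror/trivy-db:2"
  crane copy "$UPSTREAM_JAVA_DB" "$mirror/trivy-java-db:1"
}

# Scan wrapper: use the mirror; if the download is still rate limited, rescan
# with the locally cached DB instead of failing the pipeline outright. The
# cached DB may be older than the mirror's copy, so the fallback is logged.
scan_image() {
  image="$1"
  # shellcheck disable=SC2046  # intentional word splitting of the flag string
  if out=$(trivy image $(trivy_db_flags "$MIRROR") "$image" 2>&1); then
    printf '%s\n' "$out"
    return 0
  fi
  if is_rate_limited "$out"; then
    echo "DB download rate limited; rescanning with cached DB" >&2
    trivy image --skip-db-update --skip-java-db-update "$image"
  else
    printf '%s\n' "$out" >&2
    return 1
  fi
}

# Entry points are guarded so the file can be sourced without side effects.
case "${1:-}" in
  mirror) mirror_trivy_db "$MIRROR" ;;
  scan)   scan_image "${2:?image reference required}" ;;
esac
```

Run `./trivy-mirror.sh mirror` from the scheduled job and `./trivy-mirror.sh scan IMAGE` from the pipeline. Pinning the mirror to the `:2` schema tag matters: Trivy refuses a DB whose schema version does not match the binary, so the mirror tag should track the same tag the installed Trivy version expects.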

@douglaseggleton douglaseggleton added the internal Changes only affect the internal API label Oct 29, 2024
@douglaseggleton douglaseggleton merged commit 16255a2 into main Oct 29, 2024
5 checks passed
@douglaseggleton douglaseggleton deleted the trivy-db-again branch October 29, 2024 16:55
@gr4vy-code (Collaborator) commented:

🚀 PR was released in v2.30.0 🚀

@gr4vy-code gr4vy-code added the released Issue or pull request released label Nov 18, 2024