diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 55f592b5c..9f295ca4f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -351,7 +351,7 @@ kubectl apply -f https://github.com/operator-framework/operator-lifecycle-manage or ``` -curl -L https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.21.2/install.sh -o install.sh +curl -L https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.21.3/install.sh -o install.sh chmod +x install.sh ./install.sh v0.20.0 ``` diff --git a/README.md b/README.md index c8cf92efc..d98ed5817 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,7 @@ Install the Helm Chart: helm install trivy-operator aqua/trivy-operator \ --namespace trivy-system \ --create-namespace \ - --version 0.21.2 + --version 0.21.3 ``` #### Option 2: Install from OCI registry (supported in Helm v3.8.0+) @@ -78,7 +78,7 @@ Install the Helm Chart: helm install trivy-operator oci://ghcr.io/aquasecurity/helm-charts/trivy-operator \ --namespace trivy-system \ --create-namespace \ - --version 0.21.2 + --version 0.21.3 ``` This will install the Trivy Helm Chart into the `trivy-system` namespace and start triggering the scans. diff --git a/RELEASING.md b/RELEASING.md index 2da6937f6..3e92a46e8 100644 --- a/RELEASING.md +++ b/RELEASING.md @@ -46,17 +46,17 @@ 5. Create an annotated git tag and push it to the `upstream`. This will trigger the [`.github/workflows/release.yaml`] workflow ```sh - git tag -v0.19.2 -m 'Release v0.19.2' - git push upstream v0.19.2 + git tag -v0.19.3 -m 'Release v0.19.3' + git push upstream v0.19.3 ``` 6. Verify that the `release` workflow has built and published the following artifacts 1. Trivy-operator container images published to DockerHub - `docker.io/aquasec/trivy-operator:0.19.2` + `docker.io/aquasec/trivy-operator:0.19.3` 2. Trivy-operator container images published to Amazon ECR Public Gallery - `public.ecr.aws/aquasecurity/trivy-operator:0.19.2` + `public.ecr.aws/aquasecurity/trivy-operator:0.19.3` 3. Trivy-operator container images published to GitHub Container Registry - `ghcr.io/aquasecurity/trivy-operator:0.19.2` + `ghcr.io/aquasecurity/trivy-operator:0.19.3` 7. Submit trivy-operator Operator to OperatorHub and ArtifactHUB by opening the PR to the repository. diff --git a/deploy/helm/Chart.yaml b/deploy/helm/Chart.yaml index d784be8e4..153f2cbd6 100644 --- a/deploy/helm/Chart.yaml +++ b/deploy/helm/Chart.yaml @@ -6,12 +6,12 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.21.2 +version: 0.21.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.19.2 +appVersion: 0.19.3 # kubeVersion: A SemVer range of compatible Kubernetes versions (optional) diff --git a/deploy/helm/README.md b/deploy/helm/README.md index 6731ce903..a12fb1644 100644 --- a/deploy/helm/README.md +++ b/deploy/helm/README.md @@ -1,6 +1,6 @@ # trivy-operator -![Version: 0.21.2](https://img.shields.io/badge/Version-0.21.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.19.2](https://img.shields.io/badge/AppVersion-0.19.2-informational?style=flat-square) +![Version: 0.21.3](https://img.shields.io/badge/Version-0.21.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.19.3](https://img.shields.io/badge/AppVersion-0.19.3-informational?style=flat-square) Keeps security report resources updated diff --git a/deploy/helm/templates/specs/cis-1.23.yaml b/deploy/helm/templates/specs/cis-1.23.yaml index c3cb2e5d9..fcc2624e5 100644 --- a/deploy/helm/templates/specs/cis-1.23.yaml +++ b/deploy/helm/templates/specs/cis-1.23.yaml @@ -5,7 +5,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.19.2 + app.kubernetes.io/version: 0.19.3 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote}} diff --git a/deploy/helm/templates/specs/nsa-1.0.yaml b/deploy/helm/templates/specs/nsa-1.0.yaml index d28b1a716..f49a1c8a3 100644 --- a/deploy/helm/templates/specs/nsa-1.0.yaml +++ b/deploy/helm/templates/specs/nsa-1.0.yaml @@ -5,7 +5,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote }} diff --git a/deploy/helm/templates/specs/pss-baseline.yaml b/deploy/helm/templates/specs/pss-baseline.yaml index cc2dc11c4..1990f1e41 100644 --- a/deploy/helm/templates/specs/pss-baseline.yaml +++ b/deploy/helm/templates/specs/pss-baseline.yaml @@ -5,7 +5,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.19.2 + app.kubernetes.io/version: 0.19.3 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote }} diff --git a/deploy/helm/templates/specs/pss-restricted.yaml b/deploy/helm/templates/specs/pss-restricted.yaml index 6ed5a7214..719f333c3 100644 --- a/deploy/helm/templates/specs/pss-restricted.yaml +++ b/deploy/helm/templates/specs/pss-restricted.yaml @@ -5,7 +5,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.19.2 + app.kubernetes.io/version: 0.19.3 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote }} diff --git a/deploy/static/namespace.yaml b/deploy/static/namespace.yaml index 7f55d1fdd..0b33c7bc4 100644 --- a/deploy/static/namespace.yaml +++ b/deploy/static/namespace.yaml @@ -6,5 +6,5 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml index 9285c9ad1..8485de230 100644 --- a/deploy/static/trivy-operator.yaml +++ b/deploy/static/trivy-operator.yaml @@ -2864,7 +2864,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl --- # Source: trivy-operator/templates/configmaps/operator.yaml @@ -2876,7 +2876,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl data: nodeCollector.volumes: "[{\"hostPath\":{\"path\":\"/var/lib/etcd\"},\"name\":\"var-lib-etcd\"},{\"hostPath\":{\"path\":\"/var/lib/kubelet\"},\"name\":\"var-lib-kubelet\"},{\"hostPath\":{\"path\":\"/var/lib/kube-scheduler\"},\"name\":\"var-lib-kube-scheduler\"},{\"hostPath\":{\"path\":\"/var/lib/kube-controller-manager\"},\"name\":\"var-lib-kube-controller-manager\"},{\"hostPath\":{\"path\":\"/etc/systemd\"},\"name\":\"etc-systemd\"},{\"hostPath\":{\"path\":\"/lib/systemd\"},\"name\":\"lib-systemd\"},{\"hostPath\":{\"path\":\"/etc/kubernetes\"},\"name\":\"etc-kubernetes\"},{\"hostPath\":{\"path\":\"/etc/cni/net.d/\"},\"name\":\"etc-cni-netd\"}]" @@ -2900,7 +2900,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl data: --- @@ -2913,7 +2913,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl data: OPERATOR_LOG_DEV_MODE: "false" @@ -2965,7 +2965,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl data: trivy.repository: "ghcr.io/aquasecurity/trivy" @@ -3001,7 +3001,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl data: --- @@ -3014,7 +3014,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl data: --- @@ -3027,7 +3027,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl spec: replicas: 1 @@ -3047,7 +3047,7 @@ spec: automountServiceAccountToken: true containers: - name: "trivy-operator" - image: "ghcr.io/aquasecurity/trivy-operator:0.19.2" + image: "ghcr.io/aquasecurity/trivy-operator:0.19.3" imagePullPolicy: IfNotPresent env: - name: OPERATOR_NAMESPACE @@ -3108,7 +3108,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl spec: clusterIP: None @@ -3500,7 +3500,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl roleRef: apiGroup: rbac.authorization.k8s.io @@ -3521,7 +3521,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl rules: - apiGroups: @@ -3548,7 +3548,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl roleRef: apiGroup: rbac.authorization.k8s.io @@ -3568,7 +3568,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl rules: - apiGroups: @@ -3598,7 +3598,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl roleRef: apiGroup: rbac.authorization.k8s.io @@ -3618,7 +3618,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -3643,7 +3643,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -3668,7 +3668,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -3693,5 +3693,5 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" app.kubernetes.io/managed-by: kubectl diff --git a/docs/docs/crds/clustercompliance-report.md b/docs/docs/crds/clustercompliance-report.md index 75b11cbd9..30dc2cee7 100644 --- a/docs/docs/crds/clustercompliance-report.md +++ b/docs/docs/crds/clustercompliance-report.md @@ -1346,7 +1346,7 @@ status: "app.kubernetes.io/instance": "trivy-operator", "app.kubernetes.io/managed-by": "kubectl", "app.kubernetes.io/name": "trivy-operator", - "app.kubernetes.io/version": "0.19.2" + "app.kubernetes.io/version": "0.19.3" }, "name": "cis", "resourceVersion": "8985", diff --git a/docs/docs/crds/configaudit-report.md b/docs/docs/crds/configaudit-report.md index 439e54d96..18fda67c4 100644 --- a/docs/docs/crds/configaudit-report.md +++ b/docs/docs/crds/configaudit-report.md @@ -34,7 +34,7 @@ report: scanner: name: Trivy vendor: Aqua Security - version: '0.19.2' + version: '0.19.3' summary: criticalCount: 2 highCount: 0 diff --git a/docs/docs/crds/exposedsecret-report.md b/docs/docs/crds/exposedsecret-report.md index 9c8de5486..be928d947 100644 --- a/docs/docs/crds/exposedsecret-report.md +++ b/docs/docs/crds/exposedsecret-report.md @@ -33,7 +33,7 @@ metadata: report: artifact: repository: myimagewithsecret - tag: v0.19.2 + tag: v0.19.3 registry: server: index.docker.io scanner: diff --git a/docs/docs/crds/rbacassessment-report.md b/docs/docs/crds/rbacassessment-report.md index c2685ab77..68edce016 100644 --- a/docs/docs/crds/rbacassessment-report.md +++ b/docs/docs/crds/rbacassessment-report.md @@ -176,7 +176,7 @@ report: scanner: name: Trivy vendor: Aqua Security - version: '0.19.2' + version: '0.19.3' summary: criticalCount: 1 highCount: 0 diff --git a/docs/docs/design/caching_scan_results_by_repo_digest.md b/docs/docs/design/caching_scan_results_by_repo_digest.md index 4f602a8e8..0d24b37ed 100644 --- a/docs/docs/design/caching_scan_results_by_repo_digest.md +++ b/docs/docs/design/caching_scan_results_by_repo_digest.md @@ -129,5 +129,5 @@ We can't use something like ownerReference since it would delete all vulnerabili a gate. * Both Trivy-Operator CLI and Trivy-Operator Operator can read and leverage ClusterVulnerabilityReports. -[Standalone]: https://aquasecurity.github.io/trivy-operator/v0.19.2/integrations/vulnerability-scanners/trivy/#standalone -[ClientServer]: https://aquasecurity.github.io/trivy-operator/v0.19.2/integrations/vulnerability-scanners/trivy/#clientserver +[Standalone]: https://aquasecurity.github.io/trivy-operator/v0.19.3/integrations/vulnerability-scanners/trivy/#standalone +[ClientServer]: https://aquasecurity.github.io/trivy-operator/v0.19.3/integrations/vulnerability-scanners/trivy/#clientserver diff --git a/docs/docs/design/design_compliance_report.md b/docs/docs/design/design_compliance_report.md index b9a61afc0..769e3112f 100644 --- a/docs/docs/design/design_compliance_report.md +++ b/docs/docs/design/design_compliance_report.md @@ -542,7 +542,7 @@ metadata: name: clustercompliancereports.aquasecurity.github.io labels: app.kubernetes.io/managed-by: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" spec: group: aquasecurity.github.io scope: Cluster @@ -678,7 +678,7 @@ metadata: name: clustercompliancedetailreports.aquasecurity.github.io labels: app.kubernetes.io/managed-by: trivy-operator - app.kubernetes.io/version: "0.19.2" + app.kubernetes.io/version: "0.19.3" spec: group: aquasecurity.github.io versions: diff --git a/docs/docs/design/design_starboard_at_scale.excalidraw b/docs/docs/design/design_starboard_at_scale.excalidraw index 6cedffb57..9203ee38e 100644 --- a/docs/docs/design/design_starboard_at_scale.excalidraw +++ b/docs/docs/design/design_starboard_at_scale.excalidraw @@ -11835,7 +11835,7 @@ "versionNonce": 596868769, "isDeleted": false, "boundElementIds": null, - "text": "apiVersion: batch/v1\nkind: Job\nmetadata:\n name: scan-vulnerabilityreport-\n namespace: trivy-system\nspec:\n template:\n spec:\n containers:\n - name: nginx\n image: aquasec/trivy:0.19.2\n command: [\"trivy\", \"image\", \"nginx:1.16\"]\n restartPolicy: Never\n backoffLimit: 1", + "text": "apiVersion: batch/v1\nkind: Job\nmetadata:\n name: scan-vulnerabilityreport-\n namespace: trivy-system\nspec:\n template:\n spec:\n containers:\n - name: nginx\n image: aquasec/trivy:0.19.3\n command: [\"trivy\", \"image\", \"nginx:1.16\"]\n restartPolicy: Never\n backoffLimit: 1", "fontSize": 20, "fontFamily": 3, "textAlign": "left", @@ -11895,7 +11895,7 @@ "boundElementIds": [], "fontSize": 20, "fontFamily": 3, - "text": "apiVersion: v1\nkind: Pod\nmetadata:\n name: scan-vulnerabilityreport--\n namespace: trivy-system\nspec:\n containers:\n - name: nginx\n image: aquasec/trivy:0.19.2\n command: [\"trivy\", \"image\", \"nginx:1.16\"]\n", + "text": "apiVersion: v1\nkind: Pod\nmetadata:\n name: scan-vulnerabilityreport--\n namespace: trivy-system\nspec:\n containers:\n - name: nginx\n image: aquasec/trivy:0.19.3\n command: [\"trivy\", \"image\", \"nginx:1.16\"]\n", "baseline": 259, "textAlign": "left", "verticalAlign": "top" diff --git a/docs/docs/design/design_trivy_file_system_scanner.md b/docs/docs/design/design_trivy_file_system_scanner.md index 6494a2e21..2a9f82e9e 100644 --- a/docs/docs/design/design_trivy_file_system_scanner.md +++ b/docs/docs/design/design_trivy_file_system_scanner.md @@ -13,17 +13,18 @@ and `TRIVY_PASSWORD` environment variables. Since ImagePullSecrets are not the only way to provide registry credential, the following alternatives are not currently supported by Trivy-Operator: + 1. Pre-pulled images 2. [Configuring nodes to authenticate to a private registry] 3. Vendor-specific or local extension. For example, methods described on [AWS ECR Private registry authentication]. Even though we could resolve some of above-mentioned limitations with hostPath volume mounts to the container runtime socket, it would have its own disadvantages that we are trying to avoid. For example, more permissions to schedule scan -Jobs and additional information about cluster's infrastructure such as location of the container runtime socket. +Jobs and additional information about cluster's infrastructure such as location of the container runtime socket. ## Solution -### TL;DR; +### TL;DR Use Trivy filesystem scanning to scan container images. The main idea, which is discussed in this proposal, is to schedule a scan Job on the same cluster node where the scanned workload. This allows Trivy to scan a filesystem of @@ -89,7 +90,7 @@ spec: containers: - name: nginx image: example.registry.com/nginx:1.16 -``` +``` To scan the `nginx` container of the `nginx` Deployment, Trivy-Operator will create the following scan Job in the `trivy-system` namespace and observe it until it's Completed or Failed. @@ -116,10 +117,10 @@ spec: emptyDir: { } initContainers: # The trivy-get-binary init container is used to copy out the trivy executable - # binary from the upstream Trivy container image, i.e. aquasec/trivy:0.19.2, + # binary from the upstream Trivy container image, i.e. aquasec/trivy:0.19.3, # to a shared emptyDir volume. - name: trivy-get-binary - image: aquasec/trivy:0.19.2 + image: aquasec/trivy:0.19.3 command: - cp - -v @@ -134,7 +135,7 @@ spec: # This won't be required once Trivy supports ClientServer mode # for the fs subcommand. - name: trivy-download-db - image: aquasec/trivy:0.19.2 + image: aquasec/trivy:0.19.3 command: - /var/trivy-operator/trivy - --download-db-only @@ -198,4 +199,3 @@ Trivy must run as root so the scan Job defined the `securityContext` with the `r [AWS ECR Private registry authentication]: https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html [AlwaysPullImages]: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages [kfox1111]: https://github.com/kfox1111 - diff --git a/docs/docs/design/design_vuln_scan_job_in_same_namespace_of_workload.md b/docs/docs/design/design_vuln_scan_job_in_same_namespace_of_workload.md index a6ac08d67..945d0a016 100644 --- a/docs/docs/design/design_vuln_scan_job_in_same_namespace_of_workload.md +++ b/docs/docs/design/design_vuln_scan_job_in_same_namespace_of_workload.md @@ -167,7 +167,7 @@ spec: emptyDir: { } initContainers: - name: trivy-get-binary - image: aquasec/trivy:0.19.2 + image: aquasec/trivy:0.19.3 command: - cp - -v @@ -177,7 +177,7 @@ spec: - name: scan-volume mountPath: /var/trivy-operator - name: trivy-download-db - image: aquasec/trivy:0.19.2 + image: aquasec/trivy:0.19.3 command: - /var/trivy-operator/trivy - --download-db-only @@ -219,6 +219,6 @@ With this approach trivy operator will not have to worry about managing(create/d - As we will run scan job with service account of workload and if there are some very strict PSP defined in the cluster then scan job will be blocked due to the PSP. -[ECR registry configuration]: https://aquasecurity.github.io/trivy-operator/v0.19.2/integrations/managed-registries/#amazon-elastic-container-registry-ecr +[ECR registry configuration]: https://aquasecurity.github.io/trivy-operator/v0.19.3/integrations/managed-registries/#amazon-elastic-container-registry-ecr [IAM role to service account]: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html [Trivy fs command]: https://github.com/aquasecurity/trivy-operator/blob/main/docs/design/design_trivy_file_system_scanner.md diff --git a/docs/docs/design/ttl_scans.md b/docs/docs/design/ttl_scans.md index 39c5acf33..837d620e5 100644 --- a/docs/docs/design/ttl_scans.md +++ b/docs/docs/design/ttl_scans.md @@ -44,13 +44,13 @@ metadata: report: artifact: repository: fluxcd/source-controller - tag: v0.19.2 + tag: v0.19.3 registry: server: ghcr.io scanner: name: Trivy vendor: Aqua Security - version: 0.19.2 + version: 0.19.3 summary: criticalCount: 0 highCount: 0 diff --git a/docs/index.md b/docs/index.md index af51267b5..0f490ef91 100644 --- a/docs/index.md +++ b/docs/index.md @@ -66,7 +66,7 @@ Install the Helm Chart: helm install trivy-operator oci://ghcr.io/aquasecurity/helm-charts/trivy-operator \ --namespace trivy-system \ --create-namespace \ - --version 0.21.2 + --version 0.21.3 ``` This will install the Trivy Helm Chart into the `trivy-system` namespace and start triggering the scans. diff --git a/docs/tutorials/private-registries.md b/docs/tutorials/private-registries.md index 9a1c088cb..dded6c511 100644 --- a/docs/tutorials/private-registries.md +++ b/docs/tutorials/private-registries.md @@ -303,4 +303,4 @@ data: The last way that you could give the Trivy operator access to your private container registry is through managed registries. In this case, the container registry and your Kubernetes cluster would have to be on the same cloud provider; then you can define access to your container namespace as part of the IAM account. Once defined, trivy will already have the permissions for the registry. -For additional information, please refer to the [documentation on managed registries.](https://aquasecurity.github.io/trivy-operator/v0.19.2/docs/vulnerability-scanning/managed-registries/) +For additional information, please refer to the [documentation on managed registries.](https://aquasecurity.github.io/trivy-operator/v0.19.3/docs/vulnerability-scanning/managed-registries/) diff --git a/mkdocs.yml b/mkdocs.yml index 087ff664f..a5a77542a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -89,8 +89,8 @@ extra: method: mike provider: mike var: - prev_git_tag: "v0.19.1" - chart_version: "0.21.2" + prev_git_tag: "v0.19.2" + chart_version: "0.21.3" plugins: - search diff --git a/tests/itest/helper/helper.go b/tests/itest/helper/helper.go index e15ff207c..d34562f3a 100644 --- a/tests/itest/helper/helper.go +++ b/tests/itest/helper/helper.go @@ -236,7 +236,7 @@ var ( trivyScanner = v1alpha1.Scanner{ Name: v1alpha1.ScannerNameTrivy, Vendor: "Aqua Security", - Version: "0.19.2", + Version: "0.19.3", } )