Allow InitContainer to pull vulnerability-db from private registry

[yanehi]

I would like to run the trivy-operator in standalone mode in an air-gapped environment. For this we use our own trivy-image, which contains the vulnerability databases.

For all scan-jobs the project works as expected. However, the InitContainer started by the trivy-operator always bypasses the cache (since I can't give it a pvc) and unfortunately can't download our vulnerability-db from our private registry. An ImagePullSecret is set at the podlevel and already allows the InitContainer itself to pull the image from our private registry. However, in the trivy command it tries to load the db from our private registry:

Command

  InitContainer: 
   Command:
      trivy
    Args:
      --cache-dir
      /tmp/trivy/.cache
      image
      --download-db-only
      --db-repository
      <private-registry-name>

2023-07-06T10:23:04.261Z  ^[[34mINFO^[[0m           DB Repository: <private-registry-name>
2023-07-06T10:23:04.261Z  ^[[34mINFO^[[0m           Downloading DB...
2023-07-06T10:23:04.519Z  ^[[31mFATAL^[[0m          init error: DB error: failed to download vulnerability DB: database download error: OCI repository error: 1 error occurred:
                          * GET https://<registry-url>/jwt/auth?scope=repository%3A<repository-name>%2Foci%2F<image-name>%3Apull&service=container_registry: DENIED: access forbidden

Is there any way at this point to pass in credentials so that it can pull the db (image) from our private registry?

[chen-keinan]

@yanehi currently it is not supported as you mention , can you open an issue for it.

[yanehi]

Sure, thanks for your quick reply!

[yanehi]

I have created an issue with details about environment and feature request.

[crtvmn]

Hello,

What is the status of this request?