chore(docs): Update docs regarding trivy client/server for misconfiguration scanning #7177
Comments
simar7
added
kind/documentation
|
@knqyf263 I'm confused by the 3rd point. Are there restrictions for certain scanners in client/server mode? |
|
The misconfiguration and secret scanners do not support client/server mode. More strictly, detection still occurs in client/server mode, but the scanning is done on the client side and therefore works in the same way as in standalone mode. It may be clearer to mention which side the scan is performed on, as ‘not supported’ may sound like it doesn't work. The misconfiguration scans are performed on the client side, so the checks bundle also needs to be downloaded by the client. And this is not what many users want from client-server mode. They expect checks bundle to be downloaded and the scan is performed on the server side. |
|
Thank you! Is it also worth adding a log that secrets and misconfiguration scanning will be done on the client side in client/server mode? |
|
Yes, it helps. |
TODO:
Configto unsupported in the tableMisconfiguration scanning is performed on the client side. Otherwise, a client needs to send all the IaC files, which may include sensitive information, to the server.
Another benefit of the client/server mode is caching. In image scanning, the server stores the analysis result in the cache per layer, and the client can skip analyzing layers in subsequent scans. This is very useful for vulnerability scanning but not for misconfiguration scanning. In misconfiguration scanning, we need to cache the IaC file contents. In addition, filesystem scanning doesn't fit for cache.
For the above reasons, misconfiguration scanning (and secret scanning for the same reasons) doesn't support the client/server mode.
@simar7 @nikpivkin I think we should update the document.
Configto unsupported in the tableOriginally posted by @knqyf263 in #7172 (reply in thread)
The text was updated successfully, but these errors were encountered: