gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-05 20:40:16 -08:00
Code Issues Packages Projects Releases Wiki Activity

feat(flag): add --cacert flag (#9781)

Browse Source
This commit is contained in:
DmitriyLewen
2025-11-12 13:03:44 +06:00
committed by GitHub
parent 08d51a8e08
commit 6048173266
51 changed files with 115 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/docs/references/configuration/cli/trivy.md
View File

@@ -29,6 +29,7 @@ trivy [global flags] command [flags] target
### Options
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_clean.md
View File

@@ -35,6 +35,7 @@ trivy clean [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_cloud.md
View File

@@ -11,6 +11,7 @@ Control Trivy Cloud platform integration settings
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_cloud_config.md
View File

@@ -11,6 +11,7 @@ Control Trivy Cloud configuration
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_cloud_config_edit.md
View File

@@ -19,6 +19,7 @@ trivy cloud config edit [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_cloud_config_get.md
View File

@@ -28,6 +28,7 @@ trivy cloud config get [setting] [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_cloud_config_list.md
View File

@@ -19,6 +19,7 @@ trivy cloud config list [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_cloud_config_set.md
View File

@@ -28,6 +28,7 @@ trivy cloud config set [setting] [value] [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_cloud_config_unset.md
View File

@@ -28,6 +28,7 @@ trivy cloud config unset [setting] [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_config.md
View File

@@ -84,6 +84,7 @@ trivy config [flags] DIR
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_convert.md
View File

@@ -58,6 +58,7 @@ trivy convert [flags] RESULT_JSON
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_filesystem.md
View File

@@ -178,6 +178,7 @@ trivy filesystem [flags] PATH
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_image.md
View File

@@ -199,6 +199,7 @@ trivy image [flags] IMAGE_NAME
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_kubernetes.md
View File

@@ -187,6 +187,7 @@ trivy kubernetes [flags] [CONTEXT]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_login.md
View File

@@ -29,6 +29,7 @@ trivy login [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_logout.md
View File

@@ -15,6 +15,7 @@ trivy logout [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_module.md
View File

@@ -13,6 +13,7 @@ Manage modules
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_module_install.md
View File

@@ -15,6 +15,7 @@ trivy module install [flags] REPOSITORY
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_module_uninstall.md
View File

@@ -15,6 +15,7 @@ trivy module uninstall [flags] REPOSITORY
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_plugin.md
View File

@@ -11,6 +11,7 @@ Manage plugins
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_plugin_info.md
View File

@@ -15,6 +15,7 @@ trivy plugin info PLUGIN_NAME
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_plugin_install.md
View File

@@ -28,6 +28,7 @@ trivy plugin install NAME | URL | FILE_PATH
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_plugin_list.md
View File

@@ -15,6 +15,7 @@ trivy plugin list
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_plugin_run.md
View File

@@ -15,6 +15,7 @@ trivy plugin run NAME | URL | FILE_PATH
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_plugin_search.md
View File

@@ -15,6 +15,7 @@ trivy plugin search [KEYWORD]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_plugin_uninstall.md
View File

@@ -15,6 +15,7 @@ trivy plugin uninstall PLUGIN_NAME
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_plugin_update.md
View File

@@ -15,6 +15,7 @@ trivy plugin update
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_plugin_upgrade.md
View File

@@ -15,6 +15,7 @@ trivy plugin upgrade [PLUGIN_NAMES]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_registry.md
View File

@@ -11,6 +11,7 @@ Manage registry authentication
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_registry_login.md
View File

@@ -25,6 +25,7 @@ trivy registry login SERVER [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_registry_logout.md
View File

@@ -22,6 +22,7 @@ trivy registry logout SERVER [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_repository.md
View File

@@ -177,6 +177,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_rootfs.md
View File

@@ -179,6 +179,7 @@ trivy rootfs [flags] ROOTDIR
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_sbom.md
View File

@@ -147,6 +147,7 @@ trivy sbom [flags] SBOM_PATH
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_server.md
View File

@@ -45,6 +45,7 @@ trivy server [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_version.md
View File

@@ -16,6 +16,7 @@ trivy version [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_vex.md
View File

@@ -11,6 +11,7 @@
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_vex_repo.md
View File

@@ -25,6 +25,7 @@ Manage VEX repositories
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_vex_repo_download.md
View File

@@ -19,6 +19,7 @@ trivy vex repo download [REPO_NAMES] [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_vex_repo_init.md
View File

@@ -15,6 +15,7 @@ trivy vex repo init [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_vex_repo_list.md
View File

@@ -15,6 +15,7 @@ trivy vex repo list [flags]
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

1
docs/docs/references/configuration/cli/trivy_vm.md
View File

@@ -163,6 +163,7 @@ trivy vm [flags] VM_IMAGE
### Options inherited from parent commands
```
--cacert string Path to PEM-encoded CA certificate file
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode

3
docs/docs/references/configuration/config-file.md
View File

@@ -9,6 +9,9 @@ These samples contain default values for flags.
## Global options
```yaml
# Same as '--cacert'
cacert: ""
cache:
# Same as '--cache-dir'
dir: "/path/to/cache"

20
docs/docs/references/troubleshooting.md
View File

@@ -78,16 +78,28 @@ Common mistakes include the following, depending on where you are pulling images
$ TRIVY_INSECURE=true trivy image [YOUR_IMAGE]
```
On Unix systems other than macOS, you can specify the location of your certificate using `SSL_CERT_FILE` or `SSL_CERT_DIR` environment variables.
If you need to trust a custom CA certificate, you can provide a PEM-encoded bundle.
```
$ SSL_CERT_FILE=/path/to/cert trivy image [YOUR_IMAGE]
=== "Unix (except macOS)"
You can specify the location of your certificate using the `SSL_CERT_FILE` or `SSL_CERT_DIR` environment variables.
```bash
$ SSL_CERT_FILE=/path/to/ca.pem trivy image [YOUR_IMAGE]
```
```
```bash
$ SSL_CERT_DIR=/path/to/certs trivy image [YOUR_IMAGE]
```
=== "All systems"
Use the `--cacert` flag to point Trivy to a PEM-encoded CA certificate file, regardless of the operating system.
```bash
$ trivy image --cacert /path/to/ca.pem [YOUR_IMAGE]
```
### GitHub Rate limiting
Trivy uses GitHub API for [VEX repositories](../supply-chain/vex/repo.md).

1
pkg/commands/artifact/run.go
View File

@@ -131,6 +131,7 @@ func NewRunner(ctx context.Context, cliOptions flag.Options, targetKind TargetKi
// Set the default HTTP transport
xhttp.SetDefaultTransport(xhttp.NewTransport(xhttp.Options{
Insecure: cliOptions.Insecure,
CACerts: cliOptions.CACerts,
Timeout: cliOptions.Timeout,
TraceHTTP: cliOptions.TraceHTTP,
}))

1
pkg/commands/server/run.go
View File

@@ -22,6 +22,7 @@ func Run(ctx context.Context, opts flag.Options) (err error) {
// Set the default HTTP transport
xhttp.SetDefaultTransport(xhttp.NewTransport(xhttp.Options{
Insecure: opts.Insecure,
CACerts: opts.CACerts,
Timeout: opts.Timeout,
}))

1
pkg/fanal/image/registry/ecr/ecr.go
View File

@@ -37,6 +37,7 @@ func getSession(domain, region string, option types.RegistryOptions) (aws.Config
// cf. https://github.com/aquasecurity/trivy/discussions/9429
client := awshttp.NewBuildableClient().WithTransportOptions(func(transport *http.Transport) {
transport.TLSClientConfig.InsecureSkipVerify = option.Insecure
transport.TLSClientConfig.RootCAs = option.CACerts
})
// create custom credential information if option is valid
if option.AWSSecretKey != "" && option.AWSAccessKey != "" && option.AWSRegion != "" {

3
pkg/fanal/types/image.go
View File

@@ -1,6 +1,8 @@
package types
import (
"crypto/x509"
v1 "github.com/google/go-containerregistry/pkg/v1"
)
@@ -87,6 +89,7 @@ type RegistryOptions struct {
// SSL/TLS
Insecure bool
CACerts *x509.CertPool
// Architecture
Platform Platform

39
pkg/flag/global_flags.go
View File

@@ -1,10 +1,12 @@
package flag
import (
"crypto/x509"
"os"
"time"
"github.com/spf13/cobra"
"golang.org/x/xerrors"
"github.com/aquasecurity/trivy/pkg/cache"
"github.com/aquasecurity/trivy/pkg/log"
@@ -49,6 +51,12 @@ var (
Persistent: true,
TelemetrySafe: true,
}
CACertFlag = Flag[string]{
Name: "cacert",
ConfigName: "cacert",
Usage: "Path to PEM-encoded CA certificate file",
Persistent: true,
}
TimeoutFlag = Flag[time.Duration]{
Name: "timeout",
ConfigName: "timeout",
@@ -87,6 +95,7 @@ type GlobalFlagGroup struct {
Quiet *Flag[bool]
Debug *Flag[bool]
Insecure *Flag[bool]
CACert *Flag[string]
Timeout *Flag[time.Duration]
CacheDir *Flag[string]
GenerateDefaultConfig *Flag[bool]
@@ -100,6 +109,7 @@ type GlobalOptions struct {
Quiet bool
Debug bool
Insecure bool
CACerts *x509.CertPool
Timeout time.Duration
CacheDir string
GenerateDefaultConfig bool
@@ -113,6 +123,7 @@ func NewGlobalFlagGroup() *GlobalFlagGroup {
Quiet: QuietFlag.Clone(),
Debug: DebugFlag.Clone(),
Insecure: InsecureFlag.Clone(),
CACert: CACertFlag.Clone(),
Timeout: TimeoutFlag.Clone(),
CacheDir: CacheDirFlag.Clone(),
GenerateDefaultConfig: GenerateDefaultConfigFlag.Clone(),
@@ -131,6 +142,7 @@ func (f *GlobalFlagGroup) Flags() []Flagger {
f.Quiet,
f.Debug,
f.Insecure,
f.CACert,
f.Timeout,
f.CacheDir,
f.GenerateDefaultConfig,
@@ -156,6 +168,10 @@ func (f *GlobalFlagGroup) Bind(cmd *cobra.Command) error {
func (f *GlobalFlagGroup) ToOptions(opts *Options) error {
// Keep TRIVY_NON_SSL for backward compatibility
insecure := f.Insecure.Value() || os.Getenv("TRIVY_NON_SSL") != ""
caCerts, err := loadRootCAs(f.CACert.Value())
if err != nil {
return xerrors.Errorf("failed to load root CA certificates: %w", err)
}
log.Debug("Cache dir", log.String("dir", f.CacheDir.Value()))
@@ -165,6 +181,7 @@ func (f *GlobalFlagGroup) ToOptions(opts *Options) error {
Quiet: f.Quiet.Value(),
Debug: f.Debug.Value(),
Insecure: insecure,
CACerts: caCerts,
Timeout: f.Timeout.Value(),
CacheDir: f.CacheDir.Value(),
GenerateDefaultConfig: f.GenerateDefaultConfig.Value(),
@@ -172,3 +189,25 @@ func (f *GlobalFlagGroup) ToOptions(opts *Options) error {
}
return nil
}
// loadRootCAs builds a cert pool from the system pool and the provided PEM bundle.
// Returns nil if caCertPath is empty or on failure.
func loadRootCAs(caCertPath string) (*x509.CertPool, error) {
if caCertPath == "" {
return nil, nil
}
rootCAs, err := x509.SystemCertPool()
if err != nil || rootCAs == nil {
rootCAs = x509.NewCertPool()
}
pem, err := os.ReadFile(caCertPath)
if err != nil {
return nil, xerrors.Errorf("failed to read root CA certificate: %w", err)
}
if ok := rootCAs.AppendCertsFromPEM(pem); !ok {
return nil, xerrors.Errorf("failed to append CA bundle")
}
return rootCAs, nil
}

1
pkg/flag/options.go
View File

@@ -514,6 +514,7 @@ func (o *Options) RegistryOpts() ftypes.RegistryOptions {
Credentials: o.Credentials,
RegistryToken: o.RegistryToken,
Insecure: o.Insecure,
CACerts: o.CACerts,
Platform: o.Platform,
AWSRegion: o.AWSOptions.Region,
RegistryMirrors: o.RegistryMirrors,

7
pkg/x/http/transport.go
View File

@@ -4,6 +4,7 @@ import (
"cmp"
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"net"
"net/http"
@@ -30,6 +31,7 @@ func WithTransport(ctx context.Context, tr http.RoundTripper) context.Context {
type Options struct {
Insecure bool
Timeout time.Duration
CACerts *x509.CertPool
UserAgent string
TraceHTTP bool
}
@@ -68,10 +70,11 @@ func NewTransport(opts Options) http.RoundTripper {
}
tr.DialContext = d.DialContext
// Configure TLS
if opts.Insecure {
// Configure TLS only when needed.
if opts.CACerts != nil || opts.Insecure {
tr.TLSClientConfig = &tls.Config{
InsecureSkipVerify: opts.Insecure,
RootCAs: opts.CACerts,
}
}