github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-17 12:58:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: Add TrivyConfig.VulnSeveritySources (Trivy's --vuln-severity-source) (#3943)

Browse Source 
And default it to ["auto"] when unset, with an info log from applyDefaultValues.

Refactor CVE NewScanner to take *CVEConfig instead of separate DB repository
strings so the full Trivy block is available to the scanner.

Extend CLI and search tests for the new field and logged config; document
CVE/Trivy in examples/README and add examples/config-cve-trivy.json.

Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com>
This commit is contained in:
Andrei Aaron
2026-04-08 09:39:26 +03:00
committed by GitHub
parent c6289ec5ba
commit 451e7b8e47
15 changed files with 285 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files
examples/README.md
+16
View File
@@ -32,6 +32,7 @@ Examples of working configurations for various use cases are available [here](..
- [Storage Drivers](#storage-drivers)
- [Specifying S3 credentials](#specifying-s3-credentials)
- [Sync](#sync)
- [Search and CVE scanning (Trivy)](#search-and-cve-scanning-trivy)
## Network
@@ -1164,3 +1165,18 @@ sync can also read the certificates directly under certDir:
### Sync's credentials
Besides sync-auth.json file, zot also reads and uses docker credentials by default: https://docs.docker.com/reference/cli/docker/login/#description
## Search and CVE scanning (Trivy)
The `search` extension can include a `cve` section so zot downloads the [Trivy](https://github.com/aquasecurity/trivy) vulnerability database and exposes CVE data via the search API (for example GraphQL).
A minimal configuration only sets how often the DB is refreshed; zot applies defaults for Trivy DB locations and severity selection:
- [config-cve.json](config-cve.json) — `updateInterval` only; defaults are applied for the Trivy DB, Java DB (for language packages), and `vulnSeveritySources`.
To set those options explicitly (for example to mirror standalone Trivys `--vuln-severity-source` behavior), use a `trivy` object under `cve`:
- [config-cve-trivy.json](config-cve-trivy.json) — shows optional `dbRepository`, `javaDBRepository`, and `vulnSeveritySources`.
`vulnSeveritySources` is a list of source names in priority order (for example `auto`, `nvd`, or vendor IDs such as `redhat`, `alpine`). If omitted, zot defaults it to `["auto"]`, consistent with the Trivy CLI. See [Trivy: severity selection](https://trivy.dev/docs/latest/scanner/vulnerability/#severity-selection).