feat(image): add registry options (#3906)

Author: knqyf263

.github/workflows/test.yaml

@@ -41,7 +41,7 @@ jobs:
       - name: Lint
         uses: golangci/[email protected]
         with:
-          version: v1.49
+          version: v1.52
           args: --deadline=30m
           skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
         if: matrix.operating-system == 'ubuntu-latest'

Makefile

@@ -28,7 +28,7 @@ $(GOBIN)/crane:
 	go install github.com/google/go-containerregistry/cmd/[email protected]
 
 $(GOBIN)/golangci-lint:
-	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0
+	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.52.2
 
 $(GOBIN)/labeler:
 	go install github.com/knqyf263/labeler@latest

docs/docs/advanced/private-registries/docker-hub.md

@@ -1,7 +1,2 @@
-Docker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
-You don't need to set ENV vars when download from public repository.
-
-```bash
-export TRIVY_USERNAME={DOCKERHUB_USERNAME}
-export TRIVY_PASSWORD={DOCKERHUB_PASSWORD}
-```
+See [here](./index.md) for the detail.
+You don't need to provide a credential when download from public repository.

docs/docs/advanced/private-registries/index.md

@@ -1,4 +1,49 @@
-Trivy can download images from a private registry, without installing `Docker` or any other 3rd party tools.
-That's because it's easy to run in a CI process.
+Trivy can download images from a private registry without the need for installing Docker or any other 3rd party tools.
+This makes it easy to run within a CI process.
 
-All you have to do is install `Trivy` and set ENV vars.
+## Credential
+To use Trivy with private images, simply install it and provide your credentials:
+
+```shell
+$ TRIVY_USERNAME=YOUR_USERNAME TRIVY_PASSWORD=YOUR_PASSWORD trivy image YOUR_PRIVATE_IMAGE
+```
+
+Trivy also supports providing credentials through CLI flags:
+
+```shell
+$ TRIVY_PASSWORD=YOUR_PASSWORD trivy image --username YOUR_USERNAME YOUR_PRIVATE_IMAGE
+```
+
+!!! warning
+    The CLI flag `--password` is available, but its use is not recommended for security reasons.
+
+You can also store your credentials in `trivy.yaml`.
+For more information, please refer to [the documentation](../../references/customization/config-file.md).
+
+It can handle multiple sets of credentials as well:
+
+```shell
+$ export TRIVY_USERNAME=USERNAME1,USERNAME2
+$ export TRIVY_PASSWORD=PASSWORD1,PASSWORD2
+$ trivy image YOUR_PRIVATE_IMAGE
+```
+
+In the example above, Trivy attempts to use two pairs of credentials:
+
+- USERNAME1/PASSWORD1
+- USERNAME2/PASSWORD2
+
+Please note that the number of usernames and passwords must be the same.
+
+## docker login
+If you have Docker configured locally and have set up the credentials, Trivy can access them.
+
+```shell
+$ docker login ghcr.io
+Username: 
+Password:
+$ trivy image ghcr.io/your/private_image
+```
+
+!!! note
+    `docker login` can be used with any container runtime, such as Podman.

docs/docs/references/customization/config-file.md

@@ -163,6 +163,23 @@ db:
   java-repository: ghcr.io/aquasecurity/trivy-java-db
 ```
 
+## Registry Options
+
+```yaml
+registry:
+  # Same as '--username'
+  # Default is empty
+  username:
+
+  # Same as '--password'
+  # Default is empty
+  password:
+    
+  # Same as '--registry-token'
+  # Default is empty
+  registry-token:
+```
+
 ## Image Options
 Available with container image scanning
 

docs/docs/target/container_image.md

@@ -437,6 +437,9 @@ $ trivy image --compliance docker-cis [YOUR_IMAGE_NAME]
 !!! note
     The `Issues` column represent the total number of failed checks for this control.
 
+## Authentication
+Please reference [this page](../advanced/private-registries/index.md).
+
 ## Options
 ### Scan Image on a specific Architecture and OS
 By default, Trivy loads an image on a "linux/amd64" machine.

go.mod

@@ -32,7 +32,6 @@ require (
 	github.com/aws/aws-sdk-go-v2/config v1.18.15
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.89.1
 	github.com/aws/aws-sdk-go-v2/service/sts v1.18.5
-	github.com/caarlos0/env/v6 v6.10.1
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.1.2
 	github.com/containerd/containerd v1.6.19

go.sum

@@ -513,8 +513,6 @@ github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXe
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
 github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/bytecodealliance/wasmtime-go v1.0.0 h1:9u9gqaUiaJeN5IoD1L7egD8atOnTGyJcNp8BhkL9cUU=
-github.com/caarlos0/env/v6 v6.10.1 h1:t1mPSxNpei6M5yAeu1qtRdPAK29Nbcf/n3G7x+b3/II=
-github.com/caarlos0/env/v6 v6.10.1/go.mod h1:hvp/ryKXKipEkcuYjs9mI4bBCg+UI0Yhgm5Zu0ddvwc=
 github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
 github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=

pkg/commands/app.go

@@ -228,6 +228,7 @@ func NewImageCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		MisconfFlagGroup:       flag.NewMisconfFlagGroup(),
 		ModuleFlagGroup:        flag.NewModuleFlagGroup(),
 		RemoteFlagGroup:        flag.NewClientFlags(), // for client/server mode
+		RegistryFlagGroup:      flag.NewRegistryFlagGroup(),
 		RegoFlagGroup:          flag.NewRegoFlagGroup(),
 		ReportFlagGroup:        reportFlagGroup,
 		ScanFlagGroup:          flag.NewScanFlagGroup(),
@@ -304,6 +305,7 @@ func NewFilesystemCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		MisconfFlagGroup:       flag.NewMisconfFlagGroup(),
 		ModuleFlagGroup:        flag.NewModuleFlagGroup(),
 		RemoteFlagGroup:        flag.NewClientFlags(), // for client/server mode
+		RegistryFlagGroup:      flag.NewRegistryFlagGroup(),
 		RegoFlagGroup:          flag.NewRegoFlagGroup(),
 		ReportFlagGroup:        reportFlagGroup,
 		ScanFlagGroup:          flag.NewScanFlagGroup(),
@@ -359,6 +361,7 @@ func NewRootfsCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		MisconfFlagGroup:       flag.NewMisconfFlagGroup(),
 		ModuleFlagGroup:        flag.NewModuleFlagGroup(),
 		RemoteFlagGroup:        flag.NewClientFlags(), // for client/server mode
+		RegistryFlagGroup:      flag.NewRegistryFlagGroup(),
 		RegoFlagGroup:          flag.NewRegoFlagGroup(),
 		ReportFlagGroup:        reportFlagGroup,
 		ScanFlagGroup:          flag.NewScanFlagGroup(),
@@ -415,6 +418,7 @@ func NewRepositoryCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		LicenseFlagGroup:       flag.NewLicenseFlagGroup(),
 		MisconfFlagGroup:       flag.NewMisconfFlagGroup(),
 		ModuleFlagGroup:        flag.NewModuleFlagGroup(),
+		RegistryFlagGroup:      flag.NewRegistryFlagGroup(),
 		RegoFlagGroup:          flag.NewRegoFlagGroup(),
 		RemoteFlagGroup:        flag.NewClientFlags(), // for client/server mode
 		ReportFlagGroup:        reportFlagGroup,
@@ -472,6 +476,7 @@ func NewClientCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		CacheFlagGroup:         flag.NewCacheFlagGroup(),
 		DBFlagGroup:            flag.NewDBFlagGroup(),
 		MisconfFlagGroup:       flag.NewMisconfFlagGroup(),
+		RegistryFlagGroup:      flag.NewRegistryFlagGroup(),
 		RegoFlagGroup:          flag.NewRegoFlagGroup(),
 		RemoteFlagGroup:        remoteFlags,
 		ReportFlagGroup:        flag.NewReportFlagGroup(),
@@ -567,10 +572,11 @@ func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	}
 
 	configFlags := &flag.Flags{
-		CacheFlagGroup:   flag.NewCacheFlagGroup(),
-		MisconfFlagGroup: flag.NewMisconfFlagGroup(),
-		ModuleFlagGroup:  flag.NewModuleFlagGroup(),
-		RegoFlagGroup:    flag.NewRegoFlagGroup(),
+		CacheFlagGroup:    flag.NewCacheFlagGroup(),
+		MisconfFlagGroup:  flag.NewMisconfFlagGroup(),
+		ModuleFlagGroup:   flag.NewModuleFlagGroup(),
+		RegistryFlagGroup: flag.NewRegistryFlagGroup(),
+		RegoFlagGroup:     flag.NewRegoFlagGroup(),
 		K8sFlagGroup: &flag.K8sFlagGroup{
 			// disable unneeded flags
 			K8sVersion: &flag.K8sVersionFlag,

pkg/commands/artifact/inject.go

@@ -22,7 +22,7 @@ import (
 // initializeDockerScanner is for container image scanning in standalone mode
 // e.g. dockerd, container registry, podman, etc.
 func initializeDockerScanner(ctx context.Context, imageName string, artifactCache cache.ArtifactCache,
-	localArtifactCache cache.LocalArtifactCache, dockerOpt types.DockerOption, artifactOption artifact.Option) (
+	localArtifactCache cache.LocalArtifactCache, remoteOpt types.RemoteOptions, artifactOption artifact.Option) (
 	scanner.Scanner, func(), error) {
 	wire.Build(scanner.StandaloneDockerSet)
 	return scanner.Scanner{}, nil, nil
@@ -69,7 +69,7 @@ func initializeVMScanner(ctx context.Context, filePath string, artifactCache cac
 // initializeRemoteDockerScanner is for container image scanning in client/server mode
 // e.g. dockerd, container registry, podman, etc.
 func initializeRemoteDockerScanner(ctx context.Context, imageName string, artifactCache cache.ArtifactCache,
-	remoteScanOptions client.ScannerOption, dockerOpt types.DockerOption, artifactOption artifact.Option) (
+	remoteScanOptions client.ScannerOption, remoteOpt types.RemoteOptions, artifactOption artifact.Option) (
 	scanner.Scanner, func(), error) {
 	wire.Build(scanner.RemoteDockerSet)
 	return scanner.Scanner{}, nil, nil