Enabling Trivy in Harbor
fengjian1585 · 2025-12-16 · via 博客园 - fengjian1585
# 1. Edit the Harbor configuration file
vim /path/to/harbor/harbor.yml

# 2. Add or modify the Trivy configuration
trivy:
  enabled: true
  port: 8080
  skip_update: false
  offline_scan: false
  insecure: false

Modify the docker-compose.yaml file

  trivy-adapter:
    container_name: trivy-adapter
    image: goharbor/trivy-adapter-photon:v2.11.0
    restart: always
    environment:
      # Core settings - the correct variable names in Harbor 2.11
      SCANNER_TRIVY_DB_REPOSITORY: ghcr.m.daocloud.io/aquasecurity/trivy-db
      SCANNER_TRIVY_JAVA_DB_REPOSITORY: ghcr.m.daocloud.io/aquasecurity/trivy-java-db
      # Booleans are quoted so that Compose passes them as strings
      SCANNER_TRIVY_SKIP_DB_UPDATE: "true"
      SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE: "true"
      SCANNER_TRIVY_OFFLINE_SCAN: "true"
      TRIVY_DB_REPOSITORY: ghcr.m.daocloud.io/aquasecurity/trivy-db
      TRIVY_JAVA_DB_REPOSITORY: ghcr.m.daocloud.io/aquasecurity/trivy-java-db
    cap_drop:
      - ALL
    depends_on:
      - log
      - redis
    networks:
      - harbor
    volumes:
      - type: bind
        source: /data/usershare/harbor/trivy
        target: /home/scanner/.cache/trivy
      - type: bind
        source: /data/usershare/harbor/harbor/reports
        target: /home/scanner/.cache/reports
      - type: bind
        source: /data/usershare/harbor/harbor/trust-certificates
        target: /harbor_cust_cert
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://localhost:1514"
        tag: "trivy-adapter"
    env_file:
      ./common/config/trivy-adapter/env
networks:
  harbor:
    external: false

# 4. Edit the configuration file

vim ./common/config/trivy-adapter/env

# Trivy DB repositories (key point: use a mirror inside China to speed up downloads)
SCANNER_TRIVY_DB_REPOSITORY=ghcr.m.daocloud.io/aquasecurity/trivy-db
SCANNER_TRIVY_JAVA_DB_REPOSITORY=ghcr.m.daocloud.io/aquasecurity/trivy-java-db
# Scan timeout (key point: fixes "context deadline exceeded")
SCANNER_TRIVY_SERVER_TIMEOUT=10m

# DB update interval (default value, can be kept)
SCANNER_TRIVY_DB_UPDATE_INTERVAL=24h

# Registry connection timeout (default value, can be kept)
SCANNER_TRIVY_REGISTRY_TIMEOUT=1m

# 3. Reinstall Harbor (keeping the data)

docker ps -a

docker restart 271eb1fce5d0

Download the databases with the trivy binary. mirror.gci.io is unavailable, so specify the DB directory:

trivy image --java-db-repository ghcr.m.daocloud.io/aquasecurity/trivy-java-db --cache-dir /root/.cache/trivy/ --download-java-db-only

trivy image --db-repository ghcr.m.daocloud.io/aquasecurity/trivy-db --cache-dir /root/.cache/trivy/ --download-db-only

Scan an image with trivy:

trivy image --cache-dir /root/.cache/trivy/ 172.20.1.1/test/kylin-server-platform:v11-2026xxxxx
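
With SCANNER_TRIVY_SKIP_DB_UPDATE and SCANNER_TRIVY_OFFLINE_SCAN set to true, scans run against whatever database is already in the cache directory, so an old database silently misses newer CVEs. The following script is an added example, not part of the original post: it reads the UpdatedAt field of the metadata.json that Trivy keeps under db/ and java-db/ in the cache directory and flags a missing or stale database. The age thresholds and the sample metadata are assumptions.

```python
"""Report how old the Trivy vulnerability databases in a cache directory are."""
import json
import re
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed sample of <cache-dir>/db/metadata.json (values are illustrative).
SAMPLE_METADATA = ('{"Version": 2, "NextUpdate": "2025-12-16T06:12:34.5Z", '
                   '"UpdatedAt": "2025-12-15T06:12:34.123456789Z"}')


def parse_ts(value):
    """Parse an RFC 3339 timestamp with up to nanosecond precision."""
    m = re.fullmatch(r"(.+T\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)", value)
    if not m:
        raise ValueError(f"unrecognised timestamp {value!r}")
    base, frac, tz = m.groups()
    frac = (frac or "0")[:6].ljust(6, "0")  # datetime keeps microseconds only
    return datetime.fromisoformat(f"{base}.{frac}{'+00:00' if tz == 'Z' else tz}")


def check_db(cache_dir, name, max_age, now=None):
    """Return (status, detail) for <cache_dir>/<name>/metadata.json."""
    now = now or datetime.now(timezone.utc)
    path = Path(cache_dir) / name / "metadata.json"
    try:
        raw = json.loads(path.read_text())["UpdatedAt"]
        updated = parse_ts(raw).astimezone(timezone.utc)
    except OSError as exc:  # file or directory absent: DB was never downloaded
        return "missing", f"{path}: {exc.strerror}"
    except (ValueError, KeyError, TypeError) as exc:
        return "invalid", f"{path}: {exc!r}"
    age = now - updated
    status = "stale" if age > max_age else "ok"
    return status, f"{name} built {updated:%Y-%m-%d %H:%M} UTC, {age.days} day(s) old"


if __name__ == "__main__":
    cache = sys.argv[1] if len(sys.argv) > 1 else "/root/.cache/trivy/"
    # Assumed thresholds: adjust to how often you re-run the download commands.
    limits = (("db", timedelta(days=2)), ("java-db", timedelta(days=7)))
    results = [check_db(cache, name, limit) for name, limit in limits]
    for status, detail in results:
        print(f"[{status}] {detail}")
    sys.exit(0 if all(status == "ok" for status, _ in results) else 1)
```

To check the database the Harbor scanner uses, pass the host directory that is bind-mounted to /home/scanner/.cache/trivy (here /data/usershare/harbor/trivy) as the first argument.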