Air-Gapped Environment

    First, download the vulnerability database for use in the air-gapped environment: go to trivy-db and download the latest release. If you download trivy-light-offline.db.tgz, you have to run Trivy with the --light option.

    Transfer the DB file into the air-gapped environment

    The way of transfer depends on the environment.

    $ rsync -av -e ssh /path/to/trivy-offline.db.tgz [user]@[host]:dst

    You have to know where to put the DB file. The following command shows the default cache directory.

    $ ssh user@host
    $ trivy -h | grep cache
    --cache-dir value cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]

    Put the DB file in the db subdirectory of the cache directory (cache directory + /db).

    $ mkdir -p /home/myuser/.cache/trivy/db
    $ cd /home/myuser/.cache/trivy/db
    $ mv /path/to/trivy-offline.db.tgz .

    In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities.

    Run Trivy with the --skip-update option

    In an air-gapped environment, specify --skip-update so that Trivy doesn’t attempt to download the latest database file.

    $ trivy image --skip-update alpine:3.12

    Air-Gapped Environment for misconfigurations

    First, download the misconfiguration policies for use in the air-gapped environment. Follow the oras installation instructions, then download bundle.tar.gz:

    $ oras pull ghcr.io/aquasecurity/appshield:latest -a

    Transfer misconfiguration policies into the air-gapped environment

    The way of transfer depends on the environment.

    Put the misconfiguration policies file in the policy/content subdirectory of the cache directory (cache directory + /policy/content).

    $ mkdir -p /home/myuser/.cache/trivy/policy/content
    $ cd /home/myuser/.cache/trivy/policy/content
    $ mv /path/to/bundle.tar.gz .

    Then decompress it. bundle.tar.gz contains two folders, docker and kubernetes, and one file, .manifest.

    $ tar xvf bundle.tar.gz
    x ./docker/
    ...
    x ./kubernetes/
    ...
    x ./.manifest

    In an air-gapped environment it is your responsibility to update policies on a regular basis, so that the scanner can detect recently-identified misconfigurations.

    Run Trivy with the --skip-policy-update option

    In an air-gapped environment, specify --skip-policy-update so that Trivy doesn’t attempt to download the latest misconfiguration policies.

    $ trivy conf --skip-policy-update /path/to/conf
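The following POSIX shell script is an added example and is not part of the Trivy documentation or the Trivy project. It stages both artifacts described above, the offline vulnerability DB and the misconfiguration policy bundle, into the cache directory, resolving that directory from TRIVY_CACHE_DIR or the $HOME/.cache/trivy default shown in the help output, and it refuses to unpack a policy bundle that does not contain the docker/, kubernetes/ and .manifest entries, so a truncated or wrong download is caught before Trivy is run with --skip-policy-update. The function names are my own; the script assumes a POSIX sh and a tar that understands gzip.

```shell
#!/bin/sh
# Added example: stage offline Trivy artifacts into the cache directory.
# Assumes the cache directory resolution shown by `trivy -h | grep cache`:
# $TRIVY_CACHE_DIR if set, otherwise $HOME/.cache/trivy.

# Resolve the cache directory the same way the help output describes.
trivy_cache_dir() {
  if [ -n "${TRIVY_CACHE_DIR:-}" ]; then
    printf '%s\n' "$TRIVY_CACHE_DIR"
  else
    printf '%s\n' "$HOME/.cache/trivy"
  fi
}

# Copy the downloaded DB archive into <cache>/db and print its final path.
stage_offline_db() {
  archive="$1"
  dest="$(trivy_cache_dir)/db"
  [ -f "$archive" ] || { echo "DB archive not found: $archive" >&2; return 1; }
  mkdir -p "$dest" || return 1
  cp "$archive" "$dest/" || return 1
  printf '%s\n' "$dest/$(basename "$archive")"
}

# Check that a policy bundle has the layout the docs describe (docker/,
# kubernetes/, .manifest) before it is unpacked. Entries may be listed
# either as "docker/" or as "./docker/" depending on how the tarball was built.
check_policy_bundle() {
  bundle="$1"
  listing="$(tar tzf "$bundle" 2>/dev/null)" || {
    echo "not a readable gzip tarball: $bundle" >&2; return 1; }
  for entry in docker/ kubernetes/ .manifest; do
    printf '%s\n' "$listing" | grep -q -x -F -e "$entry" -e "./$entry" || {
      echo "bundle is missing $entry" >&2; return 1; }
  done
}

# Copy the bundle into <cache>/policy/content and unpack it there.
stage_policy_bundle() {
  bundle="$1"
  dest="$(trivy_cache_dir)/policy/content"
  check_policy_bundle "$bundle" || return 1
  mkdir -p "$dest" || return 1
  cp "$bundle" "$dest/" || return 1
  (cd "$dest" && tar xzf "$(basename "$bundle")") || return 1
  # Confirm the unpacked layout matches what Trivy expects to find.
  [ -f "$dest/.manifest" ] && [ -d "$dest/docker" ] && [ -d "$dest/kubernetes" ]
}

# Usage: sh stage-offline.sh /path/to/trivy-offline.db.tgz /path/to/bundle.tar.gz
if [ "$#" -eq 2 ]; then
  stage_offline_db "$1" && stage_policy_bundle "$2"
fi
```

After the script succeeds on the air-gapped host, the scans are run exactly as the docs show, with trivy image --skip-update and trivy conf --skip-policy-update, so that Trivy uses the staged files instead of trying to reach the network.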