I recently deployed Harbor and Trivy with automatic updating disabled. I hadn't realised that this would prevent images from being scanned at all and so needed to trigger a manual update. This note describes how to manually trigger an update to the Trivy database in Harbor deployed on top of VMware Tanzu Kubernetes Grid.
Instructions
Switch context to the cluster where you have deployed Harbor.
kubectl config use-context tkg-services-admin@tkg-services
Trigger a database update inside the Trivy container. If the database is already up to date you will see no output.
kubectl -n tanzu-system-registry exec harbor-trivy-0 -it -- trivy server --download-db-only
Confirm that the database exists and has been updated recently (the pod lives in the same namespace as above, so pass it explicitly).
kubectl -n tanzu-system-registry exec harbor-trivy-0 -it -- ls -al /home/scanner/.cache/trivy/db/
You are looking to confirm that both metadata.json and trivy.db are present and recent.
total 225136
drwxrws--- 2 scanner scanner 4096 2022-05-19 13:42 .
drwxrwsr-x 4 scanner scanner 4096 2022-05-16 12:55 ..
-rw-rw---- 1 scanner scanner 161 2022-05-19 13:42 metadata.json
-rw-rw-r-- 1 scanner scanner 230526976 2022-05-19 13:42 trivy.db
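As an added example (not part of the original note), a small POSIX shell script that wraps the same kubectl commands: it reads metadata.json from the Trivy pod, decides from its NextUpdate field whether the database is still current, and only runs the download when it is missing or stale. It assumes the metadata.json layout Trivy writes (a flat JSON document containing a NextUpdate timestamp in UTC RFC 3339 form); NS, POD and DB_DIR match the values used above and can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not from the original note: refresh the Harbor Trivy DB only
# when metadata.json says it is missing or past its NextUpdate time.
NS="${NS:-tanzu-system-registry}"
POD="${POD:-harbor-trivy-0}"
DB_DIR="${DB_DIR:-/home/scanner/.cache/trivy/db}"

# Extract a string field ($1) from a flat JSON document ($2); enough for metadata.json.
json_field() {
  printf '%s' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Classify the database described by $1 (metadata.json contents) at time $2 (UTC RFC 3339):
#   0 = current, 1 = stale (NextUpdate already passed), 2 = no usable metadata.
# Zero-padded UTC RFC 3339 strings sort chronologically, so a plain string comparison
# is used; sub-second precision is ignored. (Assumption: the field is named NextUpdate.)
trivy_db_state() {
  meta=$1; now=$2
  next=$(json_field NextUpdate "$meta")
  [ -n "$next" ] || return 2
  [ "$next" \> "$now" ] && return 0
  return 1
}

# The procedure from the note, made conditional: read metadata from the pod,
# download only when needed, then list the DB directory for confirmation.
ensure_trivy_db() {
  meta=$(kubectl -n "$NS" exec "$POD" -- cat "$DB_DIR/metadata.json" 2>/dev/null) || meta=""
  now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  if trivy_db_state "$meta" "$now"; then
    echo "Trivy DB is current (NextUpdate=$(json_field NextUpdate "$meta"))"
  else
    echo "Trivy DB missing or stale; downloading (no output means nothing to do)"
    kubectl -n "$NS" exec "$POD" -- trivy server --download-db-only
  fi
  kubectl -n "$NS" exec "$POD" -- ls -al "$DB_DIR"
}

# Only talk to the cluster when invoked as: sh check_trivy_db.sh run
case "${1:-}" in run) ensure_trivy_db ;; esac
```

Run it with the `run` argument from a shell whose current kubectl context is the cluster hosting Harbor, as in the first step above.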
If you need to update the vulnerability database in an offline deployment, follow the guide for an Air-Gapped Environment in the Trivy documentation.