I recently deployed Harbor and Trivy with automatic updating disabled. I hadn’t realised that this would prevent images from being scanned at all, and so needed to trigger a manual update. This note describes how to manually trigger an update to the Trivy database in Harbor deployed on top of VMware Tanzu Kubernetes Grid.
Switch context to the cluster where you have deployed Harbor.
kubectl config use-context tkg-services-admin@tkg-services
Trigger a database update inside the Trivy container. If the database is already up to date you will see no output.
kubectl -n tanzu-system-registry exec harbor-trivy-0 -it -- trivy server --download-db-only
Confirm that the database exists and has been updated recently.
kubectl -n tanzu-system-registry exec harbor-trivy-0 -it -- ls -al /home/scanner/.cache/trivy/db/
You are looking to confirm that both metadata.json and trivy.db are present and recent.
total 225136
drwxrws--- 2 scanner scanner      4096 2022-05-19 13:42 .
drwxrwsr-x 4 scanner scanner      4096 2022-05-16 12:55 ..
-rw-rw---- 1 scanner scanner       161 2022-05-19 13:42 metadata.json
-rw-rw-r-- 1 scanner scanner 230526976 2022-05-19 13:42 trivy.db
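The listing shows when the files were written, not how current the vulnerability data is. The following added example (not from the original note) reads the contents of metadata.json and classifies the database; it assumes the file carries RFC 3339 UpdatedAt and NextUpdate fields as Trivy writes them, and the 24-hour threshold, function names and sample are illustrative.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 timestamp; Go-written files may carry nanoseconds, which
# datetime.fromisoformat() rejects, so the fraction is captured separately.
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")


def parse_ts(value):
    """Parse an RFC 3339 timestamp, truncating the fraction to microseconds."""
    match = _TS.match(value)
    if not match:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    base, frac, zone = match.groups()
    micro = (frac or "")[:6].ljust(6, "0")
    offset = "+00:00" if zone == "Z" else zone
    return datetime.fromisoformat(f"{base}.{micro}{offset}")


def db_status(metadata_text, now, max_age=timedelta(hours=24)):
    """Classify the DB as missing, invalid, stale, update-due or fresh.

    max_age is an illustrative threshold, not a Trivy or Harbor setting.
    """
    if not metadata_text.strip():
        return "missing"  # empty or absent file: no database was downloaded
    try:
        meta = json.loads(metadata_text)
        updated = parse_ts(meta["UpdatedAt"])
        next_update = parse_ts(meta["NextUpdate"])
    except (ValueError, KeyError, TypeError):
        return "invalid"
    if now - updated > max_age:
        return "stale"  # data itself is old, whatever the file mtime says
    if now >= next_update:
        return "update-due"  # a newer database should be available
    return "fresh"


# Constructed sample, shaped like Trivy's metadata.json (not taken from the page).
SAMPLE = (
    '{"Version":2,"NextUpdate":"2022-05-19T18:07:02.634731123Z",'
    '"UpdatedAt":"2022-05-19T12:07:02.634731123Z",'
    '"DownloadedAt":"2022-05-19T13:42:10.5Z"}'
)

if __name__ == "__main__":
    print(db_status(SAMPLE, datetime.now(timezone.utc)))
```

To check a live deployment, pass db_status the text returned by running cat on /home/scanner/.cache/trivy/db/metadata.json inside the harbor-trivy-0 pod.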
If you need to update the vulnerability database in an offline deployment, follow the guide for an Air-Gapped Environment in the Trivy documentation.