Commit
docs: provide more information on scanning Google's GCR (#1426)
Co-authored-by: Teppei Fukuda <[email protected]>
1 parent f50e1f4, commit 7beed30
Showing 1 changed file with 35 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,40 @@ | ||
Trivy uses Google Cloud SDK. You don't need to install `gcloud` command. | ||
# Requirements | ||
None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command. | ||
|
||
If you want to use target project's repository, you can settle via `GOOGLE_APPLICATION_CREDENTIAL`. | ||
# Privileges | ||
Credential file must have the `roles/storage.objectViewer` permissions. | ||
More information can be found in [Google's documentation](https://cloud.google.com/container-registry/docs/access-control) | ||
|
||
## JSON File Format | ||
The JSON file specified should have the following format provided by google's service account mechanisms: | ||
|
||
```json | ||
{ | ||
"type": "service_account", | ||
"project_id": "your_special_project", | ||
"private_key_id": "XXXXXXXXXXXXXXXXXXXXxx", | ||
"private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n", | ||
"client_email": "somedude@your_special_project.iam.gserviceaccount.com", | ||
"client_id": "1234567890", | ||
"auth_uri": "https://accounts.google.com/o/oauth2/auth", | ||
"token_uri": "https://oauth2.googleapis.com/token", | ||
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", | ||
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com" | ||
} | ||
``` | ||
|
||
# Usage | ||
If you want to use target project's repository, you can set them via `GOOGLE_APPLICATION_CREDENTIALS`. | ||
```bash | ||
# must set TRIVY_USERNAME empty char | ||
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json | ||
``` | ||
|
||
# Testing | ||
You can test credentials in the following manner (assuming they are in `/tmp` on host machine). | ||
|
||
```bash | ||
docker run -it --rm -v /tmp:/tmp\ | ||
-e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\ | ||
aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag | ||
``` |
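Review bot: in the Testing block, `-v /tmp:/tmp\` and `-e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\` have no space before the backslash, so unless the following lines are indented the shell joins `/tmp:/tmp` and `-e` into one argument and `docker run` fails; write them as `-v /tmp:/tmp \` and `-e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json \`. In the Usage block, the comment `# must set TRIVY_USERNAME empty char` names a variable the block never sets; either add the `export TRIVY_USERNAME=` line the comment implies or drop the comment, since as written a reader cannot tell whether it is required. Under Privileges, `roles/storage.objectViewer` is an IAM role rather than a permission, so "the service account must be granted the `roles/storage.objectViewer` role" is more accurate, and it is worth saying explicitly that this read-only role is all Trivy needs so the credential file is not granted anything broader. Finally, the test command mounts all of host `/tmp` into the container; mounting only the credential file, read-only (`-v /tmp/service_account.json:/tmp/service_account.json:ro`), exposes less of the host for the same result.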