feat: support --skip-images scanning flag (aquasecurity#6334)

chen-keinan · web-flow · commit e739ab85063c · 2024-05-02T11:49:39.000Z
Signed-off-by: chenk &lt;hen.keinan@gmail.com&gt;
diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -96,6 +96,7 @@ trivy kubernetes [flags] [CONTEXT]
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
+      --skip-images                       skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources
       --skip-java-db-update               skip updating Java index database
       --skip-policy-update                skip fetching rego policy updates
   -t, --template string                   output template
diff --git a/pkg/flag/kubernetes_flags.go b/pkg/flag/kubernetes_flags.go
@@ -47,6 +47,11 @@ var (
 		ConfigName: "kubernetes.exclude.owned",
 		Usage:      "exclude resources that have an owner reference",
 	}
+	SkipImages = Flag[bool]{
+		Name:       "skip-images",
+		ConfigName: "kubernetes.skipImages",
+		Usage:      "skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources",
+	}
 	ExcludeNodes = Flag[[]string]{
 		Name:       "exclude-nodes",
 		ConfigName: "kubernetes.exclude.nodes",
@@ -95,6 +100,7 @@ type K8sFlagGroup struct {
 	NodeCollectorImageRef  *Flag[string]
 	NodeCollectorNamespace *Flag[string]
 	ExcludeOwned           *Flag[bool]
+	SkipImages             *Flag[bool]
 	ExcludeNodes           *Flag[[]string]
 	ExcludeKinds           *Flag[[]string]
 	IncludeKinds           *Flag[[]string]
@@ -118,6 +124,7 @@ type K8sOptions struct {
 	ExcludeNamespaces      []string
 	IncludeNamespaces      []string
 	QPS                    float32
+	SkipImages             bool
 	Burst                  int
 }
 
@@ -136,6 +143,7 @@ func NewK8sFlagGroup() *K8sFlagGroup {
 		IncludeNamespaces:      IncludeNamespaces.Clone(),
 		NodeCollectorImageRef:  NodeCollectorImageRef.Clone(),
 		QPS:                    QPS.Clone(),
+		SkipImages:             SkipImages.Clone(),
 		Burst:                  Burst.Clone(),
 	}
 }
@@ -159,6 +167,7 @@ func (f *K8sFlagGroup) Flags() []Flagger {
 		f.ExcludeNamespaces,
 		f.IncludeNamespaces,
 		f.QPS,
+		f.SkipImages,
 		f.Burst,
 	}
 }
@@ -199,6 +208,7 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) {
 		ExcludeNodes:           exludeNodeLabels,
 		NodeCollectorImageRef:  f.NodeCollectorImageRef.Value(),
 		QPS:                    float32(f.QPS.Value()),
+		SkipImages:             f.SkipImages.Value(),
 		ExcludeKinds:           f.ExcludeKinds.Value(),
 		IncludeKinds:           f.IncludeKinds.Value(),
 		ExcludeNamespaces:      f.ExcludeNamespaces.Value(),
diff --git a/pkg/k8s/scanner/scanner.go b/pkg/k8s/scanner/scanner.go
@@ -89,7 +89,7 @@ func (s *Scanner) Scan(ctx context.Context, artifactsData []*artifacts.Artifact)
 
 	onItem := func(ctx context.Context, artifact *artifacts.Artifact) (scanResult, error) {
 		scanResults := scanResult{}
-		if s.opts.Scanners.AnyEnabled(types.VulnerabilityScanner, types.SecretScanner) {
+		if s.opts.Scanners.AnyEnabled(types.VulnerabilityScanner, types.SecretScanner) && !s.opts.SkipImages {
 			opts := s.opts
 			opts.Credentials = make([]ftypes.Credential, len(s.opts.Credentials))
 			copy(opts.Credentials, s.opts.Credentials)
