feat: support --skip-images scanning flag (#6334)

Signed-off-by: chenk <hen.keinan@gmail.com>
2025-12-12 15:50:15 -08:00 · 2024-05-02 14:49:39 +03:00
parent c6d5d856ce
commit e739ab8506
3 changed files with 12 additions and 1 deletions
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -96,6 +96,7 @@ trivy kubernetes [flags] [CONTEXT]
      --skip-db-update                    skip updating vulnerability database
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
+      --skip-images                       skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources
      --skip-java-db-update               skip updating Java index database
      --skip-policy-update                skip fetching rego policy updates
  -t, --template string                   output template
--- a/pkg/flag/kubernetes_flags.go
+++ b/pkg/flag/kubernetes_flags.go
@@ -47,6 +47,11 @@ var (
 		ConfigName: "kubernetes.exclude.owned",
 		Usage:      "exclude resources that have an owner reference",
 	}
+	SkipImages = Flag[bool]{
+		Name:       "skip-images",
+		ConfigName: "kubernetes.skipImages",
+		Usage:      "skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources",
+	}
 	ExcludeNodes = Flag[[]string]{
 		Name:       "exclude-nodes",
 		ConfigName: "kubernetes.exclude.nodes",
@@ -95,6 +100,7 @@ type K8sFlagGroup struct {
 	NodeCollectorImageRef  *Flag[string]
 	NodeCollectorNamespace *Flag[string]
 	ExcludeOwned           *Flag[bool]
+	SkipImages             *Flag[bool]
 	ExcludeNodes           *Flag[[]string]
 	ExcludeKinds           *Flag[[]string]
 	IncludeKinds           *Flag[[]string]
@@ -118,6 +124,7 @@ type K8sOptions struct {
 	ExcludeNamespaces      []string
 	IncludeNamespaces      []string
 	QPS                    float32
+	SkipImages             bool
 	Burst                  int
 }

@@ -136,6 +143,7 @@ func NewK8sFlagGroup() *K8sFlagGroup {
 		IncludeNamespaces:      IncludeNamespaces.Clone(),
 		NodeCollectorImageRef:  NodeCollectorImageRef.Clone(),
 		QPS:                    QPS.Clone(),
+		SkipImages:             SkipImages.Clone(),
 		Burst:                  Burst.Clone(),
 	}
 }
@@ -159,6 +167,7 @@ func (f *K8sFlagGroup) Flags() []Flagger {
 		f.ExcludeNamespaces,
 		f.IncludeNamespaces,
 		f.QPS,
+		f.SkipImages,
 		f.Burst,
 	}
 }
@@ -199,6 +208,7 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) {
 		ExcludeNodes:           exludeNodeLabels,
 		NodeCollectorImageRef:  f.NodeCollectorImageRef.Value(),
 		QPS:                    float32(f.QPS.Value()),
+		SkipImages:             f.SkipImages.Value(),
 		ExcludeKinds:           f.ExcludeKinds.Value(),
 		IncludeKinds:           f.IncludeKinds.Value(),
 		ExcludeNamespaces:      f.ExcludeNamespaces.Value(),
--- a/pkg/k8s/scanner/scanner.go
+++ b/pkg/k8s/scanner/scanner.go
@@ -89,7 +89,7 @@ func (s *Scanner) Scan(ctx context.Context, artifactsData []*artifacts.Artifact)

 	onItem := func(ctx context.Context, artifact *artifacts.Artifact) (scanResult, error) {
 		scanResults := scanResult{}
-		if s.opts.Scanners.AnyEnabled(types.VulnerabilityScanner, types.SecretScanner) {
+		if s.opts.Scanners.AnyEnabled(types.VulnerabilityScanner, types.SecretScanner) && !s.opts.SkipImages {
 			opts := s.opts
 			opts.Credentials = make([]ftypes.Credential, len(s.opts.Credentials))
 			copy(opts.Credentials, s.opts.Credentials)