
Vulnerability Database Persistence

Trivy relies on a database of vulnerability information during its scans. This database is updated every 6 hours.

When scanning JAR files, Trivy additionally downloads a separate Java-specific database every 3 days.

Both databases are distributed via the GitHub Container Registry (GHCR) and cached by Trivy on the local file system.

Starting with version 0.8.4, Zora persists the Trivy databases by default, caching them between scheduled scans. Scheduled scans therefore may not need to download the databases again, saving compute resources, time and network bandwidth.

This is done by creating a PersistentVolumeClaim during a Zora installation or upgrade through Helm. A Job is also created that downloads the vulnerability database ahead of time, so that it is already available for the first scheduled scan.

This persistence can be disabled or configured with the following Helm parameters:

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| scan.plugins.trivy.persistence.enabled | bool | true | Specifies whether the Trivy vulnerability database should be persisted between scans using a PersistentVolumeClaim |
| scan.plugins.trivy.persistence.accessMode | string | "ReadWriteOnce" | Persistence access mode |
| scan.plugins.trivy.persistence.storageClass | string | "" | Persistence storage class. Leave empty to use the default storage class |
| scan.plugins.trivy.persistence.storageRequest | string | "1Gi" | Persistence storage size |
| scan.plugins.trivy.persistence.downloadJavaDB | bool | false | Specifies whether the Java vulnerability database should be downloaded on helm install/upgrade |

These parameters can be specified with the `--set key=value` argument of the `helm upgrade --install` command.
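As an added example (not part of the Zora documentation or chart), the same parameters expressed as a Helm values file, which is easier to review and version than a long list of `--set` flags. The nesting follows the dotted keys from the table above; the storage class name `fast-ssd` and the 2Gi size are assumed placeholder values that you would replace with what your cluster provides.

```yaml
# values.yaml (constructed example, not shipped with Zora)
scan:
  plugins:
    trivy:
      persistence:
        # Keep the Trivy databases on a PersistentVolumeClaim between scheduled
        # scans instead of re-downloading them from GHCR on every run.
        enabled: true
        # ReadWriteOnce: the volume is mounted by pods on a single node at a time.
        accessMode: ReadWriteOnce
        # Placeholder storage class; leave as "" to use the cluster default.
        storageClass: fast-ssd
        # Placeholder size; raise it from the 1Gi default if the Java DB is also cached.
        storageRequest: 2Gi
        # Also fetch the Java-specific database during install/upgrade so the
        # first JAR scan does not have to wait for the 3-day download.
        downloadJavaDB: true
```

Apply it with `helm upgrade --install <release> <chart> -f values.yaml` (release and chart names are placeholders here). After the upgrade, `kubectl get pvc,job -n <zora-namespace>` should show the claim bound and the download Job completed before the first scheduled scan runs. One caveat that follows from the `ReadWriteOnce` default: on a multi-node cluster with node-bound storage, a scan pod scheduled on a different node than the one holding the volume cannot attach it, so either choose a storage class that supports the required access mode or verify where the scan pods land.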