Vulnerability Database Persistence
Trivy uses a database of vulnerability information in its scans. This database is updated every 6 hours.
When scanning JAR files, Trivy downloads a separate Java-specific database every 3 days.
Both databases are distributed via the GitHub Container Registry (GHCR) and cached by Trivy on the local file system.
Starting with version 0.8.4, Zora persists the Trivy databases by default, caching them between scheduled scans. This means that scheduled scans may not need to download the databases again, saving compute resources, time, and network bandwidth.
This is done by applying a PersistentVolumeClaim during a Zora installation or upgrade through Helm. A Job is also applied that simply downloads the vulnerability database so that it is ready for the first scheduled scan.
This persistence can be disabled or configured with the following Helm parameters:
Key | Type | Default | Description |
---|---|---|---|
scan.plugins.trivy.persistence.enabled | bool | true | Specifies whether the Trivy vulnerability database should be persisted between scans, using a PersistentVolumeClaim |
scan.plugins.trivy.persistence.accessMode | string | "ReadWriteOnce" | Persistence access mode |
scan.plugins.trivy.persistence.storageClass | string | "" | Persistence storage class. Set to empty to use the default storage class |
scan.plugins.trivy.persistence.storageRequest | string | "2Gi" | Persistence storage size |
scan.plugins.trivy.persistence.downloadJavaDB | bool | false | Specifies whether the Java vulnerability database should be downloaded on helm install/upgrade |
These parameters can be specified using the --set key=value argument of the helm upgrade --install command.
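As an added example (not taken from the Zora documentation), the same parameters expressed as a Helm values file, which is the nested form of the dotted --set keys above. The release name, namespace, chart reference and the kubectl checks in the comments are assumptions, not values from the page.

```yaml
# values-trivy-persistence.yaml (constructed example)
# Equivalent to:
#   --set scan.plugins.trivy.persistence.enabled=true \
#   --set scan.plugins.trivy.persistence.accessMode=ReadWriteOnce \
#   --set scan.plugins.trivy.persistence.storageClass="" \
#   --set scan.plugins.trivy.persistence.storageRequest=4Gi \
#   --set scan.plugins.trivy.persistence.downloadJavaDB=true
scan:
  plugins:
    trivy:
      persistence:
        # keep the Trivy DB on a PersistentVolumeClaim between scheduled scans
        enabled: true
        # ReadWriteOnce is the default; change only if several scan pods on
        # different nodes must share the same volume (needs an RWX-capable class)
        accessMode: ReadWriteOnce
        # empty string selects the cluster's default StorageClass
        storageClass: ""
        # raised from the 2Gi default to leave room for the Java DB as well
        storageRequest: 4Gi
        # also pre-download the Java DB on install/upgrade so JAR scans
        # do not pay the download cost during the first scheduled scan
        downloadJavaDB: true

# Apply with (release name, namespace and chart reference are placeholders):
#   helm upgrade --install <release> <zora-chart> -n <namespace> \
#     -f values-trivy-persistence.yaml
# Then confirm the claim is Bound and the download Job has completed:
#   kubectl -n <namespace> get pvc
#   kubectl -n <namespace> get jobs
```

If the PVC stays Pending, the usual cause is a missing or non-default StorageClass; set storageClass explicitly in that case.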