Seeking Guidance for Scanning GCP Images Built with Packer Using Trivy
Hello Trivy and Google Cloud Users,
I am using Packer to build custom images on Google Cloud Platform (GCP) and am interested in implementing security scanning for these images using Trivy (all this is done in a Tekton pipeline). However, I’ve encountered challenges with integrating Trivy’s scanning capabilities with GCP, particularly since Trivy currently supports local VM images and Amazon EC2, but not Google Compute Engine (GCE) images directly.
From what I understand, Trivy employs a method in AWS that involves using the Direct API for EBS snapshots, allowing scanning of only the necessary blocks of an image, which significantly accelerates the scanning process. Unfortunately, GCP does not offer a directly comparable API, and the current method might require downloading the entire disk to perform the scan, which is not efficient.
Topics for Discussion and Questions:
- API Availability: Does GCP offer any APIs similar to AWS’s Direct API for block-level image scanning that could be integrated with Trivy? This would be ideal for efficiently scanning only parts of the image.
- Partial Download Techniques: Is there a way to implement partial image downloads in GCP, perhaps using Google Storage’s HTTP range parameter, to mimic the functionality of the AWS Direct API? This could potentially allow Trivy to scan sections of an image without needing the entire file.
- Best Practices for Image Scanning in GCP: If direct API integration or partial downloads aren’t feasible, what are the recommended practices for scanning VM images built with Packer on GCP using Trivy?
- Community Experience and Suggestions: I would also appreciate hearing from anyone who has successfully integrated Trivy with GCP or has found workarounds for similar challenges.
Your insights and recommendations would be greatly appreciated as they will help not only in enhancing security practices but also in optimizing the scanning process for GCP images.
Thank you!
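As an added Go example (not the poster's code and not part of Trivy), this is the partial-download idea from the second question: an io.ReaderAt that fetches only the byte ranges a disk-image reader asks for, using HTTP Range requests against a Cloud Storage object URL. It assumes the server honours Range, that the http.Client already adds any Authorization header needed, and that the object size was read from its metadata beforehand; the URL form, type and field names are my own.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
)

// RangeReaderAt exposes a remote object, e.g. a raw disk image exported to a
// GCS bucket, as an io.ReaderAt: each ReadAt is one GET with a Range header, so
// only the byte ranges a scanner touches are transferred. Assumed: the server
// honours Range (GCS does), Client adds any Authorization header needed, and
// Size was taken from the object's metadata (HEAD Content-Length) up front.
type RangeReaderAt struct {
	Client  *http.Client
	URL     string // e.g. https://storage.googleapis.com/BUCKET/OBJECT
	Size    int64
	Fetched int64 // bytes actually downloaded, to compare against Size afterwards
}

// ReadAt implements io.ReaderAt; a short read at the end of the object
// returns io.EOF as the interface requires.
func (r *RangeReaderAt) ReadAt(p []byte, off int64) (int, error) {
	if off >= r.Size {
		return 0, io.EOF
	}
	end := off + int64(len(p)) - 1 // last byte wanted, inclusive
	if end >= r.Size {
		end = r.Size - 1
	}
	req, err := http.NewRequest(http.MethodGet, r.URL, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Range", fmt.Sprintf("bytes=%d-%d", off, end))
	resp, err := r.Client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusPartialContent { // Range ignored: refuse a full download
		return 0, fmt.Errorf("GET %s: want 206 Partial Content, got %d", r.URL, resp.StatusCode)
	}
	n, err := io.ReadFull(resp.Body, p[:end-off+1])
	r.Fetched += int64(n)
	if err == nil && int64(n) < int64(len(p)) {
		err = io.EOF
	}
	return n, err
}
```

Whether this saves anything depends on the export format: a raw image lets a filesystem parser seek straight to the blocks it needs, whereas a compressed export has to be decompressed sequentially, so the whole object is read anyway.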