This PR contains the following updates: | Package | Update | Change | |---|---|---| | [mirror.gcr.io/aquasec/trivy](https://www.aquasec.com/products/trivy/) ([source](https://github.com/aquasecurity/trivy)) | minor | `0.66.0` -> `0.67.0` | --- ### Release Notes <details> <summary>aquasecurity/trivy (mirror.gcr.io/aquasec/trivy)</summary> ### [`v0.67.0`](https://github.com/aquasecurity/trivy/blob/HEAD/CHANGELOG.md#0670-2025-09-30) [Compare Source](https://github.com/aquasecurity/trivy/compare/v0.66.0...v0.67.0) ##### Features - add documentation URL for database lock errors ([#​9531](https://github.com/aquasecurity/trivy/issues/9531)) ([eba48af](eba48afd58)) - **cli:** change --list-all-pkgs default to true ([#​9510](https://github.com/aquasecurity/trivy/issues/9510)) ([7b663d8](7b663d86ca)) - **cloudformation:** support default values and list results in Fn::FindInMap ([#​9515](https://github.com/aquasecurity/trivy/issues/9515)) ([42b3bf3](42b3bf37bb)) - **cyclonedx:** preserve SBOM structure when scanning SBOM files with vulnerability updates ([#​9439](https://github.com/aquasecurity/trivy/issues/9439)) ([aff03eb](aff03ebab2)) - **redhat:** add os-release detection for RHEL-based images ([#​9458](https://github.com/aquasecurity/trivy/issues/9458)) ([cb25a07](cb25a07450)) - **sbom:** added support for CoreOS ([#​9448](https://github.com/aquasecurity/trivy/issues/9448)) ([6d562a3](6d562a3b48)) - **seal:** add seal support ([#​9370](https://github.com/aquasecurity/trivy/issues/9370)) ([e4af279](e4af279b29)) ##### Bug Fixes - **aws:** use `BuildableClient` insead of `xhttp.Client` ([#​9436](https://github.com/aquasecurity/trivy/issues/9436)) ([fa6f1bf](fa6f1bfecf)) - close file descriptors and pipes on error paths ([#​9536](https://github.com/aquasecurity/trivy/issues/9536)) ([a4cbd6a](a4cbd6a138)) - **db:** Dowload database when missing but metadata still exists ([#​9393](https://github.com/aquasecurity/trivy/issues/9393)) ([92ebc7e](92ebc7e4d7)) - **k8s:** disable 
parallel traversal with fs cache for k8s images ([#​9534](https://github.com/aquasecurity/trivy/issues/9534)) ([c0c7a6b](c0c7a6bf1b)) - **misconf:** handle tofu files in module detection ([#​9486](https://github.com/aquasecurity/trivy/issues/9486)) ([bfd2f6b](bfd2f6ba69)) - **misconf:** strip build metadata suffixes from image history ([#​9498](https://github.com/aquasecurity/trivy/issues/9498)) ([c938806](c9388069a4)) - **misconf:** unmark cty values before access ([#​9495](https://github.com/aquasecurity/trivy/issues/9495)) ([8e40d27](8e40d27a43)) - **misconf:** wrap legacy ENV values in quotes to preserve spaces ([#​9497](https://github.com/aquasecurity/trivy/issues/9497)) ([267a970](267a9700fa)) - **nodejs:** parse workspaces as objects for package-lock.json files ([#​9518](https://github.com/aquasecurity/trivy/issues/9518)) ([404abb3](404abb3d91)) - **nodejs:** use snapshot string as `Package.ID` for pnpm packages ([#​9330](https://github.com/aquasecurity/trivy/issues/9330)) ([4517e8c](4517e8c0ef)) - **vex:** don't suppress vulns for packages with infinity loop ([#​9465](https://github.com/aquasecurity/trivy/issues/9465)) ([78f0d4a](78f0d4ae03)) - **vuln:** compare `nuget` package names in lower case ([#​9456](https://github.com/aquasecurity/trivy/issues/9456)) ([1ff9ac7](1ff9ac7948)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). 
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMTYuNiIsInVwZGF0ZWRJblZlciI6IjQxLjExNi42IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJpbWFnZSJdfQ==--> Reviewed-on: #1622 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
| trivy-operator:
 | |
|   targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
 | |
|   operator:
 | |
|     replicas: 1
 | |
|     vulnerabilityScannerEnabled: false
 | |
|     sbomGenerationEnabled: false
 | |
|     clusterSbomCacheEnabled: false
 | |
|     configAuditScannerEnabled: true
 | |
|     rbacAssessmentScannerEnabled: true
 | |
|     infraAssessmentScannerEnabled: false
 | |
|     clusterComplianceEnabled: false
 | |
|   serviceMonitor:
 | |
|     enabled: true
 | |
|   trivy:
 | |
|     createConfig: true
 | |
|     image:
 | |
|       registry: mirror.gcr.io
 | |
|       repository: aquasec/trivy
 | |
|       tag: 0.67.0
 | |
|     storageClassEnabled: true
 | |
|     storageClassName: ceph-block
 | |
|     storageSize: "5Gi"
 | |
|     registry:
 | |
|       mirror:
 | |
|         "registry-1.docker.io": proxy-registry-1.docker.io
 | |
|         "quay.io": proxy-quay.io
 | |
|         "registry.k8s.io": proxy-registry.k8s
 | |
|         "gcr.io": proxy-gcr.io
 | |
|         "ghcr.io": proxy-ghcr.io
 | |
|         "hub.docker": proxy-hub.docker
 | |
|     severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
 | |
|     slow: true
 | |
|     resources:
 | |
|       requests:
 | |
|         cpu: 100m
 | |
|         memory: 128M
 | |
|     supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
 | |
|     server:
 | |
|       resources:
 | |
|         requests:
 | |
|           cpu: 200m
 | |
|           memory: 512Mi
 | |
|       replicas: 1
 | |
|   compliance:
 | |
|     reportType: summary
 | |
|     cron: 0 5 * * *
 | |
|     specs:
 | |
|       - k8s-cis-1.23
 | |
|       - k8s-nsa-1.0
 | |
|       - k8s-pss-baseline-0.1
 | |
|       - k8s-pss-restricted-0.1
 | |
|   volumeMounts:
 | |
|     - mountPath: /tmp
 | |
|       name: cache-policies
 | |
|       readOnly: false
 | |
|   volumes:
 | |
|     - name: cache-policies
 | |
|       emptyDir: {}
 | |
|   resources:
 | |
|     requests:
 | |
|       cpu: 100m
 | |
|       memory: 128Mi
 | |
|   nodeCollector:
 | |
|     tolerations:
 | |
|       - key: node-role.kubernetes.io/control-plane
 | |
|         operator: Exists
 | |
|         effect: NoSchedule
 | |
|     volumeMounts:
 | |
|       - name: var-lib-etcd
 | |
|         mountPath: /var/lib/etcd
 | |
|         readOnly: true
 | |
|       - name: var-lib-kubelet
 | |
|         mountPath: /var/lib/kubelet
 | |
|         readOnly: true
 | |
|       - name: var-lib-kube-scheduler
 | |
|         mountPath: /var/lib/kube-scheduler
 | |
|         readOnly: true
 | |
|       - name: var-lib-kube-controller-manager
 | |
|         mountPath: /var/lib/kube-controller-manager
 | |
|         readOnly: true
 | |
|       - name: etc-kubernetes
 | |
|         mountPath: /etc/kubernetes
 | |
|         readOnly: true
 | |
|       - name: etc-cni-netd
 | |
|         mountPath: /etc/cni/net.d/
 | |
|         readOnly: true
 | |
|     volumes:
 | |
|       - name: var-lib-etcd
 | |
|         hostPath:
 | |
|           path: /var/lib/etcd
 | |
|       - name: var-lib-kubelet
 | |
|         hostPath:
 | |
|           path: /var/lib/kubelet
 | |
|       - name: var-lib-kube-scheduler
 | |
|         hostPath:
 | |
|           path: /var/lib/kube-scheduler
 | |
|       - name: var-lib-kube-controller-manager
 | |
|         hostPath:
 | |
|           path: /var/lib/kube-controller-manager
 | |
|       - name: etc-kubernetes
 | |
|         hostPath:
 | |
|           path: /etc/kubernetes
 | |
|       - name: etc-cni-netd
 | |
|         hostPath:
 | |
|           path: /etc/cni/net.d/
 |