# Default values for the trivy-operator Helm chart, these are used to render
# the templates into valid k8s Resources.

# managedBy is similar to .Release.Service but allows to overwrite the value
managedBy: Helm

# targetNamespace defines where you want trivy-operator to operate. By
# default, it's a blank string to select all namespaces, but you can specify
# another namespace, or a comma separated list of namespaces.
targetNamespaces: ""

# excludeNamespaces is a comma separated list of namespaces (or glob patterns)
# to be excluded from scanning. Only applicable in the all namespaces install
# mode, i.e. when the targetNamespaces values is a blank string.
excludeNamespaces: ""

# targetWorkloads is a comma seperated list of Kubernetes workload resources
# to be included in the vulnerability and config-audit scans
# if left blank, all workload resources will be scanned
targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"

nameOverride: ""
fullnameOverride: ""

operator:
  # namespace to install the operator, defaults to the .Release.Namespace
  namespace: ""
  # replicas the number of replicas of the operator's pod
  replicas: 1

  # additional labels for the operator pod
  podLabels: {}

  # leaderElectionId determines the name of the resource that leader election
  # will use for holding the leader lock.
  leaderElectionId: "trivyoperator-lock"

  # logDevMode the flag to enable development mode (more human-readable output, extra stack traces and logging information, etc)
  logDevMode: false

  # scanJobTimeout the length of time to wait before giving up on a scan job
  scanJobTimeout: 5m

  # scanJobsConcurrentLimit the maximum number of scan jobs create by the operator
  scanJobsConcurrentLimit: 10

  # scanJobsRetryDelay the duration to wait before retrying a failed scan job
  scanJobsRetryDelay: 30s

  # vulnerabilityScannerEnabled the flag to enable vulnerability scanner
  vulnerabilityScannerEnabled: true
  # scannerReportTTL the flag to set how long a report should exist. "" means that the ScannerReportTTL feature is disabled
  scannerReportTTL: "24h"
  # configAuditScannerEnabled the flag to enable configuration audit scanner
  configAuditScannerEnabled: true
  # rbacAssessmentScannerEnabled the flag to enable rbac assessment scanner
  rbacAssessmentScannerEnabled: true
  # infraAssessmentScannerEnabled the flag to enable infra assessment scanner
  infraAssessmentScannerEnabled: true
  # batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed.
  batchDeleteLimit: 10
  # vulnerabilityScannerScanOnlyCurrentRevisions the flag to only create vulnerability scans on the current revision of a deployment.
  vulnerabilityScannerScanOnlyCurrentRevisions: true
  # configAuditScannerScanOnlyCurrentRevisions the flag to only create config audit scans on the current revision of a deployment.
  configAuditScannerScanOnlyCurrentRevisions: true
  # batchDeleteDelay the duration to wait before deleting another batch of config audit reports.
  batchDeleteDelay: 10s
  # accessGlobalSecretsAndServiceAccount The flag to enable access to global secrets/service accounts to allow `vulnerability scan job` to pull images from private registries
  accessGlobalSecretsAndServiceAccount: true
  # builtInTrivyServer The flag enable the usage of built-in trivy server in cluster ,its also override the following trivy params with built-in values
  # trivy.mode = ClientServer and serverURL = http://<serverServiceName>.<trivy operator namespace>:4975
  builtInTrivyServer: false

  # trivyServerHealthCheckCacheExpiration The flag to set the interval for trivy server health cache before it invalidate
  trivyServerHealthCheckCacheExpiration: 10h

  # metricsFindingsEnabled the flag to enable metrics for findings
  metricsFindingsEnabled: true

  # metricsVulnIdEnabled the flag to enable metrics about cve vulns id
  # be aware of metrics cardinality is significantly increased with this feature enabled.
  metricsVulnIdEnabled: false

  # exposedSecretScannerEnabled the flag to enable exposed secret scanner
  exposedSecretScannerEnabled: true

  # webhookBroadcastURL the flag to set reports should be sent to a webhook endpoint. "" means that the webhookBroadcastURL feature is disabled
  webhookBroadcastURL: ""

  # webhookBroadcastTimeout the flag to set timeout for webhook requests if webhookBroadcastURL is enabled
  webhookBroadcastTimeout: 30s

  # privateRegistryScanSecretsNames is map of namespace:secrets which can be used to authenticate in private registries in case if there no imagePullSecrets provided
  privateRegistryScanSecretsNames: {}
  # mergeRbacFindingWithConfigAudit the flag to enable merging rbac finding with config-audit report
  mergeRbacFindingWithConfigAudit: false

image:
  repository: "ghcr.io/aquasecurity/trivy-operator"
  # tag is an override of the image tag, which is by default set by the
  # appVersion field in Chart.yaml.
  tag: ""
  pullPolicy: IfNotPresent
  pullSecrets: []

# service only expose a metrics endpoint for prometheus to scrape,
# trivy-operator does not have a user interface.
service:
  metricsPort: 80

# Prometheus ServiceMonitor configuration -- to install the trivy operator with the ServiceMonitor
# you must have Prometheus already installed and running
serviceMonitor:
  # enabled determines whether a serviceMonitor should be deployed
  enabled: false
  # The namespace where Prometheus expects to find service monitors
  # namespace: ""
  interval: ""
  # Additional labels for the serviceMonitor
  labels: {}
  # honorLabels: true

trivyOperator:
  # vulnerabilityReportsPlugin the name of the plugin that generates vulnerability reports `Trivy`
  vulnerabilityReportsPlugin: "Trivy"
  # configAuditReportsPlugin the name of the plugin that generates config audit reports.
  configAuditReportsPlugin: "Trivy"
  # scanJobCompressLogs control whether scanjob output should be compressed or plain
  scanJobCompressLogs: true
  # scanJobTolerations tolerations to be applied to the scanner pods so that they can run on nodes with matching taints
  scanJobTolerations: []
  # If you do want to specify tolerations, uncomment the following lines, adjust them as necessary, and remove the
  # square brackets after 'scanJobTolerations:'.
  # - key: "key1"
  #   operator: "Equal"
  #   value: "value1"
  #   effect: "NoSchedule"

  # scanJobNodeSelector nodeSelector to be applied to the scanner pods so that they can run on nodes with matching labels
  scanJobNodeSelector: {}
  # If you do want to specify nodeSelector, uncomment the following lines, adjust them as necessary, and remove the
  # square brackets after 'scanJobNodeSelector:'.
  #   nodeType: worker
  #   cpu: sandylake
  #   teamOwner: operators

  # scanJobAutomountServiceAccountToken the flag to enable automount for service account token on scan job
  scanJobAutomountServiceAccountToken: false

  # scanJobAnnotations comma-separated representation of the annotations which the user wants the scanner pods to be
  # annotated with. Example: `foo=bar,env=stage` will annotate the scanner pods with the annotations `foo: bar` and `env: stage`
  scanJobAnnotations: ""

  # scanJobPodTemplateLabels comma-separated representation of the labels which the user wants the scanner pods to be
  # labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage`
  scanJobPodTemplateLabels: ""

  # scanJobPodTemplatePodSecurityContext podSecurityContext the user wants the scanner pods to be amended with.
  # Example:
  #   RunAsUser: 10000
  #   RunAsGroup: 10000
  #   RunAsNonRoot: true
  scanJobPodTemplatePodSecurityContext: {}

  # scanJobPodTemplateContainerSecurityContext SecurityContext the user wants the scanner containers (and their
  # initContainers) to be amended with.
  scanJobPodTemplateContainerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    privileged: false
    readOnlyRootFilesystem: true
    # For filesystem scanning, Trivy needs to run as the root user
    # runAsUser: 0

  # reportResourceLabels comma-separated scanned resource labels which the user wants to include in the Prometheus
  # metrics report. Example: `owner,app`
  reportResourceLabels: ""

  # reportRecordFailedChecksOnly flag is to record only failed checks on misconfiguration reports (config-audit and rbac assessment)
  reportRecordFailedChecksOnly: true

  # skipResourceByLabels  comma-separated labels keys which trivy-operator will skip scanning on resources with matching labels
  skipResourceByLabels: ""

  # metricsResourceLabelsPrefix Prefix that will be prepended to the labels names indicated in `reportResourceLabels`
  # when including them in the Prometheus metrics
  metricsResourceLabelsPrefix: "k8s_label_"

trivy:
  # createConfig indicates whether to create config objects
  createConfig: true

  # repository of the Trivy image
  repository: ghcr.io/aquasecurity/trivy
  # tag version of the Trivy image
  tag: 0.35.0
  # imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret
  # It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace
  # imagePullSecret:

  # mode is the Trivy client mode. Either Standalone or ClientServer. Depending
  # on the active mode other settings might be applicable or required.
  mode: Standalone

  # additionalVulnerabilityReportFields is a comma separated list of additional fields which
  # can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS, Target, Class and PackageType
  additionalVulnerabilityReportFields: ""

  # httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities database from GitHub.
  #
  # httpProxy:

  # httpsProxy is the HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub.
  #
  # httpsProxy:

  # noProxy is a comma separated list of IPs and domain names that are not subject to proxy settings.
  #
  # noProxy:

  # Registries without SSL. There can be multiple registries with different keys.
  nonSslRegistries: {}
  #  pocRegistry: poc.myregistry.harbor.com.pl
  #  qaRegistry: qa.registry.aquasec.com
  #  internalRegistry: registry.registry.svc:5000

  # The registry to which insecure connections are allowed. There can be multiple registries with different keys.
  insecureRegistries: {}
  #  pocRegistry: poc.myregistry.harbor.com.pl
  #  qaRegistry: qa.registry.aquasec.com
  #  internalRegistry: registry.registry.svc:5000

  # Mirrored registries. There can be multiple registries with different keys.
  # Make sure to quote registries containing dots
  registry:
    mirror: {}
    # "docker.io": docker-mirror.example.com

  # severity is a comma separated list of severity levels reported by Trivy.
  severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL

  # slow this flag is to use less CPU/memory for scanning though it takes more time than normal scanning. It fits small-footprint
  slow: true
  # ignoreUnfixed is the flag to show only fixed vulnerabilities in
  # vulnerabilities reported by Trivy. Set to true to enable it.
  #
  ignoreUnfixed: false
  # a comma separated list of directories for Trivy to skip
  skipDirs:

  # offlineScan is the flag to enable the offline scan functionality in Trivy
  # This will prevent outgoing HTTP requests, e.g. to search.maven.org
  offlineScan: false

  # timeout is the duration to wait for scan completion.
  timeout: "5m0s"

  # ignoreFile can be used to tell Trivy to ignore vulnerabilities by ID (one per line)
  #
  # ignoreFile: |
  #   CVE-1970-0001
  #   CVE-1970-0002

  # resources resource requests and limits
  resources:
    requests:
      cpu: 100m
      memory: 100M
    limits:
      cpu: 500m
      memory: 500M

  # githubToken is the GitHub access token used by Trivy to download the vulnerabilities
  # database from GitHub. Only applicable in Standalone mode.
  #
  # githubToken: "*****"

  # serverURL is the endpoint URL of the Trivy server. Required in ClientServer mode.
  #
  # serverURL: "https://trivy.trivy:4975"

  # serverInsecure is the flag to enable insecure connection to the Trivy server.
  #
  # serverInsecure: true
  # serverToken is the token to authenticate Trivy client with Trivy server. Only
  # applicable in ClientServer mode.
  #
  # serverToken: "*****"

  # existingSecret if a secret containing gitHubToken, serverToken or serverCustomHeaders has been created outside the chart (e.g external-secrets, sops, etc...).
  # Keys must be at least one of the following: trivy.githubToken, trivy.serverToken, trivy.serverCustomHeaders
  # Overrides trivy.gitHubToken, trivy.serverToken, trivy.serverCustomHeaders values.
  # Note: The secret has to be named "trivy-operator-trivy-config".
  # existingSecret: true

  # serverTokenHeader is the name of the HTTP header used to send the authentication
  # token to Trivy server. Only application in ClientServer mode when
  # trivy.serverToken is specified.
  serverTokenHeader: "Trivy-Token"

  # serverCustomHeaders is a comma separated list of custom HTTP headers sent by
  # Trivy client to Trivy server. Only applicable in ClientServer mode.
  #
  # serverCustomHeaders: "foo=bar"

  dbRepository: "ghcr.io/aquasecurity/trivy-db"

  # The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env)
  #
  dbRepositoryInsecure: "false"

  # The Flag to enable the usage of builtin rego policies by default
  #
  useBuiltinRegoPolicies: "true"

  # The Flag is the list of supported kinds separated by comma delimiter to be scanned by the config audit scanner
  #
  supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"

  # command. One of `image`, `filesystem` or `rootfs` scanning, depending on the target type required for the scan.
  # For 'filesystem' and `rootfs` scanning, ensure that the `trivyOperator.scanJobPodTemplateContainerSecurityContext` is configured
  # to run as the root user (runAsUser = 0).
  command: image
  # serverUser this param is the server user to be used to download db from private registry
  serverUser: ""
  # serverPassword this param is the server user to be used to download db from private registry
  serverPassword: ""
  # serverServiceName this param is the server service name to be used in cluster
  serverServiceName: "trivy-service"

compliance:
  # failEntriesLimit the flag to limit the number of fail entries per control check in the cluster compliance detail report
  failEntriesLimit: 10

rbac:
  create: true
serviceAccount:
  # Specifies whether a service account should be created.
  create: true
  annotations: {}
  # name specifies the name of the k8s Service Account. If not set and create is
  # true, a name is generated using the fullname template.
  name: ""

# podAnnotations annotations added to the operator's pod
podAnnotations: {}

podSecurityContext: {}
  # fsGroup: 2000

securityContext:
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

# volumeMounts:
# Example:
#  - mountPath: /tmp
#    name: tmp-data
#    readOnly: false

# volumes:
# Example:
#  - name: tmp-data
#    emptyDir: {}

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

nodeSelector: {}

tolerations: []

affinity: {}

priorityClassName: ""

  # automountServiceAccountToken the flag to enable automount for service account token
automountServiceAccountToken: true