# Default values for the trivy-operator Helm chart, these are used to render
# the templates into valid k8s Resources.

# managedBy is similar to .Release.Service but allows to overwrite the value
managedBy: Helm

# targetNamespace defines where you want trivy-operator to operate. By
# default, it's a blank string to select all namespaces, but you can specify
# another namespace, or a comma separated list of namespaces.
targetNamespaces: ""

# excludeNamespaces is a comma separated list of namespaces (or glob patterns)
# to be excluded from scanning. Only applicable in the all namespaces install
# mode, i.e. when the targetNamespaces values is a blank string.
excludeNamespaces: "kube-system,{{ .Release.Namespace }}"

nameOverride: ""
fullnameOverride: ""

operator:
  # replicas the number of replicas of the operator's pod
  replicas: 1

  # additional labels for the operator pod
  podLabels: {}

  # leaderElectionId determines the name of the resource that leader election
  # will use for holding the leader lock.
  leaderElectionId: "trivyoperator-lock"

  # logDevMode the flag to enable development mode (more human-readable output, extra stack traces and logging information, etc)
  logDevMode: false

  # scanJobTimeout the length of time to wait before giving up on a scan job
  scanJobTimeout: 5m

  # scanJobsConcurrentLimit the maximum number of scan jobs create by the operator
  scanJobsConcurrentLimit: 10

  # scanJobsRetryDelay the duration to wait before retrying a failed scan job
  scanJobsRetryDelay: 30s

  # vulnerabilityScannerEnabled the flag to enable vulnerability scanner
  vulnerabilityScannerEnabled: true
  # vulnerabilityScannerReportTTL the flag to set how long a vulnerability report should exist. "" means that the vulnerabilityScannerReportTTL feature is disabled
  vulnerabilityScannerReportTTL: "24h"
  # configAuditScannerEnabled the flag to enable configuration audit scanner
  configAuditScannerEnabled: true
  # rbacAssessmentScannerEnabled the flag to enable rbac assessment scanner
  rbacAssessmentScannerEnabled: true
  # clusterComplianceEnabled the flag to enable cluster compliance report generation
  clusterComplianceEnabled: false
  # batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed.
  batchDeleteLimit: 10
  # vulnerabilityScannerScanOnlyCurrentRevisions the flag to only create vulnerability scans on the current revision of a deployment.
  vulnerabilityScannerScanOnlyCurrentRevisions: true
  # configAuditScannerScanOnlyCurrentRevisions the flag to only create config audit scans on the current revision of a deployment.
  configAuditScannerScanOnlyCurrentRevisions: true
  # batchDeleteDelay the duration to wait before deleting another batch of config audit reports.
  batchDeleteDelay: 10s

  # metricsFindingsEnabled the flag to enable metrics for findings
  metricsFindingsEnabled: true

  # exposedSecretScannerEnabled the flag to enable exposed secret scanner
  exposedSecretScannerEnabled: true

  # webhookBroadcastURL the flag to set reports should be sent to a webhook endpoint. "" means that the webhookBroadcastURL feature is disabled
  webhookBroadcastURL: ""

  # webhookBroadcastTimeout the flag to set timeout for webhook requests if webhookBroadcastURL is enabled
  webhookBroadcastTimeout: 30s

image:
  repository: "ghcr.io/aquasecurity/trivy-operator"
  # tag is an override of the image tag, which is by default set by the
  # appVersion field in Chart.yaml.
  tag: ""
  pullPolicy: IfNotPresent
  pullSecrets: []

# service only expose a metrics endpoint for prometheus to scrape,
# trivy-operator does not have a user interface.
service:
  metricsPort: 80

# Prometheus ServiceMonitor configuration
serviceMonitor:
  # enabled determines whether a serviceMonitor should be deployed
  enabled: false
  # The namespace where Prometheus expects to find service monitors
  # namespace: ""
  interval: ""
  # Additional labels for the serviceMonitor
  labels: {}
  # honorLabels: true

trivyOperator:
  # vulnerabilityReportsPlugin the name of the plugin that generates vulnerability reports `Trivy`
  vulnerabilityReportsPlugin: "Trivy"
  # configAuditReportsPlugin the name of the plugin that generates config audit reports.
  configAuditReportsPlugin: "Trivy"

  # scanJobTolerations tolerations to be applied to the scanner pods so that they can run on nodes with matching taints
  scanJobTolerations: []
  # If you do want to specify tolerations, uncomment the following lines, adjust them as necessary, and remove the
  # square brackets after 'scanJobTolerations:'.
  # - key: "key1"
  #   operator: "Equal"
  #   value: "value1"
  #   effect: "NoSchedule"

  # scanJobNodeSelector nodeSelector to be applied to the scanner pods so that they can run on nodes with matching labels
  scanJobNodeSelector: {}
  # If you do want to specify nodeSelector, uncomment the following lines, adjust them as necessary, and remove the
  # square brackets after 'scanJobNodeSelector:'.
  #   nodeType: worker
  #   cpu: sandylake
  #   teamOwner: operators

  # scanJobAnnotations comma-separated representation of the annotations which the user wants the scanner pods to be
  # annotated with. Example: `foo=bar,env=stage` will annotate the scanner pods with the annotations `foo: bar` and `env: stage`
  scanJobAnnotations: ""

  # scanJobPodTemplateLabels comma-separated representation of the labels which the user wants the scanner pods to be
  # labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage`
  scanJobPodTemplateLabels: ""

  # scanJobPodTemplateSecurityContext podSecurityContext the user wants the scanner pods to be amended with.
  # Example:
  #   RunAsUser: 10000
  #   RunAsGroup: 10000
  #   RunAsNonRoot: true
  scanJobPodTemplateSecurityContext: ""

  # scanJobPodTemplateContainerSecurityContext SecurityContext the user wants the scanner containers (and their
  # initContainers) to be amended with.
  scanJobPodTemplateContainerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    privileged: false
    readOnlyRootFilesystem: true
    # For filesystem scanning, Trivy needs to run as the root user
    # runAsUser: 0

trivy:
  # createConfig indicates whether to create config objects
  createConfig: true

  # imageRef the Trivy image reference.
  imageRef: ghcr.io/aquasecurity/trivy:0.31.3

  # mode is the Trivy client mode. Either Standalone or ClientServer. Depending
  # on the active mode other settings might be applicable or required.
  mode: Standalone

  # additionalVulnerabilityReportFields is a comma separated list of additional fields which
  # can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS and Target
  additionalVulnerabilityReportFields: ""

  # httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities database from GitHub.
  #
  # httpProxy:

  # httpsProxy is the HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub.
  #
  # httpsProxy:

  # noProxy is a comma separated list of IPs and domain names that are not subject to proxy settings.
  #
  # noProxy:

  # Registries without SSL. There can be multiple registries with different keys.
  nonSslRegistries: {}
  #  pocRegistry: poc.myregistry.harbor.com.pl
  #  qaRegistry: qa.registry.aquasec.com
  #  internalRegistry: registry.registry.svc:5000

  # The registry to which insecure connections are allowed. There can be multiple registries with different keys.
  insecureRegistries: {}
  #  pocRegistry: poc.myregistry.harbor.com.pl
  #  qaRegistry: qa.registry.aquasec.com
  #  internalRegistry: registry.registry.svc:5000

  # Mirrored registries. There can be multiple registries with different keys.
  # Make sure to quote registries containing dots
  registry:
    mirror: {}
    # "docker.io": docker-mirror.example.com

  # severity is a comma separated list of severity levels reported by Trivy.
  severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL

  # ignoreUnfixed is the flag to show only fixed vulnerabilities in
  # vulnerabilities reported by Trivy. Set to true to enable it.
  #
  ignoreUnfixed: false

  # timeout is the duration to wait for scan completion.
  timeout: "5m0s"

  # ignoreFile can be used to tell Trivy to ignore vulnerabilities by ID (one per line)
  #
  # ignoreFile: |
  #   CVE-1970-0001
  #   CVE-1970-0002

  # resources resource requests and limits
  resources:
    requests:
      cpu: 100m
      memory: 100M
    limits:
      cpu: 500m
      memory: 500M

  # githubToken is the GitHub access token used by Trivy to download the vulnerabilities
  # database from GitHub. Only applicable in Standalone mode.
  #
  # githubToken: "*****"

  # serverURL is the endpoint URL of the Trivy server. Required in ClientServer mode.
  #
  # serverURL: "https://trivy.trivy:4975"

  # serverInsecure is the flag to enable insecure connection to the Trivy server.
  #
  # serverInsecure: true
  # serverToken is the token to authenticate Trivy client with Trivy server. Only
  # applicable in ClientServer mode.
  #
  # serverToken: "*****"

  # serverTokenHeader is the name of the HTTP header used to send the authentication
  # token to Trivy server. Only application in ClientServer mode when
  # trivy.serverToken is specified.
  serverTokenHeader: "Trivy-Token"

  # serverCustomHeaders is a comma separated list of custom HTTP headers sent by
  # Trivy client to Trivy server. Only applicable in ClientServer mode.
  #
  # serverCustomHeaders: "foo=bar"

  dbRepository: "ghcr.io/aquasecurity/trivy-db"

  # The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env)
  #
  dbRepositoryInsecure: "false"

  # The Flag to enable the usage of builtin rego policies by default
  #
  useBuiltinRegoPolicies: "true"

  # The Flag is the list of supported kinds separated by comma delimiter to be scanned by the config audit scanner
  #
  supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"

  # command. Either `image` or `filesystem` scanning, depending on the target type required for the scan.
  # For 'filesystem' scanning, ensure that the `trivyOperator.scanJobPodTemplateContainerSecurityContext` is configured
  # to run as the root user (runAsUser = 0).
  command: image

compliance:
  # failEntriesLimit the flag to limit the number of fail entries per control check in the cluster compliance detail report
  failEntriesLimit: 10

rbac:
  create: true
serviceAccount:
  # Specifies whether a service account should be created.
  create: true
  annotations: {}
  # name specifies the name of the k8s Service Account. If not set and create is
  # true, a name is generated using the fullname template.
  name: ""

# podAnnotations annotations added to the operator's pod
podAnnotations: {}

podSecurityContext: {}
  # fsGroup: 2000

securityContext:
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

nodeSelector: {}

tolerations: []

affinity: {}

priorityClassName: ""

  # automountServiceAccountToken the flag to enable automount for service account token
automountServiceAccountToken: true