Does trivy operator downloads the images of all containers in the cluster to check them ?

[togrulazizli]

Question 1: Does trivy operator downloads all the images of the containers in the cluster in order to check them against the vulnerability DB ?
Question 2: Lets say there are 100 containers in the cluster which use exact same image, now does trivy download the same image 100 times and runs the scan job 100 times or it is smart enough to depict that it already did the analysis for the image and skips 99 more scans ?

Issue we are facing: We have multiple clusters where the image repository sits in one of them and all images are pulled from that repository. Communication between all other clusters and the cluster which owns the image repository is done via Transit Gateway (AWS). After configuring trivy operator in our clusters , we are seeing substantial increase in cost/usage of transit gateway hence we want to know if trivy download images of all containers in the clusters each time it does the vulnerability scan.

[chen-keinan]

@togrulazizli

1. in general, yes, however there is an option for it to reuse images on node , when docker socket is be mounted (not supported yet) or use trivy with file system scanning mode , both require privileged mode
2. the answer is more complex , trivy can't tell if the image is exactly the same without opening it , relying on image tag is not strong enough
   in addition bare in mind that image that was scanned today (and no issues found) can be vulnerable tomorrow as vulnDB might change. we are looking on adding support to SBOM in cluster level , this will enable us to reduce the number of nightly scan (TTL exceeded) as operator will scan only if vulnDB has change.

regarding you question trivy is more design for single cluster mode less of multi-cluster.

Please feel free to share an ideas on how to improve scanning process and share resources