@owenrumney owenrumney commented Oct 27, 2025

Description

After having discussions internally, the logic for working with the Trivy Cloud integration is going to be simplified greatly. This involves removing the Cloud specific config file and bringing the config into the existing Trivy config. The cloud config commands will be removed as they aren't needed anymore.

As the focus is going to be on CI/CD integration with the Trivy Cloud platform, there isn't currently a need to have the Login and Logout and credential storage, so this has been removed.

Docs have been updated to remove the cloud config docs.

Related issues

Remove this section if you don't have related PRs.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).

@github-actions github-actions bot added the apidiff Indicates Go API changes relevant to library consumers (CLI compatibility may be unaffected) label Oct 27, 2025
github-actions bot commented Oct 27, 2025

📊 API Changes Detected

Semver impact: major

github.com/aquasecurity/trivy/pkg/flag
  Incompatible changes:
  - CloudApiUrlFlag: removed
  - CloudFlagGroup: removed
  - CloudLoginCredentials: removed
  - CloudOptions: removed
  - CloudTokenFlag: removed
  - CloudTrivyServerUrlFlag: removed
  - NewCloudFlagGroup: removed
  - Options.ApiUrl: removed
  - Options.CloudOptions: removed
  - Options.LoginCredentials: removed
  - Options.TrivyServerUrl: removed
  Compatible changes:
  - DefaultApiURL: added
  - DefaultTrivyServerURL: added
  - NewProFlagGroup: added
  - Options.ApiURL: added
  - Options.ProOptions: added
  - Options.ProToken: added
  - Options.SecretConfig: added
  - Options.TrivyServerURL: added
  - Options.UploadResults: added
  - Options.UseServerSideScanning: added
  - ProAPIURLFlag: added
  - ProFlagGroup: added
  - ProLoginCredentials: added
  - ProOptions: added
  - ProSecretConfigFlag: added
  - ProTokenFlag: added
  - ProTrivyServerURLFlag: added
  - ProUploadResultsFlag: added
  - ProUseServerSideScanningFlag: added

github.com/aquasecurity/trivy/pkg/pro
  Compatible changes:
  - ConfigType: added
  - ConfigTypeSecret: added
  - GetAccessToken: added
  - GetConfigs: added
  - SecretConfigPath: added

github.com/aquasecurity/trivy/pkg/cloud/hooks
  Incompatible changes:
  - CloudPlatformResultsHook: removed
  - NewResultsHook: removed

github.com/aquasecurity/trivy/pkg/pro/hooks
  Compatible changes:
  - NewReportHook: added
  - ReportHook: added

github.com/aquasecurity/trivy/pkg/commands
  Incompatible changes:
  - NewCloudCommand: removed
  - NewLoginCommand: removed
  - NewLogoutCommand: removed

github.com/aquasecurity/trivy/pkg/commands/pro
  Compatible changes:
  - UpdateOptsForProIntegration: added

github.com/aquasecurity/trivy/pkg/commands/cloud
  Incompatible changes:
  - CheckTrivyCloudStatus: removed
  - EditConfig: removed
  - GetConfig: removed
  - GroupCloud: removed
  - ListConfig: removed
  - Login: removed
  - Logout: removed
  - SetConfig: removed
  - UnsetConfig: removed

github.com/aquasecurity/trivy/pkg/cloud
  Incompatible changes:
  - Api: removed
  - Clear: removed
  - Config: removed
  - DefaultApiUrl: removed
  - DefaultTrivyServerUrl: removed
  - Get: removed
  - GetWithDefault: removed
  - ListConfig: removed
  - Load: removed
  - OpenConfigForEditing: removed
  - Scanning: removed
  - Server: removed
  - ServiceName: removed
  - Set: removed
  - TokenKey: removed
  - Unset: removed

@aqua-bot aqua-bot requested a review from a team October 27, 2025 12:37
@owenrumney owenrumney force-pushed the refactor/rework-cloud-config branch 3 times, most recently from 4834c6c to 17dbf9a Compare October 27, 2025 14:29
@knqyf263 knqyf263 removed the request for review from a team October 28, 2025 05:10
@owenrumney owenrumney force-pushed the refactor/rework-cloud-config branch from 76475e3 to d319541 Compare October 28, 2025 09:40
@aqua-bot aqua-bot requested a review from a team October 28, 2025 09:44
@owenrumney owenrumney removed the request for review from a team October 28, 2025 10:36
@owenrumney owenrumney marked this pull request as ready for review October 28, 2025 10:36
return &config, nil
configFilename := filepath.Join(configDir, "config.yaml")
// Return cached config if it was updated within the last hour
if stat, err := os.Stat(configFilename); err == nil && stat.ModTime().After(time.Now().Add(configCacheTTL)) {
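
Review bot: In the `os.Stat` condition, `stat.ModTime().After(time.Now().Add(configCacheTTL))` only treats the file as fresh when `configCacheTTL` is a negative duration; with a positive value the cutoff lies in the future and the cached file is never used. The constant's definition is not visible in this excerpt, so either document next to it that it must be negative, or write the check as `time.Since(stat.ModTime()) < configCacheTTL` with a positive TTL. As far as this excerpt shows, freshness is decided by modification time alone, so a truncated or partially written `config.yaml` would be returned from cache until the window expires; validating the file when it is read, or writing it through a temporary file and a rename, would close that gap.
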
Contributor

Correct me if I am wrong or missing something.
I see two problems with this:
1. After one hour, we’ll download the file again.
2. If the user finds an issue in the config on the server and updates the file there, they’ll need to remove the local file to download the new one from the server.

Maybe we could send the hash of the local file to the server?
Server will have the hash of the config file and will compare it.
If the hash is empty (config file doesn’t exist) or doesn’t match, the server will send a new config file.
If the config is still valid, there’s no need to send the file again (unwrap it, etc.).

Contributor Author

I'll give this some thought - The config isn't user maintainable so we will have prepared and tested it, but I can see the argument for wanting to invalidate the cache quickly if there is a network issue during download or similar.

I'll have a think
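
The hash comparison proposed in the review comment above, as an added example (not code from this PR or from Trivy). It expresses the idea with HTTP's `If-None-Match` header; `configHandler`, `syncConfig`, `etag` and the `/config` path are hypothetical names, and the sample config is constructed.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
)

// serverConfig is constructed sample data standing in for the server-side config.
var serverConfig = []byte("rules:\n  - id: example-rule\n")

// etag returns the quoted hex SHA-256 of b, used as the cache validator.
func etag(b []byte) string { return fmt.Sprintf(`"%x"`, sha256.Sum256(b)) }

// configHandler (hypothetical) answers 304 when the client's hash is current.
func configHandler(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("If-None-Match") == etag(serverConfig) {
		w.WriteHeader(http.StatusNotModified)
		return
	}
	w.Write(serverConfig)
}

// syncConfig sends the local hash (none if missing); true means a new body was written.
func syncConfig(h http.Handler, path string) (bool, error) {
	req := httptest.NewRequest(http.MethodGet, "/config", nil)
	local, err := os.ReadFile(path)
	if err == nil {
		req.Header.Set("If-None-Match", etag(local))
	} else if !os.IsNotExist(err) {
		return false, err
	}
	rec := httptest.NewRecorder() // in-process call, no network needed
	h.ServeHTTP(rec, req)
	if rec.Code == http.StatusNotModified {
		return false, nil
	}
	return true, os.WriteFile(path, rec.Body.Bytes(), 0o600)
}

func main() {
	h, path := http.HandlerFunc(configHandler), filepath.Join(os.TempDir(), "example-config.yaml")
	os.Remove(path) // start without a cached copy
	first, _ := syncConfig(h, path)
	second, _ := syncConfig(h, path)
	fmt.Println("downloaded:", first, second)
}
```

A local file that was truncated during an earlier download hashes differently from the server copy, so it is replaced on the next run without waiting for a TTL to expire.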

@owenrumney owenrumney force-pushed the refactor/rework-cloud-config branch from d319541 to a80a0fa Compare October 29, 2025 11:08
@aqua-bot aqua-bot requested a review from a team October 29, 2025 11:13
@owenrumney owenrumney force-pushed the refactor/rework-cloud-config branch from a80a0fa to 756a70c Compare October 29, 2025 12:17
@owenrumney owenrumney removed the request for review from a team October 29, 2025 12:48
@aqua-bot aqua-bot requested a review from a team October 29, 2025 12:53
@owenrumney owenrumney force-pushed the refactor/rework-cloud-config branch from c1ea59a to b406f73 Compare October 30, 2025 09:40
@DmitriyLewen DmitriyLewen left a comment

LGTM

@owenrumney owenrumney force-pushed the refactor/rework-cloud-config branch from d319e19 to a027e52 Compare November 3, 2025 11:06
@owenrumney owenrumney force-pushed the refactor/rework-cloud-config branch from 8a4e75f to ed7587f Compare November 4, 2025 10:39
@owenrumney owenrumney marked this pull request as draft November 4, 2025 13:00
@owenrumney owenrumney force-pushed the refactor/rework-cloud-config branch from ed7587f to 9442b38 Compare November 4, 2025 14:47
owenrumney and others added 11 commits November 14, 2025 08:19
After having discussions internally, the logic for working with the
Trivy Cloud integration is going to be simplified greatly. This involves
removing the Cloud specific config file and bringing the config into the
existing Trivy config. The `cloud config` commands will be removed as
they aren't needed anymore.

As the focus is going to be on CI/CD integration with the Trivy Cloud
platform, there isn't currently a need to have the Login and Logout
mechanisms.
Updates based on the PR comments and regeneration of the docs
Updates to logging and tests based on the PR comments
@owenrumney owenrumney force-pushed the refactor/rework-cloud-config branch from 9442b38 to d04c73f Compare November 14, 2025 08:22
Development

Successfully merging this pull request may close these issues.

refactor(cloud): rework the cloud integration to be more CI focused
