support registry mirrors for image scanning

[itaysk]

Discussed in #4957

When scanning images, Trivy is pulling the container image from registry directly (using OCI API). Most container engines support "mirroring", which tells the engine to pull certain images from another registry instead of the user specified.
Example from Docker: https://docs.docker.com/docker-hub/mirror/#configure-the-docker-daemon

Trivy should support similar functionality for pulling images from a mirror if configured. Since mirror configuration varies between engines, we should not support one of the existing ones but allow users to configure specifically for Trivy.

As @caleb-devops suggested:

registry-mirrors:
  - src: "docker.io"
    dest: "harbor.example.com/docker.io"
  - src: "ghcr.io"
    dest: "harbor.example.com/ghcr.io"

it could be supported on cli as --registry-mirrors docker.io:harbor.example.com/docker.io, but since this is advanced use case it might be ok to keep it config file exclusive.

[knqyf263]

@DmitriyLewen Could you investigate how each container engine works with mirror settings? As I recall, the behavior is to try a mirror first and then pull from the original registry if the mirror returned a 404, but I think it would be better to investigate properly.

[ocebr]

I'm interested in this feature. We use a mirror to bypass Docker API Rate limit :)

[sathieu]

We have several mirrors for each registry. Please handle this use case.

The behavior of containerd is to try the mirrors in the specified order and try direct access as a last resort (or server if defined). We don't need this last resort feature.

There is also the /v2 path which should be configurable (see override_path.

I think using a configuration similar to containerd will help, like:

registry-mirrors:
  docker.io:
    # server: https://registry-1.docker.io
    # skip_verify: false
    # ca: [/etc/certs/test-1-ca.pem, /etc/certs/special.pem]
    # override_path: false
    host."https://mirror.registry": {}
    host."https://mirror2.registry/v2/external-registries/docker.io":
      override_path: true
      

[DmitriyLewen]

I checked docker, podman and containerd
They use same order:
mirrors (for location/prefix if exists) -> original registry (as @knqyf263 said).

I also checked go-containerregistry (Trivy uses this package to get images from registry).
go-containerregistry doesn't have logic for mirrors - google/go-containerregistry#2010

So we need to create this logic in Trivy.

cc. @knqyf263

[knqyf263]

Thanks, that sounds good to me.