With trivy-operator, for the scan-vulnerabilityreport init container job - missing ssl_cert_file

[kirkpabk]

For the trivy-operator, regarding the scan-vulnerabilityreport init container job, in adding all of the tls cert entries... we noticed that it is not accepting entries and missing ssl_cert_file and we cannot determine how to reasonably inject it. (trivy-operator: 0.28.0 / chart: 0.30.0)

Thank you in advance for any assistance or guidance.

ERROR SEEN
For the terminated job, image: /acquasecurity/trivy:0.65.0, we get,
Error (2025-08-13T22:04:48Z INFO Adding schema version to the DB repository for backward compatibility repository="ghcr.io/aquasecurity/trivy-db:2" 2025-08-13T22:04:48Z INFO [vulndb] Need to update DB 2025-08-13T22:04:48Z INFO [vulndb] Downloading vulnerability DB... 2025-08-13T22:04:48Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2" 2025-08-13T22:04:49Z FATAL Fatal error run error: init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from ghcr.io/aquasecurity/trivy-db:2: OCI repository error: 1 error occurred: * Get "https://ghcr.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority )

WORKAROUND:

  FROM nexus.mysite.com:2222/aquasecurity/trivy:0.65.0
  RUN rm -rf /var/ssl-cert
  COPY cacerts /usr/local/share/ca-certificates/
  RUN update-ca-certificates
  RUN export SSL_CERT_FILE=/usr/local/share/ca-certificates/cacerts && export TRIVY_SSL_CERT_FILE=/usr/local/share/ca-certificates/cacerts

YAML (with redacted content)
See the initContainers: section... notice that elsewhere we're injecting cert bundles, but they don't convey to the initContainers and we're not seeing an easy way to get at these dynamic jobs in the chart. In particular initContainers.env for the SSL cert var--how would we inject: SSL_CERT_FILE in that section?

apiVersion: batch/v1
kind: Job
metadata:
  name: scan-vulnerabilityreport-5c7466abcd
  namespace: kyverno
spec:
  activeDeadlineSeconds: 300
  backoffLimit: 0
  completionMode: NonIndexed
  completions: 1
  manualSelector: false
  parallelism: 1
  podReplacementPolicy: TerminatingOrFailed
  selector:
    matchLabels:
      batch.kubernetes.io/controller-uid: <uid-redacted>
  suspend: false
  template:
    metadata:
      creationTimestamp: null
      labels:
	  <redacted-labels>
        vulnerabilityReport.scanner: Trivy
    spec:
     .
     .
     .
      containers:
        - args:
            - '-c'
            - >-
              trivy image
              nexus.site.com:2222/kubernetes:v1.30
              --cache-dir /tmp/trivy/.cache --format json
              --image-config-scanners secret --scanners vuln,secret
              --skip-db-update --slow --list-all-pkgs --output
              /tmp/scan/result_kube-proxy.json
              2>/tmp/scan/result_kube-proxy.json.log && bzip2 -c
              /tmp/scan/result_kube-proxy.json | base64
          command:
            - /bin/sh
          env:
            - name: TRIVY_SEVERITY
              valueFrom:
                configMapKeyRef:
                  key: trivy.severity
                  name: trivy-operator-trivy-config
                  optional: true
            - name: TRIVY_IGNORE_UNFIXED
              valueFrom:
                configMapKeyRef:
                  key: trivy.ignoreUnfixed
                  name: trivy-operator-trivy-config
                  optional: true
            - name: TRIVY_OFFLINE_SCAN
              valueFrom:
                configMapKeyRef:
                  key: trivy.offlineScan
                  name: trivy-operator-trivy-config
                  optional: true
            - name: TRIVY_JAVA_DB_REPOSITORY
              valueFrom:
                configMapKeyRef:
                  key: trivy.javaDbRepository
                  name: trivy-operator-trivy-config
                  optional: true
            - name: TRIVY_TIMEOUT
              valueFrom:
                configMapKeyRef:
                  key: trivy.timeout
                  name: trivy-operator-trivy-config
                  optional: true
            - name: TRIVY_SKIP_FILES
              valueFrom:
                configMapKeyRef:
                  key: trivy.skipFiles
                  name: trivy-operator-trivy-config
                  optional: true
            - name: TRIVY_SKIP_DIRS
              valueFrom:
                configMapKeyRef:
                  key: trivy.skipDirs
                  name: trivy-operator-trivy-config
                  optional: true
            - name: HTTP_PROXY
              valueFrom:
                configMapKeyRef:
                  key: trivy.httpProxy
                  name: trivy-operator-trivy-config
                  optional: true
            - name: HTTPS_PROXY
              valueFrom:
                configMapKeyRef:
                  key: trivy.httpsProxy
                  name: trivy-operator-trivy-config
                  optional: true
            - name: NO_PROXY
              valueFrom:
                configMapKeyRef:
                  key: trivy.noProxy
                  name: trivy-operator-trivy-config
                  optional: true
            - name: SSL_CERT_DIR
              value: /var/ssl-cert
          image: nexus.site.com:2222/aquasecurity/trivy:0.65.0
          imagePullPolicy: IfNotPresent
          name: kube-proxy
          resources:
            limits:
              cpu: 500m
              memory: 500M
            requests:
              cpu: 100m
              memory: 100M
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /tmp
              name: tmp
            - mountPath: /var/ssl-cert
              name: ssl-cert-dir
              readOnly: true
            - mountPath: /tmp/scan
              name: scanresult
            - mountPath: /trivycerts
              name: somecacerts
              readOnly: true
      dnsPolicy: ClusterFirst
      initContainers:
        - args:
            - '--cache-dir'
            - /tmp/trivy/.cache
            - image
            - '--download-db-only'
            - '--db-repository'
            - ghcr.io/aquasecurity/trivy-db
          command:
            - trivy
          env:
            - name: HTTP_PROXY
              valueFrom:
                configMapKeyRef:
                  key: trivy.httpProxy
                  name: trivy-operator-trivy-config
                  optional: true
            - name: HTTPS_PROXY
              valueFrom:
                configMapKeyRef:
                  key: trivy.httpsProxy
                  name: trivy-operator-trivy-config
                  optional: true
            - name: NO_PROXY
              valueFrom:
                configMapKeyRef:
                  key: trivy.noProxy
                  name: trivy-operator-trivy-config
                  optional: true
            - name: GITHUB_TOKEN
              valueFrom:
                secretKeyRef:
                  key: trivy.githubToken
                  name: trivy-operator-trivy-config
                  optional: true
          image: nexus.site.com:2222/aquasecurity/trivy:0.65.0
          imagePullPolicy: IfNotPresent
          name: 7e921234-1234-4f96-829f-0b65df6d1234
          resources:
            limits:
              cpu: 500m
              memory: 500M
            requests:
              cpu: 100m
              memory: 100M
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /tmp
              name: tmp
            - mountPath: /var/ssl-cert
              name: ssl-cert-dir
              readOnly: true
            - mountPath: /trivycerts
              name: somecacerts
              readOnly: true
      restartPolicy: Never
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: trivy-trivy-operator
      serviceAccountName: trivy-trivy-operator
      terminationGracePeriodSeconds: 30
      volumes:
        - emptyDir: {}
          name: tmp
        - hostPath:
            path: /trivycerts
            type: ''
          name: ssl-cert-dir
        - emptyDir: {}
          name: scanresult
        - name: somecacerts
          secret:
            defaultMode: 420
            secretName: somecacerts