feat: avoid double TRIVY_INSECURE

sathieu · sathieu · commit 8ec813a6779c · 2026-01-23T16:20:16.000+01:00
diff --git a/pkg/plugins/trivy/filesystem.go b/pkg/plugins/trivy/filesystem.go
@@ -194,18 +194,18 @@ func GetPodSpecForStandaloneFSMode(ctx trivyoperator.PluginContext, config Confi
 				Name:  "TRIVY_INSECURE",
 				Value: "true",
 			})
+		} else {
+			env, err = appendTrivyInsecureEnv(config, c.Image, env)
+			if err != nil {
+				return corev1.PodSpec{}, nil, err
+			}
 		}
 
 		if config.OfflineScan() {
 			env = append(env, constructEnvVarSourceFromConfigMap("TRIVY_OFFLINE_SCAN",
 				trivyConfigName, keyTrivyOfflineScan))
 		}
 
-		env, err = appendTrivyInsecureEnv(config, c.Image, env)
-		if err != nil {
-			return corev1.PodSpec{}, nil, err
-		}
-
 		resourceRequirements, err := config.GetResourceRequirements()
 		if err != nil {
 			return corev1.PodSpec{}, nil, err
@@ -425,16 +425,16 @@ func GetPodSpecForClientServerFSMode(ctx trivyoperator.PluginContext, config Con
 				trivyConfigName, keyTrivyOfflineScan))
 		}
 
-		env, err = appendTrivyInsecureEnv(config, c.Image, env)
-		if err != nil {
-			return corev1.PodSpec{}, nil, err
-		}
-
 		if config.GetServerInsecure() {
 			env = append(env, corev1.EnvVar{
 				Name:  "TRIVY_INSECURE",
 				Value: "true",
 			})
+		} else {
+			env, err = appendTrivyInsecureEnv(config, c.Image, env)
+			if err != nil {
+				return corev1.PodSpec{}, nil, err
+			}
 		}
 
 		resourceRequirements, err := config.GetResourceRequirements()
diff --git a/pkg/plugins/trivy/image.go b/pkg/plugins/trivy/image.go
@@ -247,6 +247,11 @@ func GetPodSpecForStandaloneMode(ctx trivyoperator.PluginContext,
 				Name:  "TRIVY_INSECURE",
 				Value: "true",
 			})
+		} else {
+			env, err = appendTrivyInsecureEnv(config, c.Image, env)
+			if err != nil {
+				return corev1.PodSpec{}, nil, err
+			}
 		}
 		if _, ok := containersCredentials[c.Name]; ok && secret != nil {
 			registryUsernameKey := fmt.Sprintf("%s.username", c.Name)
@@ -281,11 +286,6 @@ func GetPodSpecForStandaloneMode(ctx trivyoperator.PluginContext,
 
 		}
 
-		env, err = appendTrivyInsecureEnv(config, c.Image, env)
-		if err != nil {
-			return corev1.PodSpec{}, nil, err
-		}
-
 		env, err = appendTrivyNonSSLEnv(config, c.Image, env)
 		if err != nil {
 			return corev1.PodSpec{}, nil, err
@@ -509,27 +509,21 @@ func GetPodSpecForClientServerMode(ctx trivyoperator.PluginContext, config Confi
 			}
 		}
 
-		env, err = appendTrivyInsecureEnv(config, container.Image, env)
-		if err != nil {
-			return corev1.PodSpec{}, nil, err
-		}
-
 		env, err = appendTrivyNonSSLEnv(config, container.Image, env)
 		if err != nil {
 			return corev1.PodSpec{}, nil, err
 		}
 
-		if config.GetServerInsecure() {
-			env = append(env, corev1.EnvVar{
-				Name:  "TRIVY_INSECURE",
-				Value: "true",
-			})
-		}
-		if config.GetDBRepositoryInsecure() {
+		if config.GetServerInsecure() || config.GetDBRepositoryInsecure() {
 			env = append(env, corev1.EnvVar{
 				Name:  "TRIVY_INSECURE",
 				Value: "true",
 			})
+		} else {
+			env, err = appendTrivyInsecureEnv(config, container.Image, env)
+			if err != nil {
+				return corev1.PodSpec{}, nil, err
+			}
 		}
 		requirements, err := config.GetResourceRequirements()
 		if err != nil {
