Cache

The cache directory includes

The cache option is common to all scanners.

Clear Caches

The tunnel clean subcommand removes caches.

$ tunnel clean --scan-cache
Result
2024-06-21T21:58:21+04:00       INFO    Removing scan cache...

If you want to delete cached vulnerability databases, use --vuln-db. You can also delete all caches with --all. See tunnel clean --help for details.

Cache Directory

Specify where the cache is stored with --cache-dir.

$ tunnel --cache-dir /tmp/tunnel/ image python:3.4-alpine3.9

Scan Cache Backend

EXPERIMENTAL

This feature might change without preserving backwards compatibility.

Tunnel utilizes a scan cache to store analysis results, such as package lists. It supports three types of backends for this cache:

  • Local File System (fs)
    • The cache path can be specified by --cache-dir
  • Memory (memory)
  • Redis (redis://)
    • redis://[HOST]:[PORT]
    • TTL can be configured via --cache-ttl

Local File System

The local file system backend is the default choice for container image, VM image and repository scans.

Note

Internally, this backend uses BoltDB, which has an important limitation: only one process can access the cache at a time. Subsequent processes attempting to access the cache will be locked. For more details on this limitation, refer to the troubleshooting guide.

Memory

The memory backend stores analysis results in memory, which means the cache is discarded when the process ends. This makes it useful in scenarios where caching is not required or desired. It serves as the default for filesystem and SBOM scans and can also be employed for container image scans when caching is unnecessary.

To use the memory backend for a container image scan, you can use the following command:

$ tunnel image debian:11 --cache-backend memory

Redis

The Redis backend is particularly useful when you need to share the cache across multiple Tunnel instances. You can set up Tunnel to use a Redis backend with a command like this:

$ tunnel server --cache-backend redis://localhost:6379

This approach allows for centralized caching, which can be beneficial in distributed or high-concurrency environments.

If you want to use TLS with Redis, you can enable it by specifying the --redis-tls flag.

$ tunnel server --cache-backend redis://localhost:6379 --redis-tls

Tunnel also supports connecting to Redis with your own certificates. You need to specify the --redis-ca, --redis-cert, and --redis-key options.

$ tunnel server --cache-backend redis://localhost:6379 \
  --redis-ca /path/to/ca-cert.pem \
  --redis-cert /path/to/cert.pem \
  --redis-key /path/to/key.pem
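
The following preflight is an added example, not part of the Tunnel documentation or code base: it builds the Redis cache flags shown above and refuses to emit them when the certificate files are unreadable or the private key is accessible to group or other users. The function name `redis_cache_args`, its return codes, and the policy of always requiring TLS are assumptions of this example; only the flags come from this page.

```shell
#!/bin/sh
# Added example (not Tunnel's own code). redis_cache_args and its return
# codes are hypothetical; the flags are the ones documented on this page.
#
# Usage: redis_cache_args HOST:PORT [CA CERT KEY]
# Prints one `tunnel server` argument per line, or fails with:
#   2 = bad arguments, 3 = unreadable file, 4 = private key too permissive.
redis_cache_args() {
    addr=$1
    case $addr in
        *:*) ;;
        *) echo "expected HOST:PORT, got '$addr'" >&2; return 2 ;;
    esac

    if [ "$#" -eq 1 ]; then
        # No client certificate supplied: still insist on TLS (example policy).
        printf '%s\n' --cache-backend "redis://$addr" --redis-tls
        return 0
    fi

    # The page requires the three certificate options to be given together.
    if [ "$#" -ne 4 ]; then
        echo "--redis-ca, --redis-cert and --redis-key must be given together" >&2
        return 2
    fi
    ca=$2 cert=$3 key=$4

    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 3; }
    done

    # Characters 5-10 of the `ls -l` mode string are the group/other bits.
    # Anything other than "------" means the key is exposed beyond its owner.
    if [ "$(ls -ld -- "$key" | cut -c5-10)" != "------" ]; then
        echo "private key $key is accessible to group/other; chmod 600 it" >&2
        return 4
    fi

    printf '%s\n' --cache-backend "redis://$addr" \
        --redis-ca "$ca" --redis-cert "$cert" --redis-key "$key"
}
```

Run it before starting the server in a deployment script and abort on a non-zero status, so a misplaced or world-readable key is caught before Tunnel ever connects to Redis.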

  1. Downloaded when scanning for vulnerabilities 

  2. Downloaded when scanning jar/war/par/ear files 

  3. Downloaded when scanning for misconfigurations