docs: update air-gapped docs

[itaysk]

discussed here #7029 (comment)

I did my best to restructure the docs in a way that makes sense, I have a few open comments:

1. not sure how authentication works with --checks-bundle-repository @simar7
2. do we have a "manually populate cache" option for checks? @simar7
3. inconsistency in naming between --checks-bundle-repository and --skip-check-update, not sure we want to fix this at this point.
4. --offline-scan isn't clearly explained, I presume this is about maven central? then the name is misleading (should be java specific). again, not sure we want to fix now but wanted to bring to attention. Also I thought this can be expanded to disable all the external dependencies (all the DBs) in one flag.

[knqyf263]

--offline-scan isn't clearly explained, I presume this is about maven central? then the name is misleading (should be java specific). again, not sure we want to fix now but wanted to bring to attention. Also I thought this can be expanded to disable all the external dependencies (all the DBs) in one flag.

--offline-scan should affect all scanning, not limited to JAR scanning (To complicate things, JAR scanning was switched to Java DB, so this flag is not used for anything now.). When we implement internet access in the future, it should be disabled by --offline-scan. Also, I think misconfiguration scanning should respect this flag (downloading Terraform modules, etc.).

[nikpivkin]

1. The checks bundle is distributed as an OCI artifacts and retrieved from the Artifact registry. Authentication methods are described here.

[itaysk]

The checks bundle is distributed as an OCI artifacts and retrieved from the Artifact registry. Authentication methods are described here.

@nikpivkin , @knqyf263 just said that the vuln DBs support only docker login, they don't support user/pass. is it the same for checks bundle as well? or checks bundle does support user/pass unlike vuln scanner?

[nikpivkin]

@itaysk supports login and password

[simar7]

overall lgtm, left a couple of comments.

[itaysk]

@knqyf263 wdyt about removing the manual cache manipulation guide? it seems very internal and i think using the flag is better

[knqyf263]

@itaysk We discussed it in #7029 and agreed not to add flags.

[knqyf263]

Or do you mean we should force users to upload DB to their OCI registry? In any case, users need to manually download the DB and copy it to the environment running Trivy, so copying it under the cache directory is not a big problem.

[itaysk]

I meant the latter. not saying it's a big problem, just seems redundant and makeshift to me. ok i'll keep it, but then I want to confirm what is the procedure for misconfig checks (@simar7 @nikpivkin )?

[itaysk]

Added another node about loading config from directory using --config-check flag. Also found many outdated references to this flag which I fixed in the same commit. FTR, also adding this to the list of inconsistencies (checks vs check) @simar7 can you please review

[simar7]

I meant the latter. not saying it's a big problem, just seems redundant and makeshift to me. ok i'll keep it, but then I want to confirm what is the procedure for misconfig checks (@simar7 @nikpivkin )?

The process would be the same as trivy-db, the users have to navigate Trivy's cache to place the checks in the right place in case of an air gap solution.

Maybe we should document this cache structure in more detail as a whole as it is a common place for all scanners?

[itaysk]

@knqyf263 I've addressed vex hub in air gapped env, let me know if it's ok 2327c5f

[knqyf263]

LGTM. Left some comments.

[knqyf263]

I have an idea about re-structuring this page, but we can do that in another PR.