wolfi-dev · rawlingsj · Jul 14, 2025 · Jul 14, 2025 · Jul 14, 2025 · Jul 14, 2025
diff --git a/docs/cmd/wolfictl_scan.md b/docs/cmd/wolfictl_scan.md
@@ -94,18 +94,19 @@ wolfictl scan package1 package2 --remote
 ### Options
 
 ```
-  -a, --advisories-repo-dir string   directory containing the advisories repository
-  -f, --advisory-filter string       exclude vulnerability matches that are referenced from the specified set of advisories (resolved|all|concluded)
-      --build-log                    treat input as a package build log file (or a directory that contains a packages.log file)
-  -D, --disable-sbom-cache           don't use the SBOM cache
-      --distro string                distro to use during vulnerability matching (default "wolfi")
-  -h, --help                         help for scan
-      --local-file-grype-db string   import a local grype db file
-  -o, --output string                output format (outline|json), defaults to outline
-  -r, --remote                       treat input(s) as the name(s) of package(s) in the Wolfi package repository to download and scan the latest versions of
-      --require-zero                 exit 1 if any vulnerabilities are found
-  -s, --sbom                         treat input(s) as SBOM(s) of APK(s) instead of as actual APK(s)
-      --use-cpes                     turn on all CPE matching in Grype
+  -a, --advisories-repo-dir string       directory containing the advisories repository
+  -f, --advisory-filter string           exclude vulnerability matches that are referenced from the specified set of advisories (resolved|all|concluded)
+      --build-log                        treat input as a package build log file (or a directory that contains a packages.log file)
+  -D, --disable-sbom-cache               don't use the SBOM cache
+      --distro string                    distro to use during vulnerability matching (default "wolfi")
+  -h, --help                             help for scan
+      --local-file-grype-db string       import a local grype db file
+      --max-allowed-built-age duration   Max allowed age for vulnerability database, age being the time since it was built. Default max age is 120h (or five days) (default 120h0m0s)
+  -o, --output string                    output format (outline|json), defaults to outline
+  -r, --remote                           treat input(s) as the name(s) of package(s) in the Wolfi package repository to download and scan the latest versions of
+      --require-zero                     exit 1 if any vulnerabilities are found
+  -s, --sbom                             treat input(s) as SBOM(s) of APK(s) instead of as actual APK(s)
+      --use-cpes                         turn on all CPE matching in Grype
 ```
 
 ### Options inherited from parent commands

diff --git a/docs/man/man1/wolfictl-scan.1 b/docs/man/man1/wolfictl-scan.1
@@ -134,6 +134,10 @@ found and the \-\-require\-zero flag is specified.
 \fB\-\-local\-file\-grype\-db\fP=""
     import a local grype db file
 
+.PP
+\fB\-\-max\-allowed\-built\-age\fP=120h0m0s
+    Max allowed age for vulnerability database, age being the time since it was built. Default max age is 120h (or five days)
+
 .PP
 \fB\-o\fP, \fB\-\-output\fP=""
     output format (outline|json), defaults to outline

diff --git a/pkg/cli/scan.go b/pkg/cli/scan.go
@@ -14,6 +14,7 @@ import (
 	"sort"
 	"strings"
 	"sync"
+	"time"
 
 	"chainguard.dev/apko/pkg/apk/apk"
 	"chainguard.dev/apko/pkg/apk/auth"
@@ -235,6 +236,9 @@ func scanEverything(ctx context.Context, p *scanParams, inputs []string, advGett
 	opts := scan.DefaultOptions
 	opts.UseCPEs = p.useCPEMatching
 	opts.PathOfDatabaseArchiveToImport = p.localDBFilePath
+	if p.dbMaxAllowedBuildAge > 0 {
+		opts.MaxAllowedBuildAge = p.dbMaxAllowedBuildAge
+	}
 
 	// Immediately start a goroutine, so we can initialize the vulnerability database.
 	// Once that's finished, we will start to pull sboms off of done as they become ready.
@@ -338,6 +342,7 @@ type scanParams struct {
 	disableSBOMCache     bool
 	remoteScanning       bool
 	useCPEMatching       bool
+	dbMaxAllowedBuildAge time.Duration
 }
 
 func (p *scanParams) addFlagsTo(cmd *cobra.Command) {
@@ -352,6 +357,7 @@ func (p *scanParams) addFlagsTo(cmd *cobra.Command) {
 	cmd.Flags().BoolVarP(&p.disableSBOMCache, "disable-sbom-cache", "D", false, "don't use the SBOM cache")
 	cmd.Flags().BoolVarP(&p.remoteScanning, "remote", "r", false, "treat input(s) as the name(s) of package(s) in the Wolfi package repository to download and scan the latest versions of")
 	cmd.Flags().BoolVar(&p.useCPEMatching, "use-cpes", false, "turn on all CPE matching in Grype")
+	cmd.Flags().DurationVar(&p.dbMaxAllowedBuildAge, "max-allowed-built-age", 120*time.Hour, "Max allowed age for vulnerability database, age being the time since it was built. Default max age is 120h (or five days)")
 }
 
 func (p *scanParams) resolveInputsToScan(ctx context.Context, args []string) (inputs []string, cleanup func() error, err error) {

diff --git a/pkg/scan/apk.go b/pkg/scan/apk.go
@@ -166,14 +166,22 @@ type Options struct {
 	// except for testing purposes.
 	DisableDatabaseAgeValidation bool
 
+	// MaxAllowedBuildAge defines the maximum allowed age for the vulnerability database.
+	// If the database is older than this duration, it will be considered invalid unless
+	// DisableDatabaseAgeValidation is set to true. If not specified, the default value
+	// of 48 hours will be used.
+	MaxAllowedBuildAge time.Duration
+
 	// DisableSBOMCache controls whether the scanner will cache SBOMs generated from
 	// APKs. If true, the scanner will not cache SBOMs or use existing cached SBOMs.
 	DisableSBOMCache bool
 }
 
 // DefaultOptions is the recommended default configuration for a new Scanner.
 // These options are suitable for most use scanning cases.
-var DefaultOptions = Options{}
+var DefaultOptions = Options{
+	MaxAllowedBuildAge: 120 * time.Hour,
+}
 
 // NewScanner initializes the grype DB for reuse across multiple scans.
 func NewScanner(opts Options) (*Scanner, error) {
@@ -182,11 +190,16 @@ func NewScanner(opts Options) (*Scanner, error) {
 		dbDestDir = DefaultGrypeDBDir
 	}
 
+	maxAllowedBuildAge := opts.MaxAllowedBuildAge
+	if maxAllowedBuildAge == 0 {
+		maxAllowedBuildAge = 120 * time.Hour
+	}
+
 	installCfg := installation.Config{
 		DBRootDir:               dbDestDir,
 		ValidateChecksum:        true,
 		ValidateAge:             !opts.DisableDatabaseAgeValidation,
-		MaxAllowedBuiltAge:      48 * time.Hour,
+		MaxAllowedBuiltAge:      maxAllowedBuildAge,
 		UpdateCheckMaxFrequency: 1 * time.Hour,
 	}