Trivy : CVEs Scanner | Docs | Trivy image

K8s : trivy-operator

The Trivy Operator automatically discovers and scans all images running in a K8s cluster, including images of application pods and system pods. Scan reports are summarized and saved as VulnerabilityReport (CRD) resources, which are owned by a Kubernetes controller.

Install with Helm

trivy-operator-install.sh

bash trivy-operator-install.sh

kubectl patch cm trivy-operator-trivy-config -n trivy-system \
  --type merge \
  -p "$(cat <<EOF
{
  "data": {
    "trivy.severity": "HIGH,CRITICAL"
  }
}
EOF
)"

VulnerabilityReport

Scan reports are saved as CRD resources of kind VulnerabilityReport:

k get vulnerabilityreports -n kube-system -o yaml \
    |yq .items[].metadata.name
daemonset-kube-router-kube-router
pod-etcd-a1-etcd
pod-kube-apiserver-a1-kube-apiserver
...
kn kube-system
vr=pod-kube-apiserver-a1-kube-apiserver
k get VulnerabilityReport $vr -o json \
    |jq -Mr '.report.vulnerabilities | .[]? |select(.severity == "CRITICAL" or .severity == "HIGH")' \
    |jq . --slurp
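Added example, not from the page or the trivy-operator project: a small Python triage script that consumes the JSON printed by `k get VulnerabilityReport $vr -o json`, applies the same HIGH/CRITICAL cut as the jq filter above, and additionally splits the findings by whether a fixedVersion exists, which is what decides whether a rebuild of the image helps today. The field names (report.vulnerabilities[].vulnerabilityID, resource, severity, installedVersion, fixedVersion) are assumed from the trivy-operator CRD; the embedded report is constructed, with placeholder CVE ids.

```python
"""Triage a trivy-operator VulnerabilityReport (JSON from `kubectl get ... -o json`)."""
import json
import sys

# Constructed sample in the shape of a trivy-operator VulnerabilityReport.
# Field names are assumed from the trivy-operator CRD; CVE ids are placeholders.
SAMPLE_REPORT = json.loads("""
{"kind": "VulnerabilityReport",
 "metadata": {"name": "pod-kube-apiserver-a1-kube-apiserver", "namespace": "kube-system"},
 "report": {
   "summary": {"criticalCount": 1, "highCount": 2, "mediumCount": 1, "lowCount": 0},
   "vulnerabilities": [
     {"vulnerabilityID": "CVE-0000-0001", "resource": "libssl", "severity": "CRITICAL",
      "installedVersion": "1.0.0", "fixedVersion": "1.0.1"},
     {"vulnerabilityID": "CVE-0000-0002", "resource": "bash", "severity": "HIGH",
      "installedVersion": "5.0", "fixedVersion": ""},
     {"vulnerabilityID": "CVE-0000-0003", "resource": "curl", "severity": "HIGH",
      "installedVersion": "7.8", "fixedVersion": "7.9"},
     {"vulnerabilityID": "CVE-0000-0004", "resource": "zlib", "severity": "MEDIUM",
      "installedVersion": "1.1", "fixedVersion": "1.2"}]}}
""")

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

def filter_findings(report, min_severity="HIGH"):
    """Vulnerabilities at or above min_severity (the same cut as the jq select above)."""
    threshold = SEVERITY_RANK[min_severity]
    vulns = report.get("report", {}).get("vulnerabilities") or []  # tolerate empty/null list
    return [v for v in vulns if SEVERITY_RANK.get(v.get("severity", "UNKNOWN"), 0) >= threshold]

def split_by_fix(findings):
    """Findings with an upstream fixedVersion (patchable now) vs. those without one."""
    order = lambda v: (-SEVERITY_RANK.get(v.get("severity"), 0), v.get("resource", ""))
    fixable = sorted((v for v in findings if v.get("fixedVersion")), key=order)
    unfixed = sorted((v for v in findings if not v.get("fixedVersion")), key=order)
    return fixable, unfixed

def summarize(report, min_severity="HIGH"):
    fixable, unfixed = split_by_fix(filter_findings(report, min_severity))
    return {"name": report["metadata"]["name"], "total": len(fixable) + len(unfixed),
            "fixable": fixable, "unfixed": unfixed}

if __name__ == "__main__":
    # `kubectl get VulnerabilityReport $vr -o json | python3 triage.py -` reads stdin
    result = summarize(json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_REPORT)
    print(f"{result['name']}: {result['total']} findings at HIGH or above")
    for bucket in ("fixable", "unfixed"):
        for v in result[bucket]:
            print(f"  [{bucket}] {v['severity']:<8} {v['vulnerabilityID']} {v['resource']} "
                  f"{v['installedVersion']} -> {v.get('fixedVersion') or 'no fix available'}")
```

Without the `-` argument the script runs against the embedded sample, so it can be tried before pointing it at a live cluster.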