Trivy : CVEs Scanner | Docs | Trivy image

K8s : `trivy-operator`

The Trivy Operator automatically discovers and scans all images running in a K8s cluster, including images of application pods and system pods. Scan reports are summarized and saved as VulnerabilityReport (CRD) resources, which are owned by a Kubernetes controller.

Install by Helm

trivy-operator-install.sh

bash trivy-operator-install.sh

kubectl patch cm trivy-operator-trivy-config -n trivy-system \
  --type merge \
  -p "$(cat <<EOF
{
  "data": {
    "trivy.severity": "HIGH,CRITICAL"
  }
}
EOF
)"

Images :

ghcr.io/aquasecurity/trivy
ghcr.io/aquasecurity/trivy-operator
ghcr.io/aquasecurity/node-collector
ghcr.io/aquasecurity/trivy-db
ghcr.io/aquasecurity/trivy-java-db

`VulnerabilityReport`

Scan reports saved to CRD: kind: VulnerabilityReport

k get vulnerabilityreports -n kube-system -o yaml \
    |yq .items[].metadata.name

daemonset-kube-router-kube-router
pod-etcd-a1-etcd
pod-kube-apiserver-a1-kube-apiserver
...

kn kube-system
vr=pod-kube-apiserver-a1-kube-apiserver
k get VulnerabilityReport $vr -o json \
    |jq -Mr '.report.vulnerabilities | .[]? |select(.severity == "CRITICAL" or .severity == "HIGH")' \
    |jq . --slurp

Trivy : CVEs Scanner | Docs | Trivy image

K8s : trivy-operator

Install by Helm

VulnerabilityReport

K8s : `trivy-operator`

`VulnerabilityReport`