
Using Trivy for Security Management

We use the Trivy Operator to continually scan running clusters and generate reports on vulnerabilities, configuration audits, exposed secrets, RBAC assessments, Kubernetes infrastructure assessments, and SBOMs (Software Bills of Materials).

Available Dashboards

  • Platform Dashboard:
    There is a Vulnerability Reports section under each tenant that provides counts by criticality.

  • Grafana Vulnerability Dashboards:
    Prometheus has metrics about vulnerabilities and the Platform presents this data in Grafana. These metrics do not show specific CVEs, just the namespace or image affected and a count of vulnerabilities by criticality.

CLI View with Kubectl

Trivy CRDs can be viewed on the command line using kubectl, and the output format can be changed to meet your needs (json, yaml, name, wide, etc.).

To execute any of the following examples, you will first need to retrieve your token from the Platform Dashboard for the cluster you are working with.

Vulnerabilities

  • Get all vulnerabilities from a namespace
kubectl get vulnerabilityreports.aquasecurity.github.io -n <namespace> -o yaml
  • Get a summary of vulnerabilities from a namespace
kubectl get vulnerabilityreports.aquasecurity.github.io -n <namespace> -o wide
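The raw `-o yaml` output of a VulnerabilityReport is long, and `-o wide` only shows the per-report counts. The following script is an added example (not part of the Platform docs or the Trivy Operator project) that reads the JSON printed by `kubectl get vulnerabilityreports.aquasecurity.github.io -n <namespace> -o json`, recomputes the severity counts per image from the finding list, cross-checks them against each report's `report.summary`, and lists the CRITICAL findings that already have a fixed version. It assumes the v1alpha1 VulnerabilityReport layout (`report.artifact`, `report.registry`, `report.summary`, `report.vulnerabilities[]`); the embedded sample data, image names and CVE ids are constructed placeholders, not real findings.

```python
"""Summarise Trivy Operator VulnerabilityReports from `kubectl ... -o json`.

Added example; not Platform or Trivy Operator code. Assumes the v1alpha1
VulnerabilityReport layout: report.artifact, report.registry, report.summary
and report.vulnerabilities[] with severity / fixedVersion per finding.
"""
import json
import subprocess
import sys
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
GROUP = "vulnerabilityreports.aquasecurity.github.io"

# Constructed sample standing in for real kubectl output (a v1 List). The
# image names and CVE ids are placeholders, not real findings.
SAMPLE_REPORTS = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"kind": "VulnerabilityReport",
         "metadata": {"name": "replicaset-web-abc123-web", "namespace": "team-a"},
         "report": {
             "artifact": {"repository": "example/web", "tag": "1.2.3"},
             "registry": {"server": "registry.example.invalid"},
             "summary": {"criticalCount": 1, "highCount": 1, "mediumCount": 0,
                         "lowCount": 1, "unknownCount": 0},
             "vulnerabilities": [
                 {"vulnerabilityID": "CVE-0000-0001", "resource": "libexample",
                  "installedVersion": "1.0.0", "fixedVersion": "1.0.1",
                  "severity": "CRITICAL"},
                 {"vulnerabilityID": "CVE-0000-0002", "resource": "libother",
                  "installedVersion": "2.0.0", "fixedVersion": "",
                  "severity": "HIGH"},
                 {"vulnerabilityID": "CVE-0000-0003", "resource": "libother",
                  "installedVersion": "2.0.0", "fixedVersion": "",
                  "severity": "LOW"}]}},
        {"kind": "VulnerabilityReport",
         "metadata": {"name": "statefulset-db-db", "namespace": "team-a"},
         "report": {
             "artifact": {"repository": "example/db", "tag": "9.1"},
             "registry": {"server": "registry.example.invalid"},
             "summary": {"criticalCount": 0, "highCount": 0, "mediumCount": 0,
                         "lowCount": 0, "unknownCount": 0},
             "vulnerabilities": []}},
    ],
}


def image_ref(item):
    """registry/repository:tag for one report, as the `-o wide` view shows it."""
    rep = item["report"]
    art = rep["artifact"]
    ref = f"{art['repository']}:{art.get('tag') or art.get('digest', '')}"
    server = rep.get("registry", {}).get("server")
    return f"{server}/{ref}" if server else ref


def summarize(report_list):
    """Map image -> Counter(severity -> count), computed from the finding list."""
    per_image = {}
    for item in report_list.get("items", []):
        counts = per_image.setdefault(image_ref(item), Counter())
        for v in item["report"].get("vulnerabilities", []):
            counts[v.get("severity", "UNKNOWN")] += 1
    return per_image


def summary_mismatches(report_list):
    """Names of reports whose report.summary disagrees with their finding list."""
    bad = []
    for item in report_list.get("items", []):
        counted = Counter(v.get("severity", "UNKNOWN")
                          for v in item["report"].get("vulnerabilities", []))
        declared = item["report"].get("summary", {})
        # summary keys are criticalCount, highCount, ... unknownCount
        if any(declared.get(s.lower() + "Count", 0) != counted[s] for s in SEVERITIES):
            bad.append(item["metadata"]["name"])
    return bad


def fixable_criticals(report_list):
    """(image, package, id, installed, fixed) for CRITICAL findings with a fix."""
    hits = []
    for item in report_list.get("items", []):
        for v in item["report"].get("vulnerabilities", []):
            if v.get("severity") == "CRITICAL" and v.get("fixedVersion"):
                hits.append((image_ref(item), v["resource"], v["vulnerabilityID"],
                             v.get("installedVersion", ""), v["fixedVersion"]))
    return hits


def load_namespace(namespace):
    """Fetch live reports; needs kubectl configured with the Platform token."""
    out = subprocess.run(["kubectl", "get", GROUP, "-n", namespace, "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def print_report(report_list):
    for image, counts in sorted(summarize(report_list).items()):
        print(image, "  ".join(f"{s}={counts[s]}" for s in SEVERITIES))
    for mismatch in summary_mismatches(report_list):
        print(f"WARNING: summary of {mismatch} does not match its finding list")
    for image, pkg, vid, installed, fixed in fixable_criticals(report_list):
        print(f"FIX AVAILABLE: {image} {pkg} {vid} {installed} -> {fixed}")


if __name__ == "__main__":
    data = load_namespace(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORTS
    print_report(data)
```

Run it with a namespace argument to query the cluster, or without one to run on the embedded sample. The `fixable_criticals` list is the practical output: it is the subset of critical findings a tenant can close by bumping a package version, which is what the dashboard counts do not tell you.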

SBOM (Software Bill of Materials)

  • Get an overview of all SBOM reports in a namespace
kubectl -n <tenant namespace> get sbomreports.aquasecurity.github.io -o wide
  • Get details of a specific SBOM
kubectl -n <tenant namespace> get sbomreports.aquasecurity.github.io <report name> -o [yaml|json]
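The most common reason to read SBOM reports is to answer "which of our images ship package X?" when a new advisory lands, before the vulnerability scanner has caught up. The script below is an added example (not part of the Platform docs or the Trivy Operator project) that reads the JSON from `kubectl -n <tenant namespace> get sbomreports.aquasecurity.github.io -o json` and indexes every component by package name and image. It assumes the v1alpha1 SbomReport layout in which `report.components` is a CycloneDX BOM whose `components` list carries `name`, `version` and `purl` per package; the sample data, image and package names are constructed placeholders.

```python
"""Search Trivy Operator SbomReports for a package across a namespace.

Added example; not Platform or Trivy Operator code. Assumes the v1alpha1
SbomReport layout where report.components is a CycloneDX BOM and each entry
of its `components` list has name, version and purl.
"""
import json
import subprocess
import sys
from collections import defaultdict

GROUP = "sbomreports.aquasecurity.github.io"

# Constructed sample standing in for real kubectl output; images and
# packages are placeholders.
SAMPLE_REPORTS = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"kind": "SbomReport",
         "metadata": {"name": "replicaset-web-abc123-web", "namespace": "team-a"},
         "report": {
             "artifact": {"repository": "example/web", "tag": "1.2.3"},
             "registry": {"server": "registry.example.invalid"},
             "components": {
                 "bomFormat": "CycloneDX", "specVersion": "1.5",
                 "components": [
                     {"type": "library", "name": "libexample", "version": "1.0.0",
                      "purl": "pkg:deb/debian/libexample@1.0.0"},
                     {"type": "library", "name": "requests", "version": "2.31.0",
                      "purl": "pkg:pypi/requests@2.31.0"}]}}},
        {"kind": "SbomReport",
         "metadata": {"name": "statefulset-db-db", "namespace": "team-a"},
         "report": {
             "artifact": {"repository": "example/db", "tag": "9.1"},
             "registry": {"server": "registry.example.invalid"},
             "components": {
                 "bomFormat": "CycloneDX", "specVersion": "1.5",
                 "components": [
                     {"type": "library", "name": "libexample", "version": "1.0.1",
                      "purl": "pkg:deb/debian/libexample@1.0.1"}]}}},
    ],
}


def image_ref(item):
    """registry/repository:tag for one report, as the `-o wide` view shows it."""
    rep = item["report"]
    art = rep["artifact"]
    ref = f"{art['repository']}:{art.get('tag') or art.get('digest', '')}"
    server = rep.get("registry", {}).get("server")
    return f"{server}/{ref}" if server else ref


def components(item):
    """The CycloneDX component list of one SbomReport (empty if absent)."""
    return item["report"].get("components", {}).get("components", [])


def build_index(report_list):
    """Map package name -> {image -> sorted versions} across all reports."""
    index = defaultdict(lambda: defaultdict(set))
    for item in report_list.get("items", []):
        image = image_ref(item)
        for comp in components(item):
            if "name" in comp:
                index[comp["name"]][image].add(comp.get("version", ""))
    return {name: {img: sorted(vs) for img, vs in imgs.items()}
            for name, imgs in index.items()}


def where_is(report_list, package, ecosystem=None):
    """(image, version, purl) for every image shipping `package`.

    `ecosystem` filters on the purl type (deb, pypi, npm, golang, ...), so a
    Debian libfoo is not confused with a PyPI package of the same name.
    """
    hits = []
    for item in report_list.get("items", []):
        for comp in components(item):
            if comp.get("name") != package:
                continue
            purl = comp.get("purl", "")
            if ecosystem and not purl.startswith(f"pkg:{ecosystem}/"):
                continue
            hits.append((image_ref(item), comp.get("version", ""), purl))
    return hits


def load_namespace(namespace):
    """Fetch live reports; needs kubectl configured with the Platform token."""
    out = subprocess.run(["kubectl", "get", GROUP, "-n", namespace, "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # usage: script.py <package> [ecosystem] [namespace]
    package = sys.argv[1] if len(sys.argv) > 1 else "libexample"
    ecosystem = sys.argv[2] if len(sys.argv) > 2 else None
    data = load_namespace(sys.argv[3]) if len(sys.argv) > 3 else SAMPLE_REPORTS
    for image, version, purl in where_is(data, package, ecosystem):
        print(f"{image}  {version}  {purl}")
```

Filtering on the purl ecosystem matters in practice: package names collide across Debian, PyPI and npm, and a match on bare `name` will produce false positives when triaging an advisory for one of them.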

Building Block for CI Pipelines

You can perform Trivy scans in your CI pipelines to prevent pushing vulnerabilities to production. You can see our building block for this:

You can include this building block in your .gitlab-ci.yml:

include:
  project: it-common-platform/tenant-support/ci-templates
  file:
    - building-blocks/trivy-scan.yml

Other Integrations