Experimental version. The functionality may undergo significant changes. Compatibility with future versions is not guaranteed.

Viewing resources that failed CIS compliance checks

kubectl get clustercompliancereports.aquasecurity.github.io cis -ojson | 
  jq '.status.detailReport.results | map(select(.checks | map(.success) | all | not))'

Viewing resources that have not passed a specific CIS compliance check

By check id:

check_id="5.7.3"
kubectl get clustercompliancereports.aquasecurity.github.io cis -ojson | 
  jq --arg check_id "$check_id" '.status.detailReport.results | map(select(.id == $check_id))'

By check description:

check_desc="Apply Security Context to Your Pods and Containers"
kubectl get clustercompliancereports.aquasecurity.github.io cis -ojson |
  jq --arg check_desc "$check_desc" '.status.detailReport.results | map(select(.description == $check_desc))'
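The three jq filters above all operate on the same array, .status.detailReport.results, where each result carries a check id, a description and a list of checks with a boolean success field. The following Python is an added offline equivalent (example code, not part of the module or of trivy-operator) run over a constructed report fragment, so the selection logic can be checked without a cluster. The sample data and the "target" field inside each check are assumptions for illustration; the filter semantics match the jq: a result counts as failed only when not every check succeeded, and a result with an empty checks list is not failed, exactly as jq's `all` on an empty array returns true.

```python
"""Offline equivalent of the jq filters on this page, run over a constructed
ClusterComplianceReport fragment (sample data, not a real cluster dump)."""
import json

# Constructed sample: the shape of .status.detailReport.results as used by the
# jq filters (id, description, checks[].success). The "target" field is an
# assumption added for illustration.
SAMPLE_REPORT = json.loads("""
{
  "status": {
    "detailReport": {
      "results": [
        {"id": "5.7.3",
         "description": "Apply Security Context to Your Pods and Containers",
         "checks": [
           {"target": "default/Deployment/web", "success": false},
           {"target": "default/Deployment/api", "success": true}
         ]},
        {"id": "5.1.1",
         "description": "Ensure that the cluster-admin role is only used where required",
         "checks": [
           {"target": "ClusterRoleBinding/cluster-admin", "success": true}
         ]},
        {"id": "4.2.6",
         "description": "Ensure that the --protect-kernel-defaults argument is set to true",
         "checks": []}
      ]
    }
  }
}
""")


def results(report):
    return report["status"]["detailReport"]["results"]


def failed_results(report):
    """Same as: map(select(.checks | map(.success) | all | not)).
    all([]) is True, so a result with no checks is NOT reported as failed,
    matching jq's `all` on an empty array."""
    return [r for r in results(report)
            if not all(c["success"] for c in r["checks"])]


def by_check_id(report, check_id):
    """Same as: map(select(.id == $check_id))."""
    return [r for r in results(report) if r["id"] == check_id]


def by_description(report, desc):
    """Same as: map(select(.description == $check_desc))."""
    return [r for r in results(report) if r["description"] == desc]


def failing_targets(report, check_id):
    """One level deeper than the page's filters: the individual targets
    that failed a given check."""
    return [c.get("target")
            for r in by_check_id(report, check_id)
            for c in r["checks"] if not c["success"]]


if __name__ == "__main__":
    print("failed checks:", [r["id"] for r in failed_results(SAMPLE_REPORT)])
    print("failing targets for 5.7.3:", failing_targets(SAMPLE_REPORT, "5.7.3"))
```

Use failing_targets (or the corresponding jq over .checks) when the per-check result is not enough and you need the actual workloads to fix.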

Manual rescan of a resource

The module rescans resources every 24 hours according to the following algorithm:

  1. A VulnerabilityReport object is created in the namespace of each scanned resource.
  2. This object carries the annotation trivy-operator.aquasecurity.github.io/report-ttl, which specifies the report lifetime (the default is 24h).
  3. Once the lifetime has elapsed since the report was created, the object is deleted, which triggers a rescan of the resource.

You can force a resource rescan in one of the following ways:

  • Overwrite the annotation trivy-operator.aquasecurity.github.io/report-ttl, specifying a short report lifetime.
  • Delete the VulnerabilityReport object from the namespace where the scanned resource is located.

Example command for overwriting the annotation trivy-operator.aquasecurity.github.io/report-ttl:

kubectl annotate VulnerabilityReport -n <namespace> <reportName> trivy-operator.aquasecurity.github.io/report-ttl=1s --overwrite
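The expiry rule behind both rescan methods is simple: a report is due for deletion once creationTimestamp plus report-ttl lies in the past. The Python below is an added illustration of that rule (example code, not the operator's implementation) run over two constructed VulnerabilityReport metadata fragments: one untouched report that falls back to the page's stated 24h default, and one whose annotation was overwritten to 1s as in the kubectl command above. The sample names, namespace and timestamps are assumptions. It also shows why the annotation trick works: overwriting the annotation does not change creationTimestamp, so a 1s TTL is already expired the moment it is applied.

```python
"""Report-ttl expiry logic as described on this page, as an added illustration.
Not the operator's code; sample objects below are constructed."""
import re
from datetime import datetime, timedelta, timezone

TTL_ANNOTATION = "trivy-operator.aquasecurity.github.io/report-ttl"
DEFAULT_TTL = "24h"  # default stated on this page

_UNITS = {"h": 3600, "m": 60, "s": 1, "ms": 0.001}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(h|ms|m|s)")


def parse_duration(value):
    """Parse a Go-style duration such as "24h", "1h30m" or "1s" into a timedelta.
    Malformed, empty or negative values raise instead of silently defaulting,
    because a misparsed TTL would either never expire or expire at once."""
    if not value or value.startswith("-"):
        raise ValueError(f"invalid duration: {value!r}")
    pos, total = 0, 0.0
    for m in _DURATION_RE.finditer(value):
        if m.start() != pos:  # unparsed characters between components
            raise ValueError(f"invalid duration: {value!r}")
        total += float(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos != len(value):  # trailing garbage or no components at all
        raise ValueError(f"invalid duration: {value!r}")
    return timedelta(seconds=total)


def report_expired(report, now):
    """True if the report's TTL has elapsed at `now` (timezone-aware UTC).
    Missing annotation -> DEFAULT_TTL. The clock starts at creationTimestamp,
    which `kubectl annotate --overwrite` does not change."""
    meta = report["metadata"]
    ttl_value = meta.get("annotations", {}).get(TTL_ANNOTATION, DEFAULT_TTL)
    ttl = parse_duration(ttl_value)
    created = datetime.fromisoformat(meta["creationTimestamp"].replace("Z", "+00:00"))
    return now >= created + ttl


# Constructed sample objects, trimmed to the metadata the rule needs.
FRESH_REPORT = {"metadata": {
    "name": "replicaset-web-5d4c9-web", "namespace": "prod",
    "creationTimestamp": "2024-05-01T10:00:00Z"}}  # no annotation: 24h default

FORCED_REPORT = {"metadata": {
    "name": "replicaset-web-5d4c9-web", "namespace": "prod",
    "creationTimestamp": "2024-05-01T10:00:00Z",  # unchanged by annotate
    "annotations": {TTL_ANNOTATION: "1s"}}}       # after ...report-ttl=1s --overwrite

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # two hours after creation

if __name__ == "__main__":
    print("fresh report expired:", report_expired(FRESH_REPORT, NOW))
    print("forced report expired:", report_expired(FORCED_REPORT, NOW))
```

Deleting the VulnerabilityReport outright skips this evaluation entirely; the annotation route is preferable when you want the existing report to stay visible until the operator replaces it.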

Who has access to scan results

Access to scan results (including viewing the report resources that hold them) is granted to users with any of the following access roles:

  • d8:manage:networking:viewer or higher;
  • d8:manage:permission:module:operator-trivy:view.

How to limit the list of resources scanned in a namespace

The current version does not support limiting the list of scanned resources within a namespace.
The operator scans all resources located in any namespace labeled with security-scanning.deckhouse.io/enabled="".

How to view the scan report for your application

To view the scan results of your application, use the Grafana dashboard Security / Trivy Image Vulnerability Overview.
You can filter the results by the desired namespace and resource.

You can also directly view the resources that contain scan results created for each scanned object.
Details about naming structure and resource location are available in the documentation.