Available in editions: EE
The module runs regular vulnerability scans of the images used in the cluster at runtime, checking them against known CVEs. It is based on the Trivy project and uses public vulnerability databases.
Scanning is performed in namespaces that contain the label security-scanning.deckhouse.io/enabled="".
If no namespace in the cluster carries this label, the default namespace is scanned.
As soon as a namespace with the label security-scanning.deckhouse.io/enabled="" appears in the cluster, scanning of the default namespace stops.
To keep the default namespace scanned in that case, label it explicitly:
d8 k label namespace default security-scanning.deckhouse.io/enabled=""
Conditions for starting scanning
Scanning starts:
- automatically every 24 hours,
- when components using new images are deployed in the namespaces for which scanning is enabled.
Where to view scan results
In Grafana:
- Security/Trivy Image Vulnerability Overview: a summary of vulnerabilities found in container images and cluster resources.
- Security/CIS Kubernetes Benchmark: results of cluster compliance with the CIS Kubernetes Benchmark.
In cluster resources:
- Cluster-wide security reports:
- Resource-level security reports:
  - VulnerabilityReport: vulnerabilities found in container images;
  - SbomReport: software composition of container images (SBOM);
  - ConfigAuditReport: misconfiguration issues in Kubernetes objects;
  - ExposedSecretReport: secrets exposed in containers.
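The VulnerabilityReport objects are the place to consume results programmatically, for example to block a deployment that carries fixable critical findings. The following is an added example, not part of the module or the Deckhouse documentation. It assumes the upstream Trivy Operator v1alpha1 VulnerabilityReport schema (report.summary.*Count and report.vulnerabilities[] with severity and fixedVersion; workload identity in the trivy-operator.resource.* labels), which you should verify in your cluster with `d8 k explain vulnerabilityreport.report`. The embedded JSON is constructed sample data and its CVE identifiers are placeholders, not real vulnerabilities.

```python
"""Summarize Trivy Operator VulnerabilityReport objects and apply a simple gate.

Added example. Field names follow the upstream Trivy Operator v1alpha1
VulnerabilityReport schema (report.summary.*Count, report.vulnerabilities[]);
verify against your cluster with `d8 k explain vulnerabilityreport.report`.
The embedded JSON is constructed sample data; its CVE IDs are placeholders.
"""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
SUMMARY_KEYS = {"CRITICAL": "criticalCount", "HIGH": "highCount",
                "MEDIUM": "mediumCount", "LOW": "lowCount", "UNKNOWN": "unknownCount"}

# Constructed sample in the shape of `d8 k get vulnerabilityreports -A -o json`.
SAMPLE_REPORT_LIST = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "aquasecurity.github.io/v1alpha1", "kind": "VulnerabilityReport",
     "metadata": {"name": "deployment-api-api", "namespace": "shop",
                  "labels": {"trivy-operator.resource.kind": "Deployment",
                             "trivy-operator.resource.name": "api",
                             "trivy-operator.container.name": "api"}},
     "report": {"registry": {"server": "registry.example.internal"},
                "artifact": {"repository": "shop/api", "tag": "1.4.2"},
                "summary": {"criticalCount": 1, "highCount": 1, "mediumCount": 0,
                            "lowCount": 1, "unknownCount": 0},
                "vulnerabilities": [
                    {"vulnerabilityID": "CVE-0000-0001", "resource": "openssl", "severity": "CRITICAL",
                     "installedVersion": "3.0.1", "fixedVersion": "3.0.2"},
                    {"vulnerabilityID": "CVE-0000-0002", "resource": "curl", "severity": "HIGH",
                     "installedVersion": "7.80.0", "fixedVersion": ""},  # no fix released yet
                    {"vulnerabilityID": "CVE-0000-0003", "resource": "zlib", "severity": "LOW",
                     "installedVersion": "1.2.11", "fixedVersion": "1.2.12"}]}},
    {"apiVersion": "aquasecurity.github.io/v1alpha1", "kind": "VulnerabilityReport",
     "metadata": {"name": "deployment-nginx-nginx", "namespace": "default",
                  "labels": {"trivy-operator.resource.kind": "Deployment",
                             "trivy-operator.resource.name": "nginx",
                             "trivy-operator.container.name": "nginx"}},
     "report": {"registry": {"server": "registry.example.internal"},
                "artifact": {"repository": "library/nginx", "tag": "1.25"},
                "summary": {"criticalCount": 0, "highCount": 0, "mediumCount": 0,
                            "lowCount": 0, "unknownCount": 0},
                "vulnerabilities": []}}]})


def summarize_reports(report_list_json, fail_on=("CRITICAL",), fixed_only=True):
    """Return one summary dict per VulnerabilityReport in the list.

    A report is 'blocking' when it has findings at a severity listed in fail_on.
    With fixed_only=True only findings that carry a fixedVersion count, because
    those are the ones an image rebuild can remove; unfixed findings are still
    reported so they can be tracked, but do not block on their own.
    """
    results = []
    for item in json.loads(report_list_json).get("items", []):
        meta, report = item["metadata"], item["report"]
        labels = meta.get("labels", {})
        fixable, unfixed = Counter(), Counter()
        for vuln in report.get("vulnerabilities", []):
            sev = vuln.get("severity", "UNKNOWN")
            (fixable if vuln.get("fixedVersion") else unfixed)[sev] += 1
        total = fixable + unfixed
        summary = report.get("summary", {})
        # Cross-check: the controller's summary counts should agree with the finding list.
        summary_matches = all(summary.get(key, 0) == total[sev] for sev, key in SUMMARY_KEYS.items())
        counted = fixable if fixed_only else total
        results.append({
            "namespace": meta["namespace"],
            "workload": f'{labels.get("trivy-operator.resource.kind", "?")}/'
                        f'{labels.get("trivy-operator.resource.name", "?")}',
            "container": labels.get("trivy-operator.container.name", "?"),
            "image": f'{report["registry"]["server"]}/{report["artifact"]["repository"]}:'
                     f'{report["artifact"]["tag"]}',
            "fixable": {s: fixable[s] for s in SEVERITIES},
            "unfixed": {s: unfixed[s] for s in SEVERITIES},
            "summary_matches": summary_matches,
            "blocking": any(counted[s] > 0 for s in fail_on),
        })
    return results


def any_blocking(results):
    """True if at least one report violates the policy (useful as a CI exit code)."""
    return any(r["blocking"] for r in results)


if __name__ == "__main__":
    for r in summarize_reports(SAMPLE_REPORT_LIST):
        flag = "BLOCK" if r["blocking"] else "ok"
        print(f'{flag:5} {r["namespace"]}/{r["workload"]} [{r["container"]}] {r["image"]} '
              f'fixable={r["fixable"]} unfixed={r["unfixed"]} summary_ok={r["summary_matches"]}')
```

Against a real cluster, replace SAMPLE_REPORT_LIST with the output of `d8 k get vulnerabilityreports -A -o json`. Because the module rescans every 24 hours with a refreshed database, a report that was clean yesterday can become blocking today without any image change; the split between fixable and unfixed findings keeps such a gate actionable, since only the fixable ones can be cleared by rebuilding the image.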