Available in: EE
The module lifecycle stage: General Availability
The module has requirements for installation
The module runs regular vulnerability scans of user container images at runtime for known CVEs, including vulnerabilities from the Astra Linux, RedOS, and ALT Linux databases. It is based on the Trivy project and uses public vulnerability databases enriched with Astra Linux, ALT Linux, and RedOS data.
The module also performs cluster compliance analysis against the CIS Kubernetes Benchmark.
Main features
- Automatic CVE scanning of container images in labeled namespaces every 24 hours.
- CIS Kubernetes Benchmark compliance analysis with results stored in ClusterComplianceReport.
- SBOM generation for all scanned container images (SbomReport).
- Node host filesystem scanning for OS-level vulnerabilities (NodeVulnerabilityReport).
- Exposed secrets detection in container images (ExposedSecretReport).
- Metrics and Grafana dashboards for vulnerability scanning and compliance results.
You can read more about scanning, VulnerabilityReport and SbomReport reports, blocking vulnerable images, and CVE databases in the Vulnerability scanning section.
Scanning runs in namespaces that have the label security-scanning.deckhouse.io/enabled="".
If the cluster has no namespaces with this label, the default namespace is scanned.
Once a namespace with the label security-scanning.deckhouse.io/enabled="" appears in the cluster, scanning of the default namespace stops.
To turn scanning back on for the default namespace, set the label with:
d8 k label namespace default security-scanning.deckhouse.io/enabled=""
Conditions for starting scanning
Scanning starts:
- automatically every 24 hours,
- when components that use new images are deployed in namespaces where scanning is enabled.
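The namespace selection rule described above (labeled namespaces are scanned; when none is labeled, only default is scanned) can be turned into a coverage check. This is an added example, not part of the module documentation; the sample namespace lists are constructed, and the d8 commands in the comments show how to obtain real input.

```shell
#!/bin/sh
# Added example (not part of the module docs): apply the documented namespace
# selection rule and report which workload namespaces are left unscanned.
LABEL='security-scanning.deckhouse.io/enabled'

# scanned_namespaces LABELED_NS
#   LABELED_NS: newline-separated namespaces carrying the label (may be empty).
#   Real input: d8 k get ns -l "$LABEL" -o name | sed 's#^namespace/##'
#   Prints the namespaces the module scans: the labeled ones, or "default"
#   if no namespace carries the label.
scanned_namespaces() {
  labeled=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
  if [ -z "$labeled" ]; then
    echo default
  else
    printf '%s\n' "$labeled"
  fi
}

# unscanned_namespaces WORKLOAD_NS LABELED_NS
#   WORKLOAD_NS: newline-separated namespaces that run pods.
#   Real input: d8 k get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\n"}{end}' | sort -u
#   Prints workload namespaces that the module will not scan.
unscanned_namespaces() {
  all=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
  scanned=$(scanned_namespaces "$2")
  printf '%s\n' "$all" | while IFS= read -r ns; do
    printf '%s\n' "$scanned" | grep -qxF -- "$ns" || echo "$ns"
  done
}

# Constructed sample: four namespaces running workloads.
SAMPLE_WORKLOAD_NS='default
payments
frontend
kube-system'

if [ "${1:-}" = "--demo" ]; then
  echo "Nothing labeled, scanned namespaces:"
  scanned_namespaces ""
  echo "Only frontend labeled, unscanned workload namespaces:"
  unscanned_namespaces "$SAMPLE_WORKLOAD_NS" "frontend"
fi
```

Run with --demo to see both cases: with no label anywhere only default is covered, and as soon as frontend is labeled, default drops out of the scan set along with every other unlabeled namespace.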
Where to view scan results
In Grafana:
- Security/Trivy Image Vulnerability Overview — a summary of vulnerabilities in images and cluster resources.
- Security/CIS Kubernetes Benchmark — cluster compliance with the CIS Kubernetes Benchmark.
In cluster resources:
- Cluster-wide security reports:
  - ClusterComplianceReport — cluster compliance with the CIS Kubernetes Benchmark;
  - NodeVulnerabilityReport — OS-level vulnerabilities found on node host filesystems.
- Resource-level security reports:
  - VulnerabilityReport — vulnerabilities found in container images;
  - SbomReport — software composition in container images (SBOM);
  - ConfigAuditReport — misconfiguration issues in Kubernetes objects;
  - ExposedSecretReport — secrets exposed in containers.