Available in editions: EE
The module lifecycle stage: General Availability
The module allows you to run regular vulnerability scans of user images in runtime against known CVEs. The module uses the Trivy project. Public vulnerability databases are used for scanning.
Scanning is performed in namespaces that contain the label security-scanning.deckhouse.io/enabled="".
If there are no namespaces with this label in the cluster, the default namespace is scanned.
Once a namespace with the label security-scanning.deckhouse.io/enabled="" is detected in the cluster, scanning of the default namespace stops.
To re-enable scanning for the default namespace, use the following command to set the label on the namespace:
d8 k label namespace default security-scanning.deckhouse.io/enabled=""
Conditions for starting scanning
Scanning starts:
- automatically every 24 hours,
- when components using new images are deployed in the namespaces for which scanning is enabled.
Where to view scan results
In Grafana:
- Security/Trivy Image Vulnerability Overview: a summary of vulnerabilities found in container images and cluster resources.
- Security/CIS Kubernetes Benchmark: results of cluster compliance with the CIS Kubernetes Benchmark.
In cluster resources:
- Cluster-wide security reports:
- Resource-level security reports:
  - VulnerabilityReport: vulnerabilities found in container images.
  - SbomReport: software composition of container images (SBOM).
  - ConfigAuditReport: misconfiguration issues in Kubernetes objects.
  - ExposedSecretReport: secrets exposed in containers.
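The two behaviours above that a practitioner most often needs to check are which namespaces the module will actually scan (the label rule, with the default namespace dropping out once any namespace is labelled) and which VulnerabilityReport findings already have a fix available. The following is an added example, not code from the Deckhouse docs or the operator-trivy module; the report field names (report.vulnerabilities, the trivy-operator.resource.* and trivy-operator.container.name labels) are assumed from the upstream Trivy-Operator CRD, and the sample data is constructed.

```python
SCAN_LABEL = "security-scanning.deckhouse.io/enabled"
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def scanned_namespaces(namespaces):
    """Apply the module's rule: namespaces carrying SCAN_LABEL are scanned;
    if no namespace carries the label, only 'default' is scanned."""
    labelled = [ns["metadata"]["name"] for ns in namespaces
                if SCAN_LABEL in (ns["metadata"].get("labels") or {})]
    return labelled or ["default"]

def fixable_findings(report_list, min_severity="HIGH"):
    """Walk a VulnerabilityReport list (shape of `kubectl get vulnerabilityreports -A -o json`)
    and return (namespace, workload, container, id, installed, fixed) for every finding
    at or above min_severity that already has a fixed version available."""
    threshold = SEVERITY_ORDER.index(min_severity)
    rows = []
    for item in report_list["items"]:
        labels = item["metadata"]["labels"]  # assumed: Trivy-Operator sets these on every report
        where = (labels["trivy-operator.resource.namespace"],
                 labels["trivy-operator.resource.kind"] + "/" + labels["trivy-operator.resource.name"],
                 labels["trivy-operator.container.name"])
        for v in item["report"]["vulnerabilities"]:
            if SEVERITY_ORDER.index(v["severity"]) >= threshold and v.get("fixedVersion"):
                rows.append(where + (v["vulnerabilityID"], v["installedVersion"], v["fixedVersion"]))
    return rows

# Constructed sample data (not real cluster output): two namespaces, one labelled,
# and one report with placeholder vulnerability IDs.
NAMESPACES = [
    {"metadata": {"name": "default", "labels": {}}},
    {"metadata": {"name": "payments", "labels": {SCAN_LABEL: ""}}},
]
REPORTS = {"items": [{
    "metadata": {"labels": {
        "trivy-operator.resource.namespace": "payments",
        "trivy-operator.resource.kind": "ReplicaSet",
        "trivy-operator.resource.name": "api-7d9f6",
        "trivy-operator.container.name": "api"}},
    "report": {"vulnerabilities": [
        {"vulnerabilityID": "CVE-0000-0001", "severity": "CRITICAL", "installedVersion": "1.0.0", "fixedVersion": "1.0.1"},
        {"vulnerabilityID": "CVE-0000-0002", "severity": "HIGH", "installedVersion": "2.3.0", "fixedVersion": ""},
        {"vulnerabilityID": "CVE-0000-0003", "severity": "MEDIUM", "installedVersion": "0.9", "fixedVersion": "0.9.1"},
    ]}}]}

if __name__ == "__main__":
    print("scanned namespaces:", scanned_namespaces(NAMESPACES))
    for row in fixable_findings(REPORTS):
        print("%s %s [%s] %s %s -> %s" % row)
```

With the sample data, only the payments namespace is scanned (default drops out because a labelled namespace exists), and only the CRITICAL finding is reported as fixable at the default HIGH threshold.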
Third-party components
List of third-party software used in the operator-trivy module:
- Trivy-Operator. License: Apache License 2.0
The Trivy-Operator leverages Trivy security tools by incorporating their outputs into Kubernetes CRDs (Custom Resource Definitions) and, from there, making security reports accessible through the Kubernetes API. This way, users can find and view the risks that relate to different resources in what we call a Kubernetes-native way.