# Using Trivy for Security Management
We use the Trivy Operator to continually scan running clusters and generate reports on vulnerabilities, configuration audit, exposed secrets, RBAC assessment, Kubernetes infra assessment, and SBOM (Software Bill of Materials).
## Available Dashboards

- Headlamp: There is a Vulnerability Reports section under the "Trivy" sidebar item.
- Grafana Vulnerability Dashboards: Prometheus has metrics about vulnerabilities and the Platform presents this data in Grafana. These metrics do not show specific CVEs, just the namespace or image affected and a count of vulnerabilities by criticality.
## CLI View with Kubectl

Trivy CRDs can be viewed on the command line using kubectl, and the output format can be changed to meet your needs (json, yaml, name, wide, etc.).
To execute any of the following examples you will first need to retrieve your token from Headlamp for the cluster you are working with. Click on "Get Token" in the sidebar.
### Vulnerabilities
- Get all vulnerabilities from a namespace
- Get a summary of vulnerabilities from a namespace
### SBOM (Software Bill of Materials)
- Get an overview of all SBOM reports in a namespace
- Get details of a specific SBOM
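The following script is an added example, not part of the platform documentation or the Trivy Operator project. It shows how to turn the JSON that `kubectl get vulnerabilityreports -n NAMESPACE -o json` and `kubectl get sbomreport NAME -n NAMESPACE -o json` return into the two views described above: a per-workload vulnerability summary for a namespace (with the set of fixable CVEs at or above a chosen severity) and a flattened component list from a specific SBOM. It assumes the Trivy Operator `aquasecurity.github.io/v1alpha1` report layout (`report.vulnerabilities`, `report.components` holding a CycloneDX BOM) and the `trivy-operator.resource.*` labels the operator sets; the sample reports embedded in it are constructed, with placeholder CVE ids, so it runs offline.

```python
"""Summarize Trivy Operator reports from `kubectl ... -o json` output.

Added example; assumes the Trivy Operator VulnerabilityReport / SbomReport layout.
Live use: `python3 trivy_reports.py NAMESPACE` (needs kubectl access to the cluster).
"""
import json
import subprocess
import sys
from collections import Counter, defaultdict

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
RANK = {s: i for i, s in enumerate(SEVERITIES)}


def kubectl_json(*args):
    """Run `kubectl get <args> -o json` and parse it (real kubectl flags; needs a cluster)."""
    out = subprocess.run(["kubectl", "get", *args, "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def summarize_vulnerabilities(report_list, min_severity="HIGH"):
    """Return ({workload: Counter(severity)}, fixable CVE ids at or above min_severity).

    `report_list` is the JSON list returned by `kubectl get vulnerabilityreports -n NS -o json`.
    A workload is identified by the operator's resource kind/name/container labels.
    """
    cutoff = RANK[min_severity]
    per_workload = defaultdict(Counter)
    fixable = set()
    for item in report_list.get("items", []):
        labels = item.get("metadata", {}).get("labels", {})
        workload = "{}/{}/{}".format(labels.get("trivy-operator.resource.kind", "?"),
                                     labels.get("trivy-operator.resource.name", "?"),
                                     labels.get("trivy-operator.container.name", "?"))
        for vuln in item.get("report", {}).get("vulnerabilities", []):
            sev = vuln.get("severity", "UNKNOWN")
            per_workload[workload][sev] += 1
            # "Fixable" means the scanner reported a fixed version; unknown severities rank lowest.
            if RANK.get(sev, len(SEVERITIES)) <= cutoff and vuln.get("fixedVersion"):
                fixable.add(vuln["vulnerabilityID"])
    return dict(per_workload), fixable


def sbom_components(sbom_report):
    """Flatten one SbomReport (from `kubectl get sbomreport NAME -o json`) into sorted (name, version, purl)."""
    bom = sbom_report.get("report", {}).get("components", {})  # CycloneDX document
    return sorted((c.get("name", ""), c.get("version", ""), c.get("purl", ""))
                  for c in bom.get("components", []))


# Constructed sample data shaped like the operator's CRDs; CVE ids are placeholders.
def _report(kind, name, container, vulns):
    return {"metadata": {"name": f"{kind.lower()}-{name}-{container}", "namespace": "demo",
                         "labels": {"trivy-operator.resource.kind": kind,
                                    "trivy-operator.resource.name": name,
                                    "trivy-operator.container.name": container}},
            "report": {"artifact": {"repository": f"example/{container}", "tag": "1.0"},
                       "vulnerabilities": vulns}}


SAMPLE_VULN_LIST = {"items": [
    _report("ReplicaSet", "web-abc123", "web", [
        {"vulnerabilityID": "CVE-0000-0001", "severity": "CRITICAL", "resource": "openssl",
         "installedVersion": "1.0.0", "fixedVersion": "1.0.1"},
        {"vulnerabilityID": "CVE-0000-0002", "severity": "HIGH", "resource": "zlib1g",
         "installedVersion": "1.2.0", "fixedVersion": ""},
        {"vulnerabilityID": "CVE-0000-0003", "severity": "MEDIUM", "resource": "curl",
         "installedVersion": "7.0.0", "fixedVersion": "7.0.1"}]),
    _report("StatefulSet", "db-0", "db", [
        {"vulnerabilityID": "CVE-0000-0004", "severity": "LOW", "resource": "bash",
         "installedVersion": "5.0", "fixedVersion": "5.1"}]),
]}

SAMPLE_SBOM = {
    "metadata": {"name": "replicaset-web-abc123-web", "namespace": "demo"},
    "report": {"artifact": {"repository": "example/web", "tag": "1.0"},
               "summary": {"componentsCount": 2, "dependenciesCount": 1},
               "components": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
                   {"bom-ref": "pkg:deb/debian/zlib1g@1.2.0", "type": "library", "name": "zlib1g",
                    "version": "1.2.0", "purl": "pkg:deb/debian/zlib1g@1.2.0"},
                   {"bom-ref": "pkg:deb/debian/openssl@1.0.0", "type": "library", "name": "openssl",
                    "version": "1.0.0", "purl": "pkg:deb/debian/openssl@1.0.0"}]}},
}

if __name__ == "__main__":
    reports = kubectl_json("vulnerabilityreports", "-n", sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VULN_LIST
    per_workload, fixable = summarize_vulnerabilities(reports)
    for workload, counts in sorted(per_workload.items()):
        print(workload, dict(counts))
    print("fixable HIGH/CRITICAL:", sorted(fixable))
    for name, version, purl in sbom_components(SAMPLE_SBOM):
        print(name, version, purl)
```

With a namespace argument the script reads live reports through kubectl (using the token retrieved from Headlamp as described above); without one it runs on the embedded sample. Lowering `min_severity` to `MEDIUM` widens the fixable set, which is the usual knob when deciding what to remediate first.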
## Building Block for CI Pipelines
You can perform Trivy scans in your CI pipelines to prevent pushing vulnerabilities to production. You can see our building block for this:
- CI Pipeline Building Block: https://code.vt.edu/it-common-platform/tenant-support/ci-templates/-/blob/main/building-blocks/trivy-scan.yml
You can include this building block in your `.gitlab-ci.yml`:

```yaml
include:
  project: it-common-platform/tenant-support/ci-templates
  file:
    - building-blocks/trivy-scan.yml
```
## Other Integrations

- Lens Extension: https://github.com/aquasecurity/trivy-operator-lens-extension/
- K9s: https://k9scli.io/