PT-BR Version: Here
Warning
This project is no longer maintained. It has been deprecated and favor of Trivy Operator, which now provides the same functionality (and more) as part of its supported feature set.
Please migrate to Trivy Operator for ongoing updates, security fixes, and improvements.
This docker image scanner scans the entire kubernetes cluster looking for pods, performing a vulnerability scan on images.
The result of the scans is provided by the trivy and is converted to the Prometheus format.
When the software starts, it performs a "setup", which creates the necessary directories for operation;
After that, the http server is started, but without information (/metrics response nothing).
Afterwards, the scan threads are started. As the internal queue objects are consumed, the results are stored in memory for the following steps (generation of prometheus points and finding out if the pod is available on the internet via ingress).
The final step is to perform a cleanup that removes all temporary files generated by trivy.
After all, the script "sleeps" (but the http endpoints continue to work), waiting for its next execution.
After executing the scans, when consolidating the scans, a query is made on all entries in the cluster.
In ingress, it contains the service that that path is associated with;
With the service, we find out which selector was used to create the endpoint (referring to that service);
Reading the endpoint, we have information about which pods are part of that endpoint.
When the pod is found at the endpoints, a mark is made: isPublic: true
When a pod has in its specification the entry `` yaml imagePullSecrets:
- name: secret
``
The script reads the specified secret and looks for the key
.dockerconfigjson. If not found, an error is reported and the scanning for that image does not happen. If you don't find the secret, that image will not be scanned either.
| Metric name | Metric type | Labels / tags |
|---|---|---|
| pod_security_issue | Gauge | PodName = pod-name; Namespace = pod-namespace Image = Docker image with tag IsPublic = Is exposed on ingress? BaseOS = SO Base of image VulnerabilityID = CVE ID PkgName = Vulnerable package name InstalledVersion = Vulnerable package version FixedVersion = Corrected package version Severity = CVE severity |
All parameters of this scanner are adjustable via environment variables.
| Variable | Default Value | Required | Description |
|---|---|---|---|
| LOG_LEVEL | info | no | App log level. Supported values: info, warning, debug, fatal, critical. |
| TRIVY_REPORT_DIR | /tmp/trivyreport | no | Temporary location where trivy reports will be saved |
| SCAN_INTERVAL | 43200 | no | Time in seconds of the execution interval |
| HTTP_PORT | 8080 | no | Port where the endpoint will listen |
| TRIVY_BIN_PATH | ./trivy | no | trivy binary path |
| IGNORE_UNFIXED | true | no | hide unfixed vulnerabilities |
| TRIVY_DEBUG | false | no | enable log debug mode from trivy binary |
| TRIVY_PARALLEL_THREADS | 5 | no | number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) |
| TRIVY_CACHE_DIR | /tmp/cache/trivy | no | cache directory |
| TRIVY_CACHE_BACKEND | fs | no | cache type fs or memory |
| TRIVY_SCAN_TIMEOUT | 300s | no | timeout (default 5m0s) for trivy command |
| TRIVY_CMD_SCAN_TIMEOUT | 1200 | no | timeout (default 20m0s) for command OS |
| DB_REPOSITORY | public.ecr.aws/aquasecurity/trivy-db, aquasec/trivy-db, ghcr.io/aquasecurity/trivy-db |
no | db vulnerabilities images (copy from images maintained aquasecurity for revolve issue ratelimit ghcr) |
| JAVA_DB_REPOSITORY | public.ecr.aws/aquasecurity/trivy-java-db,aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db | no | db vulnerabilities images (copy from images maintained aquasecurity for revolve issue ratelimit ghcr) |
| TRIVY_SCAN_COMMUNICATE | no | no | how python's os.exec executes command in bash and gets output log |
Test coverage: 
make testsThe production build is done in Google Build
By creating a new tag, this will sensitize a new build. (the trigger is v. +)
Makefile uses the bumpversion utility to create the tags and push to the git repo.
| Make Option | Action |
|---|---|
| patch | Generates a patch version (X.Y. ** Z **). |
| minor | Generates a minor version (X. ** Y **. Z). |
| major | Ger a major version (** X **. Y.Z). |
| build-dev | local build |
-
Scan of images hosted on quay.io. Quay does not support the registry api v2 so it is not possible to scan these images.
This error can happen with any other registry that does not implement api v2.
See more about this error at: google/go-containerregistry#377