Details of ConfigAudit

[ilyassikai]

Hello,

Thanks for this exporter.

I need to use ConfigAudit details but it is not possible on the helm (unlike vulnerabilityReports)
configAuditReports:
enabled: true

vulnerabilityReports:
enabled: true
targetLabels:
# - image_namespace
# - image_repository
# - image_tag
# - vulnerability_id

I saw on the controllers that the details are not exposed
var metricLabels = []string{
"report_name",
"resource_name",
"resource_namespace",
"severity",
}

It would be very interesting to add this possibility.

Translated with www.DeepL.com/Translator (free version)

[stone-z]

Hi @ilyassikai, welcome 👋

What is your use case / what would your ideal metrics look like? The ConfigAuditReport controller does not currently expose details like the VulnerabilityReport controller does because we hadn't found them useful yet, but if someone wants to implement it we might be open to aligning the two controllers.

[ilyassikai]

Hi,
My use case, I would like to see the report config details on a readable format
I can export on a json format with trivy k8s but it's not a freindly format.

[stone-z]

In case it helps: If you are running trivy-operator in a cluster, you can also use the reports directly (VulnerabilityReport, ConfigAuditReport) or convert them to PolicyReports and view them nicely with policy-reporter.

As for metrics -- this feature is low priority for our customers' use cases right now, but we are open to accepting contributions adding it.
We are also planning to return to this exporter and expand it to include the new report types supported by Trivy operator. So this project will be getting some new attention soon. We might be able to implement ConfigAuditReport metrics as part of that effort, if there are no contributions first