
possible migration to the trivy-operator #12

Open · 1 of 3 tasks
Frankkkkk opened this issue Jun 16, 2022 · 1 comment
Labels: enhancement (New feature or request), question (Further information is requested)

Comments

@Frankkkkk

The trivy-operator is a really recent project (created last month) which seems to be taking off fast. Their goal seems tightly related to kciss.

Among other things, it offers the VulnerabilityReport CRD which represents the trivy vulnerabilities for each of the running images in a cluster. For example:

$ kl get vulnerabilityreports.aquasecurity.github.io  -o wide
NAME                                REPOSITORY       TAG      SCANNER   AGE     CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN
replicaset-nginx-59776c8fb-nginx    library/nginx    1.16     Trivy     105s    37         75     53       116   1
replicaset-nginx-59776c8fb-ubuntu   library/ubuntu   latest   Trivy     105s    0          0      6        15    0

It would be interesting to know how kciss could delegate some of its tasks to the trivy operator (even maybe all of them). AFAIK, the following features of kciss are:

If a task is marked as completed, then it is supported by the trivy operator.

What do you think? I think that we should wait a bit to see where the trivy operator project goes and then either deprecate kciss or convert it to a plugin that would rely on trivy-operator.

@Frankkkkk Frankkkkk added enhancement New feature or request question Further information is requested labels Jun 16, 2022
@JGodin-C2C (Contributor)

Hey there,
So, FYI, this is the kind of report that the exporter actually brings up:

trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Critical"} 5
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="High"} 24
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Low"} 0
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Medium"} 4
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Unknown"} 0

Please note the "name" field, which points to the actual full report in the namespace of the pod.
Also, aquasecurity documents how to use a private registry:
https://aquasecurity.github.io/trivy-operator/v0.0.8/vulnerability-scanning/private-registries/
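As an added example (not code from this thread, kciss or trivy-operator), here is a small Python check that parses exporter lines in the shape quoted above, groups the severity counts per workload and image, and flags workloads that exceed hypothetical Critical/High thresholds; the alpine lines are the ones from the comment, the nginx lines and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict

METRIC = "trivy_vulnerabilityreport_image_vulnerabilities"

# Constructed sample scrape: the alpine samples are the ones quoted in the thread,
# the nginx samples are made up so the policy check has a passing case.
SAMPLE_SCRAPE = """\
# TYPE trivy_vulnerabilityreport_image_vulnerabilities gauge
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Critical"} 5
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="High"} 24
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Low"} 0
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Medium"} 4
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Unknown"} 0
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/nginx",image_tag="1.25",name="replicaset-web-nginx",namespace="prod",severity="Critical"} 0
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/nginx",image_tag="1.25",name="replicaset-web-nginx",namespace="prod",severity="High"} 2
"""

SAMPLE_RE = re.compile(r'^(?P<metric>[A-Za-z_:][\w:]*)\{(?P<labels>[^}]*)\}\s+(?P<value>\S+)$')
LABEL_RE = re.compile(r'([A-Za-z_]\w*)="((?:[^"\\]|\\.)*)"')

def parse_samples(text):
    """Yield (labels, value) for every sample of METRIC in a text-exposition scrape."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and HELP/TYPE comments
        m = SAMPLE_RE.match(line)
        if not m or m.group("metric") != METRIC:
            continue  # other metrics in the scrape are ignored
        labels = dict(LABEL_RE.findall(m.group("labels")))
        yield labels, float(m.group("value"))

def counts_by_workload(text):
    """Group severity counts per (namespace, report name, image reference)."""
    out = defaultdict(dict)
    for labels, value in parse_samples(text):
        image = f'{labels["image_registry"]}/{labels["image_repository"]}:{labels["image_tag"]}'
        out[(labels["namespace"], labels["name"], image)][labels["severity"]] = int(value)
    return dict(out)

def policy_violations(text, max_critical=0, max_high=10):
    """Hypothetical gating policy: workloads whose counts exceed the thresholds."""
    violations = []
    for key, sev in sorted(counts_by_workload(text).items()):
        reasons = []
        if sev.get("Critical", 0) > max_critical:
            reasons.append(f'Critical={sev["Critical"]}>{max_critical}')
        if sev.get("High", 0) > max_high:
            reasons.append(f'High={sev["High"]}>{max_high}')
        if reasons:
            violations.append((key, reasons))
    return violations
```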
