Trivy
The trivy scraper uses Trivy to scan for security vulnerabilities and misconfigurations in your configuration. At the moment, only Kubernetes objects can be scanned.
trivy-scraper.yaml

```yaml
apiVersion: configs.flanksource.com/v1
kind: ScrapeConfig
metadata:
  name: trivy-scraper
spec:
  trivy:
    - version: '0.40.0'
      kubernetes:
        namespace: production
```
Unlike other scrapers, this one does not scrape new config items; it looks for security vulnerabilities in configs that have already been scraped. When configured to scan a Kubernetes cluster, the scraper maps every vulnerability it finds to the corresponding config item, so the findings show up as insights on that item rather than as separate objects.
Fig: Config Insights generated by Trivy Scraper
Fig: A detailed view of the analysis on the postgres container
Scraper
Field | Description | Scheme | Required |
---|---|---|---|
logLevel | Specify the level of logging. | string | |
schedule | Specify the interval to scrape in cron format. Defaults to every 60 minutes. | string | |
trivy | Specifies the list of Trivy configurations to scrape. | []Trivy | |
Trivy
Field | Description | Scheme | Required |
---|---|---|---|
compliance | Compliance report to generate (k8s-nsa, k8s-cis, k8s-pss-baseline, k8s-pss-restricted). | string | |
ignoredLicenses | Specify a list of licenses to ignore. | []string | |
ignoreUnfixed | Ignore vulnerabilities that have no fix available yet, i.e. display only fixed vulnerabilities. | bool | |
kubernetes | Specify the Trivy options used to scan Kubernetes objects. | K8sOptions | true |
licenseFull | Eagerly look for licenses in source code headers and license files. | bool | |
scanners | Scanners to use. | []string | |
severity | Severities of security issues to be displayed (comma separated). Default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL". | string | |
timeout | Trivy timeout. | string | |
version | Specify the Trivy version to use. Default: 0.40.0. | string | |
vulnType | Vulnerability types to scan for (comma separated). Default: "os,library". | string | |
K8sOptions
K8sOptions consist of a selected few flags that are passed through to trivy when it scans a Kubernetes cluster.

Field | Description | Scheme | Required |
---|---|---|---|
components | Specify which components to scan. Default: workload, infra. | []string | |
kubeconfig | Specify the kubeconfig file path to use, either as a static value or as a JSONPath expression. | string | |
namespace | Specify a namespace to scan. | string | true |
context | Specify a kubeconfig context to scan. | string | |
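The fields in the three tables above combine into a single ScrapeConfig. The following is an added example, not taken from the project's own docs, showing a tuned production scan: it runs every six hours rather than every 60 minutes, keeps only HIGH and CRITICAL findings that already have a fix, and restricts the scan to workloads in one namespace of one cluster context. The context name `prod-cluster` is hypothetical, and the scanner names `vuln` and `misconfig` are assumed to be Trivy's own `--scanners` values passed through unchanged.

```yaml
apiVersion: configs.flanksource.com/v1
kind: ScrapeConfig
metadata:
  name: trivy-scraper-production
spec:
  # Scraper-level field: cron format, here every six hours instead of the default 60 minutes.
  schedule: "0 */6 * * *"
  trivy:
    - version: '0.40.0'
      # Keep only actionable findings: HIGH/CRITICAL severity with a fix available.
      severity: "HIGH,CRITICAL"
      ignoreUnfixed: true
      # Scanner names are assumed to be Trivy's own --scanners values.
      scanners:
        - vuln
        - misconfig
      vulnType: "os,library"
      # Bound the scan so a slow cluster does not block the scrape schedule.
      timeout: "10m"
      # Also produce a CIS benchmark report for the cluster.
      compliance: k8s-cis
      kubernetes:
        # Hypothetical kubeconfig context; namespace is the only required field.
        context: prod-cluster
        namespace: production
        # Only scan workloads; skip the infra (control-plane) components.
        components:
          - workload
```

Note that `severity` and `vulnType` are single comma-separated strings while `scanners` and `components` are lists; mixing the two forms up is the most common way to end up with a config that validates but silently scans less than intended. Start with `ignoreUnfixed: false` during the first run to see the full picture, then enable it once the unfixable backlog is understood.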