Skip to main content

Trivy

The trivy scraper uses Trivy to scan for security vulnerabilities & misconfigurations in your configuration. At the moment, there's only support for scanning Kubernetes objects.

trivy-scraper.yaml
apiVersion: configs.flanksource.com/v1
kind: ScrapeConfig
metadata:
  name: trivy-scraper
spec:
  trivy:
    - version: "0.40.0"
      ignoreUnfixed: true
      severity:
        - critical
        - high
      scanners:
        - config
        - license
        - rbac
        - secret
        - vuln
      kubernetes: {}
      timeout: "20m" # Increased from the default 5m timeout

Unlike other scrapers, this one does not scape new configs but rather look for security vulnerabilities in the existing configs. This scrapper, if configured to scan a kubernetes cluster, will map all the found vulnerabilities to the corresponding config item.

Config Insights generated by Trivy Scraper Fig: Config Insights generated by Trivy Scraper

Config Insights generated by Trivy Scraper Fig: A detailed view of the analysis on the postgres container

Scraper

FieldDescriptionSchemeRequired
logLevelSpecify the level of logging.string
scheduleSpecify the interval to scrape in cron format. Defaults to every 60 minutes.string
trivySpecifies the list of Trivy configurations to scrape.[]Trivy

Trivy

FieldDescriptionSchemeRequired
compliancecompliance report to generates(k8s-nsa, k8s-cis, k8s-pss-baseline, k8s-pss-restricted).string
ignoredLicensesspecify a list of license to ignore.[]string
ignoreUnfixeddisplay only fixed vulnerabilities.bool
kubernetesSpecify the trivy option to scan kubernetes objects.K8sOptionstrue
licenseFulleagerly look for licenses in source code headers and license files.bool
scannersScanners to use.[]string
severityseverities of security issues to be displayed s(comma separated)(default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL").string
timeoutTrivy timeoutstring
versionSpecify the Trivy version to use. (default 0.40.0)string
vulnTypecomma-separated list of vulnerability types s(comma separated)(default "os,library").string

K8sOptions

Trivy Options consist of selected few flags that are passed on to trivy.

| Field | Description | Scheme | Required | | ------------ | -------------------------------------------------------------------------------------- | ---------- | -------- | --- | | components | Specify which components to scan*(default workload, infra).* | []string | | s | | kubeconfig | Specify the kubeconfig file path to use as a static value or as a JSONPath expression. | string | | s | | namespace | Specify a namespace to scan. | string | true | | context | Specify a context to scan. | string | | s | import from "@flanksource/icons/mi"