MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Get the Trivy reports from the Image Cleaner? #121314

Closed sheeeng closed 2 months ago

sheeeng commented 6 months ago

Where can I get the Trivy reports from the Image Cleaner?

The documentation does not explain how we get those Trivy reports.


sheeeng commented 6 months ago

According to the documentation...

If you need to trigger another manual cleanup, you have to create a new ImageList or make changes to an existing one.

I have updated the existing ImageList using the following example.

cat <<EOF | kubectl apply -f -
apiVersion: eraser.sh/v1
kind: ImageList
metadata:
  name: imagelist
spec:
  images:
    - docker.io/library/alpine:3.7.3
EOF

But there is not a single Trivy string found in the logs after the ImageList is updated.

for pod in $(kubectl get pods --output json | jq --raw-output '.items[] | select(.metadata.name|contains("eraser")) | .metadata.name') ; do
  echo "$pod"
  kubectl logs "$pod" | grep --ignore-case trivy
done

sheeeng commented 6 months ago
$ kubectl describe configmap --namespace kube-system eraser-manager-config | grep --after-context=10 scanner:
  scanner:
    enabled: true
    image:
      repo: mcr.microsoft.com/oss/eraser/eraser-trivy-scanner
      tag: v1.2.3
    request:
      mem: 500Mi
      cpu: 250m
    limit:
      mem: 2Gi
      # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#how-pods-with-resource-limits-are-run

sheeeng commented 6 months ago

According to Trivy's documentation...

Scan reports are saved as VulnerabilityReport resources, which are owned by a Kubernetes controller.

$ kubectl get vulnerabilityreports.aquasecurity.github.io --all-namespaces
No resources found

PesalaPavan commented 6 months ago

@sheeeng Thanks for your feedback! I've assigned this issue to the author who will investigate and update as appropriate.

CocoWang-wql commented 3 months ago

Image Cleaner doesn't output a Trivy report as eraser doesn't have one. If you want to know the scanner results, you can check the scanner pod logs: kubectl logs -n kube-system -c trivy-scanner (https://learn.microsoft.com/en-us/azure/aks/image-cleaner#how-to-review-images-were-cleaned-up-by-image-cleaner)
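An added helper (not from azure-docs or the eraser project) that applies the answer above: it selects pods in kube-system by the scanner container name `trivy-scanner`, as the maintainer's command does, rather than by a pod-name prefix, and builds the matching `kubectl logs` invocations. The pod and sidecar names in the embedded sample are constructed; the only names taken from the thread are the namespace and `trivy-scanner`.

```python
"""Find Image Cleaner (eraser) scanner containers and build their log commands.

Added example; assumes, as the thread states, that eraser pods run in
kube-system and the scanner runs as a container named "trivy-scanner".
"""
import json
import subprocess
from typing import Dict, List, Tuple

SCANNER_CONTAINER = "trivy-scanner"  # container name given in the thread


def select_scanner_targets(pod_list: Dict) -> List[Tuple[str, str, str]]:
    """Return (namespace, pod, container) for each pod carrying the scanner
    container, from `kubectl get pods -o json` output. Matching on the
    container name does not depend on how the pods happen to be named."""
    targets = []
    for item in pod_list.get("items", []):
        meta = item.get("metadata", {})
        for container in item.get("spec", {}).get("containers", []):
            if container.get("name") == SCANNER_CONTAINER:
                targets.append((meta.get("namespace", "default"), meta["name"], container["name"]))
    return targets


def log_command(namespace: str, pod: str, container: str) -> List[str]:
    """argv for the command from the answer: kubectl logs -n <ns> -c <container> <pod>."""
    return ["kubectl", "logs", "-n", namespace, "-c", container, pod]


# Constructed sample (pod and sidecar names are placeholders, not eraser's real ones):
# one worker pod with the scanner container, one manager pod without it.
SAMPLE_PODS = {
    "items": [
        {"metadata": {"name": "eraser-node-abc12", "namespace": "kube-system"},
         "spec": {"containers": [{"name": "sample-collector"}, {"name": "trivy-scanner"}]}},
        {"metadata": {"name": "eraser-controller-manager-xyz", "namespace": "kube-system"},
         "spec": {"containers": [{"name": "sample-manager"}]}},
    ]
}


def main() -> None:
    # Live run reads the cluster; falls back to the sample when kubectl is unavailable.
    try:
        out = subprocess.run(["kubectl", "get", "pods", "-n", "kube-system", "-o", "json"],
                             check=True, capture_output=True, text=True).stdout
        pods = json.loads(out)
    except (OSError, subprocess.CalledProcessError):
        pods = SAMPLE_PODS
    for ns, pod, container in select_scanner_targets(pods):
        print(" ".join(log_command(ns, pod, container)))


if __name__ == "__main__":
    main()
```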

schaffererin commented 2 months ago

please-close