Open Frankkkkk opened 2 years ago
Hey there. So, FYI, this is the kind of report that the exporter actually brings up:
```
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Critical"} 5
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="High"} 24
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Low"} 0
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Medium"} 4
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Unknown"} 0
```
Please note the `name` field, which points to the actual full report in the namespace of the pod.

Also, aquasecurity documents how to use a private registry:
https://aquasecurity.github.io/trivy-operator/v0.0.8/vulnerability-scanning/private-registries/
The trivy-operator is a really recent project (created last month) which seems to be taking off fast. Their goal seems tightly related to kciss.
Among other things, it offers the `VulnerabilityReport` CRD, which represents the trivy vulnerabilities for each of the running images in a cluster. For example:

It would be interesting to know how kciss could delegate some of its tasks to the trivy operator (even maybe all of them). AFAIK, the following features of kciss are:

- [ ] Ability to offer metrics as a prometheus exporter: https://github.com/aquasecurity/trivy-operator/issues/78
If a task is marked as completed, then it is supported by the trivy operator.
What do you think? I think that we should wait a bit to see where the trivy operator project goes and then either deprecate kciss or convert it to a plugin that would rely on trivy-operator.
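As an added example (not part of this issue, kciss, or the trivy-operator project), the following Python parses exporter output in the Prometheus text format shown above, groups the per-severity counts by `(namespace, name)` so they map back to the `VulnerabilityReport` object, and flags reports whose Critical/High counts exceed a threshold. It assumes only the metric name and label set shown in the issue; the two lines for `pod-clean-nginx` in namespace `prod` are constructed sample data added so the grouping is visible.

```python
import re
from collections import defaultdict

# The five lines from the issue, plus two constructed lines for a second pod
# ("pod-clean-nginx" in namespace "prod") so that grouping can be observed.
SAMPLE_METRICS = """\
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Critical"} 5
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="High"} 24
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Low"} 0
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Medium"} 4
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/alpine",image_tag="3.14.0",name="pod-critical-sleep",namespace="deleteme",severity="Unknown"} 0
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/nginx",image_tag="1.25",name="pod-clean-nginx",namespace="prod",severity="Critical"} 0
trivy_vulnerabilityreport_image_vulnerabilities{image_digest="",image_registry="index.docker.io",image_repository="library/nginx",image_tag="1.25",name="pod-clean-nginx",namespace="prod",severity="High"} 0
"""

METRIC_NAME = "trivy_vulnerabilityreport_image_vulnerabilities"

# One sample line: metric{label="value",...} <number>
SAMPLE_RE = re.compile(
    r'^(?P<metric>[A-Za-z_:][A-Za-z0-9_:]*)\{(?P<labels>[^}]*)\}\s+(?P<value>\S+)$'
)
# One label pair; values may contain escaped quotes, backslashes and newlines.
LABEL_RE = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)="(?P<val>(?:[^"\\]|\\.)*)"')


def _unescape(value):
    """Undo the Prometheus text-format escapes (\\n, \\", \\\\) in one pass."""
    return re.sub(r'\\(.)', lambda m: {"n": "\n"}.get(m.group(1), m.group(1)), value)


def parse_metrics(text, metric=METRIC_NAME):
    """Return a list of (labels, value) samples for the given metric name."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and HELP/TYPE comments
            continue
        m = SAMPLE_RE.match(line)
        if not m or m.group("metric") != metric:
            continue
        labels = {lm.group("key"): _unescape(lm.group("val"))
                  for lm in LABEL_RE.finditer(m.group("labels"))}
        samples.append((labels, int(float(m.group("value")))))
    return samples


def severity_counts(samples):
    """Group samples by (namespace, report name) -> {severity: count}."""
    counts = defaultdict(dict)
    for labels, value in samples:
        key = (labels.get("namespace", ""), labels.get("name", ""))
        counts[key][labels.get("severity", "Unknown")] = value
    return dict(counts)


def image_ref(labels):
    """Rebuild the scanned image reference from the registry/repository/tag labels."""
    ref = f'{labels["image_registry"]}/{labels["image_repository"]}:{labels["image_tag"]}'
    if labels.get("image_digest"):
        ref += "@" + labels["image_digest"]
    return ref


def reports_exceeding(counts, max_critical=0, max_high=0):
    """Sorted (namespace, name) keys whose Critical or High count is above the allowed maximum."""
    return sorted(
        key for key, sev in counts.items()
        if sev.get("Critical", 0) > max_critical or sev.get("High", 0) > max_high
    )


if __name__ == "__main__":
    counts = severity_counts(parse_metrics(SAMPLE_METRICS))
    for ns, name in reports_exceeding(counts):
        print(f"{ns}/{name}: {counts[(ns, name)]}")
```

The `(namespace, name)` key is what you would use to `kubectl get vulnerabilityreport -n <namespace> <name>` for the full finding list; `reports_exceeding` is the same condition you would otherwise express as a PromQL alert over `severity="Critical"` or `severity="High"`.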