trivy-dojo-report-operator

The trivy-dojo-report-operator is a Kubernetes operator developed using Kopf and Python. This operator listens for vulnerability reports generated by the Trivy Operator and forwards them to Defect Dojo for further analysis and tracking.

Features

Monitor Kubernetes for new Trivy vulnerability reports.
Push vulnerability reports to a configured Defect Dojo instance.
Seamless integration with your existing Kubernetes cluster and security workflow.
Developed using the Pythonic Kopf framework for easy maintenance and extensibility.

Supported Reports

Vulnerability reports
RBAC Assessment reports
Infra Assessment reports
Config Audit reports
Exposed secrets

Prerequisites

A running Kubernetes cluster (minikube, kind, or another environment)
Trivy Operator installed and configured in the cluster
An instance of Defect Dojo for storing vulnerability reports

Installation and usage

Configure Defect Dojo settings:

Update the variables in the values.yaml to match your Defect Dojo instance configuration, including the environment variables. The options closely match the options in the import-scan API-call found here.

defectDojoApiCredentials:
  apiKey: "YOUR_DEFECTDOJO_API_KEY"
  url: "https://YOUR.DEFECTDOJO.URL"

Deploy the chart from the repository:

helm repo add trivy-dojo-report-operator https://telekom-mms.github.io/trivy-dojo-report-operator/
helm repo update
helm install chart-name trivy-dojo-report-operator/trivy-dojo-report-operator --values your_values.yaml

or deploy the chart manually after cloning the git-repository:

git clone https://github.com/telekom-mms/trivy-dojo-report-operator.git
cd trivy-dojo-report-operator
helm install chart-name charts/

or deploy the trivy-dojo-report-operator using the Kubernetes manifests
- update the secret in the manifest
- apply manifests

kubectl create ns mgmt
kubectl apply -f deploy/trivy-dojo-report-operator.yaml

The operator is now running in your cluster and will monitor for Trivy vulnerability reports and push them to the configured Defect Dojo instance.

Running locally with Docker

You can also run the operator locally. This way you don't have to install anything in your cluster. Just provide the Defect Dojo URL and API-Key and optionally labels to the docker-run command. You also have to mount your kubeconfig into the container to access the cluster.

docker pull ghcr.io/telekom-mms/docker-trivy-dojo-operator

docker run -it -v /path/to/your/.kube/config:/root/.kube/config \
  -e DEFECT_DOJO_API_KEY=$DEFECT_DOJO_API_KEY \
  -e DEFECT_DOJO_URL=$DEFECT_DOJO_URL \
  -e DEFECT_DOJO_PRODUCT_TYPE_NAME="Research and Development" \
  -e LABEL="trivy-operator.resource.name" \
  -e LABEL_VALUE="master-live-server" \
  -e REPORTS="vulnerabilityreports"
  ghcr.io/telekom-mms/docker-trivy-dojo-operator

Configuration

Variable	Default Value	Description
`defectDojoActive`	`"true"`	Override the active setting from the tool.
`defectDojoAutoCreateContext`	`"true"`	Specifies whether to automatically create Engagements, Products and Product_Types
`defectDojoCloseOldFindings`	`"false"`	Select if old findings no longer present in the report get closed as mitigated when importing. If service has been set, only the findings for this service will be closed.
`defectDojoCloseOldFindingsProductScope`	`"false"`	Select if close_old_findings applies to all findings of the same type in the product. By default, it is false meaning that only old findings of the same type in the engagement are in scope.
`defectDojoDeduplicationOnEngagement`	`"true"`	restrict deduplication for imported Findings to the newly created Engagement.
`defectDojoEngagementName`	`engagement`	The name of the engagement in DefectDojo.
`defectDojoEvalEngagementName`	`"false"`	Specifies whether the engagement name should be evaluated as a python function.
`defectDojoEvalProductName`	`"false"`	Specifies whether the product name should be evaluated as a python function.
`defectDojoEvalProductTypeName`	`"false"`	Specifies whether the product type name should be evaluated as a python function.
`defectDojoEvalEnvName`	`"false"`	Specifies whether the enviroment type name should be evaluated as a python function.
`defectDojoEvalTestTitle`	`"false"`	Specifies whether the test title should be evaluated as a python function.
`defectDojoMinimumSeverity`	`Info`	The minimum severity level for findings in DefectDojo.
`defectDojoProductName`	`product`	The name of the product in DefectDojo.
`defectDojoProductTypeName`	``	The type of the product in DefectDojo.
`defectDojoEnvName`	`Development`	The type of the env in DefectDojo.
`defectDojoPushToJira`	`"false"`	Specifies whether findings should be pushed to Jira in DefectDojo.
`defectDojoTestTitle`	`Kubernetes`	The title of the test in DefectDojo.
`defectDojoVerified`	`"false"`	Specifies whether findings should be marked as verified in DefectDojo.
`defectDojoDoNotReactivate`	`"true"`	If true the importing/reimporting will ignore uploaded active findings and not reactivate previously closed findings, while still creating new findings if there are new ones
`reports`	`"vulnerabilityreports"`	Comma-separated list of reports that should be sent to DefectDojo. Possibilities: vulnerabilityreports, rbacassessmentreports, infraassessmentreports, configauditreports, exposedsecretreports

A note on eval

When setting one of the Eval*-settings to true, the corresponding name or title will be run as a python function.

For example, set defectDojoEvalEngagementName to true and defectDojoEngagementName to meta["creationTimestamp"], then the creationTimestamp of the vulnerability Report Resource in Kubernetes will be evaluated and used as the engagement name.

If you set defectDojoEngagementName to body["report"]["artifact"]["tag"], then the engagement will get the name of the specified image-tag.

Metrics

The operator provides a Prometheus metrics endpoint, where successful and failed requests are collected.

Uninstall

To remove the trivy-dojo-report-operator from your cluster, run the following command:

helm uninstall chart-name

Creating new Releases

On push to main
- a new release version is calculated
- versions in all files are automatically updated
- k8s manifests are rendered from the helm chart and updated in deploy/
- a draft release is created
On publish of the release a
- new tag is created
- new release is created
- new container image is built
- new helm chart is published

License

GPLv3

telekom-mms / trivy-dojo-report-operator

readme