fix: enable vulnerability ttl and scan active replicaset by default (#…

…394)

* fix: enable vulnerability ttl and scan active replicaset by default

Signed-off-by: chenk <hen.keinan@gmail.com>

* fix: enable vulnerability ttl and scan active replicaset by default

Signed-off-by: chenk <hen.keinan@gmail.com>

* docs: scan only current revisions

Signed-off-by: chenk <hen.keinan@gmail.com>

deploy/helm/values.yaml

@@ -40,7 +40,7 @@ operator:
   # vulnerabilityScannerEnabled the flag to enable vulnerability scanner
   vulnerabilityScannerEnabled: true
   # vulnerabilityScannerReportTTL the flag to set how long a vulnerability report should exist. "" means that the vulnerabilityScannerReportTTL feature is disabled
-  vulnerabilityScannerReportTTL: ""
+  vulnerabilityScannerReportTTL: "24h"
   # configAuditScannerEnabled the flag to enable configuration audit scanner
   configAuditScannerEnabled: true
   # rbacAssessmentScannerEnabled the flag to enable rbac assessment scanner
@@ -52,9 +52,9 @@ operator:
   # batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed.
   batchDeleteLimit: 10
   # vulnerabilityScannerScanOnlyCurrentRevisions the flag to only create vulnerability scans on the current revision of a deployment.
-  vulnerabilityScannerScanOnlyCurrentRevisions: false
+  vulnerabilityScannerScanOnlyCurrentRevisions: true
   # configAuditScannerScanOnlyCurrentRevisions the flag to only create config audit scans on the current revision of a deployment.
-  configAuditScannerScanOnlyCurrentRevisions: false
+  configAuditScannerScanOnlyCurrentRevisions: true
   # batchDeleteDelay the duration to wait before deleting another batch of config audit reports.
   batchDeleteDelay: 10s
 

deploy/static/trivy-operator.yaml

@@ -1275,15 +1275,15 @@ spec:
             - name: OPERATOR_VULNERABILITY_SCANNER_ENABLED
               value: "true"
             - name: OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
-              value: "false"
+              value: "true"
             - name: OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL
-              value: ""
+              value: "24h"
             - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED
               value: "true"
             - name: OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED
               value: "true"
             - name: OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
-              value: "false"
+              value: "true"
             - name: OPERATOR_CLUSTER_COMPLIANCE_ENABLED
               value: "false"
           ports:

docs/operator/configuration.md

@@ -21,10 +21,10 @@ You can configure Trivy-Operator to control it's behavior and adapt it to your n
 | `OPERATOR_VULNERABILITY_SCANNER_ENABLED`| `true`                | The flag to enable vulnerability scanner                                                                                                                                                                    |
 | `OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED`| `false`               | The flag to enable configuration audit scanner                                                                                                                                                              |
 | `OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED`| `true`                | The flag to enable rbac assessment scanner                                                                                                                                                                  |
-| `OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS`| `false`               | The flag to enable config audit scanner to only scan the current revision of a deployment                                                                                                                   |
+| `OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS`| `true`               | The flag to enable config audit scanner to only scan the current revision of a deployment                                                                                                                   |
 | `OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN`| `true`                | The flag to enable built-in configuration audit scanner                                                                                                                                                     |
-| `OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS`| `false`               | The flag to enable vulnerability scanner to only scan the current revision of a deployment                                                                                                                  |
-| `OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL`| `""`                  | The flag to set how long a vulnerability report should exist. When a old report is deleted a new one will be created by the controller. It can be set to `""` to disabled the TTL for vulnerability scanner. |
+| `OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS`| `true`               | The flag to enable vulnerability scanner to only scan the current revision of a deployment                                                                                                                  |
+| `OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL`| `"24h"`                  | The flag to set how long a vulnerability report should exist. When a old report is deleted a new one will be created by the controller. It can be set to `""` to disabled the TTL for vulnerability scanner. |
 | `OPERATOR_LEADER_ELECTION_ENABLED`| `false`               | The flag to enable operator replica leader election                                                                                                                                                         |
 | `OPERATOR_LEADER_ELECTION_ID`| `trivy-operator-lock` | The name of the resource lock for leader election                                                                                                                                                           |
 

docs/operator/quick-start.md

@@ -108,14 +108,14 @@ previous ReplicaSet named `nginx-78449c65d4` is deleted the VulnerabilityReport
 as well as the ConfigAuditReport named `replicaset-nginx-78449c65d46` are automatically garbage collected.
 
 !!! tip
-If you only want the latest ReplicaSet in your Deployment to be scanned for vulnerabilities, you can set the value
-of the `OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS` environment variable to `true` in the operator's
-deployment descriptor. This is useful to identify vulnerabilities that impact only the running workloads.
+If you do not want only the latest ReplicaSet in your Deployment to be scanned for vulnerabilities, you can set the value
+of the `OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS` environment variable to `false` in the operator's
+deployment descriptor.
 
 !!! tip
-If you only want the latest ReplicaSet in your Deployment to be scanned for config audit, you can set the value
-of the `OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS` environment variable to `true` in the operator's
-deployment descriptor. This is useful to identify config issues that impact only the running workloads.
+If you do not want only the latest ReplicaSet in your Deployment to be scanned for config audit, you can set the value
+of the `OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS` environment variable to `false` in the operator's
+deployment descriptor.
 
 !!! tip
 You can get and describe `vulnerabilityreports` and `configauditreports` as built-in Kubernetes objects:
@@ -176,9 +176,10 @@ No resources found in default namespace.
 Use `vuln` and `configaudit` as short names for `vulnerabilityreports` and `configauditreports` resources.
 
 !!! Note
-You can define the validity period for VulnerabilityReports by setting the duration as the value of the
-`OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL` environment variable. For example, setting the value to `24h`
-would delete reports after 24 hours. When a VulnerabilityReport gets deleted Trivy-Operator will automatically
+The validity period for VulnerabilityReports by setting the duration as the value of the
+`OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL` environment variable. The value is set to `24h` by default.
+
+The reports wil be deleted after 24 hours. When a VulnerabilityReport gets deleted Trivy-Operator will automatically rescan the resource.
 
 
 

pkg/operator/etc/config.go

@@ -25,12 +25,12 @@ type Config struct {
 	HealthProbeBindAddress                       string         `env:"OPERATOR_HEALTH_PROBE_BIND_ADDRESS" envDefault:":9090"`
 	CISKubernetesBenchmarkEnabled                bool           `env:"OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED" envDefault:"false"`
 	VulnerabilityScannerEnabled                  bool           `env:"OPERATOR_VULNERABILITY_SCANNER_ENABLED" envDefault:"true"`
-	VulnerabilityScannerScanOnlyCurrentRevisions bool           `env:"OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS" envDefault:"false"`
-	VulnerabilityScannerReportTTL                *time.Duration `env:"OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL"`
+	VulnerabilityScannerScanOnlyCurrentRevisions bool           `env:"OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS" envDefault:"true"`
+	VulnerabilityScannerReportTTL                *time.Duration `env:"OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL" envDefault:"24h"`
 	ClusterComplianceEnabled                     bool           `env:"OPERATOR_CLUSTER_COMPLIANCE_ENABLED" envDefault:"false"`
 	ConfigAuditScannerEnabled                    bool           `env:"OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED" envDefault:"true"`
 	RbacAssessmentScannerEnabled                 bool           `env:"OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED" envDefault:"true"`
-	ConfigAuditScannerScanOnlyCurrentRevisions   bool           `env:"OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS" envDefault:"false"`
+	ConfigAuditScannerScanOnlyCurrentRevisions   bool           `env:"OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS" envDefault:"true"`
 	LeaderElectionEnabled                        bool           `env:"OPERATOR_LEADER_ELECTION_ENABLED" envDefault:"false"`
 	LeaderElectionID                             string         `env:"OPERATOR_LEADER_ELECTION_ID" envDefault:"trivyoperator-lock"`
 }