trivy-vulnerability-exporter

A Prometheus Exporter that collects all vulnerabilities detected by aquasecurity/trivy in kubernetes clusters.

Inspirated by kube-trivy-expoter.

This exporter is written on top of cobra library and trivy cli.

Grafana dashboards

Dashboard 1: Vulnerabilities overview

• Download directly from grafana here

• Or check the repo here

Dashboard 2: Image vulnerabilities

• Download directly from grafana here

• Or check the repo here

Dashboard 3: Vulnerabilities by CVE

• Download directly from grafana here

• Or check the repo here

Requirements

• Kubernetes cluster
• Install the exporter using helm to setup the RBAC
• Prometheus
• Grafana

Install the exporter

• Access the helm repository here for more details abount installation process.

Add trivy vulnerability exporter repository

helm repo add helm-trivy-vulnerability-exporter https://lucasafonsokremer.github.io/helm-trivy-vulnerability-exporter

Install trivy vulnerability exporter chart

helm upgrade -i trivyvulnerabilityexporter helm-trivy-vulnerability-exporter/trivyvulnerabilityexporter

Install trivy vulnerability exporter chart with custom values

helm upgrade -i trivyvulnerabilityexporter helm-trivy-vulnerability-exporter/trivyvulnerabilityexporter -f values-custom.yaml

Image Scan

Image Scan scans for vulnerabilities in container images of workloads deployed in kubernetes.

trivy_image_vulnerabilities

Node Scan

Image Scan scans vulnerabilities of the nodes of kuberntes cluster.

trivy_node_vulnerabilities

Development Environment

• You could upgrade trivy version on the Dockerfile:

ENV TRIVYVERSION=v0.22.0

• After that, import the new trivy library:

go get github.com/aquasecurity/trivy@v0.22.0
go mod tidy

ToDo

• Create liveness and readiness probes
• Support different namespace
• Add tolerations
• Bump golang version
• Bump trivy version
• Create a makefile for development environment
• Improve the unit tests