Webhook Integration

Trivy Operator allows you to send reports externally to a webhook as they get produced. This is useful in cases where you would like to "set-and-forget" the operator and monitor the reports elsewhere. It's also useful when you have to make decisions based on a report, e.g. prune a vulnerable image, remove a deployment with exposed secrets etc.

The latter use case can be fulfilled by using a SOAR tool Postee. Out of the box, Postee offers a variety of integrations with other third party services such as ServiceNow, Slack, AWS Security Hub and many more.

You can enable the Webhook integration as follows:

Required: Set OPERATOR_WEBHOOK_BROADCAST_URL to the webhook endpoint you'd like to send the reports to.
Optional: Set OPERATOR_WEBHOOK_BROADCAST_TIMEOUT to a time limit that suites your use case. Default is 30s.
Optional: Set OPERATOR_SEND_DELETED_REPORTS to true to send webhook notifications when reports are deleted. Default is false.
Optional: Set OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS to comma seperated key:value to send webhook notifications with custom headers. Default is ``

The Webhook integration support the following reports types:

vulnerabilityreport
exposedsecretreport
configAuditReport
infraAssessmentReport
rbacAssessmentReport
clusterRbacAssessmentReport
clusterConfigAuditReport
clusterInfraAssessmentReport
clusterComplianceReport
sbomReport