VulnerabilityReport

An instance of the VulnerabilityReport represents the latest vulnerabilities found in a container image of a given Kubernetes workload. It consists of a list of OS package and application vulnerabilities with a summary of vulnerabilities grouped by severity. For a multi-container workload, trivy-operator creates multiple instances of VulnerabilityReports in the workload's namespace with the owner reference set to that workload. Each report follows the naming convention `<workload kind>-<workload name>-<container-name>`.
The following listing shows a sample VulnerabilityReport associated with the ReplicaSet named nginx-6d4cf56db6 in the default namespace that has the nginx container.
```yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  name: replicaset-nginx-6d4cf56db6-nginx
  namespace: default
  labels:
    trivy-operator.container.name: nginx
    trivy-operator.resource.kind: ReplicaSet
    trivy-operator.resource.name: nginx-6d4cf56db6
    trivy-operator.resource.namespace: default
    resource-spec-hash: 7cb64cb677
  uid: 8aa1a7cb-a319-4b93-850d-5a67827dfbbf
  ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: false
      controller: true
      kind: ReplicaSet
      name: nginx-6d4cf56db6
      uid: aa345200-cf24-443a-8f11-ddb438ff8659
report:
  artifact:
    repository: library/nginx
    tag: '1.16'
  registry:
    server: index.docker.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.16.0
  summary:
    criticalCount: 2
    highCount: 0
    lowCount: 0
    mediumCount: 0
    unknownCount: 0
  vulnerabilities:
    - fixedVersion: 0.9.1-2+deb10u1
      installedVersion: 0.9.1-2
      links: []
      primaryLink: 'https://avd.aquasec.com/nvd/cve-2019-20367'
      resource: libbsd0
      score: 9.1
      severity: CRITICAL
      title: ''
      vulnerabilityID: CVE-2019-20367
    - fixedVersion: ''
      installedVersion: 0.6.1-2
      links: []
      primaryLink: 'https://avd.aquasec.com/nvd/cve-2018-25009'
      resource: libwebp6
      score: 9.1
      severity: CRITICAL
      title: 'libwebp: out-of-bounds read in WebPMuxCreateInternal'
      vulnerabilityID: CVE-2018-25009
```
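As an added example (not trivy-operator's own code), the following Python helpers triage a report of this shape: they resolve the scanned workload from the `trivy-operator.*` labels instead of splitting the report name, verify that the `summary` block agrees with the `vulnerabilities` list, and pull out the findings that already have a `fixedVersion`. The input is assumed to be the report as a dict, for example loaded from `kubectl get vulnerabilityreport <name> -n <namespace> -o json`; the embedded sample is the listing above, constructed here and cut down to the fields used.

```python
"""Triage helpers for trivy-operator VulnerabilityReport objects (added example,
not trivy-operator code). Input is the report as a dict, e.g. json.load() of
`kubectl get vulnerabilityreport <name> -n <namespace> -o json`."""
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Constructed input: the page's sample report, cut down to the fields used here.
SAMPLE_REPORT = {
    "metadata": {
        "name": "replicaset-nginx-6d4cf56db6-nginx",
        "labels": {"trivy-operator.container.name": "nginx",
                   "trivy-operator.resource.kind": "ReplicaSet",
                   "trivy-operator.resource.name": "nginx-6d4cf56db6",
                   "trivy-operator.resource.namespace": "default"}},
    "report": {
        "summary": {"criticalCount": 2, "highCount": 0, "mediumCount": 0,
                    "lowCount": 0, "unknownCount": 0},
        "vulnerabilities": [
            {"vulnerabilityID": "CVE-2019-20367", "resource": "libbsd0",
             "installedVersion": "0.9.1-2", "fixedVersion": "0.9.1-2+deb10u1",
             "severity": "CRITICAL"},
            {"vulnerabilityID": "CVE-2018-25009", "resource": "libwebp6",
             "installedVersion": "0.6.1-2", "fixedVersion": "",
             "severity": "CRITICAL"}]}}

def workload_of(report):
    """Identify the scanned workload and container from the labels rather than
    by splitting the '<kind>-<name>-<container>' report name: both the workload
    name and the container name may themselves contain '-'."""
    labels = report["metadata"]["labels"]
    return (labels["trivy-operator.resource.kind"],
            labels["trivy-operator.resource.name"],
            labels["trivy-operator.container.name"])

def recount(report):
    """Recompute the per-severity summary from the vulnerability list."""
    counts = {s.lower() + "Count": 0 for s in SEVERITY_RANK}
    for v in report["report"]["vulnerabilities"]:
        counts[v["severity"].lower() + "Count"] += 1
    return counts

def summary_consistent(report):
    """True when the summary block agrees with the detailed findings."""
    return recount(report) == report["report"]["summary"]

def fixable(report, min_severity="HIGH"):
    """Findings at or above min_severity that already have a fixed package
    version: rebuilding the image on a patched base closes these first."""
    floor = SEVERITY_RANK[min_severity]
    return [(v["vulnerabilityID"], v["resource"], v["fixedVersion"])
            for v in report["report"]["vulnerabilities"]
            if SEVERITY_RANK[v["severity"]] >= floor and v["fixedVersion"]]
```

On the sample, only CVE-2019-20367 (libbsd0) is fixable; CVE-2018-25009 has no fixed version yet and needs a different mitigation or acceptance decision.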
Note: For various reasons we'll probably change the naming convention to name VulnerabilityReports by image digest (see #288).
Any static vulnerability scanner that is compliant with the VulnerabilityReport schema can be integrated with trivy-operator. You can find the list of available integrations here.