Settings

Trivy Operator reads configuration settings from ConfigMaps, as well as from Secrets that hold confidential settings (such as a GitHub token). Trivy Operator plugins read configuration and secret data from ConfigMaps and Secrets named after the plugin. For example, Trivy configuration is stored in the ConfigMap and Secret named trivy-operator-trivy-config.

You can change the default settings with kubectl patch or kubectl edit commands. For example, by default Trivy displays vulnerabilities with all severity levels (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL). However, you can display only HIGH and CRITICAL vulnerabilities by patching the trivy.severity value in the trivy-operator-trivy-config ConfigMap:

TRIVY_OPERATOR_NAMESPACE=<your trivy operator namespace>
kubectl patch cm trivy-operator-trivy-config -n $TRIVY_OPERATOR_NAMESPACE \
  --type merge \
  -p "$(cat <<EOF
{
  "data": {
    "trivy.severity": "HIGH,CRITICAL"
  }
}
EOF
)"

To set the GitHub token used by Trivy, add the trivy.githubToken value to the trivy-operator-trivy-config Secret:

TRIVY_OPERATOR_NAMESPACE=<your trivy operator namespace>
GITHUB_TOKEN=<your token>
kubectl patch secret trivy-operator-trivy-config -n $TRIVY_OPERATOR_NAMESPACE \
  --type merge \
  -p "$(cat <<EOF
{
  "data": {
    "trivy.githubToken": "$(echo -n "$GITHUB_TOKEN" | base64)"
  }
}
EOF
)"
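The two kubectl patch commands above build their JSON merge patch by hand. The following added example (not part of the Trivy Operator documentation) wraps that into small POSIX shell helpers that handle the two details that commonly break such patches: a value that itself contains JSON (as scanJob.tolerations does) must be quote-escaped, and Secret data must be base64 without line wrapping, which GNU base64 does not guarantee for values longer than 76 characters. The namespace and token values are constructed placeholders.

```shell
# json_escape STRING -> STRING with backslashes and double quotes escaped so it
# can be embedded inside a JSON string literal.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# b64_oneline STRING -> base64 of STRING with no trailing newline and no wrapping.
# GNU base64 wraps at 76 characters; a long token piped through bare `base64`
# would turn into a multi-line value and produce an invalid patch.
b64_oneline() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# cm_patch KEY VALUE -> JSON merge patch that sets data.KEY on a ConfigMap.
cm_patch() {
  printf '{"data":{"%s":"%s"}}' "$(json_escape "$1")" "$(json_escape "$2")"
}

# secret_patch KEY VALUE -> JSON merge patch that sets data.KEY on a Secret,
# with VALUE base64-encoded as the Secret API requires for the data field.
secret_patch() {
  printf '{"data":{"%s":"%s"}}' "$(json_escape "$1")" "$(b64_oneline "$2")"
}

# Demo values (constructed; not a real token or a real cluster setting).
TRIVY_OPERATOR_NAMESPACE="${TRIVY_OPERATOR_NAMESPACE:-<your trivy operator namespace>}"
TOLERATIONS='[{"key":"key1","operator":"Equal","value":"value1","effect":"NoSchedule"}]'
GITHUB_TOKEN='example-token-not-real-0123456789abcdef0123456789abcdef0123456789abcdef'

# Print the generated patches so they can be inspected before applying.
cm_patch scanJob.tolerations "$TOLERATIONS"; echo
secret_patch trivy.githubToken "$GITHUB_TOKEN"; echo

# Against a real cluster (preview first with --dry-run=client -o yaml):
# kubectl patch cm trivy-operator-trivy-config -n "$TRIVY_OPERATOR_NAMESPACE" \
#   --type merge -p "$(cm_patch scanJob.tolerations "$TOLERATIONS")"
# kubectl patch secret trivy-operator-trivy-config -n "$TRIVY_OPERATOR_NAMESPACE" \
#   --type merge -p "$(secret_patch trivy.githubToken "$GITHUB_TOKEN")"
```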

The following table lists the available settings with their default values. Check each plugin's documentation for configuration settings covering common use cases, for example switching Trivy from Standalone to ClientServer mode.

| ConfigMap key | Default | Description |
|---|---|---|
| vulnerabilityReports.scanner | Trivy | The name of the plugin that generates vulnerability reports. Either Trivy or Aqua. |
| vulnerabilityReports.scanJobsInSameNamespace | "false" | Whether to run vulnerability scan jobs in the same namespace as the workload. Set to "true" to enable. |
| configAuditReports.scanner | Polaris | The name of the plugin that generates config audit reports. Either Polaris or Conftest. |
| scanJob.tolerations | N/A | JSON representation of the tolerations to be applied to the scanner pods so that they can run on nodes with matching taints. Example: '[{"key":"key1", "operator":"Equal", "value":"value1", "effect":"NoSchedule"}]' |
| scanJob.annotations | N/A | One-line comma-separated representation of the annotations which the user wants the scanner pods to be annotated with. Example: foo=bar,env=stage will annotate the scanner pods with the annotations foo: bar and env: stage |
| scanJob.templateLabel | N/A | One-line comma-separated representation of the template labels which the user wants the scanner pods to be labeled with. Example: foo=bar,env=stage will label the scanner pods with the labels foo: bar and env: stage |
| kube-bench.imageRef | docker.io/aquasec/kube-bench:v0.6.6 | kube-bench image reference |
| kube-hunter.imageRef | docker.io/aquasec/kube-hunter:0.6.5 | kube-hunter image reference |
| kube-hunter.quick | "false" | Whether to use kube-hunter's "quick" scanning mode (subnet 24). Set to "true" to enable. |
| compliance.failEntriesLimit | "10" | Limit the number of fail entries per control check in the cluster compliance detail report. |

Tip

You can delete a configuration key. For example, the following kubectl patch command deletes the trivy.httpProxy key:

TRIVY_OPERATOR_NAMESPACE=<your trivy operator namespace>
kubectl patch cm trivy-operator-trivy-config -n $TRIVY_OPERATOR_NAMESPACE \
  --type json \
  -p '[{"op": "remove", "path": "/data/trivy.httpProxy"}]'