
VulnerabilityReport

A VulnerabilityReport represents the latest vulnerabilities found in a container image of a given Kubernetes workload. It consists of a list of OS package and application vulnerabilities together with a summary of those vulnerabilities grouped by severity. For a multi-container workload, trivy-operator creates one VulnerabilityReport per container in the workload's namespace, each with an owner reference pointing at that workload. Reports follow the naming convention <workload kind>-<workload name>-<container name>, with the workload kind written in lower case (for example, replicaset-nginx-6d4cf56db6-nginx).

The following listing shows a sample VulnerabilityReport for the nginx container of the ReplicaSet named nginx-6d4cf56db6 in the default namespace.

apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  name: replicaset-nginx-6d4cf56db6-nginx
  namespace: default
  labels:
    trivy-operator.container.name: nginx
    trivy-operator.resource.kind: ReplicaSet
    trivy-operator.resource.name: nginx-6d4cf56db6
    trivy-operator.resource.namespace: default
    resource-spec-hash: 7cb64cb677
  uid: 8aa1a7cb-a319-4b93-850d-5a67827dfbbf
  ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: false
      controller: true
      kind: ReplicaSet
      name: nginx-6d4cf56db6
      uid: aa345200-cf24-443a-8f11-ddb438ff8659
report:
  artifact:
    repository: library/nginx
    tag: '1.16'
  registry:
    server: index.docker.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.30.0
  summary:
    criticalCount: 2
    highCount: 0
    lowCount: 0
    mediumCount: 0
    unknownCount: 0
  vulnerabilities:
    - fixedVersion: 0.9.1-2+deb10u1
      installedVersion: 0.9.1-2
      links: []
      primaryLink: 'https://avd.aquasec.com/nvd/cve-2019-20367'
      resource: libbsd0
      score: 9.1
      severity: CRITICAL
      target: library/nginx:1.16
      title: ''
      vulnerabilityID: CVE-2019-20367
    - fixedVersion: ''
      installedVersion: 0.6.1-2
      links: []
      primaryLink: 'https://avd.aquasec.com/nvd/cve-2018-25009'
      resource: libwebp6
      score: 9.1
      severity: CRITICAL
      target: library/nginx:1.16
      title: 'libwebp: out-of-bounds read in WebPMuxCreateInternal'
      vulnerabilityID: CVE-2018-25009
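To show how such a report is consumed, here is an added Python example (it is not part of trivy-operator) that loads the sample report above as JSON, the shape `kubectl get vulnerabilityreport <name> -o json` returns, and checks the points made above: that the object name follows <kind>-<name>-<container> with a lowercased kind and agrees with the controller ownerReference and the container label, that the summary counts match the vulnerability list, and which findings can be fixed by rebuilding the image. The sample JSON is constructed from the listing above, and the gate policy in `gate()` (fail on fixable findings at HIGH or above) and all function names are assumptions of the example, not behaviour of the operator.

```python
"""Offline consumer for a trivy-operator VulnerabilityReport.
Added example, not trivy-operator code. SAMPLE_REPORT is a constructed JSON
rendering of the sample report on this page (the shape that
`kubectl get vulnerabilityreport <name> -o json` returns); the policy in
gate() is an assumption, not something the operator enforces.
"""
import json
from collections import Counter

# Most severe first; the index in this tuple is the severity rank.
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
RANK = {s: i for i, s in enumerate(SEVERITIES)}

# Constructed sample input: the replicaset-nginx-6d4cf56db6-nginx report as JSON.
SAMPLE_REPORT = json.loads(r"""
{
  "apiVersion": "aquasecurity.github.io/v1alpha1",
  "kind": "VulnerabilityReport",
  "metadata": {
    "name": "replicaset-nginx-6d4cf56db6-nginx",
    "namespace": "default",
    "labels": {
      "trivy-operator.container.name": "nginx",
      "trivy-operator.resource.kind": "ReplicaSet",
      "trivy-operator.resource.name": "nginx-6d4cf56db6",
      "trivy-operator.resource.namespace": "default"
    },
    "ownerReferences": [
      {"apiVersion": "apps/v1", "controller": true, "kind": "ReplicaSet",
       "name": "nginx-6d4cf56db6", "uid": "aa345200-cf24-443a-8f11-ddb438ff8659"}
    ]
  },
  "report": {
    "artifact": {"repository": "library/nginx", "tag": "1.16"},
    "registry": {"server": "index.docker.io"},
    "scanner": {"name": "Trivy", "vendor": "Aqua Security", "version": "0.30.0"},
    "summary": {"criticalCount": 2, "highCount": 0, "mediumCount": 0,
                "lowCount": 0, "unknownCount": 0},
    "vulnerabilities": [
      {"vulnerabilityID": "CVE-2019-20367", "resource": "libbsd0",
       "installedVersion": "0.9.1-2", "fixedVersion": "0.9.1-2+deb10u1",
       "severity": "CRITICAL", "score": 9.1, "target": "library/nginx:1.16",
       "primaryLink": "https://avd.aquasec.com/nvd/cve-2019-20367", "title": ""},
      {"vulnerabilityID": "CVE-2018-25009", "resource": "libwebp6",
       "installedVersion": "0.6.1-2", "fixedVersion": "",
       "severity": "CRITICAL", "score": 9.1, "target": "library/nginx:1.16",
       "primaryLink": "https://avd.aquasec.com/nvd/cve-2018-25009",
       "title": "libwebp: out-of-bounds read in WebPMuxCreateInternal"}
    ]
  }
}
""")


def report_name(kind, name, container):
    """Object name trivy-operator gives a report: <kind>-<name>-<container>,
    with the workload kind lowercased (ReplicaSet -> replicaset)."""
    return f"{kind.lower()}-{name}-{container}"


def owner_matches_name(report):
    """Cross-check metadata.name against the controller ownerReference and the
    container label, so a report is not attributed to the wrong workload."""
    meta = report["metadata"]
    owners = [o for o in meta.get("ownerReferences", []) if o.get("controller")]
    if len(owners) != 1:
        return False
    container = meta["labels"]["trivy-operator.container.name"]
    return meta["name"] == report_name(owners[0]["kind"], owners[0]["name"], container)


def summary_from_vulns(vulns):
    """Recompute the per-severity summary from the vulnerability list."""
    counts = Counter(v["severity"] for v in vulns)
    return {f"{s.lower()}Count": counts.get(s, 0) for s in SEVERITIES}


def summary_consistent(report):
    """True if report.summary agrees with report.vulnerabilities."""
    body = report["report"]
    return summary_from_vulns(body["vulnerabilities"]) == body["summary"]


def gate(report, max_severity="HIGH"):
    """Assumed policy: fail when a finding at or above max_severity has a
    fixedVersion (the image can be rebuilt without it). Findings with no fix
    are listed separately rather than silently passed: they need a risk
    decision (accept, or change the base image), not a rebuild."""
    fixable, unfixed = [], []
    for v in report["report"]["vulnerabilities"]:
        if RANK.get(v["severity"], RANK["UNKNOWN"]) > RANK[max_severity]:
            continue
        (fixable if v.get("fixedVersion") else unfixed).append(v["vulnerabilityID"])
    return {"passed": not fixable, "fixable": fixable, "unfixed": unfixed}


if __name__ == "__main__":
    print(owner_matches_name(SAMPLE_REPORT), summary_consistent(SAMPLE_REPORT), gate(SAMPLE_REPORT))
```

Run against the sample, the name check and the summary check both hold, and the gate fails because CVE-2019-20367 has a fix in 0.9.1-2+deb10u1 while CVE-2018-25009 is reported as unfixed. Recomputing the summary from the list rather than trusting `report.summary` is the habit worth keeping: anything that reads only the counts will miss a report whose list and summary disagree.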

Note: For various reasons we'll probably change the naming convention to name VulnerabilityReports by image digest (see #288).

Any static vulnerability scanner that is compliant with the VulnerabilityReport schema can be integrated with trivy-operator. You can find the list of available integrations here.