An instance of the VulnerabilityReport represents the latest vulnerabilities found in a container image of a given Kubernetes workload. It consists of a list of OS package and application vulnerabilities with a summary of vulnerabilities grouped by severity. For a multi-container workload trivy-operator creates one VulnerabilityReport per container in the workload's namespace, with the owner reference set to that workload, so the reports are garbage-collected together with the workload (a Deployment rollout creates a new ReplicaSet and therefore new reports). Each report follows the naming convention `<workload kind>-<workload name>-<container name>`, with the kind lower-cased, e.g. `replicaset-nginx-6d4cf56db6-nginx`.
The following listing shows a sample VulnerabilityReport associated with the ReplicaSet named nginx-6d4cf56db6 in the default namespace that has the
```yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  name: replicaset-nginx-6d4cf56db6-nginx
  namespace: default
  labels:
    trivy-operator.container.name: nginx
    trivy-operator.resource.kind: ReplicaSet
    trivy-operator.resource.name: nginx-6d4cf56db6
    trivy-operator.resource.namespace: default
    resource-spec-hash: 7cb64cb677
  uid: 8aa1a7cb-a319-4b93-850d-5a67827dfbbf
  ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: false
      controller: true
      kind: ReplicaSet
      name: nginx-6d4cf56db6
      uid: aa345200-cf24-443a-8f11-ddb438ff8659
report:
  artifact:
    repository: library/nginx
    tag: '1.16'
  registry:
    server: index.docker.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.30.0
  summary:
    criticalCount: 2
    highCount: 0
    lowCount: 0
    mediumCount: 0
    unknownCount: 0
  vulnerabilities:
    - fixedVersion: 0.9.1-2+deb10u1
      installedVersion: 0.9.1-2
      links: []
      primaryLink: 'https://avd.aquasec.com/nvd/cve-2019-20367'
      resource: libbsd0
      score: 9.1
      severity: CRITICAL
      target: library/nginx:1.21.6
      title: ''
      vulnerabilityID: CVE-2019-20367
    - fixedVersion: ''
      installedVersion: 0.6.1-2
      links: []
      primaryLink: 'https://avd.aquasec.com/nvd/cve-2018-25009'
      resource: libwebp6
      score: 9.1
      severity: CRITICAL
      target: library/nginx:1.16
      title: 'libwebp: out-of-bounds read in WebPMuxCreateInternal'
      vulnerabilityID: CVE-2018-25009
```
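The report is plain structured data, so the checks a consumer usually needs (derive the report name from the workload, confirm the stored `summary` agrees with the vulnerability list, separate findings that already have a fixed package version from those that do not, and find the owning workload) can be written against the JSON form that `kubectl get vulnerabilityreport <name> -o json` returns. The script below is an added example, not trivy-operator code; it embeds a trimmed JSON rendering of the sample report above (constructed from that YAML, with fields not needed here omitted) so that it runs offline, and its function names are its own.

```python
"""Consume a trivy-operator VulnerabilityReport (added example, not project code)."""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed from the page's sample report; fields not used below are omitted.
SAMPLE_REPORT_JSON = """
{
  "apiVersion": "aquasecurity.github.io/v1alpha1",
  "kind": "VulnerabilityReport",
  "metadata": {
    "name": "replicaset-nginx-6d4cf56db6-nginx",
    "namespace": "default",
    "labels": {
      "trivy-operator.container.name": "nginx",
      "trivy-operator.resource.kind": "ReplicaSet",
      "trivy-operator.resource.name": "nginx-6d4cf56db6",
      "trivy-operator.resource.namespace": "default"
    },
    "ownerReferences": [
      {"apiVersion": "apps/v1", "kind": "ReplicaSet",
       "name": "nginx-6d4cf56db6", "controller": true}
    ]
  },
  "report": {
    "artifact": {"repository": "library/nginx", "tag": "1.16"},
    "registry": {"server": "index.docker.io"},
    "summary": {"criticalCount": 2, "highCount": 0, "mediumCount": 0,
                "lowCount": 0, "unknownCount": 0},
    "vulnerabilities": [
      {"vulnerabilityID": "CVE-2019-20367", "resource": "libbsd0",
       "installedVersion": "0.9.1-2", "fixedVersion": "0.9.1-2+deb10u1",
       "severity": "CRITICAL", "score": 9.1},
      {"vulnerabilityID": "CVE-2018-25009", "resource": "libwebp6",
       "installedVersion": "0.6.1-2", "fixedVersion": "",
       "severity": "CRITICAL", "score": 9.1}
    ]
  }
}
"""


def report_name(kind: str, workload: str, container: str) -> str:
    """Name the operator gives the report for one container of a workload:
    <kind, lower-cased>-<workload name>-<container name>."""
    return f"{kind.lower()}-{workload}-{container}"


def load_report(doc: str) -> dict:
    """Parse the JSON form of a report and refuse anything that is not a
    v1alpha1 VulnerabilityReport, so later key accesses are safe."""
    obj = json.loads(doc)
    if (obj.get("apiVersion") != "aquasecurity.github.io/v1alpha1"
            or obj.get("kind") != "VulnerabilityReport"):
        raise ValueError("not a v1alpha1 VulnerabilityReport")
    return obj


def recount_summary(report: dict) -> dict:
    """Recompute report.summary from the vulnerability list. The stored summary
    is derived data; a mismatch means the report was edited or truncated."""
    counts = Counter(v["severity"] for v in report["report"]["vulnerabilities"])
    return {f"{s.lower()}Count": counts.get(s, 0) for s in SEVERITIES}


def summary_is_consistent(report: dict) -> bool:
    return recount_summary(report) == report["report"]["summary"]


def fixable(report: dict) -> list:
    """IDs of findings for which the distribution ships a fixed package version.
    fixedVersion is the empty string when no fix is available yet, which is the
    case worth tracking separately from findings a rebuild would remove."""
    vulns = report["report"]["vulnerabilities"]
    return [v["vulnerabilityID"] for v in vulns if v["fixedVersion"]]


def image_ref(report: dict) -> str:
    """Registry/repository:tag of the scanned image, from report.artifact and report.registry."""
    art = report["report"]["artifact"]
    return f"{report['report']['registry']['server']}/{art['repository']}:{art['tag']}"


def owner_workload(report: dict) -> tuple:
    """(kind, name) of the controlling owner; the report is garbage-collected with it."""
    for ref in report["metadata"].get("ownerReferences", []):
        if ref.get("controller"):
            return ref["kind"], ref["name"]
    raise ValueError("report has no controller owner reference")


def main() -> None:
    rep = load_report(SAMPLE_REPORT_JSON)
    labels = rep["metadata"]["labels"]
    expected = report_name(labels["trivy-operator.resource.kind"],
                           labels["trivy-operator.resource.name"],
                           labels["trivy-operator.container.name"])
    print("name matches convention:", expected == rep["metadata"]["name"])
    print("image:", image_ref(rep), "owner:", owner_workload(rep))
    print("summary consistent:", summary_is_consistent(rep))
    print("fixable:", fixable(rep))


if __name__ == "__main__":
    main()
```

Against the sample, only CVE-2019-20367 is fixable (libbsd0 has 0.9.1-2+deb10u1), while CVE-2018-25009 in libwebp6 has no fixed version, so rebuilding the image on a patched base would clear the first but not the second. The same functions work on the output of `kubectl get vulnerabilityreports -A -o json` by iterating over `.items`.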
For various reasons we'll probably change the naming convention to name VulnerabilityReports by image digest (see #288).
Any static vulnerability scanner that is compliant with the VulnerabilityReport schema can be integrated with trivy-operator. You can find the list of available integrations here.