ArgoCD Trivy Operator Report Access

[MT5W4FLOP80]

Hi!

I am testing out different Docker and Kubernetes security scanning tools and I came across Trivy Operator. I deployed Trivy Operator as a HELM package via ArgoCD. The deployment in my sandbox environment was successful, however I do not understand on how I can access the scan reports when Trivy Operator is deployed via ArgoCD. Would you be able to give me some pointers? I had a look at the documentation at https://aquasecurity.github.io/trivy/dev/tutorials/kubernetes/gitops/, however I didn't understand on how I can retrieve the scan results. Ideally I would like to retrieve reports periodically and post the results via Slack alerts.

Thank you!

[chen-keinan]

@MT5W4FLOP80 there are various options :

1. kubectl get vulnerabilityreports --all-namespaces -o wide (same for other reports)
2. via grafana and metrics
3. lens-extension
4. webhook

[MT5W4FLOP80]

Hi @chen-keinan!

Thank you for your response.

My understanding is that when a webhook config is set then trivy-operator automatically posts the results in JSON format to the URL specified in the webhook configuration. I specified the webhook in the config as shown below, however I did not receive anything on the listening port.

1. Is it possible that my configuration below is incorrect and lacks some parameters?
2. Also, another question is how can I manually trigger trivy-operator scans when trivy-operator is deployed as Helm package via ArgoCD in Amazon EKS? I am a bit confused when the scans are actually ran in this configuration. When I deployed trivy locally it seemed straightforward since I had access to the kubctl.
3. I also have a question regarding scan reports, my understanding is that the CRDs below should contain scan findings, is that correct? To test the trivy-operator tool, I specified some fake credentials in the helm package configuration of another application within the same K8s cluster, however it seems that trivy-operator did not identify fake creds as exposed credentials. Is my understanding correct that findings are documented in the CRDs below and is my assumption correct that credentials in the HELM configuration would also be picked up by trivy-operator?

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: trivy-operator
  namespace: argocd
spec:
  project: default
  source:
    chart: trivy-operator
    repoURL: https://aquasecurity.github.io/helm-charts/
    targetRevision: 0.10.2
    helm:
      values: |
        trivy:
          ignoreUnfixed: true
        operator:
          OPERATOR_WEBHOOK_BROADCAST_URL: "http://example.com/trivy/webhook"
  destination:
    server: https://kubernetes.default.svc
    namespace: trivy-system
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true

Thank you for your responses!

[chen-keinan]

@MT5W4FLOP80

1. Yes the param key look right (regarding the value it depend on the service accepting it) here is postee example , need to make sure trivy-operator has access to it if there is a problem you should see error in log (Note: only vulnerabilities and exposed secrets are supported now with webhook , we have an issue for it to add other reports Extend webhook to support all report types #918 )
2. When trivy operator is deployed it automatically listen to events and scan resources no need to trigger anything , no manual trigger , on the other hand I do not have much experience with agoCD , maybe you can throw a question in our slack channel there are many users who is argo CD and can help you.
3. expose secret support only expose secrets in side container , we have open issue the support it for resources

Let me know if I can help with something else