The trivy-dojo-report-operator is a Kubernetes operator developed using Kopf and Python. This operator listens for vulnerability reports generated by the Trivy Operator and forwards them to Defect Dojo for further analysis and tracking.
- Monitor Kubernetes for new Trivy vulnerability reports.
- Push vulnerability reports to a configured Defect Dojo instance.
- Seamless integration with your existing Kubernetes cluster and security workflow.
- Developed using the Pythonic Kopf framework for easy maintenance and extensibility.
- A running Kubernetes cluster (minikube, kind, or another environment)
- Trivy Operator installed and configured in the cluster
- An instance of Defect Dojo for storing vulnerability reports
- Clone this repository:

```bash
git clone https://github.com/telekom-mms/trivy-dojo-report-operator.git
cd trivy-dojo-report-operator
```
- Configure Defect Dojo settings:

Update the environment variables in the secret manifest to match your Defect Dojo instance configuration:

```yaml
data:
  url: "https://your.defectdojo.instance"
  api-key: "your_defect_dojo_api_key"
```

Replace https://your.defectdojo.instance with the URL of your Defect Dojo instance, and your_defect_dojo_api_key with your API key.

Change the environment variables in the deployment manifest to your liking. The options closely match the parameters of the import-scan API call found here.
- Deploy the trivy-dojo-report-operator:

```bash
kubectl apply -f deploy/
```
- Configure Defect Dojo settings for the Helm chart:

Update the variables in the values.yaml to match your Defect Dojo instance configuration:

```yaml
defectDojoApiCredentials:
  apiKey: "your_defect_dojo_api_key"
  url: "https://your.defectdojo.instance"
```
- Deploy the chart from the repository:

```bash
helm repo add trivy-dojo-report-operator https://telekom-mms.github.io/trivy-dojo-report-operator/
helm install chart-name trivy-dojo-report-operator/trivy-dojo-report-operator
```

- Deploy the chart manually after cloning the git repository:

```bash
helm install chart-name charts/
```
The operator is now running in your cluster and will monitor for Trivy vulnerability reports and push them to the configured Defect Dojo instance.
You can also run the operator locally. This way you don't have to install anything in your cluster. Just provide the Defect Dojo URL and API key, and optionally a label and label value to filter reports, to the docker run command. You also have to mount your kubeconfig into the container so the operator can access the cluster.

```bash
docker pull ghcr.io/telekom-mms/docker-trivy-dojo-operator
docker run -it \
  -v /path/to/your/.kube/config:/root/.kube/config \
  -e DEFECT_DOJO_API_KEY=$DEFECT_DOJO_API_KEY \
  -e DEFECT_DOJO_URL=$DEFECT_DOJO_URL \
  -e LABEL="trivy-operator.resource.name" \
  -e LABEL_VALUE="master-live-server" \
  ghcr.io/telekom-mms/docker-trivy-dojo-operator
```

The operator provides a Prometheus metrics endpoint, where successful and failed requests are collected.
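To illustrate what such an operator does internally (this is an added example, not the project's own code), the following Kopf handler watches Trivy Operator VulnerabilityReport objects, applies the LABEL/LABEL_VALUE filter from the environment, and assembles the multipart request for Defect Dojo's import-scan endpoint. The CRD coordinates, the scan type "Trivy Operator Scan", the `Token` authorization header and the use of `requests` for the POST are assumptions about the Trivy Operator and Defect Dojo APIs, not taken from this page.

```python
"""Added example: forward Trivy Operator VulnerabilityReports to Defect Dojo."""
import json
import os

try:
    import kopf  # only needed when running as an operator in a cluster
except ImportError:  # the pure functions below can be used (and tested) without it
    kopf = None

DEFECT_DOJO_URL = os.environ.get("DEFECT_DOJO_URL", "https://your.defectdojo.instance")
DEFECT_DOJO_API_KEY = os.environ.get("DEFECT_DOJO_API_KEY", "your_defect_dojo_api_key")
LABEL = os.environ.get("LABEL", "")          # empty string: forward every report
LABEL_VALUE = os.environ.get("LABEL_VALUE", "")


def report_selected(body, label=LABEL, label_value=LABEL_VALUE):
    """True when no label filter is configured or the report carries label=label_value."""
    if not label:
        return True
    return body.get("metadata", {}).get("labels", {}).get(label) == label_value


def build_import_scan(body, url=DEFECT_DOJO_URL, api_key=DEFECT_DOJO_API_KEY):
    """Assemble the import-scan request; form field names follow the Defect Dojo v2 API (assumed)."""
    meta = body["metadata"]
    name = meta["name"]
    return {
        "url": url.rstrip("/") + "/api/v2/import-scan/",
        "headers": {"Authorization": f"Token {api_key}"},  # Defect Dojo API token auth (assumed)
        "data": {
            "scan_type": "Trivy Operator Scan",          # assumed Defect Dojo parser name
            "product_type_name": "Kubernetes",
            "product_name": meta.get("namespace", "default"),
            "engagement_name": name,
            "auto_create_context": "true",              # create product/engagement if missing
            "active": "true",
            "verified": "false",
        },
        # the report itself is uploaded as the scan file
        "files": {"file": (f"{name}.json", json.dumps(dict(body)), "application/json")},
    }


if kopf is not None:
    @kopf.on.create("aquasecurity.github.io", "v1alpha1", "vulnerabilityreports")
    def on_report(body, logger, **_):
        if not report_selected(body):
            return  # report does not match the configured label filter
        import requests  # assumed HTTP client for the POST
        req = build_import_scan(body)
        resp = requests.post(req["url"], headers=req["headers"], data=req["data"], files=req["files"], timeout=30)
        resp.raise_for_status()
        logger.info("forwarded %s to Defect Dojo (HTTP %s)", body["metadata"]["name"], resp.status_code)
```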
To remove the trivy-dojo-report-operator from your cluster, run the following command:

```bash
kubectl delete -f deploy/
```
GPLv3