MCPcopy Index your code
hub / github.com/aquasecurity/trivy-operator

github.com/aquasecurity/trivy-operator @v0.31.2 sqlite

repository ↗ · DeepWiki ↗ · release v0.31.2 ↗
1,371 symbols 5,156 edges 158 files 472 documented · 34%
README

Trivy-operator logo

Kubernetes-native security toolkit. (Documentation)

GitHub Release Build Action Release snapshot Action Go Report Card GitHub All Releases Artifact Hub

Introduction

The Trivy Operator leverages Trivy to continuously scan your Kubernetes cluster for security issues. The scans are summarised in security reports as Kubernetes Custom Resource Definitions, which become accessible through the Kubernetes API. The Operator does this by watching Kubernetes for state changes and automatically triggering security scans in response. For example, a vulnerability scan is initiated when a new Pod is created. This way, users can find and view the risks that relate to different resources in a Kubernetes-native way.

In-cluster Security Scans

The Trivy Operator automatically generates and updates security reports. These reports are generated in response to new workload and other changes on a Kubernetes cluster, generating the following reports:

  • Vulnerability Scans: Automated vulnerability scanning for Kubernetes workloads, control-plane and node components (api-server, controller-manager, kubelet and etc)
  • ConfigAudit Scans: Automated configuration audits for Kubernetes resources with predefined rules or custom Open Policy Agent (OPA) policies.
  • Exposed Secret Scans: Automated secret scans which find and detail the location of exposed Secrets within your cluster.
  • RBAC scans: Role Based Access Control scans provide detailed information on the access rights of the different resources installed.
  • K8s core component infra assessment scan Kubernetes infra core components (etcd,apiserver,scheduler,controller-manager and etc) setting and configuration.
  • k8s outdated api validation - a configaudit check will validate if the resource api has been deprecated and planned for removal
  • Compliance reports
  • NSA, CISA Kubernetes Hardening Guidance v1.1 cybersecurity technical report is produced.
  • CIS Kubernetes Benchmark v1.23 cybersecurity technical report is produced.
  • Kubernetes pss-baseline, Pod Security Standards
  • Kubernetes pss-restricted, Pod Security Standards
  • SBOM (Software Bill of Materials genertations) for Kubernetes workloads.

Trivy-operator Overview

Please star ⭐ the repo if you want us to continue developing and improving trivy-operator! 😀

Usage

The official Documentation provides detailed installation, configuration, troubleshooting, and quick start guides.

You can install the Trivy-operator Operator with Static YAML Manifests and follow the Getting Started guide to see how vulnerability and configuration audit reports are generated automatically.

Quick Start

The Trivy Operator can be installed easily through the Helm Chart. The Helm Chart can be downloaded by one of the two options:

Option 1: Install from traditional helm chart repository

Add the Aqua chart repository:

   helm repo add aqua https://aquasecurity.github.io/helm-charts/
   helm repo update

Install the Helm Chart:

   helm install trivy-operator aqua/trivy-operator \
     --namespace trivy-system \
     --create-namespace \
     --version 0.33.2

Option 2: Install from OCI registry (supported in Helm v3.8.0+)

Install the Helm Chart:

   helm install trivy-operator oci://ghcr.io/aquasecurity/helm-charts/trivy-operator \
     --namespace trivy-system \
     --create-namespace \
     --version 0.33.2

This will install the Trivy Helm Chart into the trivy-system namespace and start triggering the scans.

Status

Although we are trying to keep new releases backward compatible with previous versions, this project is still incubating, and some APIs and Custom Resource Definitions may change.

Contributing

At this early stage we would love your feedback on the overall concept of Trivy-Operator. Over time, we'd love to see contributions integrating different security tools so that users can access security information in standard, Kubernetes-native ways.

  • See Contributing for information about setting up your development environment, and the contribution workflow that we expect.
  • Please ensure that you are following our Code Of Conduct during any interaction with the Aqua projects and their community.

Trivy-Operator is an Aqua Security open source project.
Learn about our Open Source Work and Portfolio.
Join the community, and talk to us about any matter in GitHub Discussions or Slack.

Extension points exported contracts — how you extend this code

Plugin (Interface)
Plugin defines the interface between Trivy-operator and static vulnerability scanners. [4 implementers]
pkg/vulnerabilityreport/plugin.go
IDGenerator (Interface)
IDGenerator defines contract for generating universally unique identifiers. [2 implementers]
pkg/ext/id_generator.go
ConfigAuditConfig (Interface)
ConfigAuditConfig defines the interface between trivy-operator and trivy configuration which related to configauditrepor [2 …
pkg/configauditreport/plugin.go
Loader (Interface)
(no doc) [3 implementers]
pkg/policy/loader.go
SecretsReader (Interface)
SecretsReader defines methods for reading Secrets. [1 implementers]
pkg/kube/secrets.go
PluginContext (Interface)
PluginContext is plugin's execution context within the Trivy-operator toolkit. The context is used to grant access to ot [1 …
pkg/trivyoperator/plugin.go
Writer (Interface)
Writer is the interface that wraps the basic Write method. Write creates or updates the given slice of v1alpha1.SbomRep
pkg/sbomreport/io.go
Writer (Interface)
Writer is the interface for saving v1alpha1.ClusterConfigAuditReport and v1alpha1.ConfigAuditReport instances.
pkg/rbacassessment/io.go

Core symbols most depended-on inside this repo

Run
called by 209
magefile.go
Build
called by 94
tests/itest/helper/helper.go
Get
called by 78
pkg/sbomreport/builder.go
WithName
called by 57
pkg/trivyoperator/plugin.go
Delete
called by 53
pkg/trivyoperator/config.go
GetNamespace
called by 51
pkg/trivyoperator/plugin.go
ComputeHash
called by 46
pkg/kube/resources.go
NewObjectResolver
called by 45
pkg/kube/object.go

Shape

Method 699
Function 448
Struct 164
Interface 35
TypeAlias 23
FuncType 2

Languages

Go100%

Modules by API surface

pkg/apis/aquasecurity/v1alpha1/zz_generated.deepcopy.go158 symbols
pkg/trivyoperator/config.go58 symbols
tests/itest/helper/helper.go47 symbols
magefile.go46 symbols
pkg/kube/object.go44 symbols
pkg/plugins/trivy/config.go43 symbols
pkg/vulnerabilityreport/builder.go38 symbols
pkg/metrics/collector.go27 symbols
pkg/trivyoperator/plugin.go25 symbols
pkg/trivyoperator/config_test.go25 symbols
pkg/policy/policy_test.go25 symbols
pkg/policy/policy.go25 symbols

Dependencies from manifests, versioned

al.essio.dev/pkg/shellescapev1.6.0 · 1×
cel.dev/exprv0.25.1 · 1×
cloud.google.com/gov0.123.0 · 1×
cloud.google.com/go/auth/oauth2adaptv0.2.8 · 1×
cloud.google.com/go/compute/metadatav0.9.0 · 1×
cloud.google.com/go/monitoringv1.24.3 · 1×
cloud.google.com/go/storagev1.62.0 · 1×
dario.cat/mergov1.0.2 · 1×
github.com/Azure/azure-sdk-for-go/sdk/azcorev1.21.1 · 1×
github.com/Azure/azure-sdk-for-go/sdk/azidentityv1.13.1 · 1×

For agents

$ claude mcp add trivy-operator \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact