Trivy is an open-source vulnerability scanner for containers that can detect vulnerabilities in OS packages and application dependencies. The Trivy Operator is a Kubernetes operator that automates the process of scanning container images for vulnerabilities using Trivy.

This integration utilizes the logzio-trivy Helm Chart to deploy:

  • Trivy-Operator Helm Chart that scans the cluster and creates Trivy reports.
  • A deployment that looks for the Trivy reports in the cluster, processes them, and sends them to Logz.io

At present, only vulnerability reports are being collected.

This integration is presently in its beta phase and may be subject to modifications.

Before you begin, you’ll need:

  • an active account with Logz.io
  • a Kubernetes cluster to send reports from

Add logzio-helm repo

helm repo add logzio-helm https://logzio.github.io/logzio-helm
helm repo update

Run the Helm deployment code

helm install -n monitoring --create-namespace \
--set env_id="<<ENV-ID>>" \
--set secrets.logzioShippingToken="<<LOG-SHIPPING-TOKEN>>" \
--set secrets.logzioListener="<<LISTENER-HOST>>" \
logzio-trivy logzio-helm/logzio-trivy

With this command, we instruct Helm to create the monitoring namespace if it does not already exist.

Parameter | Description
<<ENV-ID>> | A unique name for your environment, used to differentiate telemetry data across environments. If you're collecting metrics, this should match the env-id/p8s_logzio_name you used for the metrics.
<<LOG-SHIPPING-TOKEN>> | Replace <<LOG-SHIPPING-TOKEN>> with the log shipping token of the account you want to ship to.
<<LISTENER-HOST>> | Replace <<LISTENER-HOST>> with the listener host for your region, without the http/https prefix. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe.

Check Logz.io for your reports

Give your reports some time to get from your system to ours, and then open OpenSearch Dashboards.

Customizing Helm chart parameters

Configure customization options

You can use the following options to update the Helm chart parameters:

  • Specify parameters using the --set key=value[,key=value] argument to helm install

  • Edit the values.yaml

  • Override the default values with your own my_values.yaml and apply it in the helm install command.

Custom parameters

Parameter | Description | Default
trivy-operator.trivy.ignoreUnfixed | Determines whether to display only fixed vulnerabilities in the reports generated by Trivy. | false
nameOverride | Overrides the Chart name for resources. | ""
fullnameOverride | Overrides the full name of the resources. | ""
schedule | Time of the daily scan for security reports and sending them to Logz.io, in "HH:MM" format. | "07:00"
restartPolicy | Container restart policy. | OnFailure
image | Container image. | logzio/trivy-to-logzio
imageTag | Container image tag. | 0.1.0
env_id | A unique name for your environment, used to differentiate telemetry data across environments. | ""
terminationGracePeriodSeconds | Termination period (in seconds) to wait before killing the Fluentd pod process on pod shutdown. | 30
serviceAccount.create | Specifies whether to create a service account for the cron job. | true
serviceAccount.name | Name of the service account. | ""
secrets.enabled | Specifies whether to create a secret for the deployment. | true
secrets.name | Secret name. | "logzio-logs-secret-trivy"
secrets.logzioShippingToken | Your Logz.io log shipping token. | ""
secrets.logzioListener | Your Logz.io listener host. | "" (defaults to the US region)
scriptLogLevel | Log level of the script that sends the security reports to Logz.io. One of: DEBUG, INFO, WARNING, ERROR, CRITICAL. | INFO

Uninstalling the Chart

The Uninstall command is used to remove all the Kubernetes components associated with the chart and to delete the release.

To uninstall the logzio-trivy deployment, use the following command:

helm uninstall logzio-trivy -n monitoring

Handling image pull rate limit

In certain cases, such as spot clusters, where pods or nodes are frequently replaced, the pull rate limit for images retrieved from Docker Hub may be reached, resulting in an error:

You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limits.

In these cases, add the following --set flag to the helm install command to use an alternative image repository:

--set image=public.ecr.aws/logzio/trivy-to-logzio
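
The script below is an added example, not part of the Logz.io docs or chart: it checks the placeholder values from the tables above (a listener host without an http/https prefix, an "HH:MM" schedule, a true/false ignoreUnfixed) and assembles the install command from the install section together with the custom parameters and the ECR image fallback. The function names and argument order are assumptions.

```shell
# Added example, not part of the Logz.io docs: validate the placeholder values
# from the parameter table before composing the page's helm install command.
# Assumed inputs: env id, shipping token, listener host, schedule (HH:MM),
# ignoreUnfixed (true/false) and whether to use the ECR image fallback.

# The listener must be a bare host such as listener.logz.io, with no scheme.
valid_listener() {
  case "$1" in
    ""|http://*|https://*|*/*) return 1 ;;
    *) return 0 ;;
  esac
}

# The chart's schedule parameter expects a 24-hour "HH:MM" value.
valid_schedule() {
  echo "$1" | grep -Eq '^([01][0-9]|2[0-3]):[0-5][0-9]$'
}

# Prints the helm install command on success; returns 1 on a bad input so a
# misconfigured release is never created (the token is not echoed on failure).
build_helm_install() {
  env_id="$1"; token="$2"; listener="$3"; schedule="$4"
  ignore_unfixed="$5"; use_ecr="$6"
  [ -n "$env_id" ] || { echo "env_id is required" >&2; return 1; }
  [ -n "$token" ] || { echo "log shipping token is required" >&2; return 1; }
  valid_listener "$listener" ||
    { echo "listener must be a host without http/https prefix" >&2; return 1; }
  valid_schedule "$schedule" || { echo "schedule must be HH:MM" >&2; return 1; }
  case "$ignore_unfixed" in
    true|false) ;;
    *) echo "ignoreUnfixed must be true or false" >&2; return 1 ;;
  esac

  cmd="helm install -n monitoring --create-namespace"
  cmd="$cmd --set env_id=$env_id"
  cmd="$cmd --set secrets.logzioShippingToken=$token"
  cmd="$cmd --set secrets.logzioListener=$listener"
  cmd="$cmd --set trivy-operator.trivy.ignoreUnfixed=$ignore_unfixed"
  cmd="$cmd --set schedule=$schedule"
  # Use the public ECR mirror when Docker Hub pull rate limits are a problem.
  if [ "$use_ecr" = "yes" ]; then
    cmd="$cmd --set image=public.ecr.aws/logzio/trivy-to-logzio"
  fi
  cmd="$cmd logzio-trivy logzio-helm/logzio-trivy"
  echo "$cmd"
}
```

Run the printed command with `--dry-run` first to confirm the rendered values before installing the release.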