Ship reports from Trivy Operator

Trivy is an open-source vulnerability scanner for containers that can detect vulnerabilities in OS packages and application dependencies. The Trivy Operator is a Kubernetes operator that automates the process of scanning container images for vulnerabilities using Trivy.

This integration utilizes the logzio-trivy Helm Chart to deploy:

Trivy-Operator Helm Chart that scans the cluster and creates Trivy reports.
A deployment that looks for the Trivy reports in the cluster, processes them, and sends them to Logz.io

At present, only vulnerability reports are being collected.

This integration is presently in its beta phase and may be subject to modifications.

Before you begin, you’ll need:

an active account with Logz.io
Kubernetes cluster to send reports from

Add `logzio-helm` repo

helm repo add logzio-helm https://logzio.github.io/logzio-helm
helm repo update

Run the Helm deployment code

helm install -n monitoring --create-namespace \
--set env_id="<<ENV-ID>>" \
--set secrets.logzioShippingToken="<<LOG-SHIPPING-TOKEN>>" \
--set secrets.logzioListener="<<LISTENER-HOST>>" \
logzio-trivy logzio-helm/logzio-trivy

With this command, we instruct Helm to create the monitoring namespace if it does not already exist.

Parameter	Description
`<<ENV-ID>>`	A unique name assigned to your environment’s identifier, to differentiate telemetry data across various environments. If you’re collecting metrics, this should match the env-id/p8s_logzio_name you used for the metrics.
`<<LOG-SHIPPING-TOKEN>>`	Replace `<<LOG-SHIPPING-TOKEN>>` with the token of the account you want to ship to.
`<<LISTENER-HOST>>`	Replace `<<LISTENER-HOST>>` with the host for your region, without the `http/https` prefix. For example, `listener.logz.io` if your account is hosted on AWS US East, or `listener-nl.logz.io` if hosted on Azure West Europe.

Check Logz.io for your reports

Give your reports some time to get from your system to ours, and then open Open Search Dashboards.

Customizing Helm chart parameters

Configure customization options

You can use the following options to update the Helm chart parameters:

Specify parameters using the --set key=value[,key=value] argument to helm install
Edit the values.yaml
Overide default values with your own my_values.yaml and apply it in the helm install command.

Custom parameters

Parameter	Description	Default
`trivy-operator.trivy.ignoreUnfixed`	Determines whether to display only fixed vulnerabilities in the reports generated by Trivy.	`false`
`nameOverride`	Overrides the Chart name for resources.	`""`
`fullnameOverride`	Overrides the full name of the resources.	`""`
`schedule`	Time for daily scanning for security reports and sending them to Logz.io, in the “HH:MM” format.	`"07:00"`
`restartPolicy`	Container restart policy	`OnFailure`
`image`	Container image	`logzio/trivy-to-logzio`
`imageTag`	Container image tag	`0.1.0`
`env_id`	A unique name assigned to your environment’s identifier, to differentiate telemetry data across various environments.	`""`
`terminationGracePeriodSeconds`	Termination period (in seconds) to wait before killing Fluentd pod process on pod shutdown.	`30`
`serviceAccount.create`	Specifies whether to create a service account for the cron job.	`true`
`serviceAccount.name`	Name of the service account.	`""`
`secrets.enabled`	Specifies wheter to create a secret for the deployment	`true`
`secrets.name`	Secret name	`"logzio-logs-secret-trivy"`
`secrets.logzioShippingToken`	Your logz.io log shipping token	`""`
`secrets.logzioListener`	Your logz.io listener host	`""` (defaults to us region)
`scriptLogLevel`	Log level of the script that sends security risk to Logz.io. Can be one of: `DEBUG`, `INFO`, `WARNING`, `ERROR`, `CRITICAL`.	`INFO`

Uninstalling the Chart

The Uninstall command is used to remove all the Kubernetes components associated with the chart and to delete the release.

To uninstall the logzio-trivy deployment, use the following command:

helm uninstall logzio-trivy -n monitoring

Handling image pull rate limit

In certain cases, such as spot clusters, where pods or nodes are frequently replaced, the pull rate limit for images retrieved from Docker Hub may be reached, resulting in an error:

You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limits.

In these cases we can use the following --set command to use an alternative image repository:

--set image=public.ecr.aws/logzio/trivy-to-logzio