Trivy

Trivy is an open-source vulnerability scanner for containers that can detect vulnerabilities in OS packages and application dependencies. The Trivy Operator is a Kubernetes operator that automates the process of scanning container images for vulnerabilities using Trivy.

This integration utilizes the logzio-trivy Helm Chart to deploy:

  • Trivy-Operator Helm Chart that scans the cluster and creates Trivy reports.
  • A deployment that looks for the Trivy reports in the cluster, processes them, and sends them to Logz.io.

Note: At present, only vulnerability reports are being collected.

Note: This integration is currently in beta and may change.

Deployment

Before you begin, you'll need:

  • An active Logz.io account
  • Kubernetes cluster to send reports from

Add logzio-helm repo

helm repo add logzio-helm https://logzio.github.io/logzio-helm
helm repo update

Run the Helm deployment code

helm install -n monitoring --create-namespace \
--set env_id="<<ENV-ID>>" \
--set secrets.logzioShippingToken="<<LOG-SHIPPING-TOKEN>>" \
--set secrets.logzioListener="<<LISTENER-HOST>>" \
logzio-trivy logzio-helm/logzio-trivy
Note: The --create-namespace flag instructs Helm to create the monitoring namespace if it does not already exist.

Parameter | Description
<<ENV-ID>> | A unique name assigned to your environment's identifier, to differentiate telemetry data across various environments. If you're collecting metrics, this should match the env-id/p8s_logzio_name you used for the metrics.
<<LOG-SHIPPING-TOKEN>> | Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.
<<LISTENER-HOST>> | Replace <<LISTENER-HOST>> with the host for your region, without the http/https prefix.

Trivy Metrics

By default, the trivy-operator exposes a metrics endpoint. If this chart is deployed alongside the Logz.io Telemetry chart, which collects metrics from the cluster, the Trivy metrics are collected as well.

Caution: The Logz.io Telemetry chart sends metrics for the entire cluster, not only for Trivy.

To deploy both charts together through the logzio-monitoring chart, run:

helm install -n monitoring --create-namespace \
--set metricsOrTraces.enabled=true \
--set logzio-k8s-telemetry.metrics.enabled=true \
--set logzio-k8s-telemetry.secrets.MetricsToken="<<METRICS-SHIPPING-TOKEN>>" \
--set logzio-k8s-telemetry.secrets.ListenerHost="https://<<LISTENER-HOST>>:8053" \
--set logzio-k8s-telemetry.secrets.p8s_logzio_name="<<ENV-ID>>" \
--set logzio-k8s-telemetry.secrets.env_id="<<ENV-ID>>" \
--set securityReport.enabled=true \
--set logzio-trivy.env_id="<<ENV-ID>>" \
--set logzio-trivy.secrets.logzioShippingToken="<<LOG-SHIPPING-TOKEN>>" \
--set logzio-trivy.secrets.logzioListener="<<LISTENER-HOST>>" \
logzio-monitoring logzio-helm/logzio-monitoring

Check Logz.io for your reports

Give your reports some time to get from your system to ours, and then open OpenSearch Dashboards.

Additional configuration

Customizing Helm chart parameters

Configure customization options

You can use the following options to update the Helm chart parameters:

  • Specify parameters using the --set key=value[,key=value] argument to helm install

  • Edit the values.yaml

  • Override default values with your own my_values.yaml and apply it in the helm install command.

Custom parameters

Parameter | Description | Default
trivy-operator.trivy.ignoreUnfixed | Determines whether to display only fixed vulnerabilities in the reports generated by Trivy. | false
nameOverride | Overrides the chart name for resources. | ""
fullnameOverride | Overrides the full name of the resources. | ""
schedule | Time of the daily scan for security reports and sending them to Logz.io, in "HH:MM" format. | "07:00"
restartPolicy | Container restart policy. | OnFailure
image | Container image. | logzio/trivy-to-logzio
imageTag | Container image tag. | 0.1.0
env_id | A unique name assigned to your environment's identifier, to differentiate telemetry data across various environments. | ""
terminationGracePeriodSeconds | Termination period (in seconds) to wait before killing the Fluentd pod process on pod shutdown. | 30
serviceAccount.create | Specifies whether to create a service account for the cron job. | true
serviceAccount.name | Name of the service account. | ""
secrets.enabled | Specifies whether to create a secret for the deployment. | true
secrets.name | Secret name. | "logzio-logs-secret-trivy"
secrets.logzioShippingToken | Your Logz.io log shipping token. | ""
secrets.logzioListener | Your Logz.io listener host. | "" (defaults to the US region)
scriptLogLevel | Log level of the script that sends security reports to Logz.io. One of: DEBUG, INFO, WARNING, ERROR, CRITICAL. | INFO
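As an added example (not the chart's or the trivy-to-logzio image's own code) of the processing step the deployment performs before shipping, the following Python flattens a constructed trivy-operator VulnerabilityReport into one event per vulnerability and applies the trivy-operator.trivy.ignoreUnfixed filter from the table above. The report layout and the output field names are assumptions made for this example.

```python
import json

# Constructed sample VulnerabilityReport (field names follow the trivy-operator
# CRD as assumed here; the CVE identifiers are placeholders, not real advisories).
SAMPLE_REPORT = {
    "metadata": {"name": "replicaset-web-abc123-web", "namespace": "default"},
    "report": {
        "artifact": {"repository": "library/nginx", "tag": "1.25"},
        "registry": {"server": "index.docker.io"},
        "vulnerabilities": [
            {"vulnerabilityID": "CVE-XXXX-0001", "resource": "openssl",
             "installedVersion": "3.0.1", "fixedVersion": "3.0.2",
             "severity": "HIGH"},
            {"vulnerabilityID": "CVE-XXXX-0002", "resource": "zlib",
             "installedVersion": "1.2.11", "fixedVersion": "",
             "severity": "MEDIUM"},
        ],
    },
}

VULN_FIELDS = ("vulnerabilityID", "resource", "installedVersion",
               "fixedVersion", "severity")


def flatten_report(report, env_id, ignore_unfixed=False):
    """Return one log event per vulnerability; ignore_unfixed mirrors
    trivy-operator.trivy.ignoreUnfixed by dropping findings with no fixedVersion."""
    rep = report["report"]
    image = "{}/{}:{}".format(rep["registry"]["server"],
                              rep["artifact"]["repository"],
                              rep["artifact"]["tag"])
    events = []
    for vuln in rep.get("vulnerabilities", []):
        if ignore_unfixed and not vuln.get("fixedVersion"):
            continue  # no fix available yet: nothing actionable to ship
        event = {"env_id": env_id, "type": "trivy_vulnerability",
                 "namespace": report["metadata"]["namespace"],
                 "report_name": report["metadata"]["name"], "image": image}
        event.update({k: vuln.get(k, "") for k in VULN_FIELDS})
        events.append(event)
    return events


def to_ndjson(events):
    """Serialize events as newline-delimited JSON, one object per line."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)
```

Calling flatten_report(SAMPLE_REPORT, "my-env") yields two events tagged with the env_id; passing ignore_unfixed=True drops the zlib finding because it has no fixedVersion.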

Uninstalling the Chart

The uninstall command removes all the Kubernetes components associated with the chart and deletes the release.

To uninstall the logzio-trivy deployment, use the following command:

helm uninstall logzio-trivy -n monitoring

Handling image pull rate limit

In certain cases, such as spot clusters, where pods or nodes are frequently replaced, the pull rate limit for images retrieved from Docker Hub may be reached, resulting in an error:

You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limits.

In these cases, add the following --set flag to the helm install command to pull the image from an alternative repository:

--set image=public.ecr.aws/logzio/trivy-to-logzio