Adding vulnerability scans, config scans and SBOM using Trivy
I have added three main things:
- Vulnerability scans for images
- SBOMs (Software Bill of Materials) in CycloneDX format
- Configuration check of charts and deployments
- Configuration check of Dockerfiles
To make the implementation easier and more maintainable, I have created the TrivyUtils class in security_utils.py which contains the necessary functions used during build.
There is also the option to filter vulnerabilities and configuration issues based on their severity levels, so I have included a severity filter for CRITICAL, HIGH, MEDIUM, LOW, and UNKNOWN. I have set the --ignore-unfixed flag to be on by default, but I will revisit this setting as it could potentially filter out vulnerabilities in old software that may never receive updates.
A full check creates the following reports:
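As an added example that is not part of this PR or the project's own TrivyUtils class in security_utils.py, the Python sketch below (hypothetical names: `image_scan_cmd`, `sbom_cmd`, `config_scan_cmd`, `summarize_report`, `should_fail`) builds the Trivy invocations for the image vulnerability scan, the CycloneDX SBOM and the config scan with the severity filter and the `--ignore-unfixed` switch described above, then summarizes a constructed Trivy JSON report so a build step can decide whether to fail. The summary also counts findings that carry no fixed version, which is precisely what `--ignore-unfixed` silently drops, so the trade-off mentioned in the description becomes visible in the build log.

```python
"""Hypothetical Trivy wrapper (illustration only, not the project's TrivyUtils)."""
import json
from collections import Counter

# Severity names Trivy accepts for --severity.
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


def validate_severities(severities):
    """Reject names Trivy does not understand; return the rest in canonical order."""
    wanted = {s.upper() for s in severities}
    bad = wanted - set(SEVERITIES)
    if bad:
        raise ValueError(f"unknown severity level(s): {sorted(bad)}")
    return [s for s in SEVERITIES if s in wanted]


def image_scan_cmd(image, severities=SEVERITIES, ignore_unfixed=True,
                   output="vuln-report.json"):
    """argv for `trivy image`: JSON vulnerability report filtered by severity."""
    cmd = ["trivy", "image", "--format", "json", "--output", output,
           "--severity", ",".join(validate_severities(severities))]
    if ignore_unfixed:  # on by default, mirroring the PR description
        cmd.append("--ignore-unfixed")
    cmd.append(image)
    return cmd


def sbom_cmd(image, output="sbom.cdx.json"):
    """argv for `trivy image` producing a CycloneDX SBOM."""
    return ["trivy", "image", "--format", "cyclonedx", "--output", output, image]


def config_scan_cmd(path, severities=SEVERITIES, output="config-report.json"):
    """argv for `trivy config`: misconfiguration checks for Dockerfiles, Helm charts and manifests under `path`."""
    return ["trivy", "config", "--format", "json", "--output", output,
            "--severity", ",".join(validate_severities(severities)), path]


def summarize_report(report_json):
    """Count vulnerabilities and misconfigurations per severity in Trivy JSON output.

    Trivy emits `Results[*].Vulnerabilities` / `Results[*].Misconfigurations`,
    either of which may be null for a target with no findings.
    """
    report = json.loads(report_json)
    vulns, misconfigs = Counter(), Counter()
    unfixed = 0
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            vulns[v.get("Severity", "UNKNOWN")] += 1
            if not v.get("FixedVersion"):  # would be hidden by --ignore-unfixed
                unfixed += 1
        for m in result.get("Misconfigurations") or []:
            misconfigs[m.get("Severity", "UNKNOWN")] += 1
    return {"vulnerabilities": dict(vulns),
            "misconfigurations": dict(misconfigs),
            "unfixed": unfixed}


def should_fail(summary, fail_on=("CRITICAL", "HIGH")):
    """True if any finding of a severity listed in `fail_on` is present."""
    return any(summary[kind].get(sev, 0) > 0
               for kind in ("vulnerabilities", "misconfigurations")
               for sev in fail_on)


# Constructed sample in Trivy's JSON shape; IDs are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "example-image:1.0 (debian 12)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "Severity": "HIGH",
              "FixedVersion": "1.2.3"},
             {"VulnerabilityID": "CVE-0000-0002", "Severity": "CRITICAL",
              "FixedVersion": ""},   # no fix available upstream
             {"VulnerabilityID": "CVE-0000-0003", "Severity": "LOW",
              "FixedVersion": "4.5.6"}]},
        {"Target": "Dockerfile",
         "Misconfigurations": [
             {"ID": "PLACEHOLDER-001", "Severity": "HIGH"},
             {"ID": "PLACEHOLDER-002", "Severity": "MEDIUM"}]},
        {"Target": "chart/templates/deployment.yaml", "Misconfigurations": None},
    ]
})

if __name__ == "__main__":
    print(" ".join(image_scan_cmd("example-image:1.0", severities=["CRITICAL", "HIGH"])))
    print(" ".join(sbom_cmd("example-image:1.0")))
    print(" ".join(config_scan_cmd(".")))
    summary = summarize_report(SAMPLE_REPORT)
    print(summary, "fail build:", should_fail(summary))
```

Each `*_cmd` function returns an argv list suitable for `subprocess.run(cmd, check=False)`; keeping the flags in one place means the severity filter and the `--ignore-unfixed` default are changed in exactly one spot when the setting is revisited.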