
Adding vulnerability scans, config scans and SBOM using Trivy

Benjamin Hamm requested to merge feature/trivy_utils into develop

I have added three main things:

  • Vulnerability scans for images
  • SBOMs (Software Bill of Materials) in CycloneDX format
  • Configuration check of charts and deployments
  • Configuration check of Dockerfiles

To make the implementation easier and more maintainable, I have created the TrivyUtils class in security_utils.py which contains the necessary functions used during build.

There is also the option to filter vulnerabilities and configuration issues based on their severity levels, so I have included a severity filter for CRITICAL, HIGH, MEDIUM, LOW, and UNKNOWN. I have set the --ignore-unfixed flag to be on by default, but I will revisit this setting as it could potentially filter out vulnerabilities in old software that may never receive updates.

A full check creates the following reports:

  • chart_report.json
  • compressed_chart_report.json
  • compressed_vulnerability_report.json
  • dockerfile_report.json
  • sboms.json
  • vulnerability_reports.json
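The severity filter and the `--ignore-unfixed` trade-off mentioned in this merge request, as an added example written for this page (it is not the MR's `TrivyUtils` class or any code from `security_utils.py`). It builds the Trivy command line with the `--severity` and `--ignore-unfixed` flags, then filters a Trivy JSON vulnerability report in Python and reports which findings `--ignore-unfixed` would hide. The report structure (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `Severity`, `FixedVersion`) is Trivy's real JSON layout; the image name, package names and `CVE-EXAMPLE-*` identifiers are constructed sample data.

```python
"""Added example (not the MR's TrivyUtils code): build a Trivy scan command
and filter a Trivy JSON vulnerability report by severity and fix status."""
import json
from typing import Dict, Iterable, List

# Trivy's severity levels, as named in the merge request.
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample report in the shape of `trivy image --format json` output.
# Image name, packages and CVE ids are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "example.local/app:1.0 (alpine 3.18)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "CRITICAL"},
                # No upstream fix: --ignore-unfixed would silently drop this one.
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "othertool",
                 "InstalledVersion": "2.3", "Severity": "LOW"},
            ],
        },
        # Trivy omits "Vulnerabilities" entirely for a clean target.
        {"Target": "example.local/app:1.0 (python)"},
    ]
})


def _check_severities(severities: Iterable[str]) -> List[str]:
    """Normalise and validate severity names against Trivy's levels."""
    wanted = [s.upper() for s in severities]
    bad = [s for s in wanted if s not in SEVERITIES]
    if bad:
        raise ValueError(f"unknown severity level(s): {bad}")
    return wanted


def build_trivy_command(image: str, severities: Iterable[str],
                        ignore_unfixed: bool = True,
                        output: str = "vulnerability_reports.json") -> List[str]:
    """Return the argv for a JSON image scan (built, not executed, here)."""
    argv = ["trivy", "image", "--format", "json",
            "--severity", ",".join(_check_severities(severities))]
    if ignore_unfixed:
        argv.append("--ignore-unfixed")
    argv += ["--output", output, image]
    return argv


def load_vulnerabilities(report_json: str) -> List[Dict]:
    """Flatten all findings from a Trivy JSON report, tagging each with its target."""
    report = json.loads(report_json)
    found = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities", []) or []:
            found.append({**vuln, "Target": result.get("Target", "")})
    return found


def filter_vulnerabilities(vulns: List[Dict], severities: Iterable[str],
                           ignore_unfixed: bool = True) -> List[Dict]:
    """Keep findings at the requested severities; optionally drop those with no fix."""
    wanted = set(_check_severities(severities))
    kept = []
    for v in vulns:
        if v.get("Severity", "UNKNOWN") not in wanted:
            continue
        if ignore_unfixed and not v.get("FixedVersion"):
            continue
        kept.append(v)
    return kept


def unfixed_hidden_by_filter(vulns: List[Dict], severities: Iterable[str]) -> List[Dict]:
    """Findings at the requested severities that --ignore-unfixed would hide.

    Useful for the review the MR mentions: old software that never gets a fix
    stays invisible under --ignore-unfixed unless it is listed separately."""
    with_unfixed = filter_vulnerabilities(vulns, severities, ignore_unfixed=False)
    without = {v["VulnerabilityID"] for v in filter_vulnerabilities(vulns, severities, True)}
    return [v for v in with_unfixed if v["VulnerabilityID"] not in without]


if __name__ == "__main__":
    print(" ".join(build_trivy_command("example.local/app:1.0", ["CRITICAL", "HIGH"])))
    findings = load_vulnerabilities(SAMPLE_REPORT)
    for v in filter_vulnerabilities(findings, ["CRITICAL", "HIGH"]):
        print("kept:", v["VulnerabilityID"], v["Severity"], v["PkgName"])
    for v in unfixed_hidden_by_filter(findings, ["CRITICAL", "HIGH"]):
        print("hidden by --ignore-unfixed:", v["VulnerabilityID"], v["Severity"])
```

Running the script shows one finding kept and one HIGH finding hidden by `--ignore-unfixed`; emitting that second list alongside the filtered report is one way to keep the unfixed findings visible without turning the flag off.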
