Quickstart Guide

This document provides a quick guide to setting up and running the security scanning infrastructure using Trivy and other related tools.

Prerequisites

Before you begin, make sure you have the following prerequisites installed in your environment:

  • Kubernetes Cluster
  • Helm 3.x
  • Credential setup in HashiCorp Vault
  • Access to OpenStack (for storing results)

Project Structure

The project structure is organized as follows:

.
├── cronjob
│   ├── configmap.yaml
│   └── trivy-cronjob.yaml
├── trivy-operator
│   └── values.yaml
└── trivy-reporter
    └── values.yaml

Main Files

1. cronjob/configmap.yaml

This file defines a ConfigMap that is used to store configurations and scripts necessary for executing the CronJob that performs security scans using Trivy.

  • Primary Use: Store scripts and configurations that will be used by the CronJob.
  • Important: Ensure that the scripts stored in this ConfigMap are correctly formatted and configured to run in the Kubernetes environment.

2. cronjob/trivy-cronjob.yaml

This file defines a CronJob in Kubernetes that is responsible for periodically running the security scan using Trivy.

  • Schedule: The CronJob is configured to run at specific intervals defined in the file.
  • Containers: It uses several containers, including trivy-reports-getter for fetching the reports and trivy-reports-uploader for uploading the results to an external storage like OpenStack.
  • Configurations: Ensure that all configurations, including volumes and initContainers, are correctly set up before deploying this CronJob.

3. trivy-operator/trivy_results.json

This file contains an example JSON output generated by Trivy after performing a security scan.

  • Usage: Used as an example or reference to analyze the results of the scans.
  • Important: This file can be used to conduct local tests on scripts that process Trivy's scan results.
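As an added example (not one of this project's own scripts), the following Python script processes a report in the shape of Trivy's JSON output, the way a script mounted from the ConfigMap might inside the CronJob: it counts findings per severity, lists the ones with a fix available, and exits non-zero when anything CRITICAL or HIGH is present. The embedded report, its image name and its CVE IDs are constructed placeholders, and the policy thresholds are assumptions.

```python
import json
from collections import Counter

# Constructed sample in the shape of Trivy's JSON report (SchemaVersion 2);
# the CVE IDs, packages and image name are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.invalid/app:1.0",
    "Results": [
        {"Target": "registry.example.invalid/app:1.0 (alpine 3.18)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "libssl", "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "zlib", "InstalledVersion": "1.2", "FixedVersion": "", "Severity": "MEDIUM"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "requests", "InstalledVersion": "2.0", "FixedVersion": "2.1", "Severity": "HIGH"}]},
        # A config or secret-scan Result carries no "Vulnerabilities" key at all.
        {"Target": "app/config", "Class": "config"},
    ],
})

def summarize(report_text):
    """Parse a Trivy JSON report; return (counts per severity, list of fixable findings)."""
    report = json.loads(report_text)
    counts = Counter()
    fixable = []
    # "Results" is absent on a clean scan and a Result may omit "Vulnerabilities",
    # so treat both as empty rather than crashing the CronJob on a good image.
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN")
            counts[severity] += 1
            if vuln.get("FixedVersion"):  # empty string means no fix released yet
                fixable.append((result["Target"], vuln["VulnerabilityID"],
                                vuln["PkgName"], vuln["FixedVersion"]))
    return counts, fixable

def should_fail(counts, blocking=("CRITICAL", "HIGH")):
    """Policy gate (assumed thresholds): True if any finding is at a blocking severity."""
    return any(counts.get(sev, 0) > 0 for sev in blocking)

if __name__ == "__main__":
    counts, fixable = summarize(SAMPLE_REPORT)
    for sev in ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"):
        print(f"{sev:9} {counts.get(sev, 0)}")
    for target, vuln_id, pkg, fixed in fixable:
        print(f"fix available: {target}: {vuln_id} {pkg} -> {fixed}")
    raise SystemExit(1 if should_fail(counts) else 0)
```

Run it against trivy_results.json instead of the embedded sample by reading the file into summarize(); the non-zero exit lets the CronJob pod surface the failure to Kubernetes.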

4. trivy-operator/values.yaml

This file contains specific configurations for deploying the trivy-operator using Helm.

  • Configuration: Defines the values to customize the deployment of the Trivy operator in the Kubernetes cluster.
  • Note: Be sure to customize this file according to your environment's needs before deploying.

5. trivy-reporter/values.yaml

This file contains specific configurations for the trivy-reporter tool.

  • Purpose: Used to configure how reports should be generated and processed after Trivy performs a scan.
  • Configuration: Customize this file according to the environment and the report you wish to generate.

Deployment

To deploy the security scanning infrastructure, follow the steps below:

  1. Configure ConfigMaps and Secrets: Ensure all necessary ConfigMaps and Secrets are properly created in your Kubernetes cluster.

     kubectl apply -f cronjob/configmap.yaml

  2. Deploy the CronJob: Deploy the CronJob that will run the periodic scans.

     kubectl apply -f cronjob/trivy-cronjob.yaml

  3. Deploy Trivy Operator: Use Helm to deploy the trivy-operator in your cluster.

     helm install trivy-operator trivy-operator/ -f trivy-operator/values.yaml

  4. Deploy Trivy Reporter: Use Helm to deploy the trivy-reporter in your cluster.

     helm repo add trivy-dojo-report-operator https://telekom-mms.github.io/trivy-dojo-report-operator/
     helm repo update
     helm install chart-name trivy-dojo-report-operator/trivy-dojo-report-operator --values trivy-reporter/values.yaml