Trivy

Trivy is a comprehensive and versatile security scanner. It is organised around scanners, which look for particular kinds of security issue, and targets, the kinds of artifact in which it can find those issues.

Targets (what Trivy can scan):

  • Container Image
  • Filesystem
  • Git Repository (remote)
  • Virtual Machine Image
  • Kubernetes
  • AWS

Scanners (what Trivy can find there):

  • OS packages and software dependencies in use (SBOM)
  • Known vulnerabilities (CVEs)
  • IaC issues and misconfigurations
  • Sensitive information and secrets
  • Software licenses

Trivy Operator

In-cluster Security Scans

The Trivy Operator automatically generates and updates security reports in response to new workloads and other changes in a Kubernetes cluster. It produces the following reports:

  • Vulnerability Scans: Automated vulnerability scanning for Kubernetes workloads.
  • ConfigAudit Scans: Automated configuration audits for Kubernetes resources with predefined rules or custom Open Policy Agent (OPA) policies.
  • Exposed Secret Scans: Automated secret scans which find and detail the location of exposed Secrets within your cluster.
  • RBAC scans: Role-Based Access Control scans provide detailed information on the access rights of the different resources installed.
  • Kubernetes core component infra assessment: scans the settings and configuration of the Kubernetes control-plane components (etcd, apiserver, scheduler, controller-manager, etc.).
  • Kubernetes outdated API validation: a ConfigAudit check that reports whether a resource uses an API that has been deprecated and is planned for removal.
  • Compliance reports:
      • NSA, CISA Kubernetes Hardening Guidance v1.1 cybersecurity technical report
      • CIS Kubernetes Benchmark v1.23 cybersecurity technical report
      • Kubernetes pss-baseline (Pod Security Standards, baseline profile)
      • Kubernetes pss-restricted (Pod Security Standards, restricted profile)
  • SBOM (Software Bill of Materials) generation for Kubernetes workloads

Kyverno

Kyverno (Greek for “govern”) is a policy engine designed specifically for Kubernetes. Some of its many features include:

  • policies as Kubernetes resources (no new language to learn!)
  • validate, mutate, generate, or cleanup (remove) any resource
  • verify container images for software supply chain security
  • inspect image metadata
  • match resources using label selectors and wildcards
  • validate and mutate using overlays (like Kustomize!)
  • synchronize configurations across Namespaces
  • block non-conformant resources using admission controls, or report policy violations
  • self-service reports (no proprietary audit log!)
  • self-service policy exceptions
  • test policies and validate resources using the Kyverno CLI, in your CI/CD pipeline, before applying to your cluster
  • manage policies as code using familiar tools like git and kustomize

Kyverno allows cluster administrators to manage environment-specific configurations independently of workload configurations and to enforce configuration best practices for their clusters. Kyverno can scan existing workloads for best practices, or enforce them by blocking or mutating API requests.
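As an added illustration of the validate-and-block behaviour described above (this is not code from the page or from the Kyverno project; the policy name, rule names and messages are our own), a ClusterPolicy that rejects privileged containers and requires non-root execution, two checks that overlap with the pss-restricted profile reported on by the Trivy Operator:

```yaml
# Added example, not from the page or the Kyverno project: policy name,
# rule names and messages are constructed for illustration.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pss-restricted-subset
spec:
  # Enforce rejects non-conformant requests at admission; Audit would
  # admit them and only record the violation in a PolicyReport.
  validationFailureAction: Enforce
  # Also evaluate workloads that already exist in the cluster.
  background: true
  rules:
    - name: disallow-privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "securityContext.privileged must be unset or false."
        # =(field) anchors: the nested check applies only if the field exists.
        pattern:
          spec:
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
    - name: require-run-as-nonroot
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Every container must set securityContext.runAsNonRoot: true."
        # No anchor on securityContext here, so the field is required.
        pattern:
          spec:
            =(initContainers):
              - securityContext:
                  runAsNonRoot: "true"
            containers:
              - securityContext:
                  runAsNonRoot: "true"
```

The Kyverno CLI mentioned in the feature list can evaluate this policy offline against a Pod manifest with `kyverno apply policy.yaml --resource pod.yaml`, so the checks can run in CI before the policy reaches a cluster.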