Trivy is an open source tool for scanning Docker images for vulnerabilities. These scans run on your cluster, and the results are uploaded to Insights.
# Vulnerability Database
Trivy's vulnerability database is managed via this GitHub repository. The database is refreshed every 6 hours, and pulls from many different sources, including NIST's NVD, RedHat, Debian, etc. You can see the full list here.
If you're seeing Action Items from the Trivy report, there are two typical routes for resolution:
- If the report is for a third-party library (e.g. a Helm chart), try updating to the latest version. If that doesn't solve the problem, notify the maintainer that the latest version has a vulnerability, e.g. by opening a GitHub issue.
- If the report is for an application you own, try updating the base image and any libraries you've installed on top of it.
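The two routes above hinge on one fact per finding: whether a fixed version has been published. The following is an added example, not code from Fairwinds or from Trivy, that sorts a Trivy JSON report into findings an upgrade can resolve and findings with no fix yet (the ones to raise with the maintainer or track). It assumes the JSON layout Trivy emits (`Results[].Vulnerabilities[]` with `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the embedded report and its vulnerability IDs are constructed placeholders, not real CVEs.

```python
import json

# Constructed sample report in the layout Trivy's JSON output uses
# (assumed: top-level "Results", each with a "Vulnerabilities" list carrying
# PkgName / InstalledVersion / FixedVersion / Severity). The vulnerability IDs
# are placeholders, not real CVE numbers.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.com/app:1.0",
    "Results": [
        {
            "Target": "example.com/app:1.0 (debian 12)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.1-1", "FixedVersion": "3.0.1-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "libc6",
                 "InstalledVersion": "2.36-1", "FixedVersion": "", "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-PLACEHOLDER-3", "PkgName": "requests",
                 "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0", "Severity": "CRITICAL"},
            ],
        },
        # A target with no findings: Trivy leaves the "Vulnerabilities" key out (or null).
        {"Target": "app/config", "Class": "config"},
    ],
})

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


def _most_severe_first(entry):
    return -SEVERITY_RANK.get(entry["severity"], 0)


def triage(report_json):
    """Split findings into those an upgrade can fix and those with no fix published.

    Returns {"fixable": [...], "unfixed": [...]}, each list ordered most severe first.
    """
    report = json.loads(report_json)
    fixable, unfixed = [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            entry = {
                "id": vuln.get("VulnerabilityID"),
                "target": result.get("Target"),
                "pkg": vuln.get("PkgName"),
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or None,  # "" or missing means no fix yet
                "severity": vuln.get("Severity", "UNKNOWN"),
            }
            (fixable if entry["fixed"] else unfixed).append(entry)
    return {
        "fixable": sorted(fixable, key=_most_severe_first),
        "unfixed": sorted(unfixed, key=_most_severe_first),
    }


def upgrade_plan(report_json):
    """Map each package that has a fix to the version to move to (route one above)."""
    return {e["pkg"]: e["fixed"] for e in triage(report_json)["fixable"]}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for e in result["fixable"]:
        print(f"UPGRADE  {e['severity']:<8} {e['pkg']} {e['installed']} -> {e['fixed']}  ({e['id']})")
    for e in result["unfixed"]:
        print(f"NO FIX   {e['severity']:<8} {e['pkg']} {e['installed']}  ({e['id']})  notify maintainer")
```

Run it against `trivy image --format json -o report.json <image>` output by reading the file instead of `SAMPLE_REPORT`. An empty `FixedVersion` is the signal that route one (update the image or library) cannot clear the finding yet, which is exactly when route two applies.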
# Private Images
On some cloud providers, your nodes will be automatically configured to have access to your container registry. For example, GKE nodes should be able to pull images from Google Container Registry automatically.
But in many cases, you'll need to grant Trivy permission to access private images. To do so, you'll need to create a Kubernetes Secret, and pass the name of that secret to the Helm installation of the Insights Agent.
For example, to create a secret from your personal Docker config file, you could run:

```shell
kubectl create secret generic insights-pull --from-file=config.json=$HOME/.docker/config.json -n insights-agent
```
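A common reason the secret above silently fails to help is that a workstation `config.json` often holds no credentials at all: when the Docker CLI is configured with a `credsStore` or `credHelpers` entry, the registry tokens live in the helper and the file only contains empty `auths` entries, so the in-cluster secret carries nothing Trivy can use. The following is an added example, not code from Fairwinds or Insights, that reads a `config.json` and reports which registries have an inline credential (usable in the secret) and which are delegated to a helper. The sample config, hosts and credentials are constructed for the example.

```python
import base64
import json

# Constructed sample config.json: hosts and credentials are made up for this example.
# "registry.example.com" carries an inline token; Docker Hub has an empty entry because
# "credsStore" hands its credentials to a helper; the ECR-style host uses a per-host helper.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "registry.example.com": {"auth": base64.b64encode(b"ci-user:example-token").decode()},
        "https://index.docker.io/v1/": {},
    },
    "credsStore": "desktop",
    "credHelpers": {"private-ecr.example.com": "ecr-login"},
})


def inspect_docker_config(text):
    """Return (inline, delegated).

    inline:    registry host -> username, for hosts whose credential is embedded in the file.
    delegated: registry host -> helper name, for hosts whose credential lives in a helper
               and therefore would NOT be present in a secret built from this file.
    """
    cfg = json.loads(text)
    helpers = cfg.get("credHelpers", {})
    store = cfg.get("credsStore")
    inline, delegated = {}, {}
    for host, entry in cfg.get("auths", {}).items():
        token = entry.get("auth") if isinstance(entry, dict) else None
        if token:
            # "auth" is base64("user:password"); keep only the username, never the secret.
            user = base64.b64decode(token).decode("utf-8", "replace").split(":", 1)[0]
            inline[host] = user
        else:
            # Empty entry: the Docker CLI stored the secret in a helper, not in this file.
            delegated[host] = helpers.get(host) or store or "unknown"
    for host, helper in helpers.items():
        delegated.setdefault(host, helper)
    return inline, delegated


def usable_in_cluster(text, registry):
    """True only if a secret built from this file would let Trivy pull from `registry`."""
    inline, _ = inspect_docker_config(text)
    return registry in inline


if __name__ == "__main__":
    inline, delegated = inspect_docker_config(SAMPLE_CONFIG)
    for host, user in inline.items():
        print(f"ok       {host}: inline credential for user {user!r}")
    for host, helper in delegated.items():
        print(f"missing  {host}: handled by credential helper {helper!r}; "
              "log in with a helper-free config before creating the secret")
```

Point it at `$HOME/.docker/config.json` before running the `kubectl create secret` command above; if the registry that hosts your images shows up as delegated, log in from a config without a credential helper (or a dedicated pull-only account) so the secret actually contains the token.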
Note that we named the secret `insights-pull`, and put it in the
We can then install the agent with