The trivy-dojo-report-operator is a Kubernetes operator developed using Kopf and Python. This operator listens for vulnerability reports generated by the Trivy Operator and forwards them to Defect Dojo for further analysis and tracking.
- Monitor Kubernetes for new Trivy vulnerability reports.
- Push vulnerability reports to a configured Defect Dojo instance.
- Seamless integration with your existing Kubernetes cluster and security workflow.
- Developed using the Pythonic Kopf framework for easy maintenance and extensibility.
- Vulnerability reports
- RBAC Assessment reports
- Infra Assessment reports
- Config Audit reports
- Exposed secrets
- A running Kubernetes cluster (minikube, kind, or another environment)
- Trivy Operator installed and configured in the cluster
- An instance of Defect Dojo for storing vulnerability reports
- Clone this repository:
git clone https://github.com/telekom-mms/trivy-dojo-report-operator.git
cd trivy-dojo-report-operator
- Configure Defect Dojo settings:
Update the environment variables in the secret manifest to match your Defect Dojo instance configuration:
stringData:
url: "https://your.defectdojo.instance"
apiKey: "your_defect_dojo_api_key"
Replace https://your.defectdojo.instance with the URL of your Defect Dojo instance, and your_defect_dojo_api_key with your API key.
Change the environment variables in the deployment manifest to your liking. The options closely match the options
in the import-scan
API-call found here.
- Deploy the trivy-dojo-report-operator:
kubectl create ns mgmt
kubectl apply -f deploy/
- Configure Defect Dojo settings:
Update the variables in the values.yaml to match your Defect Dojo instance configuration:
defectDojoApiCredentials:
apiKey: "your_defect_dojo_api_key"
url: "https://your.defectdojo.instance"
- Deploy the chart from the repository:
helm repo add trivy-dojo-report-operator https://telekom-mms.github.io/trivy-dojo-report-operator/
helm install chart-name trivy-dojo-report-operator/trivy-dojo-report-operator
- Deploy the chart manually after cloning the git-repository:
helm install chart-name charts/
The operator is now running in your cluster and will monitor for Trivy vulnerability reports and push them to the configured Defect Dojo instance.
You can also run the operator locally. This way you don't have to install anything in your cluster. Just provide the Defect Dojo URL and API-Key and optionally labels to the docker-run command. You also have to mount your kubeconfig into the container to access the cluster.
docker pull ghcr.io/telekom-mms/docker-trivy-dojo-operator
docker run -it -v /path/to/your/.kube/config:/root/.kube/config \
-e DEFECT_DOJO_API_KEY=$DEFECT_DOJO_API_KEY \
-e DEFECT_DOJO_URL=$DEFECT_DOJO_URL \
-e LABEL="trivy-operator.resource.name" \
-e LABEL_VALUE="master-live-server" \
-e REPORTS="vulnerabilityreports"
ghcr.io/telekom-mms/docker-trivy-dojo-operator
Variable | Default Value | Description |
---|---|---|
defectDojoActive |
"true" |
Override the active setting from the tool. |
defectDojoAutoCreateContext |
"true" |
Specifies whether to automatically create Engagements, Products and Product_Types |
defectDojoCloseOldFindings |
"false" |
Select if old findings no longer present in the report get closed as mitigated when importing. If service has been set, only the findings for this service will be closed. |
defectDojoCloseOldFindingsProductScope |
"false" |
Select if close_old_findings applies to all findings of the same type in the product. By default, it is false meaning that only old findings of the same type in the engagement are in scope. |
defectDojoDeduplicationOnEngagement |
"true" |
restrict deduplication for imported Findings to the newly created Engagement. |
defectDojoEngagementName |
engagement |
The name of the engagement in DefectDojo. |
defectDojoEvalEngagementName |
"false" |
Specifies whether the engagement name should be evaluated as a python function. |
defectDojoEvalProductName |
"false" |
Specifies whether the product name should be evaluated as a python function. |
defectDojoEvalProductTypeName |
"false" |
Specifies whether the product type name should be evaluated as a python function. |
defectDojoEvalTestTitle |
"false" |
Specifies whether the test title should be evaluated as a python function. |
defectDojoMinimumSeverity |
Info |
The minimum severity level for findings in DefectDojo. |
defectDojoProductName |
product |
The name of the product in DefectDojo. |
defectDojoProductTypeName |
Research and Development |
The type of the product in DefectDojo. |
defectDojoPushToJira |
"false" |
Specifies whether findings should be pushed to Jira in DefectDojo. |
defectDojoTestTitle |
Kubernetes |
The title of the test in DefectDojo. |
defectDojoVerified |
"false" |
Specifies whether findings should be marked as verified in DefectDojo. |
defectDojoDoNotReactivate |
"true" |
If true the importing/reimporting will ignore uploaded active findings and not reactivate previously closed findings, while still creating new findings if there are new ones |
reports |
"vulnerabilityreports" |
Comma-separated list of reports that should be sent to DefectDojo. Possibilities: vulnerabilityreports, rbacassessmentreports, infraassessmentreports, configauditreports, exposedsecrets |
When setting one of the Eval*-settings to true
, the corresponding name or title will be run as a python function!
For example, set defectDojoEvalEngagementName to true
and defectDojoEngagementName
to meta["creationTimestamp"]
, then the creationTimestamp of the vulnerability Report Resource in Kubernetes will be evaluated and used as the engagement name.
If you set defectDojoEngagementName to body["report"]["artifact"]["tag"]
, then the engagement will get the name of the specified image-tag.
The operator provides a Prometheus metrics endpoint, where successful and failed requests are collected.
To remove the trivy-dojo-report-operator from your cluster, run the following command:
kubectl delete -f deploy/
-
On push to main
- a new release version is calculated
- versions in all files are automatically updated
- a draft release is created
-
On publish of the release a
- new tag is created
- new release is created
- new container image is built
- new helm chart is published
GPLv3