/trivy-dojo-report-operator

This Kubernetes operator listens for vulnerability reports generated by the Trivy Operator and forwards them to Defect Dojo for further analysis and tracking.

Primary LanguagePythonGNU General Public License v3.0GPL-3.0

trivy-dojo-report-operator

The trivy-dojo-report-operator is a Kubernetes operator developed using Kopf and Python. This operator listens for vulnerability reports generated by the Trivy Operator and forwards them to Defect Dojo for further analysis and tracking.

Features

  • Monitor Kubernetes for new Trivy vulnerability reports.
  • Push vulnerability reports to a configured Defect Dojo instance.
  • Seamless integration with your existing Kubernetes cluster and security workflow.
  • Developed using the Pythonic Kopf framework for easy maintenance and extensibility.

Supported Reports

  • Vulnerability reports
  • RBAC Assessment reports
  • Infra Assessment reports
  • Config Audit reports
  • Exposed secrets

Prerequisites

  • A running Kubernetes cluster (minikube, kind, or another environment)
  • Trivy Operator installed and configured in the cluster
  • An instance of Defect Dojo for storing vulnerability reports

Installation and usage

  • Clone this repository:
git clone https://github.com/telekom-mms/trivy-dojo-report-operator.git
cd trivy-dojo-report-operator

Manually

  • Configure Defect Dojo settings:

Update the environment variables in the secret manifest to match your Defect Dojo instance configuration:

stringData:
  url: "https://your.defectdojo.instance"
  apiKey: "your_defect_dojo_api_key"

Replace https://your.defectdojo.instance with the URL of your Defect Dojo instance, and your_defect_dojo_api_key with your API key.

Change the environment variables in the deployment manifest to your liking. The options closely match the options in the import-scan API-call found here.

  • Deploy the trivy-dojo-report-operator:
kubectl create ns mgmt
kubectl apply -f deploy/

With Helm

  • Configure Defect Dojo settings:

Update the variables in the values.yaml to match your Defect Dojo instance configuration:

defectDojoApiCredentials:
  apiKey: "your_defect_dojo_api_key"
  url: "https://your.defectdojo.instance"
  • Deploy the chart from the repository:
helm repo add trivy-dojo-report-operator https://telekom-mms.github.io/trivy-dojo-report-operator/
helm install chart-name trivy-dojo-report-operator/trivy-dojo-report-operator
  • Deploy the chart manually after cloning the git-repository:
helm install chart-name charts/

The operator is now running in your cluster and will monitor for Trivy vulnerability reports and push them to the configured Defect Dojo instance.

Running locally with Docker

You can also run the operator locally. This way you don't have to install anything in your cluster. Just provide the Defect Dojo URL and API-Key and optionally labels to the docker-run command. You also have to mount your kubeconfig into the container to access the cluster.

docker pull ghcr.io/telekom-mms/docker-trivy-dojo-operator

docker run -it -v /path/to/your/.kube/config:/root/.kube/config \
  -e DEFECT_DOJO_API_KEY=$DEFECT_DOJO_API_KEY \
  -e DEFECT_DOJO_URL=$DEFECT_DOJO_URL \
  -e LABEL="trivy-operator.resource.name" \
  -e LABEL_VALUE="master-live-server" \
  -e REPORTS="vulnerabilityreports"
  ghcr.io/telekom-mms/docker-trivy-dojo-operator

Configuration

Variable Default Value Description
defectDojoActive "true" Override the active setting from the tool.
defectDojoAutoCreateContext "true" Specifies whether to automatically create Engagements, Products and Product_Types
defectDojoCloseOldFindings "false" Select if old findings no longer present in the report get closed as mitigated when importing. If service has been set, only the findings for this service will be closed.
defectDojoCloseOldFindingsProductScope "false" Select if close_old_findings applies to all findings of the same type in the product. By default, it is false meaning that only old findings of the same type in the engagement are in scope.
defectDojoDeduplicationOnEngagement "true" restrict deduplication for imported Findings to the newly created Engagement.
defectDojoEngagementName engagement The name of the engagement in DefectDojo.
defectDojoEvalEngagementName "false" Specifies whether the engagement name should be evaluated as a python function.
defectDojoEvalProductName "false" Specifies whether the product name should be evaluated as a python function.
defectDojoEvalProductTypeName "false" Specifies whether the product type name should be evaluated as a python function.
defectDojoEvalTestTitle "false" Specifies whether the test title should be evaluated as a python function.
defectDojoMinimumSeverity Info The minimum severity level for findings in DefectDojo.
defectDojoProductName product The name of the product in DefectDojo.
defectDojoProductTypeName Research and Development The type of the product in DefectDojo.
defectDojoPushToJira "false" Specifies whether findings should be pushed to Jira in DefectDojo.
defectDojoTestTitle Kubernetes The title of the test in DefectDojo.
defectDojoVerified "false" Specifies whether findings should be marked as verified in DefectDojo.
defectDojoDoNotReactivate "true" If true the importing/reimporting will ignore uploaded active findings and not reactivate previously closed findings, while still creating new findings if there are new ones
reports "vulnerabilityreports" Comma-separated list of reports that should be sent to DefectDojo. Possibilities: vulnerabilityreports, rbacassessmentreports, infraassessmentreports, configauditreports, exposedsecrets

A note on eval

When setting one of the Eval*-settings to true, the corresponding name or title will be run as a python function!

For example, set defectDojoEvalEngagementName to true and defectDojoEngagementName to meta["creationTimestamp"], then the creationTimestamp of the vulnerability Report Resource in Kubernetes will be evaluated and used as the engagement name.

If you set defectDojoEngagementName to body["report"]["artifact"]["tag"], then the engagement will get the name of the specified image-tag.

Metrics

The operator provides a Prometheus metrics endpoint, where successful and failed requests are collected.

Uninstall

To remove the trivy-dojo-report-operator from your cluster, run the following command:

kubectl delete -f deploy/

Creating new Releases

  • On push to main

    • a new release version is calculated
    • versions in all files are automatically updated
    • a draft release is created
  • On publish of the release a

    • new tag is created
    • new release is created
    • new container image is built
    • new helm chart is published

License

GPLv3