**Trivy** is a comprehensive, open-source vulnerability and misconfiguration scanner from Aqua Security. It scans container images, filesystems, Git repositories, Kubernetes cluster configurations, and IaC files for known CVEs, misconfigurations, and exposed secrets, and it can emit an SBOM for what it finds.
---
### First Principle: Security starts before deployment. Don't ship vulnerabilities into production — catch them in the build pipeline.
[[Falco]] detects threats at runtime. Trivy catches them before deployment. Scanning container images in CI/CD pipelines ([[Tekton]], GitHub Actions) ensures that known-vulnerable base images, exposed API keys, and misconfigured Dockerfiles never reach production.
---
### Key Considerations
- **Wide Scan Surface**: Trivy scans container images (all layers), filesystems, Git repos, [[Kubernetes]] cluster state, Helm charts, [[OpenTofu]]/Terraform configs, and Dockerfile/cloud config files — in a single tool.
- **DB Sources**: Vulnerability data comes from NVD, GHSA, Red Hat, Alpine, Debian, Ubuntu, and many OS-specific advisory databases — updated daily.
- **SBOM Generation**: Trivy can generate a Software Bill of Materials (SBOM) in SPDX or CycloneDX format — enabling license compliance and supply chain security analysis.
- **IaC Scanning**: Trivy checks [[OpenTofu]]/Terraform, [[Kubernetes]] YAML, Helm charts, and Dockerfiles for misconfigurations — open security groups, privileged containers, exposed ports.
- **CI/CD Integration**: Trivial to add to any [[Tekton]] pipeline. `trivy image myimage:latest --exit-code 1 --severity CRITICAL` fails the build if any critical CVEs are found.
- **Kubernetes Operator**: The Trivy Operator installs in the cluster and continuously scans all running workloads — surfacing vulnerabilities as Kubernetes CRD objects.
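The `--exit-code 1 --severity CRITICAL` gate above makes Trivy itself decide pass/fail. When a pipeline also wants a readable summary (counts per severity, which findings blocked the build, whether unfixed CVEs count), it is common to run `trivy image --format json -o report.json myimage:latest` and apply the gate over the saved report. The script below is an added example, not Trivy's own code: it flattens the three finding kinds Trivy reports (`Results[].Vulnerabilities`, `Results[].Misconfigurations`, `Results[].Secrets`) and reproduces the exit-code contract, with an `ignore_unfixed` switch that mirrors `--ignore-unfixed`. The embedded report is constructed by hand in the shape of Trivy's JSON output; every ID, package and version in it is a placeholder.

```python
"""CI gate over a saved Trivy JSON report (added example, not Trivy code).

Usage in a pipeline step:
    trivy image --format json -o report.json myimage:latest
    python trivy_gate.py report.json CRITICAL
Without arguments it runs against the constructed SAMPLE_REPORT below.
"""
import json
import sys

# Trivy's severity scale, lowest to highest; the gate compares by position.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of `trivy ... --format json` output.
# Not real scan output: CVE IDs, rule IDs, packages and versions are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "myimage:latest",
    "Results": [
        {
            "Target": "myimage:latest (example-os 1.0)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "CRITICAL", "Title": "placeholder: fixed upstream"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3.0", "FixedVersion": "",
                 "Severity": "HIGH", "Title": "placeholder: no fix available"},
            ],
        },
        {
            "Target": "app/config.env",
            "Class": "secret",
            "Secrets": [
                {"RuleID": "example-api-key", "Category": "Example",
                 "Severity": "CRITICAL", "Title": "placeholder API key"},
            ],
        },
        {
            "Target": "Dockerfile",
            "Class": "config",
            "Misconfigurations": [
                {"ID": "PLACEHOLDER-001", "Severity": "HIGH",
                 "Title": "placeholder: container runs as root"},
            ],
        },
    ],
}


def rank(severity):
    """Position of a severity on the scale; anything unrecognised ranks lowest."""
    sev = str(severity).upper()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0


def collect_findings(report, ignore_unfixed=False):
    """Flatten vulns, misconfigs and secrets into (severity, kind, id, target) tuples.

    With ignore_unfixed=True, vulnerabilities that have no FixedVersion are
    dropped, the same policy Trivy applies with --ignore-unfixed.
    """
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            findings.append((v["Severity"].upper(), "vuln", v["VulnerabilityID"], target))
        for m in result.get("Misconfigurations") or []:
            findings.append((m["Severity"].upper(), "misconfig", m["ID"], target))
        for s in result.get("Secrets") or []:
            findings.append((s["Severity"].upper(), "secret", s["RuleID"], target))
    return findings


def count_by_severity(findings):
    """Per-severity counts, always keyed by the full scale so summaries line up."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for sev, _kind, _id, _target in findings:
        counts[sev if sev in counts else "UNKNOWN"] += 1
    return counts


def gate(report, threshold="CRITICAL", ignore_unfixed=False):
    """Return (exit_code, blocking_findings).

    exit_code is 1 when any finding is at or above `threshold`, else 0,
    matching the contract of `trivy ... --exit-code 1 --severity <threshold>`.
    """
    findings = collect_findings(report, ignore_unfixed)
    blocking = [f for f in findings if rank(f[0]) >= rank(threshold)]
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    report = SAMPLE_REPORT
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    threshold = sys.argv[2] if len(sys.argv) > 2 else "CRITICAL"
    code, blocking = gate(report, threshold)
    for sev, n in count_by_severity(collect_findings(report)).items():
        print(f"{sev:<9}{n}")
    for sev, kind, ident, target in blocking:
        print(f"BLOCK {sev} {kind} {ident} in {target}")
    sys.exit(code)
```

Keeping the threshold a parameter lets one pipeline fail on CRITICAL for every image while a stricter HIGH threshold is applied to images that will run with elevated privileges; the summary lines are what a [[Tekton]] task log shows when the step fails.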
---
### How It Fits
```
[[Tekton]] CI pipeline (build image)
→ Trivy (scan image for CVEs + secrets + misconfig)
→ Container registry (only clean images pushed)
→ [[Falco]] (runtime monitoring after deployment)
```
[[Falco]] | [[Open Policy Agent (OPA)]] | [[Tekton]] | [[Kubernetes]] | [[Open Source Hyperscaler MoC]]