Send Finding Reports To Aws Security Hub using Postee

[guipal]

Hello everyone.

I am currently working on a Poc that includes using the operator to scan our K8s clusters and send the results to AWS Security Hub.

I have navigated through the documentation and I found the tutorial about how to send trivy results to AWS by using the webhook plugin.

Tried to replicate the same behaviour with the operator but realize that Postee is expecting the formated report and the webhook is sending results in a different format.

Is there any way to configure the operator to send the results in the expected format?
If not, what is the recommended way for sending Operator Results to AWS Security Hub?

Thank you very much.

[chen-keinan]

@guipal have you tried the operator integration with Postee

[guipal]

@chen-keinan, yes, I tried the integration but the problem is that the action is not working because the expected input is a report generated with the proper template.

My question here would be: Can we format the reports sent through the webhook with this template? I tried by changing the command var in the trivy-operator helm chart but apparently this is not supported.

[chen-keinan]

yes trivy-operator support only specific commands.
there are two options.

1. Add support for formatting webhook input before sending it to postee
2. use another service between postee to Aws Security Hub which will do the formatting

if you have time you can pick it up

[sbollers]

@guipal did you find a solution to this problem?

[akerge]

@guipal, @sbollers, to send vuln report from trivy-operator to AWS Security Hub I used an AWS API Gateway to trigger a Lambda function. Lambda parses the JSON vuln report to ASFF (based on this handy script). Assuming your k8s is hosted on AWS.