This application processes vulnerability reports from Trivy, a vulnerability scanning tool for containers, and imports the findings into AWS Security Hub. It acts as a webhook receiver that listens for vulnerability reports sent by Trivy and processes them before forwarding the results to AWS Security Hub.
- Receives vulnerability reports via an HTTP POST request.
- Supports importing CVE findings into AWS Security Hub.
- Designed for integration with container image scanning.
- Logs and reports errors for easier troubleshooting.
- Vulnerability Report: The application listens for incoming vulnerability reports in JSON format from Trivy via a `/trivy-webhook` endpoint.
- Validation: The incoming report is validated to ensure it is of type `VulnerabilityReport`, and only then are the vulnerabilities processed.
- AWS Security Hub Integration: Vulnerabilities are imported as security findings into AWS Security Hub.
- Health Check: The `/healthz` endpoint provides a simple health check for the application.
- AWS Account: This application uses AWS Security Hub to store and manage security findings, so you must have an active AWS account and the necessary permissions.
- Trivy: You must set up Trivy to scan container images and send reports to the webhook endpoint.
- Go: The application is written in Go, so you'll need Go installed to build and run it.
- Clone the repository:

  ```bash
  git clone https://github.com/csepulveda/trivy-webhook-aws-security-hub.git
  cd trivy-webhook-aws-security-hub
  ```

- Build the application. Make sure Go is installed and set up correctly:

  ```bash
  go mod tidy
  go build -o trivy-webhook-aws-security-hub
  ```

- Run the application. You can start it locally:

  ```bash
  ./trivy-webhook-aws-security-hub
  ```

  The server will start and listen on port `8080`.

- Set up Trivy: configure Trivy to send vulnerability reports to the `/trivy-webhook` endpoint of the running application. Example Trivy command:

  ```bash
  trivy image --format json --output result.json <image>
  curl -X POST -H "Content-Type: application/json" --data @result.json http://localhost:8080/trivy-webhook
  ```
You can configure AWS credentials using the standard AWS environment variables or by setting up the AWS SDK on your local machine or server:

- `AWS_ACCESS_KEY_ID`
- `AWS_SECRET_ACCESS_KEY`
- `AWS_REGION`

These are automatically loaded by the AWS SDK for Go.
- `POST /trivy-webhook`: Receives vulnerability reports in JSON format. Only processes reports of type `VulnerabilityReport` and imports CVE findings to AWS Security Hub.
- `GET /healthz`: Health check endpoint that returns a simple `OK` response.
```json
{
  "kind": "VulnerabilityReport",
  "metadata": {
    "name": "example",
    "labels": {
      "trivy-operator.container.name": "example-container"
    }
  },
  "report": {
    "registry": {
      "server": "docker.io"
    },
    "artifact": {
      "repository": "library/nginx",
      "digest": "sha256:exampledigest"
    },
    "vulnerabilities": [
      {
        "vulnerabilityID": "CVE-2021-12345",
        "title": "Example Vulnerability",
        "severity": "HIGH",
        "resource": "nginx",
        "installedVersion": "1.18.0",
        "fixedVersion": "1.19.0",
        "primaryLink": "https://example.com/CVE-2021-12345"
      }
    ]
  }
}
```
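The sample payload above is what the `/trivy-webhook` handler has to accept, validate and translate. The Go program below is an added example written for this page, not code from the csepulveda/trivy-webhook-aws-security-hub repository: it models the report with the fields the sample carries, rejects any payload whose `kind` is not `VulnerabilityReport` (the validation step described earlier), maps Trivy severities onto the `Severity.Label` values the AWS Security Finding Format accepts, and builds one finding per CVE. The `Finding` struct, the `importer` callback, the 8 MiB body cap and the `UNKNOWN`-to-`INFORMATIONAL` fallback are assumptions made here so that the example runs offline without the AWS SDK; in the real service the callback would wrap the Security Hub `BatchImportFindings` call.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// VulnerabilityReport models only the Trivy Operator fields the README's sample
// payload carries; the shape is assumed here, not taken from the project's code.
type VulnerabilityReport struct {
	Kind   string `json:"kind"`
	Report struct {
		Registry struct{ Server string `json:"server"` } `json:"registry"`
		Artifact struct {
			Repository string `json:"repository"`
			Digest     string `json:"digest"`
		} `json:"artifact"`
		Vulnerabilities []Vulnerability `json:"vulnerabilities"`
	} `json:"report"`
}

type Vulnerability struct {
	VulnerabilityID  string `json:"vulnerabilityID"`
	Title            string `json:"title"`
	Severity         string `json:"severity"`
	Resource         string `json:"resource"`
	InstalledVersion string `json:"installedVersion"`
	FixedVersion     string `json:"fixedVersion"`
	PrimaryLink      string `json:"primaryLink"`
}

// Finding holds the ASFF fields an import needs, as plain Go instead of AWS SDK types (assumed).
type Finding struct{ ID, Title, Description, SeverityLabel, ResourceID, SourceURL string }

// ParseReport decodes the body and enforces the kind check the README describes.
func ParseReport(body []byte) (*VulnerabilityReport, error) {
	var r VulnerabilityReport
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, fmt.Errorf("decode report: %w", err)
	}
	if r.Kind != "VulnerabilityReport" {
		return nil, fmt.Errorf("unsupported kind %q, want VulnerabilityReport", r.Kind)
	}
	return &r, nil
}

// SeverityLabel maps Trivy severities onto ASFF's fixed Severity.Label set;
// Trivy's UNKNOWN has no counterpart there and falls back to INFORMATIONAL.
func SeverityLabel(trivy string) string {
	if s := strings.ToUpper(trivy); s == "CRITICAL" || s == "HIGH" || s == "MEDIUM" || s == "LOW" {
		return s
	}
	return "INFORMATIONAL"
}

// ToFindings emits one finding per CVE; the ID combines image digest and CVE so a rescan updates it.
func ToFindings(r *VulnerabilityReport) []Finding {
	image := r.Report.Registry.Server + "/" + r.Report.Artifact.Repository + "@" + r.Report.Artifact.Digest
	out := make([]Finding, 0, len(r.Report.Vulnerabilities))
	for _, v := range r.Report.Vulnerabilities {
		fix := "no fix available" // Trivy leaves fixedVersion empty for unfixed CVEs
		if v.FixedVersion != "" {
			fix = "fixed in " + v.FixedVersion
		}
		out = append(out, Finding{
			ID:            image + "/" + v.VulnerabilityID,
			Title:         v.VulnerabilityID + ": " + v.Title,
			Description:   fmt.Sprintf("%s %s is affected; %s", v.Resource, v.InstalledVersion, fix),
			SeverityLabel: SeverityLabel(v.Severity),
			ResourceID:    image,
			SourceURL:     v.PrimaryLink,
		})
	}
	return out
}

// WebhookHandler caps the body, validates the kind and hands the findings to importer
// (the Security Hub client in a real service). Wrong kind is the caller's error (400),
// a failed import is ours (502).
func WebhookHandler(importer func([]Finding) error) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, req.Body, 8<<20)) // 8 MiB cap (assumed)
		if err != nil {
			http.Error(w, "body unreadable or too large", http.StatusRequestEntityTooLarge)
			return
		}
		r, err := ParseReport(body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		findings := ToFindings(r)
		if err := importer(findings); err != nil {
			http.Error(w, "import failed: "+err.Error(), http.StatusBadGateway)
			return
		}
		fmt.Fprintf(w, "imported %d findings\n", len(findings))
	}
}
```

Wiring this into a server is `http.Handle("/trivy-webhook", WebhookHandler(importer))`; with Go 1.22 or later the mux pattern `"POST /trivy-webhook"` restricts the method so the handler itself does not need to. The deterministic finding ID matters operationally: Security Hub treats an import with an already known finding ID as an update, so repeated scans of the same image digest keep one finding per CVE instead of accumulating duplicates.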
This application includes a Helm Chart to simplify deployment to Kubernetes. You can find the chart in the `charts/` directory.

- Ensure Helm is installed on your system.
- Use the provided chart to install the application:

  ```bash
  helm install trivy-webhook charts/trivy-webhook-aws-security-hub
  ```
We welcome contributions! To contribute, follow these steps:

- Fork the repository.
- Create a new feature branch: `git checkout -b my-feature`.
- Commit your changes: `git commit -m 'Add my feature'`.
- Push to the branch: `git push origin my-feature`.
- Create a new pull request.
This project is licensed under the GNU General Public License v3.0; see the `LICENSE` file for details.