The trivy-dojo-report-operator is a Kubernetes operator developed using Kopf and Python. This operator listens for vulnerability reports generated by the Trivy Operator and forwards them to Defect Dojo for further analysis and tracking.
- Monitor Kubernetes for new Trivy vulnerability reports.
- Push vulnerability reports to a configured Defect Dojo instance.
- Seamless integration with your existing Kubernetes cluster and security workflow.
- Developed using the Pythonic Kopf framework for easy maintenance and extensibility.
The operator can forward the following Trivy Operator report types:
- Vulnerability reports
- RBAC Assessment reports
- Infra Assessment reports
- Config Audit reports
- Exposed secrets

Prerequisites:
- A running Kubernetes cluster (minikube, kind, or another environment)
- Trivy Operator installed and configured in the cluster
- An instance of Defect Dojo for storing vulnerability reports
- Configure Defect Dojo settings: update the variables in `values.yaml` to match your Defect Dojo instance configuration, including the environment variables. The options closely match the options of the import-scan API call found here.

  ```yaml
  defectDojoApiCredentials:
    apiKey: "YOUR_DEFECTDOJO_API_KEY"
    url: "https://YOUR.DEFECTDOJO.URL"
  ```

- Deploy the chart from the repository:

  ```shell
  helm repo add trivy-dojo-report-operator https://telekom-mms.github.io/trivy-dojo-report-operator/
  helm repo update
  helm install chart-name trivy-dojo-report-operator/trivy-dojo-report-operator --values your_values.yaml
  ```

- or deploy the chart manually after cloning the git repository:

  ```shell
  git clone https://github.com/telekom-mms/trivy-dojo-report-operator.git
  cd trivy-dojo-report-operator
  helm install chart-name charts/
  ```

- or deploy the trivy-dojo-report-operator using the Kubernetes manifests: update the secret in the manifest, then apply the manifests:

  ```shell
  kubectl create ns mgmt
  kubectl apply -f deploy/trivy-dojo-report-operator.yaml
  ```
The operator is now running in your cluster and will monitor for Trivy vulnerability reports and push them to the configured Defect Dojo instance.
You can also run the operator locally. This way you don't have to install anything in your cluster. Just provide the Defect Dojo URL and API key, and optionally a label and label value to filter reports, to the `docker run` command. You also have to mount your kubeconfig into the container so the operator can access the cluster.

```shell
docker pull ghcr.io/telekom-mms/docker-trivy-dojo-operator
docker run -it -v /path/to/your/.kube/config:/root/.kube/config \
  -e DEFECT_DOJO_API_KEY=$DEFECT_DOJO_API_KEY \
  -e DEFECT_DOJO_URL=$DEFECT_DOJO_URL \
  -e DEFECT_DOJO_PRODUCT_TYPE_NAME="Research and Development" \
  -e LABEL="trivy-operator.resource.name" \
  -e LABEL_VALUE="master-live-server" \
  -e REPORTS="vulnerabilityreports" \
  ghcr.io/telekom-mms/docker-trivy-dojo-operator
```
| Variable | Default Value | Description |
|---|---|---|
| defectDojoActive | "true" | Override the active setting from the tool. |
| defectDojoAutoCreateContext | "true" | Specifies whether to automatically create Engagements, Products and Product_Types. |
| defectDojoCloseOldFindings | "false" | Select if old findings no longer present in the report get closed as mitigated when importing. If service has been set, only the findings for this service will be closed. |
| defectDojoCloseOldFindingsProductScope | "false" | Select if close_old_findings applies to all findings of the same type in the product. By default, it is false, meaning that only old findings of the same type in the engagement are in scope. |
| defectDojoDeduplicationOnEngagement | "true" | Restrict deduplication for imported Findings to the newly created Engagement. |
| defectDojoEngagementName | engagement | The name of the engagement in DefectDojo. |
| defectDojoEvalEngagementName | "false" | Specifies whether the engagement name should be evaluated as a python function. |
| defectDojoEvalProductName | "false" | Specifies whether the product name should be evaluated as a python function. |
| defectDojoEvalProductTypeName | "false" | Specifies whether the product type name should be evaluated as a python function. |
| defectDojoEvalEnvName | "false" | Specifies whether the environment name should be evaluated as a python function. |
| defectDojoEvalTestTitle | "false" | Specifies whether the test title should be evaluated as a python function. |
| defectDojoMinimumSeverity | Info | The minimum severity level for findings in DefectDojo. |
| defectDojoProductName | product | The name of the product in DefectDojo. |
| defectDojoProductTypeName | `""` | The type of the product in DefectDojo. |
| defectDojoEnvName | Development | The environment in DefectDojo. |
| defectDojoPushToJira | "false" | Specifies whether findings should be pushed to Jira in DefectDojo. |
| defectDojoTestTitle | Kubernetes | The title of the test in DefectDojo. |
| defectDojoVerified | "false" | Specifies whether findings should be marked as verified in DefectDojo. |
| defectDojoDoNotReactivate | "true" | If true, importing/reimporting will ignore uploaded active findings and not reactivate previously closed findings, while still creating new findings if there are new ones. |
| reports | "vulnerabilityreports" | Comma-separated list of reports that should be sent to DefectDojo. Possibilities: vulnerabilityreports, rbacassessmentreports, infraassessmentreports, configauditreports, exposedsecretreports |
When one of the `Eval*` settings is set to `true`, the corresponding name or title is not used literally but evaluated as a Python expression inside the operator, with `meta` (the report's Kubernetes metadata) and `body` (the whole report resource) in scope. For example, set `defectDojoEvalEngagementName` to `true` and `defectDojoEngagementName` to `meta["creationTimestamp"]`; the `creationTimestamp` of the VulnerabilityReport resource in Kubernetes is then evaluated and used as the engagement name. If you set `defectDojoEngagementName` to `body["report"]["artifact"]["tag"]`, the engagement gets the name of the scanned image's tag. Because these values are executed as code with the operator's permissions, treat them as trusted configuration: restrict who can edit `values.yaml`, the Helm release and the operator's environment variables.
The operator provides a Prometheus metrics endpoint, where successful and failed requests are collected.
To remove the trivy-dojo-report-operator from your cluster, run the following command:

```shell
helm uninstall chart-name
```
- On push to main:
  - a new release version is calculated
  - versions in all files are automatically updated
  - k8s manifests are rendered from the helm chart and updated in `deploy/`
  - a draft release is created
- On publish of the release:
  - a new tag is created
  - a new release is created
  - a new container image is built
  - a new helm chart is published
GPLv3