9.2: Trivy Operator

Trivy Operator

The Trivy Operator is an open-source project from Aqua Security that runs the Trivy scanner inside your cluster and automatically scans the container images and configurations running there. Deploying the operator gives you ongoing visibility into CVEs without requiring manual scans each time a new image is deployed.

It will:

  • Detect every image running in the cluster and scan it for vulnerabilities
  • Periodically re-scan images so newly discovered issues are surfaced
  • Generate Kubernetes custom resources containing detailed vulnerability and configuration audit reports
  • Expose metrics that can be scraped by Prometheus or other monitoring systems

Installing the Operator

The course repository includes a Taskfile that installs the Trivy Operator with Helm.

# task trivy-operator:01-install-trivy-operator

That task runs the following commands:

helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update
helm upgrade --install trivy-operator aqua/trivy-operator \
  --namespace trivy-system \
  --create-namespace \
  --version 0.23.2

Viewing Scan Jobs

After installation the operator immediately starts jobs to scan every detected image.

kubectl get pods -n trivy-system

You should see the operator pod as well as one or more vulnerabilityreport-scan jobs.

List the generated reports:

kubectl get vulnerabilityreports -A

Add the -o wide flag to get a summary count of vulnerabilities found at each severity level.
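One way to turn those summary counts into a pass/fail check, as an added example that is not part of the course repository: it reads one report per line in the column layout produced by the kubectl custom-columns command shown in the comment (the summary field names are those of the VulnerabilityReport resource) and prints every report with any CRITICAL finding or more than MAX_HIGH HIGH findings. The sample lines are constructed so it runs without a cluster.

```shell
#!/bin/sh
# Added example (not the course's own code): gate on VulnerabilityReport summaries.
# Expected input, one report per line: NAMESPACE NAME CRITICAL HIGH, as produced by
#   kubectl get vulnerabilityreports -A --no-headers \
#     -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name,CRIT:.report.summary.criticalCount,HIGH:.report.summary.highCount'
# Policy: fail a report on any CRITICAL, or on HIGH above MAX_HIGH (default 5).

MAX_HIGH="${MAX_HIGH:-5}"

failing_reports() {
  # Reads report lines on stdin; prints "namespace/name crit=N high=M" per failing report.
  # Lines whose count columns are not plain integers (e.g. <none>) are skipped.
  awk -v max_high="$MAX_HIGH" '
    NF >= 4 && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ && ($3 > 0 || $4 > max_high) {
      printf "%s/%s crit=%d high=%d\n", $1, $2, $3, $4
    }'
}

# Constructed sample in the same column layout as the kubectl command above.
SAMPLE_REPORTS='demo-app replicaset-api-7d9f-api 0 2
demo-app replicaset-web-5c4a-web 3 9
kube-system daemonset-kube-proxy-kube-proxy 0 6
trivy-system deployment-trivy-operator-trivy-operator 0 0'

count_failing() {
  # Number of reports in the sample that breach the policy (2 with the defaults).
  printf '%s\n' "$SAMPLE_REPORTS" | failing_reports | wc -l | tr -d ' '
}

# Stand-alone run: list the failing reports from the sample.
printf '%s\n' "$SAMPLE_REPORTS" | failing_reports
```

In a CI step, replace the sample with the live kubectl output and exit non-zero when the list is non-empty.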

To inspect a specific report in detail:

kubectl get vulnerabilityreports -n demo-app <report-name> -o yaml | yq

The output shows each CVE along with links to additional information. In the video we saw an example vulnerability in the Go standard library that could be resolved by updating the base image version.

Cleanup

If you want to remove the operator, run:

# task trivy-operator:02-uninstall-trivy-operator

All of the code used in this lesson is available in the course GitHub repository.