openova/platform/trivy/README.md
hatiyildiz 4043e1d51c docs(pass-32): registry-DNS sweep — harbor.<domain> across 9 component READMEs
Pass 25's deferred sweep, executed. Image refs of the form
harbor.<domain>/... (and one registry.<domain>/... in temporal) collapse
the location-code segment. Per NAMING §5.1, Catalyst per-host-cluster
Harbor DNS is harbor.{location-code}.{sovereign-domain} (e.g.
harbor.hfmp.openova.io).

Fixed (11 instances, 9 files):
- anthropic-adapter, bge (×2), debezium, harbor (×2 — ingress + Kyverno
  policy), knative (×2 — serving + traffic-split), llm-gateway, strimzi,
  trivy — all standardized to harbor.<location-code>.<sovereign-domain>.
- temporal had two drift items in one line: registry.<domain> (off-spec
  placeholder — Catalyst's only per-host-cluster registry is Harbor) AND
  legacy "fuse" namespace (renamed to bp-fabric per BUSINESS-STRATEGY
  §16.2 / Pass 26). Rewritten to fabric/order-worker.

Out of scope (deliberate): :latest tag hygiene, and whether Application
Blueprint READMEs should reference ghcr.io/openova-io/bp-<name>:<semver>
vs the Sovereign Harbor mirror. Stalwart customer-email-domain <domain>
placeholders preserved (correct semantics). external-dns illustrative
gslb/api/svc.<domain> preserved (upstream-doc generic).

With Pass 29 (canonical-doc DNS) + Pass 31 (carry-over fixes) + Pass 32
(image registry), the recurring DNS-placeholder collapse drift category
is addressed end-to-end.

Validation log Pass 32 entry added.
2026-04-27 22:36:39 +02:00


# Trivy
Image and IaC vulnerability scanning. Per-host-cluster infrastructure (see [`docs/PLATFORM-TECH-STACK.md`](../../docs/PLATFORM-TECH-STACK.md) §3.3) — runs in CI for Blueprint scans, in Harbor for registry scans, and at runtime via Trivy Operator on every host cluster.
**Status:** Accepted | **Updated:** 2026-04-27
---
## Overview
Trivy provides unified security scanning at multiple levels: CI/CD, registry, and runtime.
```mermaid
flowchart LR
    subgraph CI["CI/CD Pipeline"]
        Code[Code] --> Scan1[Trivy Scan]
        Scan1 --> Build[Build Image]
    end
    subgraph Registry
        Build --> Harbor
        Harbor --> Scan2[Trivy Scan]
    end
    subgraph Runtime["Kubernetes"]
        Harbor --> Deploy[Deploy]
        TO[Trivy Operator] --> Scan3[Continuous Scan]
    end
```
---
## Scanning Levels
| Level | Integration | Trigger |
|-------|-------------|---------|
| CI/CD | Gitea Actions | On push/PR |
| Registry | Harbor (built-in) | On push |
| Runtime | Trivy Operator | Continuous |
---
## Scanning Capabilities
| Target | Command |
|--------|---------|
| Container images | `trivy image` |
| Kubernetes manifests | `trivy config` |
| IaC (Terraform) | `trivy config` |
| SBOM generation | `trivy sbom` |
| Secrets detection | `trivy fs --scanners secret` |
---
## Harbor Integration
Harbor includes Trivy scanning. Images are automatically scanned on push.
```mermaid
sequenceDiagram
    participant CI as CI/CD
    participant H as Harbor
    participant T as Trivy
    participant K as Kubernetes
    CI->>H: Push image
    H->>T: Trigger scan
    T->>H: Return vulnerabilities
    alt Critical vulnerabilities
        H-->>CI: Block deployment
    else Clean
        H->>K: Allow pull
    end
```
---
## Scan Policies
| Severity | CI/CD Action | Harbor Action |
|----------|--------------|---------------|
| Critical | Fail build | Block pull |
| High | Warn | Allow (configurable) |
| Medium | Info | Allow |
| Low | Info | Allow |
---
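The severity table above is the contract a CI gate has to enforce; the following script is an added example (not code from this README or from the Trivy project) that applies it to the JSON Trivy emits with `trivy image -f json`. It fails on CRITICAL, warns on HIGH and treats MEDIUM/LOW as informational, exactly as the table says; `fail_on` can be widened to `("CRITICAL", "HIGH")` to reproduce the stricter filter used by the Gitea Actions workflow further down, and `ignore_unfixed` mirrors the operator's `trivy.ignoreUnfixed` value. `SAMPLE_REPORT`, its image name and its CVE ids are constructed placeholders.

```python
"""Severity gate over a Trivy JSON report (the output of ``trivy image -f json``).

Added example, not code from the OpenOva README or the Trivy project. It encodes the
Scan Policies table: CRITICAL fails the build, HIGH warns, MEDIUM/LOW are informational.
SAMPLE_REPORT and its CVE ids are constructed placeholders.
"""
import json
import sys
from collections import Counter


def count_by_severity(report, ignore_unfixed=False):
    """Count findings per severity across every Results[] entry of a Trivy report.

    Trivy's JSON schema keeps findings under Results[].Vulnerabilities[]; a target
    with no findings omits the key entirely, hence the ``or []``. A CVE that hits
    two targets (OS package plus a vendored copy) counts once per target, which is
    what the trivy CLI itself prints in its summary line.
    """
    counts = Counter()
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # no upstream fix yet: nothing the build can act on
            counts[vuln.get("Severity", "UNKNOWN").upper()] += 1
    return counts


def evaluate(report, fail_on=("CRITICAL",), warn_on=("HIGH",), ignore_unfixed=False):
    """Apply the gate and return counts, what failed, what warned, and the CI exit code."""
    counts = count_by_severity(report, ignore_unfixed)
    failing = {s: counts[s] for s in fail_on if counts[s]}
    warning = {s: counts[s] for s in warn_on if counts[s] and s not in fail_on}
    return {
        "counts": dict(counts),
        "fail": failing,
        "warn": warning,
        "exit_code": 1 if failing else 0,
    }


# Constructed sample report in Trivy's JSON shape; the CVE ids are placeholders.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "harbor.hfmp.openova.io/platform/api:1.0.0",
    "Results": [
        {
            "Target": "api:1.0.0 (alpine 3.19.1)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
                 "InstalledVersion": "3.1.4-r0", "FixedVersion": "3.1.4-r1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.36.1-r15", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
                 "InstalledVersion": "1.3-r2", "FixedVersion": "1.3.1-r0", "Severity": "MEDIUM"},
            ],
        },
        # A clean target: Trivy omits the Vulnerabilities key rather than emitting [].
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip"},
    ],
}


def main(argv):
    """Read a report path from argv (or use the sample) and print the verdict."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    verdict = evaluate(report)
    print(json.dumps(verdict, indent=2))
    return verdict["exit_code"]


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py report.json` after `trivy image -f json -o report.json <image>`; the process exit code is the build verdict, so the script drops straight into a pipeline step. Keeping the gate in code rather than in the action's `severity` filter makes the CI and Harbor policies auditable side by side, and the `ignore_unfixed` switch shows why the operator's `ignoreUnfixed: true` changes the numbers you see at runtime versus in CI.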
## Trivy Operator
Continuous runtime scanning in Kubernetes:
```yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
# Generated automatically for each workload
```
### Installation
```yaml
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: trivy-operator
  namespace: trivy-system
spec:
  interval: 10m
  chart:
    spec:
      chart: trivy-operator
      version: "0.20.x"
      sourceRef:
        kind: HelmRepository
        name: aqua
        namespace: flux-system
  values:
    trivy:
      ignoreUnfixed: true
    operator:
      scanJobsConcurrentLimit: 5
```
---
## CI/CD Integration
### Gitea Actions
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan filesystem
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'
      - name: Scan Kubernetes manifests
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          scan-ref: './k8s'
          severity: 'CRITICAL,HIGH'
          # Without exit-code: '1' (as set on the filesystem scan above) this step
          # only reports misconfigurations and never fails the build.
```
---
## Kyverno Policy
Block deployment of vulnerable images:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-vulnerable-images
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-vulnerabilities
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "harbor.<location-code>.<sovereign-domain>/*"
          attestations:
            - type: https://cosign.sigstore.dev/attestation/vuln/v1
              # Add an attestors block (the signing key or keyless identity) so the
              # attestation is verified against a trusted signer; an unverified
              # attestation proves nothing about the image.
              conditions:
                # Placeholder keys: they must match the field paths of the vuln/v1
                # predicate the scanner actually emits.
                - all:
                    - key: "{{ scanner }}"
                      operator: Equals
                      value: "trivy"
                    - key: "{{ criticalCount }}"
                      operator: LessThanOrEquals
                      value: "0"
```
---
## Monitoring
### Key Metrics
| Metric | Query |
|--------|-------|
| Vulnerability count | `trivy_vulnerability_id` |
| Critical vulns | `count(trivy_vulnerability_id{severity="CRITICAL"})` |
| Scan status | `trivy_image_vulnerabilities` |

`trivy_vulnerability_id` (one series per vulnerability id and workload) is only exported when the operator's `operator.metricsVulnIdEnabled` Helm value is enabled; it is off by default. `trivy_image_vulnerabilities` (a count per image and severity) is exported by default.
### Alerts
```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: trivy-alerts
  namespace: monitoring
spec:
  groups:
    - name: trivy
      rules:
        - alert: CriticalVulnerabilityFound
          expr: count(trivy_vulnerability_id{severity="CRITICAL"}) > 0
          for: 5m
          labels:
            severity: critical
          annotations:
            summary: "Critical vulnerability detected"
```
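The alert above fires on `count()` over `trivy_vulnerability_id`, and that metric is one series per vulnerability entry in each VulnerabilityReport, so one CVE present in two containers of the same workload is two series. The script below is an added example (not code from this README or from trivy-operator) that reads reports in the operator's VulnerabilityReport shape and returns the series count the alert sees, the set of unique ids that actually need patching, and the per-workload breakdown an on-call engineer needs to act on the page. `SAMPLE_REPORTS`, the workload names and the CVE ids are constructed placeholders; the `trivy-operator.resource.*` labels and the `report.vulnerabilities[]` field names follow the operator's CRD.

```python
"""Aggregate Trivy Operator VulnerabilityReports the way the CriticalVulnerabilityFound alert does.

Added example, not code from the OpenOva README or from trivy-operator. SAMPLE_REPORTS and
their CVE ids are constructed placeholders.
"""
from collections import defaultdict

# Labels trivy-operator writes on every VulnerabilityReport it generates.
KIND_LABEL = "trivy-operator.resource.kind"
NAME_LABEL = "trivy-operator.resource.name"
CONTAINER_LABEL = "trivy-operator.container.name"


def findings_at(reports, severity="CRITICAL"):
    """Return series count, unique CVE ids and per-workload detail for one severity."""
    series = 0
    unique = set()
    by_workload = defaultdict(list)
    for rep in reports:
        meta = rep["metadata"]
        labels = meta["labels"]
        workload = f"{meta['namespace']}/{labels[KIND_LABEL]}/{labels[NAME_LABEL]}"
        for vuln in rep["report"].get("vulnerabilities", []):
            if vuln.get("severity") != severity:
                continue
            series += 1
            unique.add(vuln["vulnerabilityID"])
            by_workload[workload].append((labels[CONTAINER_LABEL], vuln["vulnerabilityID"]))
    return {
        "series": series,              # what count(trivy_vulnerability_id{severity=...}) sees
        "unique_ids": sorted(unique),  # what actually needs patching
        "by_workload": dict(by_workload),
        "alert": series > 0,           # the alert's `> 0` condition
    }


def _report(namespace, kind, name, container, image, vulns):
    """Build a minimal VulnerabilityReport-shaped dict (helper for constructed test data)."""
    repository, tag = image.split(":")
    return {
        "apiVersion": "aquasecurity.github.io/v1alpha1",
        "kind": "VulnerabilityReport",
        "metadata": {
            "name": f"{kind.lower()}-{name}-{container}",
            "namespace": namespace,
            "labels": {KIND_LABEL: kind, NAME_LABEL: name, CONTAINER_LABEL: container},
        },
        "report": {
            "artifact": {"repository": repository, "tag": tag},
            "scanner": {"name": "Trivy"},
            "vulnerabilities": vulns,
        },
    }


# Constructed sample: one CVE shared by two containers of one workload, plus a workload
# with a HIGH finding only. Placeholder ids, not real advisories.
SAMPLE_REPORTS = [
    _report("fabric", "ReplicaSet", "order-worker-7d9f", "worker", "platform/order-worker:1.4.0", [
        {"vulnerabilityID": "CVE-0000-0001", "resource": "openssl", "severity": "CRITICAL",
         "installedVersion": "3.1.4-r0", "fixedVersion": "3.1.4-r1"},
        {"vulnerabilityID": "CVE-0000-0003", "resource": "zlib", "severity": "MEDIUM",
         "installedVersion": "1.3-r2", "fixedVersion": "1.3.1-r0"},
    ]),
    _report("fabric", "ReplicaSet", "order-worker-7d9f", "sidecar", "platform/envoy-sidecar:2.0.1", [
        {"vulnerabilityID": "CVE-0000-0001", "resource": "openssl", "severity": "CRITICAL",
         "installedVersion": "3.1.4-r0", "fixedVersion": "3.1.4-r1"},
    ]),
    _report("platform", "StatefulSet", "gateway", "gateway", "platform/gateway:0.9.2", [
        {"vulnerabilityID": "CVE-0000-0002", "resource": "busybox", "severity": "HIGH",
         "installedVersion": "1.36.1-r15", "fixedVersion": ""},
    ]),
]


if __name__ == "__main__":
    import json
    print(json.dumps(findings_at(SAMPLE_REPORTS), indent=2))
```

Against real cluster data, feed it the items of `kubectl get vulnerabilityreports -A -o json`. The gap between `series` and `unique_ids` is why a noisy alert on a shared base-image CVE can page once per container while the fix is a single rebuild.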
---
## Consequences
**Positive:**
- Unified scanning across CI/CD, registry, and runtime
- Integrated with Harbor (mandatory component)
- Shift-left security with fast feedback
- SBOM generation for compliance
**Negative:**
- False positives require triage
- Scan time adds to CI/CD pipeline
- Operator resources in cluster
---
*Part of [OpenOva](https://openova.io)*