Trivy
For OSS users: Please ensure that the Build and Deploy (CI/CD) integration is installed.
For Enterprise users: The Build and Deploy (CI/CD) integration is installed by default.
The Trivy integration lets you scan images, code, and manifests for vulnerabilities during the execution of build and deployment pipelines. Refer to the Trivy documentation to know more about Trivy.
To enable the Trivy integration for Devtron Enterprise (managed by Devtron), contact your Devtron representative.
If you are self-managing Devtron Enterprise, follow the installation steps below to enable Trivy.
To install the Trivy integration, follow these steps:
On the Devtron Stack Manager → Discover page, click Vulnerability Scanning (Trivy).
On the Discover Integrations → Vulnerability Scanning (Trivy) page, click Install.
Note: If Clair is already installed, you also need to enable the Trivy integration after installing it.
The installation status may be one of the following:
Install: The integration is not yet installed.
Initializing: The installation is being initialized.
Installing: The installation is in progress. The logs are available to track the progress.
Failed
Installed: The integration is successfully installed and available on the Installed page.
Request timed out
A list of installed integrations can be viewed on the Devtron Stack Manager → Installed page.
In Devtron, Trivy can be used to scan for vulnerabilities across various types of applications, such as Devtron Apps, Helm Apps, ArgoCD Apps, and FluxCD Apps.
Trivy provides three types of scans, depending on the type of application: Image Scan, Kubernetes Manifest Scan, and Code Scan.
Image Scan: Scans build images for:
- Vulnerabilities
- License Risks
- Misconfigurations
- Exposed Secrets
Code Scan: The Code Scan plugin of Devtron uses Trivy to scan your source code for:
- Vulnerabilities
- License Risks
- Misconfigurations
- Exposed Secrets
Refer to the table below to see which types of scans are supported across the different application types in Devtron.

| Application Type | Image Scan | Code Scan (Requires Plugin) | Manifest Scan |
|---|---|---|---|
| Devtron Apps | ✅ | ✅ | ✅ |
| Helm Apps | ✅ | Not Applicable | ✅ |
| ArgoCD Apps | ✅ | Not Applicable | ❌ |
| FluxCD Apps | ✅ | Not Applicable | ❌ |
For Devtron Apps, you can enable scanning in two ways.

| Option | Scan types | Description |
|---|---|---|
| Scan for vulnerabilities | Image scan, Kubernetes Manifest scan | Enables scanning of build images and Kubernetes manifests before deployment. |
| Code Scan (Plugin) | Code Scan | The Code Scan plugin of Devtron allows you to perform code scanning using Trivy. |
The Code Scan plugin of Devtron allows you to perform code scanning using Trivy.
Users need Admin permission or above (along with access to the environment and application) to enable the Scan for vulnerabilities option.
Follow the steps below to enable the Scan for vulnerabilities option:
Navigate to Configurations → Workflow Editor of your Devtron App.
Select the build pipeline for which you want to enable scanning; an Edit deployment pipeline modal window will appear.
Enable the Scan for vulnerabilities toggle in the Build stage.
Select Update pipeline to save the configuration.
Trigger the next CI pipeline build to scan for vulnerabilities.
To enable code scanning for Devtron Apps, configure the Code Scan plugin as a pre-build task in your Devtron App.
To configure Code Scan as a pre-build task, follow the steps below:
Navigate to Configurations → Workflow Editor of your Devtron App.
Select the build pipeline for which you want to enable scanning; an Edit deployment pipeline modal window will appear.
Navigate to the Pre-build stage, and select Add task from the left side panel.
Select Update Pipeline. The Code Scan plugin is now configured and will scan the code when the next build is triggered.
The table below shows the locations where the scan results are available after enabling the above scans.

| Location | Image Scan | Code Scan | Manifest Scan |
|---|---|---|---|
| App Details | ✅ | ✅ | ✅ |
| Select Image Artifact | ✅ | ✅ (Not in summary) | ❌ |
| CI History (Job/Build) | ✅ | ✅ | ❌ |
| Security | ✅ | ✅ | ❌ |
To access the scan results:
Navigate to the App Details page of your Devtron App.
In App Details, scan results are available in two places:
Security Card: You can view the overall scan results by selecting the Security card.
K8s Resources Sub Tab: You can view the scan results for specific workloads (Pods, Deployments, ReplicaSets) under the K8s Resources sub tab.
After clicking the Security card, a Security modal window appears showing all the enabled scan results (Image Scan, Code Scan, and Kubernetes Manifest Scan), sorted according to their severity in reverse chronological order.
You can inspect each type of scan to view the specific types of vulnerabilities that the scan supports. Refer to the video below.
Clicking the Security card gives you the Image scan results for the latest build image that is deployed. If you want to inspect Image scan results for specific K8s resources (Deployments, ReplicaSets, and Pods), you can find them in the Workloads dropdown under K8s Resources.
If you enabled vulnerability scanning after the application had already been built and deployed, you can still initiate an image scan for the existing Kubernetes resources.
To access or initiate Image scan results for specific resources, follow the steps below:
Select the resource type (Deployment, Pod, or ReplicaSet) from the left-side menu in Workloads under the K8s Resources sub tab.
After selecting the resource type, a list of all resources of that type appears on the right side.
Select the kebab menu (⋮) for the particular resource in the list and select Check Vulnerabilities.
A Security modal window appears, displaying the scan results for the image used to build that resource.
Select the image in the Security modal window to view the list of vulnerabilities.
You can also check vulnerabilities from the Resource Browser:
Navigate to Resource Browser.
Select a cluster.
Click a workload within the Workloads dropdown.
Select the Check vulnerabilities option from the kebab menu (⋮) to access the scan results.
You can access the build image scan results while selecting the image before triggering the deployment. To do so, follow the steps below:
Navigate to the Build & Deploy tab of your application.
Click the Select Image button in the deploy pipeline, and choose the build image you want to deploy.
Click Show more info, which expands the selected image dialog box to display additional information about the selected image.
Go to the Security tab for the selected image to access the scan results.
Click the scan to open a new Security modal window, which displays the scan results in detail.
You can access the scan results in Build History under the Security tab. To do so, follow the steps below:
Navigate to Build History for your application.
Go to the Security tab in Build History to access the scan results.
Click the specific scan to open a new Security modal window, which displays the scan results in detail.
To enable scanning for Helm Apps, follow the steps below:
Navigate to the Configure tab of your Helm App.
Enable the Security Scan option to enable vulnerability scanning.
The table below shows the locations where the scan results are available after enabling the Security scan.

| Location | Image Scan | Manifest Scan |
|---|---|---|
| App Details | ✅ | ✅ |
| Deployment History | ✅ | ✅ |
To access the scan results:
Navigate to the App Details tab of your Helm App.
Scan results can be found by selecting the Security card, and under K8s resources for specific workloads.
After clicking the Security card, a Security modal window appears showing all the enabled scan results, such as Image Scan and Kubernetes Manifest Scan.
You can inspect each type of scan to view the specific types of vulnerabilities that the scan supports. Refer to the video below.
If you enabled vulnerability scanning after the application had already been built and deployed, you can still initiate an image scan for the existing Kubernetes resources.
To access or initiate an Image scan for specific resources, follow the steps below:
Select the resource type (Deployment, Pod, or ReplicaSet) from the Workloads dropdown under the K8s Resources sub tab.
On the right-hand side, select Check vulnerabilities from the kebab menu (⋮) to access the security scans.
You can access the scan results in Deployment History under the Security tab. To do so, follow the steps below:
Navigate to Deployment History for your application.
Go to the Security tab in Deployment History to access the scan results.
Click the specific scan to open a new Security modal window, which displays the scan results in detail.
For ArgoCD and FluxCD apps, you do not need to enable the scan anywhere; the scan is initiated the first time you check the scan results.
The table below shows the locations where the scan results are available.

| Location | Image Scan |
|---|---|
| App Details | ✅ |

To access the scan results:
Navigate to ArgoCD Apps or FluxCD Apps.
Select the application whose scan results you want to inspect.
Under App Details, scan results can be found under K8s resources for specific workloads.
If the application has already been built and deployed, you can still initiate an image scan for the existing Kubernetes resources.
To access or initiate an Image scan for specific resources, follow the steps below:
Select the resource type (Deployment, Pod, or ReplicaSet) from the Workloads dropdown under the K8s Resources sub tab.
On the right-hand side, select Check vulnerabilities from the kebab menu (⋮) to access the security scans.
Devtron allows you to define security policies based on the severity of the vulnerabilities (Critical, High, Medium, Low). Users can set policies that either block or allow the deployment of container images with vulnerabilities.
With this feature, users specify the desired action for each severity level. For example, they can block any container image with Critical vulnerabilities while allowing container images with only Medium or Low vulnerabilities to be deployed.
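The following is an added example of such a per-severity policy applied to a Trivy JSON report; it is not Devtron's own policy engine. It assumes the layout of `trivy image --format json` output (Results[].Vulnerabilities[].Severity), and the image name and CVE identifiers in the sample report are constructed placeholders.

```python
import json

# Trivy's severity names, ordered from lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# One action per severity level, as the page describes: block Critical and
# High images, allow Medium, Low and Unknown through.
DEFAULT_POLICY = {"CRITICAL": "block", "HIGH": "block",
                  "MEDIUM": "allow", "LOW": "allow", "UNKNOWN": "allow"}

# Constructed sample report in the shape of `trivy image --format json`.
# The CVE identifiers and image name are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.invalid/demo-app:1.0.0",
    "Results": [
        {"Target": "demo-app:1.0.0 (debian 12.5)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libplaceholder",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libother",
              "InstalledVersion": "2.1-3", "Severity": "LOW"}]},
        # A target with no findings omits the "Vulnerabilities" key entirely.
        {"Target": "app/requirements.txt", "Class": "lang-pkgs"},
    ],
})

def count_by_severity(report: dict) -> dict:
    """Tally vulnerabilities per severity; tolerate absent or null sections."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev if sev in counts else "UNKNOWN"] += 1
    return counts

def evaluate(report_json: str, policy: dict = DEFAULT_POLICY) -> dict:
    """Apply the per-severity policy and report whether deployment is blocked."""
    report = json.loads(report_json)
    counts = count_by_severity(report)
    blocking = [s for s in reversed(SEVERITY_ORDER)
                if counts[s] and policy.get(s) == "block"]
    return {"artifact": report.get("ArtifactName"), "counts": counts,
            "blocked": bool(blocking), "blocking_severities": blocking}

if __name__ == "__main__":
    verdict = evaluate(SAMPLE_REPORT)
    print("BLOCKED" if verdict["blocked"] else "ALLOWED", verdict)
```

A report with `"Results": null` (Trivy's output when nothing was found) evaluates as allowed, so the gate fails open only on an empty report, not on a malformed one.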
Failed: The installation failed, and the logs are available for troubleshooting. You can retry the installation or ask for further assistance.
Request timed out: The installation request has hit the maximum number of retries. You may retry the installation or ask for further assistance.
To update an installed integration, refer to the update instructions in the Devtron documentation.
Manifest Scan: Scans Kubernetes manifests.
Devtron's CI pipeline provides a Scan for vulnerabilities option, as shown below. Once you enable this option, it automatically scans the image and Kubernetes manifests for vulnerabilities.
To access the scan results after the build, navigate to the Build History page of your Devtron App. Refer to the Build History section to learn more.
After the build image (artifact) is deployed, you can also access the scan results from the App Details page. Refer to the App Details section to learn more.
After deploying your application, scan results are also available in the Security section under Security Scans. Refer to that section to know more.
Search for Code Scan in the Search Plugin bar and select Code Scan from the list of plugins. The Code Scan plugin does not require any additional configuration. If you want, you can change the Task Name and Description. For in-depth instructions, refer to the Code Scan plugin documentation.