Trivy

Prerequisite

The Trivy integration enables you to scan images, code, and manifests for vulnerabilities during the execution of build and deployment pipelines. Refer to Vulnerability Scanning to learn more about Trivy.

Install Trivy Integration

For Enterprise Users

To enable Trivy integration for Devtron Enterprise (managed by Devtron), contact your Devtron representative.

If you are self-managing Devtron Enterprise, follow the steps in For OSS and Self-Managed Devtron Enterprise Users to enable Trivy.

For OSS and Self-Managed Devtron Enterprise Users

To install Trivy integration, follow the steps:

  1. On the Devtron Stack Manager > Discover page, click Vulnerability Scanning (Trivy).

  2. On the Discover Integrations/Vulnerability Scanning (Trivy) page, click Install.

Note: If Clair is already installed, you also need to enable the Trivy integration after installing it.

The installation status may be one of the following:

| Installation status | Description |
|---|---|
| Install | The integration is not yet installed. |
| Initializing | The installation is being initialized. |
| Installing | The installation is in progress. The logs are available to track the progress. |
| Failed | Installation failed, and the logs are available to troubleshoot. You can retry the installation or contact support. |
| Installed | The integration is successfully installed and available on the Installed page. |
| Request timed out | The request to install has hit the maximum number of retries. You may retry the installation or contact support for further assistance. |

A list of installed integrations can be viewed on the Devtron Stack Manager > Installed page.

To update an installed integration, please update Devtron.


Using Trivy

In Devtron, Trivy can be used to scan for vulnerabilities across various types of applications, such as Devtron Apps, Helm Apps, ArgoCD Apps, and FluxCD Apps.

Trivy provides three types of scan, depending on the type of application: Image Scan, Kubernetes Manifest Scan, and Code Scan.

| Type of scan | Description |
|---|---|
| Image Scan | Scans build images for vulnerabilities and license risks. |
| Manifest Scan | Scans Kubernetes manifests to identify misconfigurations and exposed secrets. |
| Code Scan (requires Code Scan Plugin) | The Code Scan plugin of Devtron uses Trivy to scan your source code for vulnerabilities, license risks, misconfigurations, and exposed secrets. |

Refer to the table below to see which types of scan are supported across different application types in Devtron.

| Application Type | Image Scan | Code Scan (Requires Plugin) | Manifest Scan |
|---|---|---|---|
| Devtron Apps | ✅ | ✅ | ✅ |
| Helm Apps | ✅ | Not Applicable | ✅ |
| ArgoCD Apps | ✅ | Not Applicable | Not Applicable |
| FluxCD Apps | ✅ | Not Applicable | Not Applicable |

Devtron Apps

Where to Initiate the Scan for Devtron Apps

For Devtron Apps, you can enable scanning in two ways.

| Field Name | Scans Supported | Description |
|---|---|---|
| Scan for vulnerabilities | Image scan, Kubernetes Manifest scan | Enables scanning of build images and Kubernetes manifests before deployment. |
| Code Scan (Plugin) | Code Scan | The Code Scan plugin of Devtron allows you to perform code scanning using Trivy. |

Enable 'Scan for vulnerabilities' option

Devtron's CI pipeline provides a Scan for vulnerabilities option, as shown below. Once you enable this option, it automatically scans the image and Kubernetes manifests for vulnerabilities.

Figure 1: Scan for vulnerabilities

Follow the steps below to enable the Scan for vulnerabilities option.

  1. Navigate to Configurations > Workflow Editor of your Devtron App.

  2. Select the specific build pipeline for which you want to enable scanning; an Edit deployment pipeline modal window will appear.

  3. Enable the Scan for vulnerabilities toggle in the Build stage.

  4. Select Update pipeline to save the configuration.

  5. Trigger the next CI pipeline build to scan for vulnerabilities.

  6. To access the scan results after the build, navigate to the Build History page of your Devtron App. Refer to the From Build History Page section to learn more.

    • After the build image (artifact) is deployed, you can also access the scan results from the App Details page. Refer to the Accessing the scan results section to learn more.

After deploying your application, scan results are also available in the Security section under Security Scans. Refer to Security Features to learn more.

Enable Code Scan Plugin

To enable code scanning for Devtron Apps, configure the Code Scan plugin as a pre-build task in your Devtron App.

To configure Code Scan as a pre-build task, follow the steps below:

  1. Navigate to Configurations > Workflow Editor of your Devtron App.

  2. Select the specific build pipeline for which you want to enable scanning; an Edit deployment pipeline modal window will appear.

  3. Navigate to Pre-build stage, and select Add task from the left side panel.

  4. Search for Code Scan in the Search Plugin bar and select Code Scan from the list of plugins. The Code Scan plugin does not require any additional configuration. If you want, you can change the Task Name and Description. Refer to the Code Scan Plugin documentation to know more.

  5. Select Update Pipeline. The Code Scan plugin is now configured and will scan the code when the next build is triggered.

Accessing the Scan Results

The table below shows the locations where the scan results will be available after enabling the above scans.

Location
Image Scan
Code Scan (Requires Plugin)
Manifest Scan

App Details

Select Image Artifact

✅ (Not in summary)

CI History (Job/Build)

Security

App Details

To access the scan results:

  1. Navigate to the App details page of your Devtron App.

  2. In App Details, scan results are available at two places:

    • Security Card: You can view the overall scan results by selecting the Security card.

    • K8s Resources Sub Tab: You can view the scan results for specific workloads (Pods, Deployments, ReplicaSets) under K8s Resources Sub Tab.

Accessing Scan Results from 'Security'

After clicking the Security card, a Security modal window appears showing all the enabled scan results (Image Scan, Code Scan, and Kubernetes Manifest Scan), sorted by severity and listed in reverse chronological order.

You can inspect each type of scan to view the specific kinds of vulnerabilities that the scan supports. Refer to the video below.

K8s Resources Sub Tab

Clicking the Security card shows the Image scan results for the latest deployed build image. If you want to inspect Image scan results for specific K8s resources (Deployments, ReplicaSets, and Pods), use the Workloads dropdown under K8s Resources.

Note

In case you have enabled the vulnerability scanning after the application has already been built and deployed, you can still initiate the image scan for existing Kubernetes resources.

To access or initiate Image scan results for specific resources, follow the steps below:

  1. Select the resource type (Deployment, Pod, or ReplicaSet) from the left-side menu in the Workloads under K8s Resources sub tab.

  2. After selecting the resource type, on the right side, a list of all resources of the selected type will appear.

  3. On the right-hand side, select the kebab menu (⋮) for the particular resource from the list and select Check Vulnerabilities.

  4. A Security modal window will appear, displaying the scan results for the image used by that resource.

  5. Select the image in the Security modal window to view the list of vulnerabilities.

From Resource Browser

  1. Navigate to Resource Browser.

  2. Select a cluster.

  3. Click a workload within the Workloads dropdown.

  4. Select the Check vulnerabilities option from the kebab menu (⋮) to access the scan results.

Figure 2: Scanning Workloads - Resource Browser

From 'Build & Deploy' Page

You can access the build image scan results while selecting the image before triggering the deployment. To do so, follow the steps below:

  1. Navigate to Build & Deploy tab of your application.

  2. Click the Select Image button in the deploy pipeline, and choose the build image you want to deploy.

  3. Click Show more info, which expands the selected image dialog box to display additional information about the selected image.

  4. Go to the Security tab for the selected image to access the scan results.

  5. Click on the scan to open a new Security modal window, which will display the scan results in detail.

From 'Build History' Page

You can access the scan results in Build History under the Security tab. To do so, follow the steps below:

  1. Navigate to Build History for your application.

  2. Go to the Security tab in the Build History to access the scan results.

  3. Click on the specific scan to open a new Security modal window, which will display the scan results in detail.

Vulnerability Scanning in Helm Apps

Where to Initiate the Scan for Helm Apps

To enable scanning for Helm Apps, follow the steps below:

  1. Navigate to Configure tab of your Helm App.

  2. Enable the Security Scan option to enable vulnerability scanning.

Accessing the Scan Results

The table below shows the locations where the scan results will be available after enabling the Security scan.

| Location | Image Scan | Manifest Scan |
|---|---|---|
| App Details | ✅ | ✅ |
| Deployment History | ✅ | ✅ |

From 'App Details' Page

To access the scan results:

  1. Navigate to the App Details tab of your Helm App.

  2. Scan results can be found by selecting the Security card and under K8s resources for specific workloads.

Accessing Scan Results from the 'Security' Card

After clicking on the Security card, a Security modal window will appear showing you all the enabled scan results, such as Image Scan and Kubernetes Manifest Scan.

You can inspect each type of scan to view the specific kinds of vulnerabilities that the scan supports. Refer to the video below.

K8s Resources Sub Tab

Note

In case you have enabled the vulnerability scanning after the application has already been built and deployed, you can still initiate the image scan for existing Kubernetes resources.

To access or initiate an Image scan for specific resources, follow the steps below:

  1. Select the resource type (Deployment, Pod, or ReplicaSet) from the Workloads dropdown under K8s Resources sub tab.

  2. On the right-hand side, select Check vulnerabilities from the kebab menu (⋮) to access security scans.

From 'Deployment History' Page

You can access the scan results in Deployment History under the Security tab. To do so, follow the steps below:

  1. Navigate to Deployment History for your application.

  2. Go to the Security tab in the Deployment History to access the scan results.

  3. Click on the specific scan to open a new Security modal window, which will display the scan results in detail.

ArgoCD and FluxCD Apps

Where to Initiate the Scan for ArgoCD and FluxCD Apps

For ArgoCD and FluxCD apps, you do not need to enable the scan anywhere; the scan will be initiated when you check the scan results for the first time.

The table below shows the location where the scan results will be available.

| Location | Image Scan |
|---|---|
| App Details | ✅ |

From 'App Details' Page

To access the scan results:

  1. Navigate to ArgoCD Apps or FluxCD Apps.

  2. Select your application for which you want to inspect the scan results.

  3. Under App Details, the scan results can be found under K8s Resources for specific workloads.

K8s Resources Sub Tab

Note

In case you have enabled the vulnerability scanning after the application has already been built and deployed, you can still initiate the image scan for existing Kubernetes resources.

To access or initiate an Image scan for specific resources, follow the steps below:

  1. Select the resource type (Deployment, Pod, or ReplicaSet) from the Workloads dropdown under K8s Resources sub tab.

  2. On the right-hand side, select Check vulnerabilities from the kebab menu (⋮) to access security scans.

Security Policies

Devtron allows you to define security policies based on the severity of the vulnerabilities (Critical, High, Medium, Low). You have the flexibility to set policies that either block the deployment of container images with vulnerabilities or allow their deployment.

With this feature, you can specify the desired action for each severity level. For example, you can block any container image with Critical vulnerabilities while allowing container images with only Medium or Low vulnerabilities to be deployed.

For in-depth instructions, refer to Security Policies.
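As an added example (not Devtron's or Trivy's own code), the following Python gate applies the kind of severity policy described above to a Trivy JSON report: the `Results[].Vulnerabilities[].Severity` layout is Trivy's, while the sample report, the `count_by_severity` and `evaluate_policy` helpers, and the policy mapping are constructed here for illustration.

```python
"""Severity-based deployment gate over a Trivy JSON report (added example, not
Devtron's or Trivy's own code). Assumes Trivy's JSON layout for
`trivy image --format json`: Results[].Vulnerabilities[].Severity."""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample report, not a real scan; vulnerability IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "registry.example/app:1.0 (debian 12)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample", "Severity": "MEDIUM"},
        ]},
        {"Target": "app/requirements.txt", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "examplepkg", "Severity": "LOW"},
        ]},
        # Misconfiguration-only targets carry no "Vulnerabilities" key at all.
        {"Target": "app/k8s/deployment.yaml", "Misconfigurations": []},
    ],
})

def count_by_severity(report_json: str) -> Counter:
    """Tally vulnerabilities per severity across every scan target."""
    counts = Counter()
    for result in json.loads(report_json).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            counts[str(vuln.get("Severity", "UNKNOWN")).upper()] += 1
    return counts

def evaluate_policy(report_json: str, policy: dict) -> tuple:
    """Return ("block" | "allow", reasons) for a policy mapping severity -> action.
    A severity the policy omits is treated as "block" (fail closed)."""
    counts = count_by_severity(report_json)
    reasons = []
    for sev in SEVERITIES:
        n = counts.get(sev, 0)
        if n and policy.get(sev, "block") == "block":
            reasons.append(f"{n} {sev} {'vulnerability' if n == 1 else 'vulnerabilities'}")
    return ("block" if reasons else "allow"), reasons

if __name__ == "__main__":
    # Block on Critical and High, allow Medium and Low, as in the page's example.
    POLICY = {"CRITICAL": "block", "HIGH": "block", "MEDIUM": "allow", "LOW": "allow"}
    print(evaluate_policy(SAMPLE_REPORT, POLICY))  # ('block', ['1 CRITICAL vulnerability'])
```

Because unlisted severities default to "block", a policy that only names the levels it relaxes still stops Critical and High findings.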
