update readme
Starttoaster committed Apr 16, 2024
1 parent 1c51664 commit 6c5a4f2
Showing 1 changed file with 8 additions and 21 deletions.
29 changes: 8 additions & 21 deletions README.md
@@ -1,5 +1,7 @@
# Trivy Operator Explorer

This is a web explorer that scrapes the data exported by the [Trivy Operator for Kubernetes.](https://github.com/aquasecurity/trivy-operator) The Trivy Operator exports a LOT of metrics about vulnerabilities in a kubernetes cluster; so many that some people may consider not storing all of that in Prometheus because metrics with high levels of cardinality in label sets can cause query performance issues. Because of this, instead of relying on Prometheus to scrape the metrics, and have this query Prometheus, this explorer scrapes the operator's metrics itself and parses it for dashboarding.

## Usage

This is still heavily in progress. This is just local dev usage for now. Assuming your Trivy Operator installation is in the trivy-system namespace, in one shell:
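Review bot: the new description paragraph (third line of the hunk) should say how the explorer reaches the operator's metrics endpoint (which Service and port it scrapes, and whether that endpoint is reachable without cluster credentials), since the whole design rests on scraping those metrics directly instead of going through Prometheus; it should also state the trade-off plainly: without Prometheus there is no retention, so the dashboard reflects only the most recent scrape. Minor wording: "and have this query Prometheus" reads awkwardly, "and having this explorer query Prometheus" is clearer, and "kubernetes cluster" should be "Kubernetes cluster".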
@@ -15,25 +17,10 @@ go generate && go build && ./trivy-operator-explorer

## TODO

- Add role vulnerabilities to the dashboard
- Support GHSA CVE links in the image vulnerability view

### Filters

#### Images

- Filter images view by affected namespace.

#### Image/Vulnerability List

- Filter by resource, or not-resource
- Filter out vulnerabilities that don't have a fix version
- Add graphical ability to filter by Severity, currently it's just a query param

## Future TODO

Things that I'm probably not doing right away but might be worth doing.

- Graphical elements for setting filters, currently they're just URL query parameters.
- Add Role/ClusterRole vulnerabilities to the dashboard.
- Support different vulnerability IDs - currently GHSA vulnerabilities link to NIST just like normal CVEs, where NIST 404s.
- Add ability to connect to cluster to check for images or roles not scanned yet.
- Have an endpoint and view for each affected Pod that shows other data like its role.
- Find out more about exposed secrets scanning.
- Find out more about exposed secrets scanning. Add it to the dashboard?
- Does a JSON API make sense for this? Is there a use case for it?
- Testing. Pretty sure by law no new product has testing and it gets added later.
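Review bot: after this reorganisation, "Add role vulnerabilities to the dashboard" and "Support GHSA CVE links in the image vulnerability view" under TODO duplicate the Role/ClusterRole and GHSA items under Future TODO; keep each item in one list only. On the GHSA item, GHSA identifiers are not CVE IDs and are published in the GitHub Advisory Database, which is why linking them to NIST 404s; the fix is to pick the link target by ID prefix (CVE- vs GHSA-) rather than to look for a working NIST URL. The line "Find out more about exposed secrets scanning." appears twice in the hunk; confirm that only the version ending "Add it to the dashboard?" survives in the new file.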
