Deploying Trivy Operator with Prometheus metrics

tjtharrison
5 min readDec 1, 2023

I’ve been using Trivy for a while as a security quality gate for container security.

More recently been looking at their Kubernetes cluster scanning offering — the Trivy Operator.

From the docs:

The Trivy Operator leverages Trivy to continuously scan your Kubernetes cluster for security issues. The scans are summarised in security reports as Kubernetes Custom Resource Definitions, which become accessible through the Kubernetes API.

To summarise, the operator runs on your cluster and runs compliance and security scans against your cluster when resource definitions change and on a schedule.

For example if a new pod is launched on the cluster, Trivy will scan the resource for vulnerabilities and produce a report.

Photo by Matthew Henry on Unsplash

How to install using Helm

The installation process for deploying using the helm cli is documented on the Trivy website here.

However, as I’ve covered in other articles (Using Helm Dependencies for third party charts) I like to install third party Helm charts using dependencies to keep the install “GitOps” so I’ll be doing that for the Trivy Operator.

To start off with, in a new repository — Create a new file named Chart.yaml with the following contents:

apiVersion: v2
name: trivy
description: A helm chart to deploy Trivy operator into Kubernetes
type: application
version: 1.0.0
appVersion: 1.0.0
dependencies:
- name: trivy-operator
version: 0.18.4
repository: https://aquasecurity.github.io/helm-charts/

We’ll now run helm dependency update to download the third party chart and look at the installation command.

helm install trivy-operator aqua/trivy-operator \
--namespace trivy-system \
--create-namespace \
--set="trivy.ignoreUnfixed=true" \
--version v0.0.3

Looking at the above, we are specifying the version in our Chart.yaml file so we can remove that from the install command..

As we’re using a dependency we can replace aqua/trivy-operator with . to install from our local directory.

--

--