Continuous Image Security


In this post I will show you my tool to continuously scan the images already deployed in your Kubernetes cluster.

Part of the K8S Security series

In a previous post we talked about admission controllers that scan the image at deploy time, like Banzaicloud's anchore-image-validator and Anchore's own admission controller. But what if you run your image for a long time? An admission-time scan only tells you what was known when the Pod was created. Last week I realised I was running containers with images older than a year, and in that period many new vulnerabilities were published against them.

I found a tool called trivy-scanner that does almost what I want. It scans the Docker images running in every namespace that carries the label trivy=true and exposes the results on a Prometheus metrics endpoint. It is based on Shell Operator running a small Python script. I made my own version of it:

Deploy the app

git clone

nano trivy-scanner/deploy/kubernetes/kustomization.yaml
namespace: trivy-scanner

kubectl create ns trivy-scanner
kubectl apply -k trivy-scanner/deploy/kubernetes/


Test the guestbook-demo namespace:

kubectl label namespaces guestbook-demo trivy=true

kubectl get service -n trivy-scanner
NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)  AGE
trivy-scanner   ClusterIP   <none>        9115/TCP   15m

curl -s | grep so_vulnerabilities
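Grepping the raw endpoint is fine for a first look, but for a cron job or CI gate you want something that parses the exposition text and fails on a threshold. The following is an added example, not code from the post or from the trivy-scanner project. It parses Prometheus text-format lines for the so_vulnerabilities metric grepped for above; the label names (namespace, image, severity) and the sample scrape below are assumptions constructed for the demo, so adjust them to the labels your exporter actually emits.

```python
"""Summarise a trivy-scanner scrape and fail on a severity threshold."""
import re
import sys
from collections import defaultdict

# Constructed sample scrape. The metric name so_vulnerabilities comes from
# the post; the label names and numbers are assumptions for this example,
# not real scanner output.
SAMPLE_METRICS = """\
# HELP so_vulnerabilities Number of vulnerabilities found in an image
# TYPE so_vulnerabilities gauge
so_vulnerabilities{namespace="guestbook-demo",image="redis:5.0.4",severity="CRITICAL"} 3
so_vulnerabilities{namespace="guestbook-demo",image="redis:5.0.4",severity="HIGH"} 27
so_vulnerabilities{namespace="guestbook-demo",image="redis:5.0.4",severity="MEDIUM"} 41
so_vulnerabilities{namespace="guestbook-demo",image="gb-frontend:v4",severity="CRITICAL"} 0
so_vulnerabilities{namespace="guestbook-demo",image="gb-frontend:v4",severity="HIGH"} 2
so_vulnerabilities{namespace="guestbook-demo",image="gb-frontend:v4",severity="MEDIUM"} 9
"""

# Most severe first; used to decide which severities count towards the gate.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# One Prometheus text-exposition sample: name{label="value",...} value
LINE_RE = re.compile(
    r'^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)\{(?P<labels>[^}]*)\}\s+(?P<value>\S+)$'
)
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_metrics(text, metric="so_vulnerabilities"):
    """Return {(namespace, image): {severity: count}} for one metric family."""
    counts = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip HELP/TYPE comments and blank lines
        m = LINE_RE.match(line)
        if not m or m.group("name") != metric:
            continue  # other metric families are ignored
        labels = dict(LABEL_RE.findall(m.group("labels")))
        key = (labels.get("namespace", ""), labels.get("image", ""))
        severity = labels.get("severity", "UNKNOWN")
        counts[key][severity] = int(float(m.group("value")))
    return dict(counts)


def images_over_threshold(counts, min_severity="HIGH", limit=0):
    """Images with more than `limit` findings at `min_severity` or worse.

    Returns a sorted list of (namespace, image, total) tuples.
    """
    counted = SEVERITY_ORDER[: SEVERITY_ORDER.index(min_severity) + 1]
    blocked = []
    for (ns, image), by_sev in sorted(counts.items()):
        total = sum(n for sev, n in by_sev.items() if sev in counted)
        if total > limit:
            blocked.append((ns, image, total))
    return blocked


if __name__ == "__main__":
    # Read a real scrape from stdin (e.g. piped from curl); fall back to the
    # constructed sample when run interactively.
    data = SAMPLE_METRICS if sys.stdin.isatty() else sys.stdin.read()
    counts = parse_metrics(data)
    for (ns, image), by_sev in sorted(counts.items()):
        summary = " ".join(f"{s}={by_sev[s]}" for s in SEVERITY_ORDER if s in by_sev)
        print(f"{ns}/{image}: {summary}")
    blocked = images_over_threshold(counts, "HIGH", 0)
    for ns, image, total in blocked:
        print(f"FAIL {ns}/{image}: {total} HIGH or CRITICAL findings")
    sys.exit(1 if blocked else 0)
```

Pipe the curl output from the step above into the script (for example `curl -s http://<service>:9115/metrics | python3 check_vulns.py`) and the exit code tells a cron job or pipeline whether any running image crossed the threshold. The gate counts everything at the chosen severity and above, so `min_severity="HIGH"` catches CRITICAL as well.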

Now you need to add the trivy-scanner Service as a scrape target for your Prometheus. I created a ServiceMonitor object for that. Two things have to line up for it to work: the Prometheus Operator only picks up ServiceMonitors that match its serviceMonitorSelector (with the kube-prometheus-stack Helm chart that is the release label, hence release: prometheus below), and the endpoint port name must match the name of the port on the trivy-scanner Service:

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: trivy-exporter-servicemonitor
  labels:
    serviceapp: trivy-exporter-servicemonitor
    release: prometheus
spec:
  selector:
    matchLabels: {app: trivy-scanner}
  endpoints:
  - port: metrics

If you use my Grafana dashboard from the repo you can see something like this: