Continuous Image Security

Page content

In this post I will show you my tool to Continuously scann deployed images in your Kubernetes cluster.

Parts of the K8S Security Lab series

Container Runetime Security
Advanced Kernel Security
Network Security
Secure Kubernetes Install
User Security
Image Security
  • Part1: Image security Admission Controller
  • Part2: Image security Admission Controller V2
  • Part3: Image security Admission Controller V3
  • Part4: Continuous Image security
  • Part5: trivy-operator 1.0
  • Part6: trivy-operator 2.1: Trivy-operator is now an Admisssion controller too!!!
  • Part7: trivy-operator 2.2: Patch release for Admisssion controller
  • Part8: trivy-operator 2.3: Patch release for Admisssion controller
  • Part8: trivy-operator 2.4: Patch release for Admisssion controller
  • Part8: trivy-operator 2.5: Patch release for Admisssion controller
  • Part9_ Image Signature Verification with Connaisseur
  • Part10: Image Signature Verification with Connaisseur 2.0
  • Part11: Image Signature Verification with Kyverno
  • Part12: How to use imagePullSecrets cluster-wide??
  • Part13: Automatically change registry in pod definition
  • Part14: ArgoCD auto image updater
    Pod Security
    Secret Security
    Monitoring and Observability

    In a previous posts we talked about admission-controllers that scnas the image at deploy. Like Banzaicloud’s anchore-image-validator and Anchore’s own admission-controller. But what if you run your image for a long time. Last weak I realised I run containers wit imagest older the a year. I this time period many new vulnerability came up.

    I find a tool called trivy-scanner that do almast what I want. It scans the docker images in all namespaces with the label trivy=true and get the resoults to a prometheus endpoint. It based on Shell Operator that runs a small python script. I made my own version from it:

    Deploy the app

    git clone
    nano trivy-scanner/deploy/kubernetes/kustomization.yaml
    namespace: trivy-scanner
    kubectl create ns trivy-scanner
    kubectl aplly -k trivy-scanner/deploy/kubernetes/


    Test the guestbook-demo namespace:

    kubectl label namespaces guestbook-demo trivy=true
    kubectl get service -n trivy-scanner
    NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)  AGE
    trivy-scanner   ClusterIP   <none>        9115/TCP   15m
    curl -s | grep so_vulnerabilities

    Now you need to add the trivy-scanner Service as target for your prometheus. I created a ServiceMonitor object for that:

    kind: ServiceMonitor
        serviceapp: trivy-exporter-servicemonitor
        release: prometheus
      name: trivy-exporter-servicemonitor
          app: trivy-scanner
      - port: metrics

    If you use my grafana dasgboard from the repo you can see someting like this: