Skip to content

Starttoaster/trivy-operator-explorer

Repository files navigation

Trivy Operator Explorer

This project explores the reports generated by the Trivy Operator for Kubernetes across one or more clusters. It is split into two applications that share this repository:

  • collector (cmd/collector): runs inside each cluster, reads the trivy-operator custom resources (plus running-pod/container data), and writes a copy of them to an S3 bucket namespaced by cluster name. The bucket is multi-tenant, so many clusters can write into it.
  • frontend (cmd/frontend): reads the report bundles from S3 for every cluster and serves the web UI, JSON API, and MCP server. It supports selecting a single cluster or viewing an aggregated "All clusters" mode.

Architecture

                per-cluster                       central
  ┌───────────────────────────┐        ┌──────────────────────────┐
  │ trivy-operator CRs + Pods  │        │ frontend (web / API / MCP)│
  │            │               │        │            ▲             │
  │            ▼               │        │            │ read        │
  │        collector ──────────┼──put──►│         S3 bucket        │
  └───────────────────────────┘        │  <prefix>/<cluster>/*.json│
                                        │  sqlite: ignored CVEs     │
                                        └──────────────────────────┘

S3 layout

Each collector writes one JSON object per report type under its cluster prefix:

<prefix>/<cluster>/vulnerabilityreports.json
<prefix>/<cluster>/clustercompliancereports.json
<prefix>/<cluster>/rbacassessmentreports.json
<prefix>/<cluster>/clusterrbacassessmentreports.json
<prefix>/<cluster>/configauditreports.json
<prefix>/<cluster>/clusterinfraassessmentreports.json
<prefix>/<cluster>/exposedsecretreports.json
<prefix>/<cluster>/containerimages.json
<prefix>/<cluster>/meta.json

The frontend discovers clusters by listing the common prefixes under <prefix>/.

AWS credentials for both apps are resolved via the standard AWS SDK credential chain (environment variables, shared config, and in-cluster IRSA / web-identity).

Install

Pre-requisites

You will need Trivy Operator installed in each cluster you want to scan, plus an S3 bucket that the collectors can write to and the frontend can read from.

Install the collector (per cluster)

helm upgrade --install --create-namespace \
--repo "https://starttoaster.github.io/trivy-operator-explorer" \
-n trivy-explorer \
--set config.clusterName=my-cluster \
--set s3.bucket=my-trivy-reports \
--set s3.region=us-east-1 \
trivy-operator-collector \
trivy-operator-collector

Install the frontend (once, centrally)

helm upgrade --install --create-namespace \
--repo "https://starttoaster.github.io/trivy-operator-explorer" \
-n trivy-explorer \
--set s3.bucket=my-trivy-reports \
--set s3.region=us-east-1 \
trivy-operator-explorer \
trivy-operator-explorer

Pre-release / unstable charts

Stable charts are published from main to https://starttoaster.github.io/trivy-operator-explorer. While the two-app rework is baking on a release/** branch, release-candidate charts are published to a separate unstable channel on every push to that branch:

helm repo add trivy-operator-explorer-unstable \
  https://starttoaster.github.io/trivy-operator-explorer/unstable
helm repo update

# See the available pre-release versions (they look like 0.1.0-unstable.42).
helm search repo trivy-operator-explorer-unstable --devel --versions

Install a specific candidate with --devel (so Helm considers pre-release versions) and an explicit --version. Each unstable chart pins appVersion to the sha-<commit> image built from the same commit, so the chart and image always match.

Multi-cluster UI

The sidebar has a cluster selector. Choosing a cluster scopes every page to that cluster via a ?cluster=<name> query parameter; "All clusters" aggregates all of them and shows a Cluster column. The same cluster parameter is accepted by the JSON API and as an optional argument to the MCP tools.

JSON API

A JSON API mirroring every HTML page is exposed under /api/v1/..., along with CVE-ignore management and a machine-readable OpenAPI 3 spec at /api/v1/openapi.json. See docs/API.md for the full route list and examples.

TODO

See CONTRIBUTING.md if you'd like to contribute an item on this list. Please make an Issue if you would like to see something added to this list.

  • SBOM dashboard

About

A web explorer for the Trivy Operator for kubernetes.

Topics

Resources

License

Contributing

Stars

5 stars

Watchers

1 watching

Forks

Packages

 
 
 

Contributors