The trivy-dojo-report-operator is a Kubernetes operator developed using Kopf and Python. This operator listens for vulnerability reports generated by the Trivy Operator and forwards them to Defect Dojo for further analysis and tracking.
git clone https://github.com/telekom-mms/trivy-dojo-report-operator.git
cd trivy-dojo-report-operator
Update the environment variables in the secret manifest to match your Defect Dojo instance configuration:
data:
url: "https://your.defectdojo.instance"
api-key: "your_defect_dojo_api_key"
Replace https://your.defectdojo.instance with the URL of your Defect Dojo instance, and your_defect_dojo_api_key with your API key.
Change the environment variables in the deployment manifest to your liking. The options closely match the options
in the import-scan API-call found here.
kubectl apply -f deploy/
Update the variables in the values.yaml to match your Defect Dojo instance configuration:
defectDojoApiCredentials:
apiKey: "your_defect_dojo_api_key"
url: "https://your.defectdojo.instance"
> helm install chart-name charts/
The operator is now running in your cluster and will monitor for Trivy vulnerability reports and push them to the configured Defect Dojo instance.
You can also run the operator locally. This way you don’t have to install anything in your cluster. Just provide the Defect Dojo URL and API-Key and optionally labels to the docker-run command. You also have to mount your kubeconfig into the container to access the cluster.
docker pull ghcr.io/telekom-mms/docker-trivy-dojo-operator
docker run -it -v /path/to/your/.kube/config:/root/.kube/config -e DEFECT_DOJO_API_KEY=$DEFECT_DOJO_API_KEY -e DEFECT_DOJO_URL=$DEFECT_DOJO_URL -e LABEL="trivy-operator.resource.name" -e LABEL_VALUE="master-live-server" ghcr.io/telekom-mms/docker-trivy-dojo-operator
To remove the trivy-dojo-report-operator from your cluster, run the following command:
kubectl delete -f deploy/
GPLv3