
Discrepancy between trivy cli CVE findings and trivy-operator in-cluster vulnerability report findings

Open sj-williams opened this issue 1 year ago • 13 comments

What steps did you take and what happened:

I am seeing a large number of trivy-operator generated vulnerability reports flagging CVEs for the following resources:

github.com/docker/docker
github.com/docker/distribution
github.com/sigstore/rekor
google.golang.org/grpc

These are flagging on scans of many different images across multiple namespaces in my cluster, seemingly irrespective of whether the scanned image has a dependency on the flagged resources.

Local scanning of said images does not produce the same CVE finding results as operator in-cluster scans.

What did you expect to happen:

trivy-operator in-cluster vulnerability report image scan CVE findings to match those of a local trivy cli scan.

Anything else you would like to add:

Environment:

  • Trivy-Operator version - Helm release: 0.13
  • Kubernetes version : EKS v1.24

sj-williams, Nov 03 '23 13:11
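One way to triage the mismatch described above, as an added example that is not part of this issue or of the trivy-operator project: it takes the JSON from a local `trivy image --format json` scan and a `kubectl get vulnerabilityreport <name> -o json` document (both are constructed samples here, with placeholder CVE ids) and lists the CVEs that only one side reports, grouped by package. The field names assume the Trivy JSON output schema and the aquasecurity.github.io/v1alpha1 VulnerabilityReport schema.

```python
import json

# Constructed sample of `trivy image --format json` output (abbreviated).
# CVE ids are placeholders, not findings from the issue.
TRIVY_CLI_JSON = json.dumps({"Results": [
    {"Target": "app (alpine 3.18)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "Severity": "HIGH"}]},
]})

# Constructed sample of a VulnerabilityReport (aquasecurity.github.io/v1alpha1), abbreviated.
OPERATOR_REPORT_JSON = json.dumps({"report": {"vulnerabilities": [
    {"vulnerabilityID": "CVE-0000-0001", "resource": "openssl", "severity": "HIGH"},
    {"vulnerabilityID": "CVE-0000-0002", "resource": "github.com/docker/docker", "severity": "CRITICAL"},
    {"vulnerabilityID": "CVE-0000-0003", "resource": "google.golang.org/grpc", "severity": "HIGH"},
]}})


def cli_findings(doc: str) -> set:
    """(package, CVE id) pairs from Trivy CLI JSON; 'Vulnerabilities' may be null."""
    data = json.loads(doc)
    return {(v["PkgName"], v["VulnerabilityID"])
            for result in data.get("Results", [])
            for v in (result.get("Vulnerabilities") or [])}


def operator_findings(doc: str) -> set:
    """(package, CVE id) pairs from a trivy-operator VulnerabilityReport."""
    data = json.loads(doc)
    return {(v["resource"], v["vulnerabilityID"])
            for v in data["report"].get("vulnerabilities", [])}


def discrepancy(cli_doc: str, operator_doc: str) -> dict:
    """Findings seen by only one scanner, grouped by package name."""
    cli, op = cli_findings(cli_doc), operator_findings(operator_doc)
    out = {"only_in_operator": {}, "only_in_cli": {}}
    for pkg, cve in sorted(op - cli):
        out["only_in_operator"].setdefault(pkg, []).append(cve)
    for pkg, cve in sorted(cli - op):
        out["only_in_cli"].setdefault(pkg, []).append(cve)
    return out


if __name__ == "__main__":
    print(json.dumps(discrepancy(TRIVY_CLI_JSON, OPERATOR_REPORT_JSON), indent=2))
```

With real inputs, the `Target` field of each CLI result also records which file in the image a package was found in, which helps when a package the image does not ship appears only on one side.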