GitLab.org / GitLab / Issues / #270888

Research Spike: evaluate Trivy for scanning running containers

Time-box: 3 days effort.

Topic to Evaluate

This spike is to investigate the following requirement from the parent epic:

(2) The container scan will identify known vulnerabilities (CVEs) in the OS and in the packages that are installed on the running container

The following questions need an answer:

  • Do we want to use Clair/Klar, Trivy or something else?
  • What are the high-level tasks for the recommended choice?

Implementation issues need to be written based on the answers above.

Tasks to Evaluate

  • Use https://gitlab.com/gitlab-org/threat-management/defend/demos/ to snapshot and scan a container from an existing application
  • Use Trivy to scan an existing container from https://gitlab.com/gitlab-org/threat-management/defend/demos/
    • In what format does the scanner output its report?
    • Describe Trivy's output in comparison to Klar's.
    • Can Trivy support functionality that Klar supports?
  • If the recommendation is not to use Klar or Trivy, write a new issue to investigate if there are other suitable scanners.
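The following is an added example, not code from this issue, the demos project or the Trivy project, showing the shape of the evaluation the tasks above ask for: snapshot a running container with `docker commit`, scan the resulting image with `trivy image --format json`, and summarise the JSON report per target and severity so the Trivy output can be compared against Klar's. The report layout is an assumption based on Trivy's JSON format (either a bare list of results in older releases or an object with a `Results` list in newer ones, each result carrying `Target` and `Vulnerabilities` entries with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`); the embedded sample report, the image tag and the CVE identifiers are constructed placeholders so the script runs offline.

```python
"""Snapshot a running container, scan it with Trivy, and summarise the JSON report.

Added example (not from the issue or the Trivy project). Assumptions, labelled:
  * Trivy's JSON report layout: either a top-level list of results (older
    releases) or an object with a "Results" list (newer releases); each result
    has "Target" and "Vulnerabilities" entries carrying VulnerabilityID,
    PkgName, InstalledVersion, FixedVersion and Severity.
  * `docker` and `trivy` are on PATH for a live scan; the offline demo below
    uses a constructed report instead.
"""
import json
import shutil
import subprocess
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample report in Trivy's JSON layout (newer object form);
# image name, package names and CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "demo-snapshot:latest",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "demo-snapshot:latest (debian 10.6)",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "examplepkg",
                 "InstalledVersion": "2.1.0", "FixedVersion": "2.1.1", "Severity": "CRITICAL"},
            ],
        },
    ],
})


def results_from_report(report_text):
    """Normalise both known JSON layouts into a list of result dicts."""
    data = json.loads(report_text)
    if isinstance(data, list):          # older layout: bare list of results
        return data
    return data.get("Results") or []    # newer layout: object with "Results"


def summarise(report_text):
    """Per-target vulnerability counts by severity, plus the ids that have a fix."""
    summary = {}
    for result in results_from_report(report_text):
        vulns = result.get("Vulnerabilities") or []   # Trivy emits null when clean
        by_severity = Counter(v.get("Severity", "UNKNOWN") for v in vulns)
        fixable = [v["VulnerabilityID"] for v in vulns if v.get("FixedVersion")]
        summary[result["Target"]] = {
            "total": len(vulns),
            "by_severity": {s: by_severity[s] for s in SEVERITY_ORDER if by_severity[s]},
            "fixable": fixable,
        }
    return summary


def worst_severity(report_text):
    """Highest severity present anywhere in the report, or None when clean."""
    present = {v.get("Severity", "UNKNOWN")
               for r in results_from_report(report_text)
               for v in (r.get("Vulnerabilities") or [])}
    for sev in SEVERITY_ORDER:
        if sev in present:
            return sev
    return None


def snapshot_and_scan(container_name, image_tag):
    """Snapshot a running container with `docker commit`, then scan the image with Trivy.

    Returns Trivy's JSON report as text; feed it to summarise()/worst_severity().
    """
    if shutil.which("docker") is None or shutil.which("trivy") is None:
        raise RuntimeError("docker and trivy must be on PATH")
    subprocess.run(["docker", "commit", container_name, image_tag], check=True)
    proc = subprocess.run(
        ["trivy", "image", "--format", "json", "--quiet", image_tag],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Offline demo on the constructed report; replace SAMPLE_REPORT with
    # snapshot_and_scan("<running-container>", "demo-snapshot:latest") for a live scan.
    print(json.dumps(summarise(SAMPLE_REPORT), indent=2))
    print("worst severity:", worst_severity(SAMPLE_REPORT))
```

`worst_severity` is the value a pipeline gate would compare against a threshold, and the `fixable` list separates findings the demo application could remediate by upgrading from those with no fixed version yet, which is one of the points worth comparing between the Trivy and Klar reports.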

Risks and Implementation Considerations

Edited Nov 18, 2020 by Thiago Figueiró