Research Spike: evaluate Trivy for scanning running containers
Time-box: 3 days of effort.
Topic to Evaluate
This spike is to investigate the following requirement from the parent epic:
(2) The container scan will identify known vulnerabilities (CVEs) in the OS and in the packages that are installed on the running container.
The following questions need an answer:
- Do we want to use Clair/Klar, Trivy or something else?
- What are the high-level tasks for the recommended choice?
Implementation issues need to be written based on the answers above.
Tasks to Evaluate
- Use https://gitlab.com/gitlab-org/threat-management/defend/demos/ to snapshot and scan a container from an existing application.
- Use Trivy to scan an existing container from https://gitlab.com/gitlab-org/threat-management/defend/demos/.
- What format does the scanner output its report in?
- Describe Trivy output in comparison to Klar.
- Can Trivy support the functionality that Klar supports?
- If the recommendation is not to use Klar or Trivy, write a new issue to investigate whether there are other suitable scanners.
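As an added example for the report-format task (not code from Trivy, Klar or the demos project), a script that flattens a Trivy JSON report into one finding per CVE and applies a severity gate; the JSON layout and the sample report values are assumptions, constructed for illustration.

```python
# Added example (not Trivy or GitLab code): flatten a Trivy JSON report.
# Assumes Trivy's JSON shape: a top-level "Results" list (older releases emit a
# bare list) of targets, each with a "Vulnerabilities" list of entries carrying
# VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity.
import json

# Constructed sample in the shape of `trivy image --format json <image>`.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/demo:latest",
    "Results": [
        {"Target": "registry.example/demo:latest (debian 10.3)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.3", "Severity": "LOW"}]},
        # Trivy emits null (not []) when a target has no findings.
        {"Target": "app/Gemfile.lock", "Vulnerabilities": None}]})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_trivy(report_text):
    """Return one flat dict per vulnerability, for either schema layout."""
    doc = json.loads(report_text)
    results = doc if isinstance(doc, list) else doc.get("Results") or []
    findings = []
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "package": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),  # "" means no fix yet
                "severity": vuln.get("Severity", "UNKNOWN").upper()})
    return findings


def count_by_severity(findings):
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def should_fail(findings, threshold="HIGH"):
    """Pipeline gate: True when any finding is at or above the threshold."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f["severity"], 0) >= limit for f in findings)
```

The same flat structure can be produced from a Klar report by a second parser, which makes a side-by-side comparison of the two tools' findings straightforward.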
Risks and Implementation Considerations
Edited by Thiago Figueiró