Research Spike: evaluate Trivy for scanning running containers

Time-box: 3 days effort.

Topic to Evaluate

This spike is to investigate the following requirement from the parent epic:

(2) The container scan will identify known vulnerabilities (CVEs) in OS and in the packages that are installed on the running container

The following questions need an answer:

• Do we want to use Clair/Klar, Trivy or something else?
• What are the high-level tasks for the recommended choice?

Implementation issues need to be written based on the answers above.

Tasks to Evaluate

• Use https://gitlab.com/gitlab-org/threat-management/defend/demos/ to snapshot and scan a container from an existing application
• Use Trivy to scan an existing container from https://gitlab.com/gitlab-org/threat-management/defend/demos/
  • What format does the scanner output its report?
  • Describe Trivy output in comparison to Klar.
  • Can Trivy support functionality that Klar supports?
• If the recommendation is not to use Klar or Trivy, write a new issue to investigate if there are other suitable scanners.

Risks and Implementation Considerations