SITA

[nfsouzaj]

[Optional] How do you use Trivy?

We have an Azure DevOps template with Trivy configured in our CI, to check images after they are build and also deployed on our clusters to check for vulnerabilities on running containers.

We also started to use is as part of the process to patch image using copacetic. Trivy outputs a json file with the OS vulnerabilities and copacetic uses that file as input to patch the appropriate packages.

[Optional] Which targets are you scanning with Trivy?

• Container Image
• Filesystem
• Git Repository
• Virtual Machine Image
• Kubernetes
• AWS
• SBOM

[Optional] What kind of issues are scanning with Trivy?

• Software Bill of Materials (SBOM)
• Known vulnerabilities (CVEs)
• IaC issues and misconfigurations
• Sensitive information and secrets
• Software licenses

[AnaisUrlichs]

Amazing, thank you so much for sharing!