This application processes vulnerability reports from Trivy, a vulnerability scanning tool for containers, and imports the findings into an Elasticsearch index. It acts as a webhook receiver that listens for vulnerability reports sent by Trivy and processes them before forwarding the results to Elasticsearch.
- Receives vulnerability reports via an HTTP POST request.
- Supports importing CVE findings into an Elasticsearch index.
- Designed for integration with container image scanning.
- Logs and reports errors for easier troubleshooting.
- Vulnerability Report: The application listens for incoming vulnerability reports in JSON format from Trivy on the `/webhook` endpoint.
- Validation: The incoming report is checked to ensure its `kind` is `VulnerabilityReport` (the shape in which Trivy Operator stores scan results in Kubernetes; see the example report below), and only then are the vulnerabilities processed.
- Elasticsearch Integration: Vulnerabilities are indexed into the specified Elasticsearch index for further analysis and visualization.
- Health Check: The `/healthz` endpoint provides a simple health check for the application.
- Elasticsearch: You must have access to an Elasticsearch instance with the appropriate credentials (username, password, and endpoint).
- Trivy: You must set up Trivy to scan container images and send reports to the webhook endpoint.
- Go: The application is written in Go, so you'll need Go installed to build and run it.
- Clone the repository:

```sh
git clone https://github.com/lbi22/trivy-webhook-elasticsearch.git
cd trivy-webhook-elasticsearch
```

- Build the application. Make sure Go is installed and set up correctly, then build from the repository root; this produces the `trivy-webhook-elasticsearch` binary used in the next step:

```sh
go build
```
- Run the application. You can start it locally:

```sh
./trivy-webhook-elasticsearch
```

The server starts and listens on port 8080.
- Set up Trivy: Configure Trivy to send vulnerability reports to the `/webhook` endpoint of the running application. Example Trivy command:

```sh
trivy image --format json --output result.json <image>
curl -X POST -H "Content-Type: application/json" --data @result.json http://localhost:8080/webhook
```

Note that the webhook only accepts documents whose `kind` is `VulnerabilityReport`. The plain `trivy image --format json` output does not carry a `kind` field, so a payload posted this way is rejected by the validation step unless it is reshaped to match the example report below (the structure Trivy Operator produces for its reports in Kubernetes).
You can configure Elasticsearch credentials using the following environment variables:

- `ELASTICSEARCH_ENDPOINT`: The Elasticsearch endpoint.
- `ELASTICSEARCH_USERNAME`: The Elasticsearch username.
- `ELASTICSEARCH_PASSWORD`: The Elasticsearch password.

These are read by the Go application at startup to connect to Elasticsearch. Keep the password out of shell history and committed manifests; in Kubernetes, supply it from a Secret rather than a literal value.
- `POST /webhook`: Receives vulnerability reports in JSON format. Only processes reports whose `kind` is `VulnerabilityReport`, and indexes the CVE findings into Elasticsearch.
- `GET /healthz`: Health check endpoint that returns a simple `OK` response.
```json
{
  "kind": "VulnerabilityReport",
  "metadata": {
    "name": "example",
    "labels": {
      "trivy-operator.container.name": "example-container"
    }
  },
  "report": {
    "registry": {
      "server": "docker.io"
    },
    "artifact": {
      "repository": "library/nginx",
      "digest": "sha256:exampledigest"
    },
    "vulnerabilities": [
      {
        "vulnerabilityID": "CVE-2021-12345",
        "title": "Example Vulnerability",
        "severity": "HIGH",
        "resource": "nginx",
        "installedVersion": "1.18.0",
        "fixedVersion": "1.19.0",
        "primaryLink": "https://example.com/CVE-2021-12345"
      }
    ]
  }
}
```
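As an added example (not the project's own code), the following Go receiver shows what a `/webhook` handler for the payload above has to do: reject anything but `POST`, bound the request body, enforce the `kind` check, flatten each entry of `vulnerabilities` into one Elasticsearch document that keeps the image context (container, registry, repository, digest), and render the NDJSON body the Elasticsearch `_bulk` API expects. The Go types, the index name `trivy-vulnerabilities`, the 4 MiB body cap and the `send` callback that stands in for an Elasticsearch client are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
)

// VulnerabilityReport mirrors the sample payload above (this example's own types, not the
// project's); encoding/json matches field names case-insensitively, so no tags are needed.
type VulnerabilityReport struct {
	Kind     string
	Metadata struct {
		Name   string
		Labels map[string]string
	}
	Report struct {
		Registry        struct{ Server string }
		Artifact        struct{ Repository, Digest string }
		Vulnerabilities []map[string]any // generic so every CVE field passes through
	}
}

var errWrongKind = errors.New("report is not a VulnerabilityReport")

// ParseReport decodes one report and enforces the kind check described above.
func ParseReport(src io.Reader) (*VulnerabilityReport, error) {
	var r VulnerabilityReport
	if err := json.NewDecoder(src).Decode(&r); err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	if r.Kind != "VulnerabilityReport" {
		return nil, errWrongKind
	}
	return &r, nil
}

// BulkBody renders the report as NDJSON for the Elasticsearch _bulk API: one action line
// plus one document per CVE, each document carrying the image context. The deterministic
// _id (digest|CVE|resource) makes a re-sent report overwrite its documents, not duplicate them.
func BulkBody(index string, r *VulnerabilityReport) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf) // Encode appends the newline _bulk requires
	for _, v := range r.Report.Vulnerabilities {
		doc := map[string]any{"container": r.Metadata.Labels["trivy-operator.container.name"],
			"registry": r.Report.Registry.Server, "repository": r.Report.Artifact.Repository,
			"digest": r.Report.Artifact.Digest}
		for k, val := range v {
			doc[k] = val
		}
		id := fmt.Sprintf("%s|%v|%v", r.Report.Artifact.Digest, v["vulnerabilityID"], v["resource"])
		action := map[string]map[string]string{"index": {"_index": index, "_id": id}}
		if err := enc.Encode(action); err != nil {
			return "", err
		}
		if err := enc.Encode(doc); err != nil {
			return "", err
		}
	}
	return buf.String(), nil
}

// WebhookHandler implements POST /webhook: method and body-size limits, the kind check, then
// the bulk body handed to send, an injection point so it can run without Elasticsearch.
func WebhookHandler(index string, send func(ndjson string) error) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		if req.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// 4 MiB cap (assumed) so a client cannot exhaust memory with a huge body.
		r, err := ParseReport(http.MaxBytesReader(w, req.Body, 4<<20))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		ndjson, err := BulkBody(index, r)
		if err == nil {
			err = send(ndjson)
		}
		if err != nil {
			log.Printf("webhook: %v", err) // detail stays server-side
			http.Error(w, "indexing failed", http.StatusBadGateway)
			return
		}
		w.WriteHeader(http.StatusAccepted)
	}
}

func main() {
	mux := http.NewServeMux()
	// Stand-in for the Elasticsearch client: print the bulk body instead of POSTing it.
	mux.Handle("/webhook", WebhookHandler("trivy-vulnerabilities", func(b string) error { fmt.Print(b); return nil }))
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "OK") })
	log.Fatal(http.ListenAndServe(":8080", mux))
}
```

Run it and post the example report with the `curl` command from the setup step; the two NDJSON lines for `CVE-2021-12345` are printed instead of being sent. In a real deployment `send` would POST that body to the cluster's `_bulk` endpoint with the `ELASTICSEARCH_*` settings. The deterministic `_id` is the design choice worth keeping: Trivy Operator re-emits reports whenever a scan reruns, so without it every rescan would add duplicate documents for unchanged findings.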
This application includes a Helm chart to simplify deployment to Kubernetes. You can find the chart in the `charts/` directory.

- Ensure Helm is installed on your system.
- Use the provided chart to install the application:

```sh
helm install trivy-webhook charts/trivy-webhook-elasticsearch
```
We welcome contributions! To contribute, follow these steps:

- Fork the repository.
- Create a new feature branch: `git checkout -b my-feature`.
- Commit your changes: `git commit -m 'Add my feature'`.
- Push to the branch: `git push origin my-feature`.
- Create a new pull request.
This project is licensed under the GNU General Public License v3.0; see the LICENSE file for details.