# Vulnerability Scanning

How the DevZero Security Operator scans container images for known CVEs and generates vulnerability reports.
The Security Operator uses Trivy under the hood to scan container images for known vulnerabilities (CVEs).
## How It Works
- When a new workload is deployed (or an existing image is updated), the operator detects the change
- A scan job is created that pulls the container image and analyzes it against vulnerability databases
- Results are stored as a `VulnerabilityReport` CRD in the same namespace as the workload
- Reports are synced to the DevZero dashboard for aggregated viewing
## Severity Levels
| Severity | Description |
|---|---|
| Critical | Actively exploited or trivially exploitable vulnerabilities |
| High | Serious vulnerabilities that should be addressed promptly |
| Medium | Moderate risk, typically requiring specific conditions to exploit |
| Low | Minor issues with limited impact |
## Viewing Reports

```bash
# List all vulnerability reports
kubectl get vulnerabilityreports -A

# Get detailed report for a specific workload
kubectl get vulnerabilityreport <name> -n <namespace> -o yaml

# Count vulnerabilities by severity
kubectl get vulnerabilityreports -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}: Critical={.report.summary.criticalCount} High={.report.summary.highCount}{"\n"}{end}'
```

## Scan Triggers
Scans are triggered in three ways:
- Automatic -- when a new pod is created or an image reference changes
- Scheduled -- based on the report TTL (default: 24 hours), expired reports are regenerated
- Manual -- delete an existing report to trigger a re-scan:
```bash
kubectl delete vulnerabilityreport <name> -n <namespace>
```
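As an added example (not part of the DevZero docs or the operator's code), the following Python aggregates the output of `kubectl get vulnerabilityreports -A -o json` by namespace, lists workloads that carry Critical findings, and flags reports older than the 24-hour TTL, which the operator should have regenerated. Only `criticalCount` and `highCount` appear on this page; `mediumCount`, `lowCount` and `metadata.creationTimestamp` are assumed field names, and the input is constructed sample data.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of `kubectl get vulnerabilityreports -A -o json`.
# criticalCount/highCount are the fields the page's jsonpath uses; mediumCount,
# lowCount and metadata.creationTimestamp are assumed names, not confirmed by the docs.
SAMPLE_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "production", "name": "api-server",
                  "creationTimestamp": "2024-05-01T10:00:00Z"},
     "report": {"summary": {"criticalCount": 2, "highCount": 5, "mediumCount": 11, "lowCount": 3}}},
    {"metadata": {"namespace": "production", "name": "worker",
                  "creationTimestamp": "2024-05-01T11:30:00Z"},
     "report": {"summary": {"criticalCount": 0, "highCount": 1, "mediumCount": 4, "lowCount": 9}}},
    {"metadata": {"namespace": "staging", "name": "web",
                  "creationTimestamp": "2024-04-28T09:00:00Z"},
     "report": {"summary": {"criticalCount": 1, "highCount": 0, "mediumCount": 2, "lowCount": 0}}},
]})

SEVERITIES = ("criticalCount", "highCount", "mediumCount", "lowCount")

def _name(item: dict) -> str:
    return f'{item["metadata"]["namespace"]}/{item["metadata"]["name"]}'

def _summary(item: dict) -> dict:
    # A report whose scan has not finished may lack .report.summary; treat it as zero.
    return item.get("report", {}).get("summary", {})

def summarize_by_namespace(report_list_json: str) -> dict:
    """Return {namespace: {severity: total}} across all reports in the list."""
    totals: dict = {}
    for item in json.loads(report_list_json)["items"]:
        bucket = totals.setdefault(item["metadata"]["namespace"], dict.fromkeys(SEVERITIES, 0))
        for sev in SEVERITIES:
            bucket[sev] += int(_summary(item).get(sev, 0))
    return totals

def workloads_with_criticals(report_list_json: str) -> list:
    """namespace/name of every workload with Critical findings, highest count first."""
    hits = [(int(_summary(i).get("criticalCount", 0)), _name(i))
            for i in json.loads(report_list_json)["items"]]
    return [name for crit, name in sorted(hits, reverse=True) if crit > 0]

def stale_reports(report_list_json: str, now_iso: str, ttl_hours: int = 24) -> list:
    """Reports older than the TTL. The operator regenerates expired reports, so any
    that linger past the TTL point at scan jobs that are not completing."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return [_name(i) for i in json.loads(report_list_json)["items"]
            if now - datetime.fromisoformat(i["metadata"]["creationTimestamp"].replace("Z", "+00:00"))
            > timedelta(hours=ttl_hours)]
```

Pipe the real `kubectl ... -o json` output into these functions instead of `SAMPLE_LIST`; a non-empty `stale_reports` result is worth checking against the scan job logs before trusting the dashboard counts.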
## Private Container Registries
If your workloads use images from private registries, configure registry credentials:
Using a values file (recommended):
```yaml
operator:
  privateRegistryScanSecretsNames:
    default: "my-registry-secret"
    production: "docker-registry-secret"
    staging: "acr-credentials,gcr-credentials"
```

```bash
helm upgrade dakr-security \
  oci://registry-1.docker.io/devzeroinc/dakr-security \
  --namespace dakr-security-system \
  -f values.yaml --reuse-values
```

The secrets must already exist in the specified namespaces. See the Configuration page for more options.
## SBOM Generation
The operator also generates Software Bill of Materials (SBOM) data as part of the scanning process. SBOMs are cached to speed up subsequent scans of the same image.
Configure SBOM cache retention:

```bash
--set operator.cacheReportTTL=168h  # 7 days (default: 120h)
```