Management of vulnerabilities

[KevinDW-Fluxys]

Hi all,

I'm raising this discussion as follow up on a conversation on slack regarding the management of vulnerabilities.

We already have some good ways of making vulnerabilities visible:

• Reading out the CRDs via kubectl/lens/lens extention
• Grafana Dashboards (data is exposed as metrics from trivy)
• Running Trivy itself locally or as part of a pipeline
• ...

But we seem to lack in means of following up on these vulnerabilities.
When we spot a vulnerability we can resolve it by updating the image/package and it will disappear from the reports, which is the happy flow.

But in some cases the vulnerability might not apply to a specific component, or the vulnerability is a false positive or ...
In those cases we will want to exclude these vulnerabilities in an easy way, and also maybe have some information on the reasoning behind the exclusion.

Trivy-operator offers a technical solution by letting us apply rego policies via the values file of trivy-operator which works fine, but in a real world situation, you want to make this configuration accessible/readable for teams (dev teams, security teams, ...)

I'm wondering if anyone has some experience, or wants to share how they are handling this, in the hopes of inspiring a solution.

In conclusion, the 2 requirements could be described as:

1. Having a flexible way of adding exclusions (which does not require adapting trivy-operator configuration)
2. Having visibility on exclusions of vulnerabilities, including the reasoning behind the exclusion

Any info is welcome!