Overview
CPLN Trivy automates vulnerability scanning for every image in your Control Plane image registry. A scheduled daemon queries the registry for unscanned images, runs Trivy against each one, and stores an HTML report in S3 or an Azure File Share. After each scan, the image is tagged with a direct link to its report — visible in the Control Plane console.Architecture
- daemon (cron workload) — Runs on a configurable schedule, queries the registry for images that do not yet have a
cpln/trivy-scantag, and orchestrates scanning. Includes a trivy-api sidecar that wraps the Trivy CLI and returns HTML vulnerability reports. - web-server (serverless workload) — Receives scan reports from the daemon, stores them in the configured storage backend, and serves them publicly via URL.
| Tag | Value |
|---|---|
cpln/trivy-scan | URL to the HTML vulnerability report |
cpln/trivy-scan-time | Timestamp of the scan |
cpln/trivy-scan tag. When rescanAfter is set (default 7d), images whose last scan is older than that window are scanned again and their report is refreshed in place at the same URL. Setting rescanAfter to "" disables rescanning — then re-scanning an image requires removing its cpln/trivy-scan tag first.
What Gets Created
- Cron Daemon Workload — Trivy daemon with trivy-api sidecar, runs on a cron schedule.
- Serverless Web-Server Workload — Report storage and serving, autoscales from 1–3 replicas.
- Identity & Policy — Identity bound to each workload with access to the configured storage cloud account, plus
revealaccess to the referenced credentials secret. - Secret — CPLN secret storing the shared bearer token between the daemon and web-server. The service account key itself lives in an opaque secret you create beforehand (see Prerequisites).
This template does not create a GVC. You must deploy it into an existing GVC.
Prerequisites
Service Account
Trivy authenticates against the Control Plane image registry using a service account key stored in an opaque secret.Create or select a service account
Create a Control Plane service account (or use an existing one). Set
serviceAccountName in values.yaml to its name — the template grants it image pull and view permissions automatically.Generate a key
Generate a key for the service account and copy the key value. It cannot be retrieved later.
Storage
Choose a storage backend — either AWS S3 or Azure File Share. Setstorage.type to the appropriate value and configure only that section.
- AWS S3
Create an S3 bucket
Create an S3 bucket in your AWS account to store scan reports. Set
storage.s3.bucket and storage.s3.region.Register a Cloud Account
If you do not have one, create an AWS Cloud Account in Control Plane. Set
storage.s3.cloudAccountName to its name.UI
Browse, install, and manage templates visually
CLI
Manage templates from your terminal
Terraform
Declare templates in your Terraform configurations
Pulumi
Declare templates in your Pulumi programs
Configuration
The defaultvalues.yaml for this template:
Configuration Reference
| Parameter | Default | Description |
|---|---|---|
storage.type | s3 | Storage backend for reports. Options: s3, azureFileshare |
storage.s3.cloudAccountName | — | AWS Cloud Account name registered in Control Plane |
storage.s3.bucket | — | S3 bucket name |
storage.s3.region | — | AWS region (e.g. us-east-1) |
storage.s3.policyName | — | Name of the IAM policy scoped to the bucket |
storage.azureFileshare.cloudAccountName | — | Azure Cloud Account name registered in Control Plane |
storage.azureFileshare.accountName | — | Azure storage account name |
storage.azureFileshare.fileShare | — | Azure file share name |
storage.azureFileshare.scope | — | Full Azure resource scope for role assignment |
postToken | changeme | Shared bearer token between daemon and web-server |
trivyAuth.secretName | trivy-credentials | Name of an existing opaque secret whose payload is the service account key |
serviceAccountName | trivy-service-account | Service account Trivy uses to pull images |
schedule | */59 * * * * | Cron schedule for the scanning daemon |
rescanAfter | 7d | Rescan images whose last scan is older than this (<N>d or <N>h). Empty string disables rescanning |
daemon.resources.cpu | 1 | CPU for the daemon container |
daemon.resources.memory | 1Gi | Memory for the daemon container |
trivyApi.resources.cpu | 2 | CPU for the trivy-api sidecar |
trivyApi.resources.memory | 4Gi | Memory for the trivy-api sidecar |
webServer.autoscaling.minScale | 1 | Minimum web-server replicas |
webServer.autoscaling.maxScale | 3 | Maximum web-server replicas |
Report URLs are publicly accessible by default — they contain an unguessable SHA-256 hash, but no authentication. Restrict
webServer.firewall.inboundAllowCIDR if reports must stay private.Viewing Reports
Once the daemon has run, navigate to any scanned image in the Control Plane console. Thecpln/trivy-scan tag on the image contains a direct URL to the HTML vulnerability report. Opening that URL serves the report from the web-server.
To list all scanned images via CLI:
Maintenance
Periodic Re-Scans
WithrescanAfter set (default 7d), re-scans happen automatically: any image whose last scan is older than the window is scanned again on the next daemon run, and its report is refreshed at the same URL. Adjust the window (e.g. 24h for daily) or set it to "" to scan each image only once.
Force an Immediate Re-Scan
To re-scan an image before itsrescanAfter window elapses, remove its scan tags:
External References
Trivy Documentation
Official Trivy vulnerability scanner documentation
Create a Cloud Account
Set up AWS or Azure cloud accounts for storage access