Skip to main content

Overview

CPLN Trivy automates vulnerability scanning for every image in your Control Plane image registry. A scheduled daemon queries the registry for unscanned images, runs Trivy against each one, and stores an HTML report in S3 or an Azure File Share. After each scan, the image is tagged with a direct link to its report — visible in the Control Plane console.

Architecture

  • daemon (cron workload) — Runs on a configurable schedule, queries the registry for images that do not yet have a cpln/trivy-scan tag, and orchestrates scanning. Includes a trivy-api sidecar that wraps the Trivy CLI and returns HTML vulnerability reports.
  • web-server (serverless workload) — Receives scan reports from the daemon, stores them in the configured storage backend, and serves them publicly via URL.
After each scan, the daemon writes two tags to the image:
TagValue
cpln/trivy-scanURL to the HTML vulnerability report
cpln/trivy-scan-timeTimestamp of the scan
Each run scans images that do not yet have a cpln/trivy-scan tag. When rescanAfter is set (default 7d), images whose last scan is older than that window are scanned again and their report is refreshed in place at the same URL. Setting rescanAfter to "" disables rescanning — then re-scanning an image requires removing its cpln/trivy-scan tag first.

What Gets Created

  • Cron Daemon Workload — Trivy daemon with trivy-api sidecar, runs on a cron schedule.
  • Serverless Web-Server Workload — Report storage and serving, autoscales from 1–3 replicas.
  • Identity & Policy — Identity bound to each workload with access to the configured storage cloud account, plus reveal access to the referenced credentials secret.
  • Secret — CPLN secret storing the shared bearer token between the daemon and web-server. The service account key itself lives in an opaque secret you create beforehand (see Prerequisites).
This template does not create a GVC. You must deploy it into an existing GVC.

Prerequisites

Service Account

Trivy authenticates against the Control Plane image registry using a service account key stored in an opaque secret.
1

Create or select a service account

Create a Control Plane service account (or use an existing one). Set serviceAccountName in values.yaml to its name — the template grants it image pull and view permissions automatically.
2

Generate a key

Generate a key for the service account and copy the key value. It cannot be retrieved later.
3

Store the key in an opaque secret

4

Reference the secret in values.yaml

The template grants the workload identity reveal access automatically:

Storage

Choose a storage backend — either AWS S3 or Azure File Share. Set storage.type to the appropriate value and configure only that section.
1

Create an S3 bucket

Create an S3 bucket in your AWS account to store scan reports. Set storage.s3.bucket and storage.s3.region.
2

Register a Cloud Account

If you do not have one, create an AWS Cloud Account in Control Plane. Set storage.s3.cloudAccountName to its name.
3

Create an IAM policy

Create an IAM policy scoped to your bucket (replace YOUR_BUCKET_NAME) and set storage.s3.policyName to its name:
To install, follow the instructions for your preferred method:

UI

Browse, install, and manage templates visually

CLI

Manage templates from your terminal

Terraform

Declare templates in your Terraform configurations
Pulumi Icon Streamline Icon: https://streamlinehq.com

Pulumi

Declare templates in your Pulumi programs

Configuration

The default values.yaml for this template:

Configuration Reference

ParameterDefaultDescription
storage.types3Storage backend for reports. Options: s3, azureFileshare
storage.s3.cloudAccountNameAWS Cloud Account name registered in Control Plane
storage.s3.bucketS3 bucket name
storage.s3.regionAWS region (e.g. us-east-1)
storage.s3.policyNameName of the IAM policy scoped to the bucket
storage.azureFileshare.cloudAccountNameAzure Cloud Account name registered in Control Plane
storage.azureFileshare.accountNameAzure storage account name
storage.azureFileshare.fileShareAzure file share name
storage.azureFileshare.scopeFull Azure resource scope for role assignment
postTokenchangemeShared bearer token between daemon and web-server
trivyAuth.secretNametrivy-credentialsName of an existing opaque secret whose payload is the service account key
serviceAccountNametrivy-service-accountService account Trivy uses to pull images
schedule*/59 * * * *Cron schedule for the scanning daemon
rescanAfter7dRescan images whose last scan is older than this (<N>d or <N>h). Empty string disables rescanning
daemon.resources.cpu1CPU for the daemon container
daemon.resources.memory1GiMemory for the daemon container
trivyApi.resources.cpu2CPU for the trivy-api sidecar
trivyApi.resources.memory4GiMemory for the trivy-api sidecar
webServer.autoscaling.minScale1Minimum web-server replicas
webServer.autoscaling.maxScale3Maximum web-server replicas
Change postToken from its default changeme value before any production deployment. This token authenticates report submissions from the daemon to the web-server.
Report URLs are publicly accessible by default — they contain an unguessable SHA-256 hash, but no authentication. Restrict webServer.firewall.inboundAllowCIDR if reports must stay private.

Viewing Reports

Once the daemon has run, navigate to any scanned image in the Control Plane console. The cpln/trivy-scan tag on the image contains a direct URL to the HTML vulnerability report. Opening that URL serves the report from the web-server. To list all scanned images via CLI:

Maintenance

Periodic Re-Scans

With rescanAfter set (default 7d), re-scans happen automatically: any image whose last scan is older than the window is scanned again on the next daemon run, and its report is refreshed at the same URL. Adjust the window (e.g. 24h for daily) or set it to "" to scan each image only once.

Force an Immediate Re-Scan

To re-scan an image before its rescanAfter window elapses, remove its scan tags:
To reset all scan tags and trigger a full re-scan on the next daemon run:
The daemon will pick the images up on its next scheduled run.

External References

Trivy Documentation

Official Trivy vulnerability scanner documentation

Create a Cloud Account

Set up AWS or Azure cloud accounts for storage access