# Vulnerability scanning ```mermaid flowchart LR Compose[Compose image refs] --> Server[trivy-server] Running[Running containers] --> Runner[trivy-runner] Server --> Textfiles[Prometheus textfiles] Runner --> Textfiles Textfiles --> OTel[otelcollector] OTel --> VM[VictoriaMetrics] VM --> Grafana ``` | Stack | Host(s) | Scans | | ---------------------- | --------------- | ----------------------------------------------- | | `Charlie/trivy-server` | morgott | Compose-declared image refs across stack repos. | | `Charlie/trivy-runner` | morgott, melina | Currently running container images. | ## Pipeline | Stage | State | | --------- | --------------------------------------------------------------------- | | Trivy DB | Shared server on morgott. | | Schedule | Daily sweeps. | | Metrics | Prometheus textfiles under `/var/lib/charlie/trivy/metrics`. | | Shipping | node-exporter textfile collector -> otelcollector -> VictoriaMetrics. | | Dashboard | Grafana `Container CVEs`, `Container CVE List`. | ## Metrics | Metric | Meaning | | ------------------------------------ | ---------------------------------------------------- | | `trivy_image_vulnerabilities` | Distinct-CVE counts by image/severity/scanner. | | `trivy_image_vulnerability_info` | Per-CVE detail (stack, image, advisory URL, title). | | `trivy_image_scan_timestamp_seconds` | Last scan timestamp. | | `trivy_image_scan_errors_total` | Scan error state. | ## Access | Identity | Purpose | | ------------------- | --------------------------------------------- | | `sys-trivy-scanner` | Read-only registry access for private images. | Alerting and build-time scan policy belong in [next work](https://gitea.alexandru.macocian.me/Charlie/project-charlie/src/branch/main/docs/roadmap.md).