Vulnerability scanning
| Stack |
Host(s) |
Scans |
Charlie/trivy-server |
morgott |
Compose-declared image refs across stack repos. |
Charlie/trivy-runner |
morgott, melina |
Currently running container images. |
Pipeline
| Stage |
State |
| Trivy DB |
Shared server on morgott. |
| Schedule |
Daily sweeps. |
| Metrics |
Prometheus textfiles under /var/lib/charlie/trivy/metrics. |
| Shipping |
node-exporter textfile collector -> otelcollector -> VictoriaMetrics. |
| Dashboard |
Grafana Container CVEs, Container CVE List. |
Metrics
| Metric |
Meaning |
trivy_image_vulnerabilities |
Distinct-CVE counts by image/severity/scanner. |
trivy_image_vulnerability_info |
Per-CVE detail (stack, image, advisory URL, title). |
trivy_image_scan_timestamp_seconds |
Last scan timestamp. |
trivy_image_scan_errors_total |
Scan error state. |
Access
| Identity |
Purpose |
sys-trivy-scanner |
Read-only registry access for private images. |
Alerting and build-time scan policy belong in
next work.