Files
project-charlie/docs/vulnerability-scanning.md
T
2026-06-22 15:12:21 +02:00

2.2 KiB

Vulnerability scanning

flowchart LR
  Compose[Compose image refs] --> Server[trivy-server]
  Running[Running containers] --> Runner[trivy-runner]
  Server --> Textfiles[Prometheus textfiles]
  Runner --> Textfiles
  Textfiles --> OTel[otelcollector]
  OTel --> VM[VictoriaMetrics]
  VM --> Grafana
Stack Host(s) Scans
Charlie/trivy-server morgott Compose-declared image refs across stack repos.
Charlie/trivy-runner morgott, melina Currently running container images.

Pipeline

Stage State
Trivy DB Shared server on morgott.
Schedule Daily sweeps.
Metrics Prometheus textfiles under /var/lib/charlie/trivy/metrics.
Shipping node-exporter textfile collector -> otelcollector -> VictoriaMetrics.
Dashboard Grafana Container CVEs, Container CVE List.

Metrics

Metric Meaning
trivy_image_vulnerabilities Distinct-CVE counts by image/severity/scanner.
trivy_image_vulnerability_info Per-CVE detail (stack, image, advisory URL, title).
trivy_image_scan_timestamp_seconds Last scan timestamp.
trivy_image_scan_errors_total Scan error state.

Access

Identity Purpose
sys-trivy-scanner Read-only registry access for private images.

Alerting and build-time scan policy belong in next work.