From dcf2eb553ae8972ad069e75e3bf4230ff39bcf68 Mon Sep 17 00:00:00 2001 From: Alex Hayward Date: Thu, 2 Apr 2026 16:02:43 +0100 Subject: [PATCH 1/3] Add a guide for installing Trivy --- docs/prerequisites/security-scanner.md | 147 ++++++++++++++++++++++ scripts/trivy/check-prerequisites.sh | 13 ++ scripts/trivy/configure-trivy-operator.sh | 17 +++ scripts/trivy/values-template.yaml | 24 ++++ 4 files changed, 201 insertions(+) create mode 100644 docs/prerequisites/security-scanner.md create mode 100644 scripts/trivy/check-prerequisites.sh create mode 100644 scripts/trivy/configure-trivy-operator.sh create mode 100644 scripts/trivy/values-template.yaml diff --git a/docs/prerequisites/security-scanner.md b/docs/prerequisites/security-scanner.md new file mode 100644 index 00000000..519b8f99 --- /dev/null +++ b/docs/prerequisites/security-scanner.md 
@@ -0,0 +1,147 @@ +# EOEPCA+ Security Scanner Deployment Guide (Trivy) + +Running a security scanner is important for vulnerability management in an EOEPCA deployment, allowing you to detect when new vulnerabilities are published for both EOEPCA-published and third-party software artefacts present in your cluster. You can then take action such as updating image versions in your Helm configuration files. This is important even for freshly installed deployments as, whilst we will endeavour to update this guide to avoid vulnerable versions at each EOEPCA release, we do not do so in between releases. + +Security scanners can also assess your Kubernetes configuration. This guide aims to achieve a baseline level of good security configuration, but a scanner will help ensure that your cluster and your custom modifications meet your particiular security goals and policies. + +This guide and the EOEPCA project use Trivy, but alternatives such as NeuVector can be used instead. + +--- + +## Introduction + +This deployment uses Trivy Operator to run Trivy scans from within the Kubernetes cluster and save the results to custom resources. If you use ArgoCD then a UI plugin is available at https://github.com/mziyabo/argocd-trivy-extension that can display these results. Alternatively, you can view them with kubectl. 
+ +--- + +## Prerequisites + +Before you begin, make sure you have the following: + +| Component | Requirement | Documentation Link | +| ---------------- | -------------------------------------- | ----------------------------------------------------------------- | +| Kubernetes | Cluster (tested on v1.32) | [Installation Guide](kubernetes.md) | +| Helm | Version 3.5 or newer | [Installation Guide](https://helm.sh/docs/intro/install/) | +| kubectl | Configured for cluster access | [Installation Guide](https://kubernetes.io/docs/tasks/tools/) | + +**Clone the Deployment Guide Repository:** + +```bash +git clone https://github.com/EOEPCA/deployment-guide +cd deployment-guide/scripts/trivy +``` + +**Validate your environment:** + +Run the validation script to ensure all prerequisites are met: + +```bash +bash check-prerequisites.sh +``` + +--- + +## Deployment Steps + +### Trivy Configuration + +Trivy will check that container images come from trusted registries. The list of trusted registries should be configured to match those you expect. The list below is sufficient for EOEPCA. + +```bash +kubectl create namespace trivy-system +cat < Date: Thu, 2 Apr 2026 16:35:03 +0100 Subject: [PATCH 2/3] Small text tweak. --- docs/prerequisites/security-scanner.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/prerequisites/security-scanner.md b/docs/prerequisites/security-scanner.md index 519b8f99..447470b6 100644 --- a/docs/prerequisites/security-scanner.md +++ b/docs/prerequisites/security-scanner.md 
@@ -1,6 +1,6 @@ # EOEPCA+ Security Scanner Deployment Guide (Trivy) -Running a security scanner is important for vulnerability management in an EOEPCA deployment, allowing you to detect when new vulnerabilities are published for both EOEPCA-published and third-party software artefacts present in your cluster. You can then take action such as updating image versions in your Helm configuration files. This is important even for freshly installed deployments as, whilst we will endeavour to update this guide to avoid vulnerable versions at each EOEPCA release, we do not do so in between releases. +Running a security scanner is important for vulnerability management in an EOEPCA deployment, allowing you to detect when new vulnerabilities are published for both EOEPCA-published and third-party software artefacts present in your cluster. You can then take action such as updating image versions in your Helm configuration files. This is important even for freshly installed deployments as, whilst we will endeavour to update this guide and default image tags in our Helm charts to avoid vulnerable versions at each EOEPCA release, we do not do so in between releases. Security scanners can also assess your Kubernetes configuration. This guide aims to achieve a baseline level of good security configuration, but a scanner will help ensure that your cluster and your custom modifications meet your particiular security goals and policies. @@ -138,7 +138,7 @@ kubectl get clustercompliancereports -o wide kubectl get clusterconfigauditreports -o wide kubectl get clusterinfraassessmentreports -o wide kubectl get clusterrbacassessmentreports -o wide -kubectl get clustersbomreports -o wide +kubectl get clustersbomreports -o wide kubectl get clustervulnerabilityreports -o wide kubectl get exposedsecretreports -A -o wide kubectl get infraassessmentreports -A -o wide From 689cd6d98243d132c314db97977497ac454bf17d Mon Sep 17 00:00:00 2001 
From: Alex Hayward Date: Thu, 2 Apr 2026 16:43:34 +0100 Subject: [PATCH 3/3] Add the security scanner page to the prerequisites index --- docs/prerequisites/prerequisites-overview.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/prerequisites/prerequisites-overview.md b/docs/prerequisites/prerequisites-overview.md index a3035bf7..890e6a5e 100644 --- a/docs/prerequisites/prerequisites-overview.md +++ b/docs/prerequisites/prerequisites-overview.md @@ -9,6 +9,7 @@ This section outlines the infrastructure requirements for deploying EOEPCA. Rath - **Storage**: Certain BBs need shared `ReadWriteMany` volumes. - **TLS**: For production, cert-manager or a similar mechanism is strongly recommended. - **(Optional) Object Storage**: E.g. MinIO or external S3. +- **(Optional) Security Scanner**: E.g. Trivy or NeuVector For more in-depth information about each requirement (including recommended solutions for production vs. development), see the respective pages: @@ -16,6 +17,7 @@ For more in-depth information about each requirement (including recommended solu - [Storage Requirements](storage.md) - [Ingress Controller Setup](../prerequisites/ingress/overview.md) - [TLS Management](tls.md) +- [Security Scanner](security-scanner.md) ---
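Review bot: in PATCH 1/3, the Trivy Configuration step of docs/prerequisites/security-scanner.md runs `kubectl create namespace trivy-system`, which fails with AlreadyExists if the namespace is left over from an earlier attempt; use `kubectl create namespace trivy-system --dry-run=client -o yaml | kubectl apply -f -` so the step is safe to re-run. Two documentation points in the same hunk: "particiular" in the second paragraph should be "particular", and the ArgoCD UI plugin linked under Introduction (https://github.com/mziyabo/argocd-trivy-extension) is a third-party project, so say so explicitly so readers know it is not maintained by EOEPCA before adding it to their ArgoCD.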
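Review bot: in the first hunk of PATCH 2/3 (`@@ -1,6 +1,6 @@`), the unchanged context line directly below the rewritten paragraph still reads "meet your particiular security goals and policies"; since this commit is already a text tweak to that section, correct it to "particular" here rather than in a follow-up.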
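Review bot: in the second hunk of PATCH 2/3 (`@@ -138,7 +138,7 @@`), the removed and added `kubectl get clustersbomreports -o wide` lines are identical as rendered, so this is presumably a trailing-whitespace fix; either say so in the commit message ("Small text tweak" does not cover it) or drop the hunk, since an invisible no-op change only adds noise to the history.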
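Review bot: in the first hunk of PATCH 3/3 (`@@ -9,6 +9,7 @@`), the new bullet `- **(Optional) Security Scanner**: E.g. Trivy or NeuVector` lacks the trailing full stop that its sibling bullets carry (`- **(Optional) Object Storage**: E.g. MinIO or external S3.`); add it so the list stays consistent.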