Trivy Implementation

Container Scanning Pipeline

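# GitLab CI Pipeline Configuration
#
# Scans the image built for this commit with Trivy and publishes the
# findings as a GitLab container-scanning report. The job fails
# (exit code 1) when any HIGH or CRITICAL finding is present.
container_scan:
  image:
    # `latest` is a moving target; pin to a release tag (better: a
    # digest) so scanner upgrades are deliberate and reproducible.
    name: aquasec/trivy:latest
    # The image's default entrypoint is the trivy binary itself, which
    # stops GitLab from running `script` through a shell.
    entrypoint: [""]
  variables:
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: ".trivycache/"
    # Registry credentials for pulling the image under test; both are
    # predefined CI variables, so no secret is stored in this file.
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
  # Keep the vulnerability DB between runs; TRIVY_CACHE_DIR on its own
  # does not survive the job.
  cache:
    paths:
      - .trivycache/
  script:
    # `--no-progress` is already set via TRIVY_NO_PROGRESS above.
    - >-
      trivy image --exit-code 1
      --severity HIGH,CRITICAL
      --format template
      --template "@/contrib/gitlab.tpl"
      -o gl-container-scanning-report.json
      "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  artifacts:
    # Upload the report even when the scan fails the job; that is
    # precisely the case in which the findings matter.
    when: always
    reports:
      # GitLab ingests its own container-scanning JSON (gitlab.tpl),
      # not SARIF, and has no `security` report type.
      container_scanning: gl-container-scanning-report.json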

Kubernetes Manifest Scanning

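# Nightly cluster-wide Trivy scan. The `trivy-scanner` service account
# needs read access to the workloads being scanned (RBAC not shown).
apiVersion: batch/v1
kind: CronJob
metadata:
  name: trivy-cluster-scan
spec:
  schedule: "0 0 * * *"
  # A slow scan must not overlap with the next one; both would write
  # into the same results volume.
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: trivy-scanner
          # Job pods may not use the Pod default (Always); without this
          # the API server rejects the CronJob.
          restartPolicy: Never
          containers:
          - name: trivy
            # Pin to a release tag or digest rather than `latest`.
            image: aquasec/trivy:latest
            args:
            - k8s
            - --report=summary
            - --severity=HIGH,CRITICAL
            # Write the report to the mounted PVC; otherwise it only goes
            # to the pod log and the `results` volume below is unused.
            - --output=/results/trivy-cluster-scan.txt
            - all
            # The scanner talks to the API server only; it needs no
            # capabilities or privilege escalation.
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - ALL
            volumeMounts:
            - name: results
              mountPath: /results
          volumes:
          - name: results
            persistentVolumeClaim:
              claimName: scan-results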

Snyk Integration

GitHub Action Integration

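name: Snyk Security Scan
# Secrets are not exposed to pull_request runs from forks, so the Snyk
# steps below only work for branches in this repository.
on: pull_request

# Least privilege for the default GITHUB_TOKEN: the scan steps only
# need to read the repository.
permissions:
  contents: read

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    # The snyk/actions steps track the mutable `master` branch; pin them
    # to a tag or, better, a full commit SHA so a changed or compromised
    # action cannot silently run here with the Snyk token.
    - name: Run Snyk to check for vulnerabilities
      uses: snyk/actions/node@master
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        args: --severity-threshold=high

    - name: Container Scan
      uses: snyk/actions/docker@master
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        # Replace with the image built earlier in this workflow; it must
        # be pullable by the runner.
        image: your-registry/app:latest
        # Same threshold as the other scans so the job fails consistently.
        args: --file=Dockerfile --severity-threshold=high

    - name: IaC Scan
      uses: snyk/actions/iac@master
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        args: --severity-threshold=high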

Wiz Implementation

Cloud Configuration Scanning

# Terraform configuration for Wiz
#
# Wiz automation rule that opens a Jira issue and sends a Slack
# notification when a CRITICAL vulnerability with an available fix is
# found. Attribute names follow the Wiz Terraform provider; confirm
# them against the provider version in use before applying.
resource "wiz_automation_rule" "critical_vuln" {
  name        = "Critical Vulnerability Alert"
  # NOTE(review): the description says "in production", but no
  # project/environment filter is visible in the trigger — confirm scope.
  description = "Alert on critical vulnerabilities in production"
  enabled     = true
  
  # Fire on vulnerability findings only, restricted to CRITICAL severity.
  # `has_fix = true` appears to limit the rule to findings with a
  # remediation available — confirm against the provider docs.
  trigger {
    type = "VULNERABILITY"
    vulnerabilities {
      severity = ["CRITICAL"]
      has_fix  = true
    }
  }
  
  # Both integrations (Jira project "SEC", the Slack channel behind the
  # "critical-vuln" template) must already be configured in Wiz; the
  # rule only references them.
  actions {
    create_issue {
      provider = "JIRA"
      project  = "SEC"
      type     = "Bug"
    }
    send_notification {
      channels = ["SLACK"]
      template = "critical-vuln"
    }
  }
}

Production Implementation

Multi-Scanner Integration

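# ArgoCD Application for Security Scanning
#
# Deploys the scanner manifests under `scanners/` in the security
# config repo into the `security` namespace and keeps them in sync.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: security-scanners
spec:
  project: security
  source:
    repoURL: https://github.com/org/security-configs.git
    # HEAD follows whatever the default branch points at; pin to a
    # branch or tag so scanner config changes go through review.
    targetRevision: HEAD
    path: scanners/
  destination:
    server: https://kubernetes.default.svc
    namespace: security
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

---
# Scanner Configuration
#
# Each key is mounted as a config file for the corresponding scanner.
# Block scalars must not contain indented whitespace-only lines: they
# become part of the file content.
apiVersion: v1
kind: ConfigMap
metadata:
  name: scanner-config
  namespace: security
data:
  # Trivy reads this as trivy.yaml; keys mirror its CLI flags. Trivy
  # documents `severity` as a list. `ignore-unfixed` hides findings that
  # have no fix yet; they still exist and should be tracked separately.
  trivy.yaml: |
    severity:
      - CRITICAL
      - HIGH
    ignore-unfixed: true
    timeout: 10m

  # Keys mirror Snyk CLI flags (--severity-threshold, --fail-on); the
  # job running Snyk has to translate this file into flags — the CLI
  # does not read it on its own.
  snyk.yaml: |
    severity-threshold: high
    fail-on: upgradable

  # Wiz settings; presumably consumed by the in-cluster scanner job —
  # confirm against that job's definition.
  wiz.yaml: |
    scan-interval: 6h
    alert-threshold: CRITICAL
    compliance-frameworks:
      - SOC2
      - PCI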