Complete the command to scan a Docker image for vulnerabilities using Trivy.
trivy [1] nginx:latestThe trivy image command scans the specified image for vulnerabilities.
Complete the Kubernetes manifest snippet to add an image scanning annotation for the container.
containers:
- name: app
image: myapp:latest
metadata:
annotations:
[1]: "true"The annotation image.security.scan is commonly used to enable image scanning in Kubernetes manifests.
Fix the error in this Trivy command to scan an image and output results in JSON format.
trivy image nginx:latest --format [1]The --format json option outputs the scan results in JSON format.
Fill both blanks to create a Kubernetes Pod spec that uses an init container to scan the main container's image before starting.
apiVersion: v1
kind: Pod
metadata:
name: scan-pod
spec:
initContainers:
- name: scanner
image: [1]
containers:
- name: app
image: [2]The init container uses the Trivy image aquasec/trivy:latest to scan the main app image nginx:latest.
Fill all three blanks to create a Kubernetes ConfigMap that stores a Trivy policy file with a rule to fail scans on high severity vulnerabilities.
apiVersion: v1
kind: ConfigMap
metadata:
name: trivy-policy
data:
policy.rego: |
package [1]
deny[msg] {
input.Vulnerabilities[_].Severity == [2]
msg = "High severity vulnerability found"
}
severity_level = [3]The policy package is named trivy.policy. The severity is checked as the string "HIGH". The severity level is set to 3 to represent high severity.