Troubleshoot Container image vulnerabilities detection
The SWO K8s Collector currently supports collection of image vulnerability scans provided by Aqua Security Trivy Operator. You can deploy the operator separately or as part of the SWO K8s Collector.
To deploy the Trivy Operator as part of the SWO K8s Collector, use the Helm setting trivy-operator.enabled: true.
If the Trivy Operator is deployed separately, make sure it has at least the following mandatory Helm settings (the default settings):
operator:
  vulnerabilityScannerEnabled: true
  alternateReportStorage.enabled: false
Trivy documentation
To troubleshoot any issues with the Trivy Operator or with the security scans, follow the official Trivy documentation:
If the Trivy Operator is deployed as part of the SWO K8s Collector, all its Helm settings need to be applied to the trivy-operator section of the SWO K8s Collector Helm settings.
Common issues
SolarWinds Observability SaaS does not display any vulnerability scan results
Verify the following:
- The deployed SWO K8s Collector is version 5.1.0 or later and it is configured to collect Kubernetes workload manifests (setting otel.manifests.enabled: true, enabled by default).
- You have deployed the Trivy Operator with one of these methods:
  - Separately, verifying the mandatory settings.
  - As part of the SWO K8s Collector, using the Helm setting trivy-operator.enabled: true.
- The Trivy Operator Kubernetes Deployment is running in the monitored cluster and is not reporting any issues.
- When a new workload is deployed to the monitored cluster, a scan Job is successfully executed and the result is stored as a VulnerabilityReport (aquasecurity.github.io) CRD.
Security scans for multi-arch container images show incorrect results
Trivy does not fully support multi-arch images. For example, when a Kubernetes workload uses an image built for Darwin ARM64, Trivy may instead scan the Linux AMD64 variant of that image if one is available. If the vulnerabilities in those variants differ, Trivy reports the wrong ones for the workload.
The operator can be configured to prefer one specific OS/platform with the setting trivy-operator.trivyOperator.scanJobNodeSelector. Trivy will report container image vulnerabilities for that OS/platform.
Security scan Jobs time out
If some of the workloads in a cluster contain many container images, or the images are very large or complex, the scan Jobs may time out and fail. The timeout can be configured with the setting trivy-operator.operator.scanJobTimeout.
Security scan Jobs fail with an OutOfMemory error
As with scan Job timeouts, if a workload contains many or complex container images, the scan Job may need more CPU/memory resources. The resources can be configured with the setting trivy-operator.trivy.resources.
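The settings named in the sections above (enabling the operator, the mandatory operator settings, scanJobNodeSelector, scanJobTimeout and trivy.resources) are dotted Helm paths; the values file below shows how they nest inside the trivy-operator section of the SWO K8s Collector Helm values when the operator is deployed as part of the collector. This is an added example, not configuration from the SolarWinds documentation or the Trivy project; the node labels, timeout and resource figures are assumed values to adjust for your cluster.

```yaml
# Added example values file for the SWO K8s Collector Helm chart (not from the
# SolarWinds or Trivy documentation). Everything under "trivy-operator:" is passed
# through to the Trivy Operator subchart, so the dotted settings from this page
# become nested keys here. Timeout, resource figures and node labels are assumed.
otel:
  manifests:
    enabled: true            # required so workload manifests reach SWO (default)

trivy-operator:
  enabled: true              # deploy the Trivy Operator together with the collector

  operator:
    vulnerabilityScannerEnabled: true   # mandatory (default)
    alternateReportStorage:
      enabled: false                    # mandatory (default): results stay in VulnerabilityReport CRDs
    scanJobTimeout: 10m                 # raise when scan Jobs time out (assumed value; chart default is shorter)

  trivyOperator:
    # Pin scan Jobs to one OS/platform so multi-arch images are scanned consistently.
    # kubernetes.io/os and kubernetes.io/arch are standard well-known node labels.
    scanJobNodeSelector:
      kubernetes.io/os: linux
      kubernetes.io/arch: amd64

  trivy:
    # Give scan Jobs more headroom when they fail with OutOfMemory (assumed figures).
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: "1"
        memory: 1Gi
```

Apply the file with helm upgrade --install and the -f flag; after the rollout, confirm that new scan Jobs complete and VulnerabilityReport objects appear for the workload.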
Container images from private registries are not scanned
Follow the official documentation for configuring access to private registries or managed registries.