// the find
aquasecurity/trivy-operator
Kubernetes-native security toolkit
trivy-operator is a Kubernetes operator that runs Trivy security scans automatically in response to cluster changes, surfacing results as CRDs queryable via kubectl. It covers vulnerability scanning, config auditing, secret detection, RBAC analysis, and SBOM generation in one package. Backed by Aqua Security, so it's not a weekend project that gets abandoned.
The CRD-native approach is genuinely useful — scan results live in etcd and you can query them with standard kubectl or wire them into any tooling that speaks Kubernetes. Trigger-based scanning (new pod → scan runs) means you don't have to schedule jobs manually or worry about stale results after deployments. The compliance report coverage (NSA/CISA, CIS Benchmark, PSS baseline and restricted) saves real work integrating multiple auditing frameworks. FIPS and UBI9 Dockerfiles are included, which matters if you're operating in regulated environments.
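One way to wire those CRDs into a release gate, as an added example that is not trivy-operator's own code: it consumes the JSON that `kubectl get vulnerabilityreports -A -o json` returns (a constructed sample is embedded so it runs offline), reads the per-image counts from `report.summary`, and lists the workloads that breach an assumed threshold policy together with the findings that already have a fixed version. Field and label names follow the `aquasecurity.github.io/v1alpha1` VulnerabilityReport CRD; the thresholds and CVE identifiers are placeholders.

```python
"""Gate on trivy-operator VulnerabilityReports as `kubectl get vulnerabilityreports -A -o json`
returns them. Added example, not trivy-operator's own code; field and label names follow the
aquasecurity.github.io/v1alpha1 CRD, the thresholds and CVE identifiers are placeholders."""
import json


def _report(ns, workload, container, image, crit, high, vulns):
    """Build one constructed VulnerabilityReport in the CRD's shape (sample data only)."""
    return {"apiVersion": "aquasecurity.github.io/v1alpha1", "kind": "VulnerabilityReport",
            "metadata": {"namespace": ns, "name": f"replicaset-{workload}-{container}",
                         "labels": {"trivy-operator.resource.kind": "ReplicaSet",
                                    "trivy-operator.resource.name": workload,
                                    "trivy-operator.container.name": container}},
            "report": {"artifact": {"repository": image, "tag": "1.0"},
                       "summary": {"criticalCount": crit, "highCount": high,
                                   "mediumCount": 0, "lowCount": 0},
                       "vulnerabilities": vulns}}


# Constructed stand-in for the kubectl output; CVE identifiers are placeholders.
KUBECTL_JSON = json.dumps({"kind": "List", "items": [
    _report("shop", "web-7c9d", "nginx", "library/nginx", 1, 2, [
        {"vulnerabilityID": "CVE-0000-PLACEHOLDER-A", "severity": "CRITICAL",
         "resource": "openssl", "installedVersion": "3.0.1", "fixedVersion": "3.0.2"},
        {"vulnerabilityID": "CVE-0000-PLACEHOLDER-B", "severity": "HIGH",
         "resource": "curl", "installedVersion": "8.0.0", "fixedVersion": ""}]),
    _report("shop", "worker-5f1a", "app", "acme/worker", 0, 1, [
        {"vulnerabilityID": "CVE-0000-PLACEHOLDER-C", "severity": "HIGH",
         "resource": "zlib", "installedVersion": "1.2.11", "fixedVersion": "1.2.12"}])]})


def gate(kubectl_json, max_critical=0, max_high=5):
    """Return the workloads breaching the (assumed) policy, with the fixable CVEs to act on.

    Counts come from report.summary; 'fixable' means the finding carries a fixedVersion,
    which is what a team can act on immediately by rebuilding or bumping the image.
    """
    violations = []
    for item in json.loads(kubectl_json)["items"]:
        meta, rep = item["metadata"], item["report"]
        crit, high = rep["summary"]["criticalCount"], rep["summary"]["highCount"]
        if crit <= max_critical and high <= max_high:
            continue  # within policy, nothing to report for this container image
        labels = meta["labels"]
        fixable = sorted(v["vulnerabilityID"] for v in rep["vulnerabilities"]
                         if v["severity"] in ("CRITICAL", "HIGH") and v.get("fixedVersion"))
        violations.append({
            "namespace": meta["namespace"],
            "workload": f'{labels["trivy-operator.resource.kind"]}/{labels["trivy-operator.resource.name"]}',
            "container": labels["trivy-operator.container.name"],
            "image": f'{rep["artifact"]["repository"]}:{rep["artifact"]["tag"]}',
            "critical": crit, "high": high, "fixable": fixable})
    return violations
```

Run it against live output by piping `kubectl get vulnerabilityreports -A -o json` into `gate()` instead of the embedded sample; a non-empty result is the signal to fail the pipeline step.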
Still self-describing as 'incubating' with API stability caveats — CRD schemas can change between releases, which is a painful upgrade story if you've built tooling on top of them. The scan jobs spawn in-cluster, which means the operator needs broad RBAC permissions that many platform teams will push back on; least-privilege setup isn't well documented. Heavy dependency on Trivy means any Trivy DB lag or rate limiting hits all your scans simultaneously — there's no fallback. The config audit OPA policy story is underdocumented; writing custom Rego that actually works with the loader requires digging through test fixtures rather than any real guide.