authorPaul Buetow <paul@buetow.org>2026-04-08 12:46:01 +0300
committerPaul Buetow <paul@buetow.org>2026-04-08 12:46:01 +0300
commit7f2175d28dab2f1a9b3adb9ac44a0343c936f560 (patch)
tree14a40c31623486ba1daa6e51611c5d2ddd30166b
parentc1fa7805501164c6eda50d9fb8db723bd0afd14b (diff)
feat(f3s): deploy Trivy Operator for image CVE scanning (task h)
- ArgoCD app: aquasecurity/trivy-operator in monitoring with ServiceMonitor - PrometheusRule for Critical/High trivy_image_vulnerabilities alerts - Alertmanager route/receiver for component=trivy (UI; webhook TBD) Made-with: Cursor
-rw-r--r--f3s/argocd-apps/monitoring/prometheus.yaml9
-rw-r--r--f3s/argocd-apps/monitoring/trivy-operator.yaml43
-rw-r--r--f3s/prometheus/manifests/trivy-operator-alerts.yaml39
3 files changed, 91 insertions, 0 deletions
diff --git a/f3s/argocd-apps/monitoring/prometheus.yaml b/f3s/argocd-apps/monitoring/prometheus.yaml
index f20be95..3d88e39 100644
--- a/f3s/argocd-apps/monitoring/prometheus.yaml
+++ b/f3s/argocd-apps/monitoring/prometheus.yaml
@@ -110,6 +110,13 @@ spec:
group_by: ['alertname', 'name', 'severity']
group_wait: 10s
repeat_interval: 6h
+ # Container image CVEs from Trivy Operator (see trivy-operator ArgoCD app)
+ - matchers:
+ - component = "trivy"
+ receiver: 'trivy-alerts'
+ group_by: ['alertname', 'namespace', 'severity']
+ group_wait: 2m
+ repeat_interval: 24h
receivers:
- name: 'null'
- name: 'default'
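Review bot: The route added at L26-L31 relies on Alertmanager's first-match semantics, and the preceding route — only its `group_by`/`group_wait`/`repeat_interval` are visible at L22-L24, its matchers are outside this hunk — will claim a Trivy alert first if its matchers also fit, for example a `namespace` matcher would match the workload `namespace` label the new rules set via `sum by (namespace, ...)`. Verify that every earlier route either uses `continue: true` or cannot match `component="trivy"` alerts, or move this route ahead of them. A comment recording that dependence would keep a later reorder from silently swallowing CVE alerts, e.g. `# Must precede any catch-all or namespace-based route: Alertmanager stops at the first match unless continue: true`.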
@@ -117,6 +124,8 @@ spec:
- name: 'argocd-alerts'
# ArgoCD-specific receiver - alerts visible in UI only
# Future: add email/slack/webhook configuration here
+ - name: 'trivy-alerts'
+ # Trivy Operator CVE alerts - visible in Alertmanager UI; add webhook/email when desired
inhibit_rules:
# Inhibit info alerts if warning or critical is firing
- source_matchers:
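Review bot: The `trivy-alerts` receiver at L39-L40 has no integration configured, so as committed it behaves exactly like the `null` receiver: matched CVE alerts are accepted and then discarded, and with `repeat_interval: 24h` nothing will ever nudge anyone. The commit description acknowledges the webhook is TBD, but the inline comment reads as if the UI is a delivery mechanism; make the gap explicit so nobody treats this route as monitoring, e.g. `# NOTE: no integrations yet — alerts routed here are NOT delivered anywhere (equivalent to 'null') until a webhook/email is added`. Also check that the inhibit rule that follows (L42, body outside the hunk) does not suppress `TrivyContainerHighVulnerabilities` for a workload whenever the critical one fires, unless that is intended; with both sharing `component: trivy` and differing only in `severity`, a severity-only inhibitor would do exactly that.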
diff --git a/f3s/argocd-apps/monitoring/trivy-operator.yaml b/f3s/argocd-apps/monitoring/trivy-operator.yaml
new file mode 100644
index 0000000..fc7de60
--- /dev/null
+++ b/f3s/argocd-apps/monitoring/trivy-operator.yaml
@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: trivy-operator
+ namespace: cicd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://aquasecurity.github.io/helm-charts
+ chart: trivy-operator
+ targetRevision: 0.32.1
+ helm:
+ releaseName: trivy-operator
+ valuesObject:
+ # Scrape operator metrics with kube-prometheus-stack (release name: prometheus)
+ serviceMonitor:
+ enabled: true
+ namespace: monitoring
+ labels:
+ release: prometheus
+ operator:
+ scanJobsConcurrentLimit: 5
+ metricsFindingsEnabled: true
+ # System namespaces are tied to k3s upgrades; scanning them adds noise without actionable fixes.
+ excludeNamespaces: "kube-system,kube-public,kube-node-lease"
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: monitoring
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=false
+ - ServerSideApply=true
+ retry:
+ limit: 3
+ backoff:
+ duration: 10s
+ factor: 2
+ maxDuration: 3m
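Review bot: `metricsFindingsEnabled: true` at L74 exports per-finding detail (vulnerability IDs, package names and installed versions per container, to my recollection via `trivy_vulnerability_id`) as metric labels, so anyone with Prometheus or Grafana read access gets a machine-readable map of exactly which unpatched CVEs each workload carries — a ready-made target list — and the label cardinality grows with every finding. The two alert rules in this commit only use the per-severity counts in `trivy_image_vulnerabilities`, which are emitted regardless of this flag, so either leave it off or document the trade-off: `# Exposes per-CVE IDs/packages as metric labels; treat Prometheus read access as sensitive and expect high cardinality`. The `excludeNamespaces` comment at L75 should also admit that this is a deliberate blind spot rather than pure noise: on k3s, `kube-system` typically hosts the ingress controller and DNS, i.e. the most exposed images on the cluster, so their CVEs will never reach Alertmanager and must be covered by tracking k3s releases instead. Finally, the operator fetches its vulnerability DB from the chart's default registry; if this cluster restricts egress or wants a pinned mirror, that value (not set here) is where it belongs.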
diff --git a/f3s/prometheus/manifests/trivy-operator-alerts.yaml b/f3s/prometheus/manifests/trivy-operator-alerts.yaml
new file mode 100644
index 0000000..5fa460f
--- /dev/null
+++ b/f3s/prometheus/manifests/trivy-operator-alerts.yaml
@@ -0,0 +1,39 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: trivy-operator-alerts
+ namespace: monitoring
+ labels:
+ release: prometheus
+spec:
+ groups:
+ - name: trivy-operator
+ interval: 60s
+ rules:
+ - alert: TrivyContainerCriticalVulnerabilities
+ expr: |
+ sum by (namespace, resource_name, container_name, image_repository) (
+ trivy_image_vulnerabilities{severity="Critical"}
+ ) > 0
+ for: 30m
+ labels:
+ severity: critical
+ component: trivy
+ annotations:
+ summary: "Critical CVEs in container {{ $labels.container_name }} ({{ $labels.image_repository }})"
+ description: "Workload {{ $labels.resource_name }} in namespace {{ $labels.namespace }} has one or more Critical vulnerabilities. Inspect VulnerabilityReport CRs or Grafana/Prometheus metrics trivy_image_vulnerabilities."
+ action: "kubectl get vulnerabilityreports -A | grep -i {{ $labels.namespace }}\nkubectl describe vulnerabilityreport -n {{ $labels.namespace }} <name>"
+
+ - alert: TrivyContainerHighVulnerabilities
+ expr: |
+ sum by (namespace, resource_name, container_name, image_repository) (
+ trivy_image_vulnerabilities{severity="High"}
+ ) > 0
+ for: 3h
+ labels:
+ severity: warning
+ component: trivy
+ annotations:
+ summary: "High-severity CVEs in container {{ $labels.container_name }} ({{ $labels.image_repository }})"
+ description: "Workload {{ $labels.resource_name }} in namespace {{ $labels.namespace }} has High-severity vulnerabilities. Plan image upgrades or mitigations."
+ action: "kubectl get vulnerabilityreports -n {{ $labels.namespace }}"
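Review bot: Both rules aggregate on `namespace` (L113, L127) and the `action` annotations pass it to `kubectl -n {{ $labels.namespace }}` (L123, L137), but when a ServiceMonitor scrapes with the default `honorLabels: false`, Prometheus overwrites the metric's own `namespace` with the scrape target's namespace (`monitoring`) and moves the workload one to `exported_namespace`. Whether that happens depends on the trivy-operator chart's ServiceMonitor defaults, which are outside this commit; confirm with a query that `trivy_image_vulnerabilities` carries the workload namespace, otherwise every alert will claim the workload lives in `monitoring` and the suggested commands will find nothing. Separately, `> 0` counts unfixed CVEs too, so any image whose base distro has a Critical with no fix will fire permanently after 30m and train people to ignore the channel; either accept that and say so in the rule comment, e.g. `# Fires for unfixed CVEs as well; see trivy.ignoreUnfixed in the chart values if that proves too noisy`, or enable the ignore-unfixed option in the operator values.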