How to Decide on Critical Vulnerabilities When Using Trivy?

Asked By TechSavvyCat123 On

I've set up a CI pipeline, and during the scanning phase, I use Trivy. If it finds any critical vulnerabilities, it halts the pipeline as a pre-deployment check. However, I've noticed some discrepancies—Trivy marks certain issues as critical, while Red Hat's CVE database classifies them as medium severity. This inconsistency creates a bit of confusion. Is there a standard way to determine what constitutes a critical vulnerability, considering each tool has its own definition? I would appreciate any insights on this!

4 Answers

Answered By DevOpsGuru42 On

That's an interesting dilemma you're facing. Personally, I don’t think stopping a deployment solely based on a critical vulnerability in a base image is feasible, especially if there's no fix available. It really depends on how critical your app is and the context of that vulnerability. For example, how often are base images updated? I also recommend looking into how different teams automate their pipelines for updates and addressing vulnerabilities when they arise.
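An added example, not part of the question or of any answer above: a small policy gate that reads Trivy's `--format json` output and decides whether to fail the pipeline. It shows the two knobs the thread circles around, skipping findings that have no fixed version (Trivy's own `--ignore-unfixed` flag does the same) and preferring the distribution vendor's rating (e.g. Red Hat's) over the NVD-derived one where the vendor has rated the CVE. The field names `Severity`, `SeveritySource`, `FixedVersion` and `VendorSeverity`, and the numeric scale 0 (unknown) to 4 (critical) inside `VendorSeverity`, are assumptions about Trivy's JSON shape; the report embedded below is constructed, and its CVE ids are placeholders.

```python
"""Policy gate over Trivy JSON output (added example; report below is constructed)."""
import json
import sys

# Severity names Trivy prints, ranked. The numbers are assumed to match the
# scale Trivy uses inside its VendorSeverity map (0 UNKNOWN .. 4 CRITICAL).
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
RANK_NAME = {rank: name for name, rank in SEVERITY_RANK.items()}

# Constructed sample in the shape of `trivy image --format json` output.
# The CVE ids are placeholders, not real vulnerabilities.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "example-base-image",
            "Vulnerabilities": [
                {   # Trivy says CRITICAL (NVD), vendor says MEDIUM, no fix yet
                    "VulnerabilityID": "CVE-0000-0001",
                    "PkgName": "libexample",
                    "InstalledVersion": "1.0.0",
                    "FixedVersion": "",
                    "Severity": "CRITICAL",
                    "SeveritySource": "nvd",
                    "VendorSeverity": {"nvd": 4, "redhat": 2},
                },
                {   # Both sources agree it is CRITICAL and a fix exists
                    "VulnerabilityID": "CVE-0000-0002",
                    "PkgName": "openexample",
                    "InstalledVersion": "2.3.0",
                    "FixedVersion": "2.3.1",
                    "Severity": "CRITICAL",
                    "SeveritySource": "redhat",
                    "VendorSeverity": {"nvd": 4, "redhat": 4},
                },
                {   # HIGH with a fix; below a CRITICAL-only threshold
                    "VulnerabilityID": "CVE-0000-0003",
                    "PkgName": "toolexample",
                    "InstalledVersion": "0.9",
                    "FixedVersion": "0.10",
                    "Severity": "HIGH",
                    "SeveritySource": "nvd",
                    "VendorSeverity": {"nvd": 3},
                },
            ],
        }
    ]
}


def effective_severity(vuln, preferred_source=None):
    """Severity name the policy applies to.

    If preferred_source (e.g. "redhat") rated this vulnerability, use that
    rating; otherwise fall back to the Severity Trivy itself chose.
    """
    vendor = vuln.get("VendorSeverity") or {}
    if preferred_source and preferred_source in vendor:
        return RANK_NAME.get(vendor[preferred_source], "UNKNOWN")
    return str(vuln.get("Severity", "UNKNOWN")).upper()


def blocking_findings(report, threshold="CRITICAL", preferred_source=None,
                      ignore_unfixed=True):
    """Return (id, package, severity) tuples that should fail the pipeline."""
    min_rank = SEVERITY_RANK[threshold.upper()]
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # nothing to upgrade to yet: track it, do not block on it
            sev = effective_severity(vuln, preferred_source)
            if SEVERITY_RANK.get(sev, 0) >= min_rank:
                hits.append((vuln["VulnerabilityID"], vuln["PkgName"], sev))
    return hits


def gate_exit_code(report, **policy):
    """1 if any finding blocks, else 0 (same convention as `trivy --exit-code 1`)."""
    return 1 if blocking_findings(report, **policy) else 0


def main(argv):
    """Usage: python gate.py trivy-report.json  (falls back to the sample report)."""
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    policy = {"threshold": "CRITICAL", "preferred_source": "redhat", "ignore_unfixed": True}
    for vid, pkg, sev in blocking_findings(report, **policy):
        print(f"BLOCK {vid} {pkg} {sev}")
    return gate_exit_code(report, **policy)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the default policy only CVE-0000-0002 blocks: the first finding is skipped because no fixed version exists, and under the Red Hat rating it would only be MEDIUM anyway. Whichever source you prefer, the point is to write the choice down once, in the gate, so that a CRITICAL from Trivy and a medium from the vendor stop being a surprise at deploy time.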

Answered By SecurityNinja88 On

You bring up some great points! The discrepancies in scoring systems can really throw a wrench into vulnerability management. The CVSS is widely used, but vendors like Red Hat often have their own criteria that might skew how they rate vulnerabilities. Trivy and Red Hat also pull data from different sources, which can add to the confusion. It's crucial to understand the context of the vulnerabilities according to your specific environment.

Answered By CloudWhisperer7 On

Absolutely! It's about balancing the risk and understanding which vulnerabilities actually impact your application. One challenge is figuring out if the flagged vulnerabilities are even being used in your application. Tools like Kubescape can help identify whether certain vulnerabilities that are marked critical are relevant to your app. We need a solid framework to assess the real risks.

Answered By CodeBusterX On

I've noticed similar issues with Trivy, especially regarding Kubernetes images. It tends to show many false positives. I think a solution is to define a clear vulnerability management policy and stick to one scanning tool to minimize confusion. For example, we use Twistlock and have customized the severity levels for both base and app images, which helps streamline our process.
