3lvia/trivy-operator-metrics-exporter

Trivy Operator Metrics Exporter

Reads CRDs generated by Trivy Operator from the Kubernetes cluster it is deployed in, and converts them to individual metrics that can be scraped by Prometheus.

Why? Doesn't Trivy Operator already export metrics?

Yes, it does. However, the built-in metrics of Trivy Operator are aggregated: they expose only counts, e.g. the number of vulnerabilities per report and severity, not the details of each individual vulnerability. This exporter instead emits every vulnerability as a separate time series with detailed labels (ID, package, installed and fixed versions, score, link), so you can alert on and triage individual findings directly from Prometheus.

Metric comparison

Trivy Operator

trivy_image_vulnerabilities{
    container_name="coredns",
    image_digest="",
    image_registry="index.docker.io",
    image_os_eosl="",
    image_os_family="",
    image_os_name="",
    image_repository="rancher/coredns-coredns",
    image_tag="1.8.3",
    name="replicaset-coredns-6488c6fcc6-coredns",
    namespace="kube-system",
    resource_kind="ReplicaSet",
    resource_name="coredns-6488c6fcc6",
    severity="High"
    } 10

Trivy Operator Metrics Exporter

trivy_image_vulnerabilities{
    fixed_version="1.24.12, 1.25.6",
    image_name="kube-state-metrics/kube-state-metrics",
    image_tag="v2.18.0",
    installed_version="v1.25.5",
    muted="false",
    namespace="monitoring",
    primary_link="https://avd.aquasec.com/nvd/cve-2025-61726",
    published_date="2026-01-28T20:16:09Z",
    resource="stdlib",
    score="7.5",
    severity="HIGH",
    target="",
    title="golang: net/url: Memory exhaustion in query parameter parsing in net/url",
    vulnerability_id="CVE-2025-61726"
    } 1

The exporter watches the following CRDs and exports them as Prometheus metrics (gauges). Metrics are updated in real time using Kubernetes informers, so a series appears when a report is created and disappears when the report is deleted:

  • VulnerabilityReports
    • trivy_image_vulnerabilities{}
  • ConfigAuditReports
    • trivy_config_audits{}
  • ExposedSecretReports
    • trivy_exposed_secrets{}

Installation with Helm

Assuming Trivy Operator is already installed, run this command:

helm install trivy-operator-metrics-exporter \
  oci://ghcr.io/3lvia/charts/trivy-operator-metrics-exporter \
  --namespace trivy-system

See values.yaml for available configuration options.

Configuration

The exporter can be configured via the following environment variables:

Environment Variable            Description                                      Default
ENABLE_VULNERABILITY_METRICS    Enable exporting VulnerabilityReports metrics    true
ENABLE_CONFIG_AUDIT_METRICS     Enable exporting ConfigAuditReports metrics      true
ENABLE_EXPOSED_SECRET_METRICS   Enable exporting ExposedSecretReports metrics    true

These environment variables can also be set via Helm values.

Mute config

Every vulnerability metric carries an additional label called muted (true/false) that indicates whether the vulnerability matches a mute rule. The metric is still exported when muted; the label only lets you exclude accepted or false-positive findings in your PromQL queries and alert rules, so the decision stays visible and auditable rather than being dropped at export time.

Mute config is read from a file called mute.yaml. Only vulnerabilities (trivy_image_vulnerabilities) can currently be muted.

Example mute.yaml:

vulnerabilities:
  # Mutes all vulnerabilities with CVE-2025-15467, regardless of the namespace or image.
  - id: CVE-2025-15467

  # Mutes all vulnerabilities with CVE-2025-15467 in the "traefik" namespace, regardless of the image.
  - id: CVE-2025-15467
    namespace: traefik

  # Mutes CVE-2025-15467 only in the "traefik" namespace and only for the "curlimages/curl" image.
  # Every field given in a rule must match; omitted fields match anything.
  - id: CVE-2025-15467
    namespace: traefik
    imageName: curlimages/curl

Mute config can be set in the Helm chart.
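The following is an added example, not code from the exporter itself, showing how a VulnerabilityReport is turned into one trivy_image_vulnerabilities sample per finding and how the mute.yaml rules above decide the muted label. The struct fields, the MuteRule matching semantics (id must match; namespace and imageName only restrict the rule when set; rules are OR-ed) and the sample report are assumptions constructed to mirror the README, not the project's own types.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Vulnerability is a constructed subset of one VulnerabilityReport entry;
// each field becomes a label on trivy_image_vulnerabilities.
type Vulnerability struct {
	VulnerabilityID  string
	Resource         string
	InstalledVersion string
	FixedVersion     string
	Severity         string
	Score            float64
	Title            string
	PrimaryLink      string
}

// VulnerabilityReport is a flattened, constructed stand-in for the CRD.
type VulnerabilityReport struct {
	Namespace string
	ImageName string // repository part, e.g. "curlimages/curl"
	ImageTag  string
	Vulns     []Vulnerability
}

// MuteRule is one entry under "vulnerabilities:" in mute.yaml.
type MuteRule struct {
	ID        string `yaml:"id"`
	Namespace string `yaml:"namespace,omitempty"`
	ImageName string `yaml:"imageName,omitempty"`
}

// Matches implements the README's mute semantics (assumed here): the id must
// match, and namespace / imageName only constrain the rule when they are set.
func (r MuteRule) Matches(id, namespace, image string) bool {
	if r.ID != id {
		return false
	}
	if r.Namespace != "" && r.Namespace != namespace {
		return false
	}
	if r.ImageName != "" && r.ImageName != image {
		return false
	}
	return true
}

// IsMuted reports whether any rule matches; rules are OR-ed together.
func IsMuted(rules []MuteRule, id, namespace, image string) bool {
	for _, r := range rules {
		if r.Matches(id, namespace, image) {
			return true
		}
	}
	return false
}

// Sample is one gauge sample in Prometheus exposition format.
type Sample struct {
	Name   string
	Labels map[string]string
	Value  float64
}

// ReportToSamples emits one sample per finding, value 1, with muted decided
// by the mute rules instead of dropping the finding.
func ReportToSamples(rep VulnerabilityReport, rules []MuteRule) []Sample {
	out := make([]Sample, 0, len(rep.Vulns))
	for _, v := range rep.Vulns {
		muted := IsMuted(rules, v.VulnerabilityID, rep.Namespace, rep.ImageName)
		out = append(out, Sample{
			Name: "trivy_image_vulnerabilities",
			Labels: map[string]string{
				"namespace": rep.Namespace, "image_name": rep.ImageName, "image_tag": rep.ImageTag,
				"vulnerability_id": v.VulnerabilityID, "resource": v.Resource,
				"installed_version": v.InstalledVersion, "fixed_version": v.FixedVersion,
				"severity": v.Severity, "score": strconv.FormatFloat(v.Score, 'f', -1, 64),
				"title": v.Title, "primary_link": v.PrimaryLink, "muted": strconv.FormatBool(muted),
			},
			Value: 1,
		})
	}
	return out
}

// escapeLabel applies exposition-format escaping: backslash, quote, newline.
func escapeLabel(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	s = strings.ReplaceAll(s, `"`, `\"`)
	return strings.ReplaceAll(s, "\n", `\n`)
}

// String renders the sample with sorted labels, as a /metrics line.
func (s Sample) String() string {
	keys := make([]string, 0, len(s.Labels))
	for k := range s.Labels {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, fmt.Sprintf(`%s="%s"`, k, escapeLabel(s.Labels[k])))
	}
	return fmt.Sprintf("%s{%s} %s", s.Name, strings.Join(parts, ","), strconv.FormatFloat(s.Value, 'f', -1, 64))
}

// Constructed inputs reusing the README's identifiers: the third rule from
// the example mute.yaml, and a report with one muted and one unmuted finding.
var sampleRules = []MuteRule{{ID: "CVE-2025-15467", Namespace: "traefik", ImageName: "curlimages/curl"}}

var sampleReport = VulnerabilityReport{
	Namespace: "traefik", ImageName: "curlimages/curl", ImageTag: "constructed",
	Vulns: []Vulnerability{
		{VulnerabilityID: "CVE-2025-15467", Resource: "curl", Severity: "HIGH", Score: 7.5, Title: "constructed finding"},
		{VulnerabilityID: "CVE-2025-61726", Resource: "stdlib", InstalledVersion: "v1.25.5", FixedVersion: "1.24.12, 1.25.6",
			Severity: "HIGH", Score: 7.5, Title: "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
			PrimaryLink: "https://avd.aquasec.com/nvd/cve-2025-61726"},
	},
}

func main() {
	for _, s := range ReportToSamples(sampleReport, sampleRules) {
		fmt.Println(s)
	}
}
```

Running the block prints two /metrics lines, the first with muted="true" and the second with muted="false". On the Prometheus side the matching filter is simply a label selector such as trivy_image_vulnerabilities{muted="false", severity=~"HIGH|CRITICAL"}, and because the muted series is still scraped you can also alert on the number of muted findings to catch mute rules that have outlived their justification.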

Development

# Run exporter locally. Uses your local kubeconfig.
make run

# Run linter (golangci-lint).
make lint

# Run unit tests.
make test

How to release a new version

  1. Increment the version in VERSION file.

  2. Update version and appVersion in charts/trivy-operator-metrics-exporter/Chart.yaml to match the new version. We always keep the image version and Helm chart version the same!

  3. Update image.tag in charts/trivy-operator-metrics-exporter/values.yaml to match the new version.

  4. Commit and push the changes.

About

Exports Kubernetes resources created by Trivy Operator as individual metrics.