Kubernetes Security Scanner with AI-Powered Triage
Query vulnerabilities, compliance issues, and security posture from your cluster.
Use AI to investigate findings and get actionable remediation advice.
Features | Installation | Usage | AI Investigation | Server Mode | Roadmap
- Query Security Findings - Browse vulnerabilities, compliance issues, RBAC problems, and exposed secrets
- AI-Powered Investigation - Ask questions in natural language and get actionable remediation advice
- Continuous Monitoring - Server mode with Slack/webhook notifications for new and fixed vulnerabilities
- SBOM Search - Find specific packages across all container images (e.g., log4j)
- NetworkPolicy Analysis - Identify pods without network protection
- Interactive Mode - Have follow-up conversations about your security posture
- BYOK (Bring Your Own Key) - Your data stays between you and your LLM provider
- Multiple Output Formats - Human-readable tables or JSON for automation
| Tool | Status | Description |
|---|---|---|
| Trivy Operator | ✅ Supported | Vulnerabilities, compliance, RBAC, secrets, SBOM |
| Kubescape | 🔜 Planned | NSA/CISA hardening checks |
| Kyverno | 🔜 Planned | Policy violations |
| Falco | 🔜 Planned | Runtime security events |
trix is a local CLI tool that queries security data from your Kubernetes cluster via kubeconfig. Trivy Operator runs in-cluster and scans your workloads - trix reads those results and makes them actionable.
| Finding Type | Description |
|---|---|
| Vulnerabilities | CVEs in container images with CVSS scores |
| Compliance | Misconfigurations and policy violations |
| RBAC Issues | Overly permissive roles and bindings |
| Exposed Secrets | Secrets found in container images |
| NetworkPolicy Gaps | Pods without network protection |
| Software Inventory | SBOM data for all images |
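The NetworkPolicy gap check in the table above comes down to one question per pod: does any NetworkPolicy in the pod's namespace select it, and for which direction? The following Go program is an added example (not trix's own code) that answers that question over constructed sample objects. It assumes only `matchLabels` selectors (no `matchExpressions`), treats an omitted `policyTypes` as `["Ingress"]`, and uses the Kubernetes rule that an empty `podSelector` matches every pod in the namespace, which is what makes a "default deny" policy work. The `Pod` and `NetworkPolicy` types, the sample data, and the `Gaps` function are this example's own.

```go
package main

import (
	"fmt"
	"sort"
)

// Pod and NetworkPolicy hold only the fields this check reads. In a real
// scanner they would come from client-go; here they are constructed inline.
type Pod struct {
	Namespace, Name string
	Labels          map[string]string
}

type NetworkPolicy struct {
	Namespace, Name string
	MatchLabels     map[string]string // spec.podSelector.matchLabels; empty selects every pod in the namespace
	PolicyTypes     []string          // spec.policyTypes; empty is treated as ["Ingress"] (the API default when the policy has no egress rules)
}

// selects mirrors the API semantics: a policy applies only inside its own
// namespace, and an empty podSelector matches all pods there (which is how a
// "default deny" policy works). matchExpressions are not handled; a production
// check should use labels.Selector from k8s.io/apimachinery instead.
func selects(np NetworkPolicy, p Pod) bool {
	if np.Namespace != p.Namespace {
		return false
	}
	for k, v := range np.MatchLabels {
		if p.Labels[k] != v {
			return false
		}
	}
	return true
}

func policyTypes(np NetworkPolicy) []string {
	if len(np.PolicyTypes) == 0 {
		return []string{"Ingress"}
	}
	return np.PolicyTypes
}

// Gaps returns, keyed by "namespace/pod", the directions ("Ingress", "Egress")
// in which no NetworkPolicy selects the pod. Being selected is the necessary
// condition for any restriction to apply; this check does not evaluate the
// rules themselves, so a selected pod may still be allowed all traffic.
func Gaps(pods []Pod, policies []NetworkPolicy) map[string][]string {
	gaps := map[string][]string{}
	for _, p := range pods {
		covered := map[string]bool{}
		for _, np := range policies {
			if !selects(np, p) {
				continue
			}
			for _, t := range policyTypes(np) {
				covered[t] = true
			}
		}
		var missing []string
		for _, dir := range []string{"Ingress", "Egress"} {
			if !covered[dir] {
				missing = append(missing, dir)
			}
		}
		if len(missing) > 0 {
			gaps[p.Namespace+"/"+p.Name] = missing
		}
	}
	return gaps
}

// Constructed sample cluster state (not real scan data).
var samplePods = []Pod{
	{Namespace: "production", Name: "web", Labels: map[string]string{"app": "web"}},
	{Namespace: "production", Name: "db", Labels: map[string]string{"app": "db"}},
	{Namespace: "production", Name: "batch", Labels: map[string]string{"app": "batch"}},
	{Namespace: "staging", Name: "web", Labels: map[string]string{"app": "web"}},
}

var samplePolicies = []NetworkPolicy{
	{Namespace: "production", Name: "web-allow", MatchLabels: map[string]string{"app": "web"}, PolicyTypes: []string{"Ingress", "Egress"}},
	{Namespace: "production", Name: "db-ingress", MatchLabels: map[string]string{"app": "db"}}, // policyTypes omitted -> Ingress only
	{Namespace: "staging", Name: "default-deny", MatchLabels: map[string]string{}, PolicyTypes: []string{"Ingress", "Egress"}},
}

func main() {
	gaps := Gaps(samplePods, samplePolicies)
	keys := make([]string, 0, len(gaps))
	for k := range gaps {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s: no policy covers %v\n", k, gaps[k])
	}
}
```

On the sample data this reports `production/batch` as uncovered in both directions and `production/db` as uncovered for egress only, because the policy selecting it omits `policyTypes`. Egress gaps are the ones most often missed: a pod can be locked down for ingress and still reach out to anything, so a finding of "Ingress-only" coverage is worth a look.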
- Access to a Kubernetes cluster
- Trivy Operator installed in your cluster
Install Trivy Operator (if not already installed):

```bash
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update
helm install trivy-operator aqua/trivy-operator \
  --namespace trivy-system \
  --create-namespace
```

From source:

```bash
git clone https://github.com/davealtena/trix.git
cd trix
go build -o trix .
sudo mv trix /usr/local/bin/
```

Container image (the kubeconfig is mounted read-only):

```bash
docker run --rm -v ~/.kube:/home/nonroot/.kube:ro ghcr.io/davealtena/trix:latest status
```

Verify installation:

```bash
trix version
trix status   # Check Trivy Operator connection
```

Query findings:

```bash
# View all findings across namespaces
trix query findings -A

# Summary with severity breakdown
trix query summary -A

# Filter by namespace
trix query findings -n production

# JSON output for automation
trix query findings -A -o json
```

NetworkPolicy analysis:

```bash
trix query network -A
```

SBOM search:

```bash
# List all images and components
trix query sbom -A

# Search for specific packages (e.g., log4j)
trix query sbom -A --package log4j
```

Trigger rescans:

```bash
# Rescan vulnerabilities in a namespace
trix scan vulns -n default

# Rescan everything (-y skips the confirmation prompt)
trix scan all -A -y
```

Example summary output:

```
$ trix query summary -A
Security Findings Summary
=========================
Total Findings: 884

By Severity:
  CRITICAL: 12
  HIGH:     45
  MEDIUM:   234
  LOW:      593

By Type:
  vulnerability: 763
  compliance:    47
  rbac:          11

Top Affected Resources:
  kube-system/etcd-control-plane - 112 findings
  kube-system/kube-apiserver - 89 findings
```
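The summary above is derived from the VulnerabilityReport objects that Trivy Operator writes into the cluster. As an added example (not trix's own code), the Go program below consumes those objects directly, as saved by `kubectl get vulnerabilityreports -A -o json`, counts findings by severity and by owning workload, and exits non-zero when anything at or above a chosen severity is present, which is the gate a CI or release pipeline would want. The field and label names follow the `aquasecurity.github.io/v1alpha1` VulnerabilityReport schema; the embedded report list is constructed sample data with placeholder CVE IDs, and the `Gate` threshold and `Summary` type are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// Only the fields this example reads from a Trivy Operator VulnerabilityReport
// (apiVersion aquasecurity.github.io/v1alpha1); the real object carries more.
type VulnerabilityReport struct {
	Metadata struct {
		Namespace string            `json:"namespace"`
		Labels    map[string]string `json:"labels"`
	} `json:"metadata"`
	Report struct {
		Vulnerabilities []struct {
			VulnerabilityID string `json:"vulnerabilityID"`
			Severity        string `json:"severity"`
		} `json:"vulnerabilities"`
	} `json:"report"`
}

// ReportList is the shape of `kubectl get vulnerabilityreports -A -o json`.
type ReportList struct {
	Items []VulnerabilityReport `json:"items"`
}

type Summary struct {
	Total      int
	BySeverity map[string]int // CRITICAL/HIGH/MEDIUM/LOW/UNKNOWN -> count
	ByWorkload map[string]int // "namespace/Kind/name" -> count
}

// severityRank orders severities so that a threshold of HIGH also covers CRITICAL.
var severityRank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Summarize counts findings by severity and by workload. Trivy Operator writes
// one report per container and labels it with the owning workload, so the
// containers of one Deployment roll up into a single ByWorkload entry.
func Summarize(data []byte) (Summary, error) {
	var list ReportList
	if err := json.Unmarshal(data, &list); err != nil {
		return Summary{}, err
	}
	s := Summary{BySeverity: map[string]int{}, ByWorkload: map[string]int{}}
	for _, r := range list.Items {
		l := r.Metadata.Labels
		workload := fmt.Sprintf("%s/%s/%s", r.Metadata.Namespace,
			l["trivy-operator.resource.kind"], l["trivy-operator.resource.name"])
		for _, v := range r.Report.Vulnerabilities {
			s.Total++
			s.BySeverity[v.Severity]++
			s.ByWorkload[workload]++
		}
	}
	return s, nil
}

// Gate is true when no finding at or above minSeverity exists. An unknown
// threshold name fails closed rather than silently passing.
func Gate(s Summary, minSeverity string) bool {
	threshold, ok := severityRank[minSeverity]
	if !ok {
		return false
	}
	for sev, n := range s.BySeverity {
		if n > 0 && severityRank[sev] >= threshold {
			return false
		}
	}
	return true
}

// TopWorkloads lists workloads by finding count, highest first (name breaks ties).
func TopWorkloads(s Summary, n int) []string {
	keys := make([]string, 0, len(s.ByWorkload))
	for k := range s.ByWorkload {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool {
		ci, cj := s.ByWorkload[keys[i]], s.ByWorkload[keys[j]]
		return ci > cj || (ci == cj && keys[i] < keys[j])
	})
	if len(keys) > n {
		keys = keys[:n]
	}
	return keys
}

// sampleReports is constructed data in the CRD's shape; the CVE-0000-* IDs are placeholders.
const sampleReports = `{"items":[
{"metadata":{"namespace":"production","labels":{"trivy-operator.resource.kind":"Deployment","trivy-operator.resource.name":"api","trivy-operator.container.name":"api"}},
 "report":{"vulnerabilities":[{"vulnerabilityID":"CVE-0000-0001","severity":"CRITICAL"},{"vulnerabilityID":"CVE-0000-0002","severity":"HIGH"}]}},
{"metadata":{"namespace":"production","labels":{"trivy-operator.resource.kind":"Deployment","trivy-operator.resource.name":"api","trivy-operator.container.name":"sidecar"}},
 "report":{"vulnerabilities":[{"vulnerabilityID":"CVE-0000-0003","severity":"MEDIUM"}]}},
{"metadata":{"namespace":"staging","labels":{"trivy-operator.resource.kind":"StatefulSet","trivy-operator.resource.name":"db"}},
 "report":{"vulnerabilities":[{"vulnerabilityID":"CVE-0000-0004","severity":"LOW"}]}}]}`

func main() {
	data := []byte(sampleReports)
	if len(os.Args) > 1 { // a file saved from: kubectl get vulnerabilityreports -A -o json
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	s, err := Summarize(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("Total Findings: %d\n", s.Total)
	for _, sev := range []string{"CRITICAL", "HIGH", "MEDIUM", "LOW"} {
		fmt.Printf("  %-9s %d\n", sev+":", s.BySeverity[sev])
	}
	for _, w := range TopWorkloads(s, 5) {
		fmt.Printf("  %s - %d findings\n", w, s.ByWorkload[w])
	}
	if !Gate(s, "HIGH") {
		fmt.Println("FAIL: findings at or above HIGH present")
		os.Exit(1)
	}
}
```

Run it with no argument to see the sample, or `kubectl get vulnerabilityreports -A -o json > reports.json && go run summarize.go reports.json` against a cluster where Trivy Operator is installed. The gate fails closed on an unrecognised threshold name on purpose: a misspelt severity in a pipeline variable should break the build, not wave everything through.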
Use natural language to investigate your cluster's security posture. trix uses AI to query findings, analyze RBAC, and provide actionable remediation steps.
Bring Your Own Key (BYOK): You provide your own LLM API key. trix sends finding data straight to the provider you configure, with no intermediary service, so your data stays between you and your LLM provider.
```bash
# Option 1: Anthropic Claude
export ANTHROPIC_API_KEY=your-key-here

# Option 2: OpenAI GPT
export OPENAI_API_KEY=your-key-here

# Option 3: Mistral AI (EU-based)
export MISTRAL_API_KEY=your-key-here

# Option 4: Ollama (local, experimental)
export OLLAMA_HOST=http://localhost:11434
```

trix auto-detects which provider to use based on which of these environment variables is set.

```bash
# Single question
trix ask "What are the top 5 security risks in my cluster?"

# Interactive mode for follow-up questions
trix ask "What critical vulnerabilities do I have?" -i
```

Example session:

```
$ trix ask "What critical vulnerabilities are in my cluster?" -i
Investigating...
  → trix query summary -A
  → trix query findings --severity=CRITICAL
[tokens: 2477 in, 357 out | total: 5548 in, 507 out]

## Critical Security Issues Summary
Your cluster has 20 critical vulnerabilities across 8 workloads...

> How do I fix CVE-2024-45337?
Investigating...
  → trix finding detail CVE-2024-45337
[tokens: 3200 in, 450 out | total: 8748 in, 957 out]

## How to Patch CVE-2024-45337
Update the golang.org/x/crypto package to version 0.31.0 or later...
```

Commands in interactive mode:
- Type your question and press Enter
- `clear` - Reset conversation context
- `exit` or `quit` - Exit
| Provider | Status | Environment Variable |
|---|---|---|
| Anthropic (Claude) | Supported | ANTHROPIC_API_KEY |
| OpenAI (GPT-4) | Supported | OPENAI_API_KEY |
| Mistral AI | Supported | MISTRAL_API_KEY |
| Ollama (local) | Experimental | OLLAMA_HOST |
EU Data Sovereignty: Mistral AI is a French company with EU-based infrastructure. Use `--provider mistral` for EU data residency requirements.
Use `--provider` to explicitly select a provider:

```bash
trix ask "..." --provider anthropic
trix ask "..." --provider openai
trix ask "..." --provider mistral
trix ask "..." --provider ollama --model llama3.1:8b
```

Ollama support allows running trix with local LLMs for air-gapped environments. Note that local models have limited multi-step tool calling capability compared to hosted models.

```bash
# Start Ollama
ollama serve

# Pull a model
ollama pull llama3.1:8b

# Use with trix
export OLLAMA_HOST=http://localhost:11434
trix ask "What vulnerabilities are in my cluster?" --provider ollama

# Or specify model explicitly
trix ask "..." --provider ollama --model qwen2.5:14b --ollama-url http://localhost:11434
```

Recommended models for tool calling: llama3.1:8b, qwen2.5:14b, mistral
Run trix as a long-running service that continuously monitors your cluster and sends notifications when vulnerabilities are discovered or fixed.
`trix serve`:
- Polls Trivy Operator CRDs at configurable intervals
- Tracks vulnerability lifecycle (new/fixed) in PostgreSQL
- Sends Slack notifications grouped by workload
- Health endpoints for Kubernetes probes
See deploy/README.md for Kubernetes deployment with Kustomize.
| Variable | Description | Default |
|---|---|---|
| TRIX_DATABASE_URL | PostgreSQL connection string | required |
| TRIX_POLL_INTERVAL | How often to poll | 5m |
| TRIX_NAMESPACES | Namespaces to watch (comma-separated) | all |
| TRIX_NOTIFY_SLACK | Slack incoming webhook URL | - |
| TRIX_NOTIFY_WEBHOOK | Generic webhook URL | - |
| TRIX_NOTIFY_SEVERITY | Minimum severity to notify | CRITICAL |
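The core of server mode, as described above, is a diff between what the database remembered from the last poll and what the CRDs say now, filtered by `TRIX_NOTIFY_SEVERITY` and grouped by workload for the notification. The Go program below is an added example of that logic, not trix's own implementation: the `Finding` type, the workload+CVE key, and the two sample polls are this example's assumptions, and the Slack body uses the `{"text": ...}` form that Slack incoming webhooks accept. An unrecognised severity name falls back to the documented default of CRITICAL rather than alerting on everything.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Finding is one vulnerability on one workload. Keying on workload + CVE is
// this example's assumption, not trix's PostgreSQL schema.
type Finding struct {
	Workload string // namespace/Kind/name
	CVE      string
	Severity string
}

func (f Finding) key() string { return f.Workload + "|" + f.CVE }

var severityRank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Delta is what one poll cycle would notify about.
type Delta struct {
	New, Fixed []Finding
}

// Diff compares the previous poll (what the database remembers) with the
// current CRD contents: a finding absent from cur is fixed, one absent from
// prev is new. Findings below minSeverity are dropped, mirroring
// TRIX_NOTIFY_SEVERITY; an unrecognised name falls back to CRITICAL so a
// typo cannot turn into a flood of LOW alerts.
func Diff(prev, cur []Finding, minSeverity string) Delta {
	threshold, ok := severityRank[minSeverity]
	if !ok {
		threshold = severityRank["CRITICAL"]
	}
	index := func(fs []Finding) map[string]Finding {
		m := make(map[string]Finding, len(fs))
		for _, f := range fs {
			m[f.key()] = f
		}
		return m
	}
	prevIdx, curIdx := index(prev), index(cur)
	var d Delta
	for k, f := range curIdx {
		if _, seen := prevIdx[k]; !seen && severityRank[f.Severity] >= threshold {
			d.New = append(d.New, f)
		}
	}
	for k, f := range prevIdx {
		if _, still := curIdx[k]; !still && severityRank[f.Severity] >= threshold {
			d.Fixed = append(d.Fixed, f)
		}
	}
	byKey := func(fs []Finding) { sort.Slice(fs, func(i, j int) bool { return fs[i].key() < fs[j].key() }) }
	byKey(d.New)
	byKey(d.Fixed)
	return d
}

// Message renders the delta grouped by workload, one line per finding.
func Message(d Delta) string {
	groups := map[string][]string{}
	for _, f := range d.New {
		groups[f.Workload] = append(groups[f.Workload], "NEW "+f.Severity+" "+f.CVE)
	}
	for _, f := range d.Fixed {
		groups[f.Workload] = append(groups[f.Workload], "FIXED "+f.Severity+" "+f.CVE)
	}
	workloads := make([]string, 0, len(groups))
	for w := range groups {
		workloads = append(workloads, w)
	}
	sort.Strings(workloads)
	var b strings.Builder
	for _, w := range workloads {
		fmt.Fprintf(&b, "*%s*\n", w)
		for _, line := range groups[w] {
			fmt.Fprintf(&b, "  %s\n", line)
		}
	}
	return b.String()
}

// SlackPayload wraps the message in the {"text": ...} body that Slack incoming
// webhooks accept. An empty delta yields nil so the caller sends nothing.
func SlackPayload(d Delta) ([]byte, error) {
	if len(d.New) == 0 && len(d.Fixed) == 0 {
		return nil, nil
	}
	return json.Marshal(map[string]string{"text": Message(d)})
}

// Constructed sample polls; the CVE-0000-* IDs are placeholders.
var (
	api, web, worker = "production/Deployment/api", "production/Deployment/web", "staging/Deployment/worker"
	prevPoll         = []Finding{{api, "CVE-0000-0001", "CRITICAL"}, {api, "CVE-0000-0002", "LOW"}, {web, "CVE-0000-0003", "HIGH"}}
	curPoll          = []Finding{{api, "CVE-0000-0002", "LOW"}, {web, "CVE-0000-0003", "HIGH"}, {web, "CVE-0000-0004", "CRITICAL"}, {worker, "CVE-0000-0005", "MEDIUM"}}
)

func main() {
	payload, _ := SlackPayload(Diff(prevPoll, curPoll, "HIGH"))
	fmt.Println(string(payload))
}
```

With the sample polls and a HIGH threshold the delta is one new CRITICAL on `production/Deployment/web` and one fixed CRITICAL on `production/Deployment/api`; the LOW finding that persists and the MEDIUM one that appears are not reported. Keying on workload plus CVE (rather than on the per-container report) is what stops a Deployment with several containers from generating duplicate alerts for the same package.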
- Helm Chart - Easy deployment and configuration
- More Security Tools - Kubescape, Kyverno, Falco integrations
- More Notifications - Teams, PagerDuty integrations
Contributions are welcome! See CONTRIBUTING.md for development setup and guidelines.
- Open an issue for bugs or feature requests
- Start a discussion for questions or ideas
Distributed under the Apache 2.0 License. See LICENSE for more information.