
CVE-Aware Scoring

How Trivy vulnerability scan results integrate into the attack graph edge weights.

Overview

K8sAttackMap integrates Trivy to scan every unique container image found in the cluster, then feeds vulnerability data directly into the edge risk weights used by Dijkstra path finding.

A pod running an image with a critical, remotely exploitable CVE gets a lower-friction traversal score — meaning the attack graph treats it as an easier target, reflecting real attacker economics.

Scanning Process

  1. K8sJsonParser extracts all unique container image references from the cluster JSON
  2. TrivyScanner runs trivy image --format json <image> for each unique image
  3. TrivyJsonParser parses the JSON output, extracting CVE IDs, severity, and CVSS scores
  4. TrivyCache stores results in memory so that an image shared by several pods is scanned only once per run

  # K8sAttackMap internally runs something equivalent to:
  trivy image --format json nginx:1.25.3

Caching

Trivy scan results are cached per image reference within a single K8sAttackMap run. If the same image appears in multiple pods, it is scanned only once. This significantly reduces analysis time in clusters with many pods sharing common base images.

How CVE Scores Affect Edge Weights

The EdgeRiskScorer applies CVE data as friction reductions:

  CVE severity              Friction reduction   Rationale
  CRITICAL (CVSS ≥ 9.0)     −1.5                 Severe vulnerability → very easy to exploit
  HIGH     (CVSS 7.0–8.9)   −0.8                 Significant vulnerability → meaningfully easier
  MEDIUM   (CVSS 4.0–6.9)   −0.2                 Minor friction reduction
  LOW      (CVSS < 4.0)     −0.05                Negligible effect

These deductions stack: a pod with multiple critical CVEs accumulates a lower friction, making it an even more attractive attack path entry point. Because Dijkstra's algorithm assumes non-negative edge weights, the accumulated deduction has to be bounded so that no edge's friction drops below zero.
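How a stack of CVE deductions changes which path Dijkstra prefers, as an added Python example (this is not K8sAttackMap's EdgeRiskScorer or its Java code). The per-severity deductions are the table's; the base friction of 2.0, the node names, the CVSS lists, the clamp at zero, and the rule that a pod's deductions apply to every edge leading into that pod are this example's own assumptions, not documented behaviour of the project.

```python
import heapq

# Friction reduction per CVE, keyed by severity band (values from the table above).
FRICTION_REDUCTION = {"CRITICAL": 1.5, "HIGH": 0.8, "MEDIUM": 0.2, "LOW": 0.05}
# Assumption of this example: Dijkstra needs w >= 0, so stacked deductions are clamped here.
MIN_FRICTION = 0.0


def severity_from_cvss(score: float) -> str:
    """Map a CVSS score onto the severity bands used in the table."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def cve_deduction(cvss_scores: list) -> float:
    """Total deduction for a pod: deductions stack across all of its CVEs."""
    return sum(FRICTION_REDUCTION[severity_from_cvss(s)] for s in cvss_scores)


def edge_weight(base_friction: float, target_cvss: list) -> float:
    """Friction of an edge into a pod after CVE deductions, never below MIN_FRICTION."""
    return max(MIN_FRICTION, base_friction - cve_deduction(target_cvss))


def build_graph(edges: list, pod_cvss: dict) -> dict:
    """edges: (src, dst, base_friction); pod_cvss: node -> CVSS scores of its image.
    Returns an adjacency list with the CVE-adjusted weight on each edge."""
    graph = {}
    for src, dst, base in edges:
        graph.setdefault(src, []).append((dst, edge_weight(base, pod_cvss.get(dst, []))))
        graph.setdefault(dst, [])
    return graph


def dijkstra(graph: dict, start: str, goal: str) -> tuple:
    """Lowest-friction path from start to goal as (cost, path); (inf, []) if unreachable."""
    dist, prev, pq = {start: 0.0}, {}, [(0.0, start)]
    while pq:
        d, u = heapq.heappop(pq)
        if u == goal:
            break
        if d > dist.get(u, float("inf")):
            continue  # stale queue entry
        for v, w in graph[u]:
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(pq, (nd, v))
    if goal not in dist:
        return float("inf"), []
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return dist[goal], path[::-1]


# Constructed sample: two equal-friction routes from an ingress to a secret; only
# the CVE load on the intermediate pods differs.
EDGES = [
    ("ingress", "pod-a", 2.0), ("pod-a", "secret", 2.0),
    ("ingress", "pod-b", 2.0), ("pod-b", "secret", 2.0),
]
POD_CVSS = {
    "pod-a": [9.8, 7.5],   # one critical + one high = -2.3, more than the base 2.0, so clamped to 0.0
    "pod-b": [3.1],        # one low = -0.05
}


def lowest_friction_path(edges=EDGES, pod_cvss=POD_CVSS) -> tuple:
    return dijkstra(build_graph(edges, pod_cvss), "ingress", "secret")


if __name__ == "__main__":
    cost, path = lowest_friction_path()
    print(f"cost={cost:.2f} path={' -> '.join(path)}")
```

Without the clamp, the ingress→pod-a edge would carry a weight of −0.3 and Dijkstra's distance bookkeeping would no longer be sound; with it, the critical-CVE pod still wins the comparison (cost 2.0 via pod-a against 3.95 via pod-b) while every weight stays non-negative.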

Score Sources

K8sAttackMap's TrivyJsonParser supports multiple CVSS score sources in priority order:

  1. NVD — National Vulnerability Database CVSS v3 / v2 scores
  2. GHSA — GitHub Security Advisory scores
  3. Red Hat — Vendor-specific scores for RHEL-family images
  4. Bitnami — Bitnami-specific container image advisories
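The scanning pipeline described under Scanning Process and Caching, together with the score-source priority listed just above, as one added Python example (the project itself is Java; this is not K8sAttackMap's code). The function names, the Finding and ScanResult records, the cluster dump and the Trivy output are constructed for this example and the CVE identifiers in it are placeholders; the Trivy JSON field names it reads (Results, Vulnerabilities, VulnerabilityID, Severity, and the nvd/ghsa/redhat/bitnami keys of the CVSS object) follow Trivy's real JSON output format.

```python
import json
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Optional

# Score sources in the priority order listed above (NVD, GHSA, Red Hat, Bitnami),
# spelled as the keys Trivy uses inside a vulnerability's "CVSS" object.
SCORE_SOURCES = ("nvd", "ghsa", "redhat", "bitnami")


@dataclass
class Finding:
    cve_id: str
    severity: str
    score: Optional[float]   # CVSS score, or None when no listed source scored it
    source: Optional[str]    # which source the score was taken from


@dataclass
class ScanResult:
    image: str
    findings: list = field(default_factory=list)


def unique_images(cluster_json: dict) -> list:
    """Distinct image refs from a PodList dump (kubectl get pods -A -o json), first-seen order."""
    seen, out = set(), []
    for pod in cluster_json.get("items", []):
        spec = pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            ref = c.get("image")
            if ref and ref not in seen:
                seen.add(ref)
                out.append(ref)
    return out


def pick_score(cvss: dict) -> tuple:
    """(score, source) from the first source in SCORE_SOURCES with a V3 (else V2) score."""
    for src in SCORE_SOURCES:
        entry = cvss.get(src) or {}
        for key in ("V3Score", "V2Score"):
            if entry.get(key) is not None:
                return float(entry[key]), src
    return None, None


def parse_trivy_json(image: str, trivy_output: str) -> ScanResult:
    """Parse `trivy image --format json` output into one Finding per reported CVE."""
    doc = json.loads(trivy_output)
    result = ScanResult(image)
    for target in doc.get("Results", []):
        # a clean target has "Vulnerabilities" missing or null
        for v in target.get("Vulnerabilities") or []:
            score, src = pick_score(v.get("CVSS") or {})
            result.findings.append(
                Finding(v["VulnerabilityID"], v.get("Severity", "UNKNOWN"), score, src))
    return result


class TrivyCache:
    """Per-run in-memory cache keyed by image reference: each image is scanned at most once."""

    def __init__(self, runner: Callable[[str], str]):
        self._runner = runner      # image ref -> raw Trivy JSON text
        self._results: dict = {}
        self.scans = 0             # how often the runner was actually invoked

    def scan(self, image: str) -> ScanResult:
        if image not in self._results:
            self.scans += 1
            self._results[image] = parse_trivy_json(image, self._runner(image))
        return self._results[image]


def run_trivy(image: str) -> str:
    """Real runner: invokes the Trivy CLI (needs trivy on PATH and a vulnerability DB)."""
    proc = subprocess.run(["trivy", "image", "--format", "json", image],
                          check=True, capture_output=True, text=True)
    return proc.stdout


# Constructed sample data: three pods sharing two images, plus an init container.
SAMPLE_CLUSTER = {"items": [
    {"spec": {"containers": [{"image": "nginx:1.25.3"}]}},
    {"spec": {"containers": [{"image": "nginx:1.25.3"}, {"image": "redis:7.2"}]}},
    {"spec": {"containers": [{"image": "redis:7.2"}], "initContainers": [{"image": "busybox:1.36"}]}},
]}
# Constructed Trivy output per image; CVE-0000-* are placeholder identifiers, not real CVEs.
SAMPLE_TRIVY = {
    "nginx:1.25.3": json.dumps({"Results": [{"Target": "nginx:1.25.3", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL",
         "CVSS": {"ghsa": {"V3Score": 8.1}, "nvd": {"V3Score": 9.8}}},   # NVD outranks GHSA
        {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH",
         "CVSS": {"redhat": {"V3Score": 7.5}}},                          # only Red Hat scored it
        {"VulnerabilityID": "CVE-0000-0003", "Severity": "LOW", "CVSS": {}},  # no score at all
    ]}]}),
    "redis:7.2": json.dumps({"Results": [{"Target": "redis:7.2", "Vulnerabilities": None}]}),
    "busybox:1.36": json.dumps({"Results": []}),
}


def scan_cluster(cluster_json=SAMPLE_CLUSTER, runner=SAMPLE_TRIVY.__getitem__) -> tuple:
    """Scan each unique image once; returns (results by image, number of scans actually run)."""
    cache = TrivyCache(runner)
    results = {img: cache.scan(img) for img in unique_images(cluster_json)}
    for pod in cluster_json["items"]:                  # per-pod lookups hit the cache
        for c in pod["spec"].get("containers", []):
            cache.scan(c["image"])
    return results, cache.scans


if __name__ == "__main__":
    results, n = scan_cluster()
    print(f"{n} scans for {len(results)} unique images")
    for img, r in results.items():
        for f in r.findings:
            print(img, f.cve_id, f.severity, f.score, f.source)
```

Swap `runner=run_trivy` into `scan_cluster` to drive the real CLI; the cache then ensures that a base image shared by a hundred pods costs one Trivy invocation per run, which is the saving the Caching section describes.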

PDF Report: CVE Summary

The PDF audit report includes a Pod CVE Summary table sorted by CVE count, showing:

  • Pod name and namespace
  • Container image
  • Total CVE count
  • Breakdown by severity (Critical / High / Medium / Low)

Implementation Details

  • security/TrivyScanner.java — invokes the Trivy CLI and collects results
  • security/trivy/TrivyJsonParser.java — parses Trivy JSON output into ScanResult objects
  • security/trivy/TrivyCache.java — in-memory cache keyed by image reference
  • security/EdgeRiskScorer.java — applies CVE scores as friction deductions

Trivy Version Compatibility

K8sAttackMap requires Trivy ≥ 0.70.0. The JSON output schema changed in 0.70.0 in ways that affect CVE field availability. Older versions may produce incomplete or missing CVE data.
