The Vulnerabilities section shows CVEs matched against your cloud resources. InfraAudit uses Trivy for scanning and enriches each finding with metadata from the NVD database, including CVSS scores, descriptions, and fix information.

How vulnerability scanning works

The scanner runs as a scheduled job (daily at 02:00 UTC by default):

1. Identify scannable artifacts
   For each active resource, InfraAudit identifies artifacts it can scan — primarily container images for Kubernetes workloads and EC2 instances with known AMIs.

2. Trivy scans for CVEs
   Trivy scans the artifacts for known CVEs across OS packages, language runtime dependencies (Go, Python, Node.js, etc.), and application libraries.

3. NVD enrichment
   Findings are matched against the NVD feed to pull in CVSS scores, descriptions, and fix versions.

4. Findings stored and alerted
   New findings are stored with a status of open. If alert rules are configured, they trigger notifications.

Vulnerability list

In the sidebar, click Vulnerabilities. The table shows:

Column              Description
CVE ID              The CVE identifier (e.g. CVE-2024-12345)
Severity            CVSS severity: critical, high, medium, or low
Affected resource   The resource containing the vulnerable artifact
Package             The affected package and version
Fix version         The version that resolves the CVE, if one exists
Status              open, fixed, or ignored
Detected            Timestamp of first detection

Filtering and triage

Use the filter bar to narrow by severity, resource type, provider, status, or CVE ID. For triage, start with the Critical severity filter — these represent the highest-risk findings and often have known exploits.
Use the Fix version: available filter to focus on CVEs you can remediate right now by upgrading a package.
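The pipeline above (steps 1 to 3) and the triage filters can be seen end to end on a single scan result. The following is an added example, not InfraAudit's own code: it takes a Trivy JSON report (constructed sample data, with placeholder CVE IDs of the form CVE-0000-000N), normalises each entry into the columns the vulnerability table shows, reads the CVSS score and vector from Trivy's embedded NVD block, and applies the two triage filters described above (Critical severity, and fix version available). The `Finding` dataclass and the `triage` function are illustrative names, not InfraAudit APIs.

```python
"""Added example: normalise a Trivy JSON report into findings and apply
the page's triage filters. Not InfraAudit's code; data below is constructed."""
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of a Trivy JSON report. Package versions,
# scores and CVE IDs (CVE-0000-000N) are placeholders, not real advisories.
TRIVY_REPORT = json.dumps({
    "ArtifactName": "registry.example/api:1.4.2",
    "Results": [
        {
            "Target": "registry.example/api:1.4.2 (debian 12.5)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1",
                 "Severity": "CRITICAL",
                 "CVSS": {"nvd": {"V3Score": 9.8,
                                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
                 "References": ["https://nvd.nist.gov/vuln/detail/CVE-0000-0001"]},
                # No FixedVersion: nothing to upgrade to yet.
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib1g",
                 "InstalledVersion": "1.2.13-1", "Severity": "MEDIUM",
                 "CVSS": {"nvd": {"V3Score": 5.5}}},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs", "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests",
                 "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0",
                 "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.5}}},
            ],
        },
    ],
})


@dataclass
class Finding:
    """One row of the vulnerability table (illustrative structure)."""
    cve_id: str
    severity: str                  # critical / high / medium / low
    resource: str                  # artifact containing the vulnerable package
    package: str                   # "name installed-version"
    fix_version: Optional[str]     # None when no fixed release exists
    cvss_score: Optional[float] = None
    cvss_vector: Optional[str] = None
    references: list = field(default_factory=list)
    status: str = "open"           # new findings start as open


def parse_trivy_report(report_json: str) -> list[Finding]:
    """Flatten every Results[].Vulnerabilities[] entry into a Finding."""
    report = json.loads(report_json)
    resource = report["ArtifactName"]
    findings = []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for clean targets.
        for v in result.get("Vulnerabilities") or []:
            nvd = v.get("CVSS", {}).get("nvd", {})   # NVD-sourced CVSS block
            findings.append(Finding(
                cve_id=v["VulnerabilityID"],
                severity=v.get("Severity", "UNKNOWN").lower(),
                resource=resource,
                package=f'{v["PkgName"]} {v["InstalledVersion"]}',
                fix_version=v.get("FixedVersion") or None,
                cvss_score=nvd.get("V3Score"),
                cvss_vector=nvd.get("V3Vector"),
                references=list(v.get("References", [])),
            ))
    return findings


def triage(findings, severities=("critical",), fix_available_only=False):
    """Filter-bar logic: keep the chosen severities, optionally only those
    with a fix version, highest CVSS score first."""
    out = [f for f in findings if f.severity in severities]
    if fix_available_only:
        out = [f for f in out if f.fix_version]
    return sorted(out, key=lambda f: -(f.cvss_score or 0.0))


if __name__ == "__main__":
    all_findings = parse_trivy_report(TRIVY_REPORT)
    for f in triage(all_findings, ("critical", "high"), fix_available_only=True):
        print(f.cve_id, f.severity, f.package, "->", f.fix_version, f.cvss_score)
```

Run it directly to list the critical and high findings that already have a fix, which is the same view as combining the Critical/High severity filter with Fix version: available in the UI.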

Vulnerability detail

Click any CVE row to open the detail panel:
  • CVE description — pulled from NVD
  • CVSS score and vector — the full scoring breakdown
  • Affected packages — all packages and versions where this CVE appears
  • Fix version — the patched version, if available
  • References — links to the NVD advisory, vendor bulletins, and patch notes

Managing findings

Mark as fixed

When you’ve patched the package and re-deployed, run a new scan. InfraAudit re-scans the artifact and moves the finding to fixed if the vulnerable version is no longer present:
infraudit vuln scan

Ignore a finding

Some CVEs are not exploitable in your specific environment. You can mark them as ignored from the detail panel or via the CLI. Ignored findings are hidden from the default list view but remain in the database for audit purposes:
infraudit vulnerability update <vuln-id> \
  --status ignored \
  --reason "not reachable from public network"

Triggering a manual scan

From the UI, click Run scan on the Vulnerabilities page. From the CLI:
# Scan all providers
infraudit vuln scan

# Scan a specific provider
infraudit vuln scan --provider <provider-id>

# Scan a specific resource
infraudit vuln scan --resource <resource-id>

Alert configuration

Configure vulnerability alert thresholds under Settings → Notifications. A common configuration: alert on critical and high findings only, to avoid alert fatigue from low-severity noise.
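The status transitions under Managing findings (open to fixed after a clean re-scan, ignored kept in the database but hidden from the default view) and the critical/high alert threshold just described can be modelled together. The following is an added example and not InfraAudit's implementation; it assumes a finding is keyed by (CVE ID, resource, package name) and that a finding previously marked fixed reopens if the vulnerable package reappears in a later scan. Both assumptions are illustrative, as are the function names.

```python
"""Added example: reconcile stored findings against a new scan and apply an
alert threshold. Illustrative model, not InfraAudit's code."""
from dataclasses import dataclass

# Assumption: a finding is identified by CVE + resource + package name.
Key = tuple[str, str, str]

# Constructed sample findings (placeholder CVE IDs).
K1: Key = ("CVE-0000-0001", "api-deployment", "libssl3")
K2: Key = ("CVE-0000-0002", "api-deployment", "zlib1g")
K3: Key = ("CVE-0000-0003", "api-deployment", "requests")
SEVERITIES = {K1: "critical", K2: "medium", K3: "high"}

ALERT_SEVERITIES = {"critical", "high"}   # the threshold suggested above


@dataclass
class StoredFinding:
    key: Key
    severity: str
    status: str        # open, fixed, or ignored
    detected: str      # timestamp of first detection
    reason: str = ""   # free-text reason recorded with an ignore


def reconcile(store: dict, scan_keys: set, severities: dict, now: str) -> list:
    """Apply one scan's results to the store; return the newly created findings
    (the only ones that should trigger alerts)."""
    new = []
    for key in scan_keys:
        if key in store:
            f = store[key]
            if f.status == "fixed":
                f.status = "open"   # assumption: a regression reopens the finding
            # open stays open; ignored stays ignored (a deliberate decision)
        else:
            f = StoredFinding(key, severities[key], "open", now)
            store[key] = f
            new.append(f)
    for key, f in store.items():
        if key not in scan_keys and f.status == "open":
            f.status = "fixed"      # vulnerable version no longer present
    return new


def ignore(store: dict, key: Key, reason: str) -> None:
    """Equivalent of `--status ignored --reason ...`; the row is kept for audit."""
    store[key].status = "ignored"
    store[key].reason = reason


def default_view(store: dict) -> list:
    """The default list hides ignored findings but they remain in the store."""
    return [f for f in store.values() if f.status != "ignored"]


def should_alert(f: StoredFinding) -> bool:
    """Alert on open findings at or above the configured severity threshold."""
    return f.status == "open" and f.severity in ALERT_SEVERITIES


if __name__ == "__main__":
    store = {}
    first = reconcile(store, {K1, K2, K3}, SEVERITIES, "2024-01-01T02:00:00Z")
    print("alerts:", [f.key[0] for f in first if should_alert(f)])
    ignore(store, K2, "not reachable from public network")
    reconcile(store, {K2, K3}, SEVERITIES, "2024-01-02T02:00:00Z")  # libssl3 patched
    for f in default_view(store):
        print(f.key[0], f.status)
```

With the critical/high threshold, the medium finding never alerts, the first scan produces two notifications, and after the ignore and the clean re-scan the default view shows only the fixed libssl3 entry and the still-open requests entry while the ignored zlib1g row stays in the store.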

Recommendations for vulnerabilities

For each critical or high vulnerability with a known fix, InfraAudit generates a recommendation that includes:
  • The affected resource and package
  • The fix version and upgrade command
  • Estimated effort and priority score
See Recommendations.

Next steps