Add Trivy Vulnerability Scanning setting document

sangeetgupta · sangeetgupta · commit dab1ebb7a007 · 2024-11-15T14:07:24.000Z
diff --git a/articles/operator-nexus/TOC.yml b/articles/operator-nexus/TOC.yml
@@ -273,6 +273,8 @@
           href: howto-use-mde-runtime-protection.md
         - name: Configure Network Access Control Lists for SSH Access on Management VPN
           href: howto-configure-acls-for-ssh-management-on-access-vpn.md
+        - name: Enable/Disable Trivy Vulnerability Scanning
+          href: howto-enable-disable-vulnerability-scanning.md
         - name: Service Principal Best Practices
           href: howto-service-principal.md
           expanded: false
diff --git a/articles/operator-nexus/howto-enable-disable-vulnerability-scanning.md b/articles/operator-nexus/howto-enable-disable-vulnerability-scanning.md
@@ -0,0 +1,64 @@
+---
+title: Enable/Disable Trivy Vulnerability Scanning in Azure Operator Nexus
+description: Get instructions on enabling/disabling the Trivy Vulnerability Scanning setting.
+ms.service: azure-operator-nexus
+ms.custom: template-how-to, devx-track-azurecli
+ms.topic: how-to
+ms.date: 11/14/2024
+author: sangeetgupta
+ms.author: sangeetgupta
+---
+
+# Enable/Disable Trivy Vulnerability Scanning in Azure Operator Nexus Cluster
+
+This guide provides you with instructions on how to enable or disable Trivy Vulnerability Scanning in an Azure Operator Nexus cluster.
+
+## Before you begin
+
+- Install the latest version of the [appropriate CLI extensions](./howto-install-cli-extensions.md).
+
+## Setting variables
+
+To help with configuring Trivy Vulnerability Scanning, define these environment variables used by the various commands throughout this guide.
+
+> [!NOTE]
+> These environment variable values do not reflect a real deployment and users MUST change them to match their environments.
+
+```bash
+# SUBSCRIPTION_ID: Subscription of your cluster
+export SUBSCRIPTION_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+# RESOURCE_GROUP: Resource group of your cluster
+export RESOURCE_GROUP="contoso-cluster-rg"
+# MANAGED_RESOURCE_GROUP: Managed resource group managed by your cluster
+export MANAGED_RESOURCE_GROUP="contoso-cluster-managed-rg"
+# CLUSTER_NAME: Name of your cluster
+export CLUSTER_NAME="contoso-cluster"
+```
+
+## Defaults for Trivy Vulnerability Scanning
+The Trivy Vulnerability Scanning is `Enabled` by default.
+
+## Configuring Trivy Vulnerability Scanning
+The `az networkcloud cluster update` command allows you to update of the settings of Trivy Vulnerability Scanning by using the argument `--vulnerability-scanning-settings container-scan="<setting>"`.
+
+The following command configures the `setting` for your Cluster.
+
+```bash
+az networkcloud cluster update \
+--subscription ${SUBSCRIPTION_ID} \
+--resource-group ${RESOURCE_GROUP} \
+--cluster-name ${CLUSTER_NAME} \
+--vulnerability-scanning-settings container-scan="<setting>"
+```
+
+Allowed values for `<setting>`: `Disabled`, `Enabled`.
+- `Disabled`: Trivy Vulnerability Scanning is turned off on the Cluster and no scans are performed.
+- `Enabled`: Trivy Vulnerability Scanning is enabled on the Cluster and scans are performed.
+
+You can confirm that setting was updated by inspecting the output for the following JSON snippet from the Cluster resource view:
+
+```json
+  "vulnerabilityScanningSettings": {
+      "containerScan": "<setting>"
+  }
+```
