feat: add NodeVulnerabilityReport for node rootfs vulnerability scanning#2898

Open
Jabejixo wants to merge 2 commits intoaquasecurity:mainfrom
Jabejixo:feat/add-node-vulnerability-report

Conversation


@Jabejixo Jabejixo commented Feb 25, 2026

Description

This PR adds support for scanning node root filesystems using Trivy to detect OS package vulnerabilities on Kubernetes nodes.

Key Features

  • New CRD: NodeVulnerabilityReport (cluster-scoped) to store scan results per node
  • Automatic scanning: Watches all nodes and creates scan jobs automatically
  • TTL-based cleanup: Reports are automatically deleted and re-scanned based on scannerReportTTL
  • Manual rescan: Trigger a rescan by changing the trivy-operator.aquasecurity.github.io/node-rootfs-scan annotation on a node
  • Node filtering: Optional nodeSelector to scan only specific nodes
  • Severity filtering: Configurable severity levels to reduce report size (etcd 3MB limit)
  • Metrics: Exposes trivy_node_vulnerabilities Prometheus metrics
  • Configurable security context: Uses existing scanJob.podTemplateContainerSecurityContext

Configuration Options

| Environment Variable | Default | Description |
|---|---|---|
| OPERATOR_NODE_SCANNING_ENABLED | false | Enable node rootfs scanning |
| OPERATOR_NODE_SCANNING_SCANNERS | vuln | Scanners to use |
| OPERATOR_NODE_SCANNING_PKG_TYPES | os | Package types to scan |
| OPERATOR_NODE_SCANNING_SKIP_DIRS | /proc,/sys,/dev,... | Directories to skip |
| OPERATOR_NODE_SCANNING_SEVERITIES | CRITICAL,HIGH | Severity filter |
| OPERATOR_NODE_SCANNING_HIDE_UNFIXED_CVES | false | Hide CVEs without fixes |
| OPERATOR_NODE_SCANNING_NODE_SELECTOR | (empty) | JSON node selector |
| OPERATOR_CONCURRENT_NODE_SCANNING_LIMIT | 1 | Max concurrent scan jobs |

Example NodeVulnerabilityReport

apiVersion: aquasecurity.github.io/v1alpha1
kind: NodeVulnerabilityReport
metadata:
  annotations:
    trivy-operator.aquasecurity.github.io/report-ttl: 24h0m0s
  creationTimestamp: "2026-02-18T10:55:52Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: trivy-operator
    node-rootfs.scanner: Trivy
    resource-spec-hash: bffc6f866
    trivy-operator.resource.kind: Node
    trivy-operator.resource.name: test-static-system-4d2284cf-xwk75-47wxt
  name: node-test-static-system-4d2284cf-xwk75-47wxt
  ownerReferences:
  - apiVersion: v1
    kind: Node
    name: test-static-system-4d2284cf-xwk75-47wxt
    uid: 9b314bb3-6c4c-4220-b278-c165795efa44
  resourceVersion: "131147182"
  uid: 9ed1db7e-49db-432d-9d31-19580fed62de
report:
  artifact:
    kind: node-rootfs
    nodeName: test-static-system-4d2284cf-xwk75-47wxt
    rootPath: /hostfs
  os:
    family: ubuntu
    name: "22.04"
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.67.2
  summary:
    criticalCount: 0
    highCount: 185
    lowCount: 0
    mediumCount: 0
    noneCount: 0
    unknownCount: 0
  updateTimestamp: "2026-02-18T10:55:52Z"
  vulnerabilities:
  - class: os-pkgs
    description: In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments
      of an index variable where one is intended, leading to an out-of-bounds write
      for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)
    fixedVersion: 2.2.27-3ubuntu2.5
    installedVersion: 2.2.27-3ubuntu2.1
    lastModifiedDate: "2026-01-14T19:16:46.857Z"
    links:
    - http://www.openwall.com/lists/oss-security/2025/12/29/11
    - https://access.redhat.com/errata/RHSA-2026:0719
    - https://access.redhat.com/security/cve/CVE-2025-68973
    - https://bugzilla.redhat.com/2425966
    - https://bugzilla.redhat.com/show_bug.cgi?id=2425966
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68973
    - https://dev.gnupg.org/T7906
    - https://dev.gnupg.org/T8001
    - https://errata.almalinux.org/9/ALSA-2026-0719.html
    - https://errata.rockylinux.org/RLSA-2026:0719
    - https://github.com/gpg/gnupg/blob/ff30683418695f5d2cc9e6cf8c9418e09378ebe4/g10/armor.c#L1305-L1306
    - https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9
    - https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9
      (gnupg-2.5.14)
    - https://github.com/gpg/gnupg/commit/1e929abd20fa2e4be3797a137caca63a971d5372
      (gnupg-2.2.51)
    - https://github.com/gpg/gnupg/commit/4ecc5122f20e10c17172ed72f4fa46c784b5fb48
      (gnupg-2.4.9)
    - https://github.com/gpg/gnupg/compare/gnupg-2.2.50...gnupg-2.2.51
    - https://gpg.fail/memcpy
    - https://linux.oracle.com/cve/CVE-2025-68973.html
    - https://linux.oracle.com/errata/ELSA-2026-0728.html
    - https://lists.debian.org/debian-lts-announce/2026/01/msg00008.html
    - https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i
    - https://news.ycombinator.com/item?id=46403200
    - https://nvd.nist.gov/vuln/detail/CVE-2025-68973
    - https://ubuntu.com/security/notices/USN-7946-1
    - https://ubuntu.com/security/notices/USN-7946-2
    - https://www.cve.org/CVERecord?id=CVE-2025-68973
    - https://www.openwall.com/lists/oss-security/2025/12/28/5
    packageType: ubuntu
    primaryLink: https://avd.aquasec.com/nvd/cve-2025-68973
    publishedDate: "2025-12-28T17:16:01.5Z"
    resource: dirmngr
    score: 7
    severity: HIGH
    target: test-static-system-4d2284cf-xwk75-47wxt (ubuntu 22.04)
    title: 'GnuPG: GnuPG: Information disclosure and potential arbitrary code execution
      via out-of-bounds write'
    vulnerabilityID: CVE-2025-68973

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options).
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
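Added example, not code from the PR or from the trivy-operator code base: a Go sketch of two behaviours the description lists, the severity and hide-unfixed filter that rebuilds the report.summary counters, and the scannerReportTTL expiry check driven by the report-ttl annotation and updateTimestamp. The Vulnerability type and both function names are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"strings"
	"time"
)

// Vulnerability stands in (an assumption, not the operator's type) for one report.vulnerabilities entry.
type Vulnerability struct {
	VulnerabilityID, Severity string
	FixedVersion              string // empty when no fix is available
}

// FilterVulnerabilities applies OPERATOR_NODE_SCANNING_SEVERITIES ("CRITICAL,HIGH";
// empty keeps all) and OPERATOR_NODE_SCANNING_HIDE_UNFIXED_CVES, then rebuilds the
// report.summary counters (criticalCount, highCount, ..., unknownCount) over the rest.
func FilterVulnerabilities(vulns []Vulnerability, severities string, hideUnfixed bool) ([]Vulnerability, map[string]int) {
	allowed := map[string]bool{}
	for _, s := range strings.Split(severities, ",") {
		if s = strings.ToUpper(strings.TrimSpace(s)); s != "" {
			allowed[s] = true
		}
	}
	kept, summary := []Vulnerability{}, map[string]int{}
	for _, v := range vulns {
		sev := strings.ToUpper(v.Severity)
		if (len(allowed) > 0 && !allowed[sev]) || (hideUnfixed && v.FixedVersion == "") {
			continue // dropped before it reaches the report, keeping the object small
		}
		switch sev {
		case "CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE":
		default:
			sev = "UNKNOWN"
		}
		kept = append(kept, v)
		summary[strings.ToLower(sev)+"Count"]++
	}
	return kept, summary
}

// ReportExpired is the scannerReportTTL check: report-ttl ("24h0m0s") is added to
// report.updateTimestamp; once that instant is past, the report is deleted and the node rescanned.
func ReportExpired(ttlAnnotation, updateTimestamp string, now time.Time) (bool, error) {
	ttl, err1 := time.ParseDuration(ttlAnnotation)
	updated, err2 := time.Parse(time.RFC3339, updateTimestamp)
	if err := errors.Join(err1, err2); err != nil {
		return false, err
	}
	return now.After(updated.Add(ttl)), nil
}
```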

CLAassistant commented Feb 25, 2026

CLA assistant check
All committers have signed the CLA.

@nabokihms

@simar7 @afdesk we would like to support the feature. Any chance you can take a look? Is our approach correct?

Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>

AlwxSin commented Mar 11, 2026

@simar7 @afdesk friendly ping

Development

Successfully merging this pull request may close these issues.

Scan for vulnerabilities on nodes