

Tetrate Vulnerability Scanner (TVS), currently featuring support for Istio, is a robust tool designed for detecting CVEs (Common Vulnerabilities and Exposures) in critical network-facing services like Istio and Envoy. Unlike general CVE scanning solutions that focus on container-level vulnerabilities, TVS excels in identifying specific vulnerabilities within Istio and Envoy. This is particularly important as these vulnerabilities, being network-facing, can often be more exploitable than those at the OS level.

TVS streamlines the process of staying informed about potential security threats, which traditionally required manual tracking of Istio Security Notices. By automating this task, TVS significantly reduces the workload on security and operations teams, ensuring that cloud environments are safeguarded and up-to-date.

How TVS Works

TVS operates by collecting digests of the installed Istio containers and sending them to Tetrate's APIs. These APIs then analyze the data to detect any CVEs present in those images. Tetrate ensures privacy by logging only the SHA digests without attaching any personal information, including IP addresses. The SHA is utilized solely to identify the image and its CVEs.
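To review which identifiers such a scan involves, the following added example (not TVS code and not from Tetrate) lists the SHA-256 digests of Istio images from pod status data in the shape returned by `kubectl get pods -A -o json`. The sample pod list, the image-name filter and the function name `istio_digests` are constructed assumptions; this page does not describe how TVS itself gathers digests.

```python
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
# Assumption: Istio images are recognised by repository name; extend for private mirrors.
ISTIO_IMAGE_RE = re.compile(r"(^|/)(proxyv2|pilot|install-cni|ztunnel)(:|@|$)")

# Constructed digests and pod list (shape of `kubectl get pods -A -o json`), not real data.
D_PILOT, D_PROXY, D_APP = ("sha256:" + c * 64 for c in "abc")

def _cs(name, image, image_id):
    return {"name": name, "image": image, "imageID": image_id}

SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "istio-system", "name": "istiod-0"},
     "status": {"containerStatuses": [
         _cs("discovery", "docker.io/istio/pilot:1.20.0", "docker.io/istio/pilot@" + D_PILOT)]}},
    {"metadata": {"namespace": "shop", "name": "cart-0"},
     "status": {
         "initContainerStatuses": [
             _cs("istio-init", "docker.io/istio/proxyv2:1.20.0", "docker.io/istio/proxyv2@" + D_PROXY)],
         "containerStatuses": [
             _cs("cart", "registry.example/shop/cart:2.1", "registry.example/shop/cart@" + D_APP),
             _cs("istio-proxy", "docker.io/istio/proxyv2:1.20.0", "docker.io/istio/proxyv2@" + D_PROXY)]}},
    # Pending pod: the runtime has not resolved a digest yet, so imageID is empty.
    {"metadata": {"namespace": "shop", "name": "pay-0"},
     "status": {"containerStatuses": [
         _cs("istio-proxy", "docker.io/istio/proxyv2:1.20.0", "")]}},
]}

def istio_digests(pod_list):
    """Map each Istio image digest to the 'namespace/pod:container' entries running it."""
    found = {}
    for pod in pod_list.get("items", []):
        meta, status = pod.get("metadata", {}), pod.get("status", {})
        where = f"{meta.get('namespace')}/{meta.get('name')}"
        statuses = status.get("initContainerStatuses", []) + status.get("containerStatuses", [])
        for cs in statuses:
            if not ISTIO_IMAGE_RE.search(cs.get("image", "")):
                continue  # application image: outside the Istio/Envoy scope
            match = DIGEST_RE.search(cs.get("imageID", ""))
            if match:  # skip containers without a resolved digest
                found.setdefault(match.group(0), set()).add(f"{where}:{cs['name']}")
    return found

if __name__ == "__main__":
    for digest, users in sorted(istio_digests(SAMPLE_PODS).items()):
        print(digest, sorted(users))
```

Keeping the digest-to-workload mapping locally lets a reported CVE be traced back to the pods that run the affected image.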

Downloading TVS

TVS is freely available to all Istio users. Future versions, supporting additional products, will also be accessible from the same platform. To install the current version of TVS, visit our download page.

Using TVS

For instructions on how to use TVS, please refer to the Usage Guide.

Frequently Asked Questions (FAQs)

  1. How does TVS work?

    TVS collects the SHA digest of images and sends it to the Tetrate CVE backend, managed by our platform team. This ensures accurate and timely vulnerability detection.

  2. What types of vulnerabilities can TVS detect?

    TVS can detect CVEs in Istio and Envoy. Future versions will support additional products.

  3. How is TVS better than other vulnerability detectors?

    While general CVE scanning solutions can identify a broad range of container-level vulnerabilities, they may not always provide the focused and comprehensive coverage of Istio and Envoy vulnerabilities that TVS offers. With TVS, security engineers can quickly get a comprehensive, automatically updated list of Istio and Envoy CVEs, eliminating the need to constantly check Istio security news.

  4. How often is TVS updated with new vulnerability definitions?

    TVS's vulnerability database is regularly updated to ensure it captures the latest known vulnerabilities. These updates are typically rolled out periodically to maintain the highest level of accuracy and protection.

  5. Can TVS be used in an air-gapped environment?

    An internet connection is required for TVS to function effectively, as it needs to communicate with our CVE backend.

  6. Why do I need to register?

    Registration is required to obtain the access token needed to make requests to the Tetrate CVE backend. Additionally, it allows us to keep you informed about any updates to TVS, Istio security notices, and product news about CVE remediations. We will not share your email with any third parties.

  7. Is the registration process compliant with privacy standards?

    Absolutely. Our commitment to your privacy is paramount. We adhere to stringent privacy policies, detailed in the Tetrate Privacy Policy.

  8. What is the backend server address and port used by TVS?

    TVS communicates with the Tetrate server "" on port 443 to send the SHA digests of the images and receive the CVEs. Please ensure that your firewall allows traffic to this server and port.