Vulnerability Management

Overview

Secure60’s Vulnerability Management provides automated, SBOM-based vulnerability scanning across your Linux infrastructure. A lightweight client agent discovers installed software packages, generates a Software Bill of Materials (SBOM), and sends the inventory to Secure60. The platform then scans for known CVEs and raises threats automatically.

Key capabilities:

Automated software inventory discovery using Trivy and CycloneDX SBOMs
CVE detection with severity classification (CRITICAL, HIGH, MEDIUM, LOW)
Full vulnerability lifecycle management with auto-closure when vulnerabilities are resolved
Integration with Threats Overview for tracking, exceptions, and reporting
Scheduled re-scanning every 6 hours via cron

Enable the Module

To use Vulnerability Management, the module must be enabled for your project:

Navigate to Modules in the left-hand menu
Locate the Vulnerability Management module
Click to enable it for the target project

Deploy the Client (Linux)

Prerequisites

Linux host (RHEL, CentOS, Rocky, Debian, or Ubuntu)
curl installed
Network access to your Secure60 Collector or Ingest endpoint
Root or sudo access (for Trivy installation and cron setup)

Download the Script

Download the client script directly:

curl -O https://secure60.io/docs/s60-software-inv-agent-linux-1.03.sh
chmod +x s60-software-inv-agent-linux-1.03.sh

Or download it from the direct link.

Interactive Install (First Run)

Run the script without any flags for a guided setup:

./s60-software-inv-agent-linux-1.03.sh

You will be prompted for:

Send mode — Collector (on-prem) or Ingest (cloud)
Endpoint URL — Your Collector address or Ingest base URL
Project ID — Your Secure60 project ID (Ingest mode only)
JWT Token — Your API token (Ingest mode only)

Configuration is saved to .env-s60-client-script in the same directory as the script. Subsequent runs will use this file automatically.

At the end of the first run, you will be prompted to set up a cron job to run the scan every 6 hours.

Silent / Scripted Install

For automated deployments (e.g. Ansible, Puppet, or shell scripts), use the --scripted flag with environment variables:

export S60_SCRIPTED_INSTALL=1
export S60_SEND_MODE=ingest
export S60_INGEST_BASE=https://ingest.secure60.io
export PROJECT_ID=313
export TOKEN=eyJhbGciOiJIUzI1NiIs...
export S60_SETUP_CRON=1
export S60_INSTALL_TRIVY_IF_MISSING=1

./s60-software-inv-agent-linux-1.03.sh --scripted

Environment Variables Reference

Variable	Description	Example
`S60_SEND_MODE`	Send mode: `collector` (on-prem) or `ingest` (cloud). Required.	`ingest`
`S60_COLLECTOR_BASE`	Collector endpoint URL. Required for collector mode.	`https://192.168.1.100`
`S60_INGEST_BASE`	Ingest base URL. Required for ingest mode.	`https://ingest.secure60.io`
`PROJECT_ID`	Secure60 project ID. Required for ingest mode.	`313`
`TOKEN`	JWT Bearer token for authentication. Required for ingest mode.	`eyJhbG...`
`HOST`	Hostname override. Auto-detected if not set.	`web-server-01`
`IP`	Host IP address. Optional metadata.	`10.0.1.5`
`FQDN`	Fully qualified domain name. Optional metadata.	`web-server-01.example.com`
`environment`	Environment label. Defaults to `Production`.	`Production`
`S60_SETUP_CRON`	Set to `1` to automatically install a cron job (every 6 hours).	`1`
`S60_INSTALL_DIR`	Install directory. Cron will reference this path.	`/opt/secure60`
`S60_CRON_LOG`	Log file path for cron output. Logrotate configured automatically.	`/var/log/s60-sbom.log`
`S60_INSTALL_TRIVY_IF_MISSING`	Set to `1`, `Y`, or `yes` to auto-install Trivy if not found.	`1`

Trivy Installation

The client uses Trivy to generate software inventories. Trivy can be installed automatically or manually.

Auto-install during scan:

./s60-software-inv-agent-linux-1.03.sh --install-trivy-if-missing=Y

Install Trivy only (no scan):

./s60-software-inv-agent-linux-1.03.sh --install-trivy-only

Supported distributions:

RHEL / CentOS / Rocky — installs via yum or dnf from the official Aqua repository
Debian / Ubuntu — installs via apt from the official Aqua repository

Enable Cron (Scheduled Scanning)

To keep your software inventory and vulnerability data up to date, set up a cron job to run the scan automatically every 6 hours.

Option 1: During interactive install

The script will prompt you to set up cron at the end of the first run.

Option 2: During scripted install

export S60_SETUP_CRON=1
./s60-software-inv-agent-linux-1.03.sh --scripted

Option 3: Manual cron entry

0 */6 * * * /opt/secure60/s60-software-inv-agent-linux-1.03.sh --scripted >> /var/log/s60-sbom.log 2>&1

When cron is set up automatically, log rotation is also configured at /etc/logrotate.d/s60-sbom (weekly rotation, 4 weeks retained).

Configuration File

All settings are saved to .env-s60-client-script in the same directory as the script. This file is used automatically on subsequent runs and by the cron job.

Example configuration (Ingest mode):

S60_SEND_MODE=ingest
S60_INGEST_BASE=https://ingest.secure60.io
PROJECT_ID=313
TOKEN=eyJhbGciOiJIUzI1NiIs...
HOST=web-server-01
IP=10.0.1.5
FQDN=web-server-01.example.com
environment=Production

Example configuration (Collector mode):

S60_SEND_MODE=collector
S60_COLLECTOR_BASE=https://collector.internal:8443
HOST=web-server-01

Viewing Your Data

Once the client has run and sent data to Secure60, you can view software inventory and vulnerability information across two main areas.

Surface Area — Software Inventory

Navigate to Surface Area and select the Software Inventory tab.

This view shows all discovered software packages across your scanned hosts:

Software — Package name
Source — Package type (e.g. rpm, deb, pip)
Version Count — Number of distinct versions detected
Host Count — Number of hosts with this package installed
Last Seen — When the package was last reported

You can search, sort, and export the inventory to CSV.

Surface Area — Vulnerabilities

Select the Vulnerabilities tab on the Surface Area page.

This view shows all detected CVEs across your infrastructure:

Vulnerability ID — CVE identifier (e.g. CVE-2021-47548)
Package — Affected package name
Severity — CRITICAL, HIGH, MEDIUM, or LOW
Installed Version — Version currently installed on the host
Fixed Version — Version that resolves the vulnerability (where available)
Host Count — Number of hosts affected

Surface Area - Vulnerabilities tab showing CVEs with severity levels

Threats Overview

Vulnerability findings are automatically raised as Threats on the Threats Overview page. These threats appear with the source label Vulnerability.

From Threats Overview you can:

View and triage vulnerability threats alongside other threat sources
Manage lifecycle — track threats through investigation, response, and closure
Create exceptions — mark accepted risks or false positives
Auto-closure — when a vulnerability is no longer detected in subsequent scans, the associated threat is automatically closed

How It Works

Client agent runs Trivy on the host to generate a CycloneDX SBOM (Software Bill of Materials)
SBOM is flattened into individual package events and sent to Secure60 via Collector or Ingest
Secure60 platform reconstructs the SBOM and runs a vulnerability scan against known CVE databases
Vulnerabilities are matched to installed packages and raised as threats with severity classification
Subsequent scans update the inventory — new vulnerabilities are raised, resolved ones are auto-closed

Need Help?

For questions about Vulnerability Management setup or configuration, contact our team at support@secure60.io.