feat: filter artifacts on --exclude-owned flag (#5059)

* feat: filter artifacts on --exclude-owned flag - filter artifacts using trivy-kubernetes library - upgrade dependencies - generate docs * chore: remove shorthand flag for --exclude-owned flag
2025-12-12 15:50:15 -08:00 · 2023-08-31 16:02:52 +05:45
parent c04f234fa4
commit 0c8919e1e4
3 changed files with 18 additions and 2 deletions
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -41,6 +41,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
      --exclude-nodes strings             indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)
+      --exclude-owned                     exclude resources that have an owner reference
      --exit-code int                     specify exit code when any security issues are found
      --file-patterns strings             specify config file patterns
  -f, --format string                     format (table,json,cyclonedx) (default "table")
--- a/pkg/flag/kubernetes_flags.go
+++ b/pkg/flag/kubernetes_flags.go
@@ -79,6 +79,12 @@ var (
 		Default:    "trivy-temp",
 		Usage:      "specify the namespace in which the node-collector job should be deployed",
 	}
+	ExcludeOwned = Flag{
+		Name:       "exclude-owned",
+		ConfigName: "kubernetes.exclude.owned",
+		Default:    false,
+		Usage:      "exclude resources that have an owner reference",
+	}
 	ExcludeNodes = Flag{
 		Name:       "exclude-nodes",
 		ConfigName: "exclude.nodes",
@@ -97,6 +103,7 @@ type K8sFlagGroup struct {
 	Tolerations            *Flag
 	AllNamespaces          *Flag
 	NodeCollectorNamespace *Flag
+	ExcludeOwned           *Flag
 	ExcludeNodes           *Flag
 }

@@ -110,6 +117,7 @@ type K8sOptions struct {
 	Tolerations            []corev1.Toleration
 	AllNamespaces          bool
 	NodeCollectorNamespace string
+	ExcludeOwned           bool
 	ExcludeNodes           map[string]string
 }

@@ -124,6 +132,7 @@ func NewK8sFlagGroup() *K8sFlagGroup {
 		Tolerations:            &TolerationsFlag,
 		AllNamespaces:          &AllNamespaces,
 		NodeCollectorNamespace: &NodeCollectorNamespace,
+		ExcludeOwned:           &ExcludeOwned,
 		ExcludeNodes:           &ExcludeNodes,
 	}
 }
@@ -143,6 +152,7 @@ func (f *K8sFlagGroup) Flags() []*Flag {
 		f.Tolerations,
 		f.AllNamespaces,
 		f.NodeCollectorNamespace,
+		f.ExcludeOwned,
 		f.ExcludeNodes,
 	}
 }
@@ -180,6 +190,7 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) {
 		Tolerations:            tolerations,
 		AllNamespaces:          getBool(f.AllNamespaces),
 		NodeCollectorNamespace: getString(f.NodeCollectorNamespace),
+		ExcludeOwned:           getBool(f.ExcludeOwned),
 		ExcludeNodes:           exludeNodeLabels,
 	}, nil
 }
--- a/pkg/k8s/commands/resource.go
+++ b/pkg/k8s/commands/resource.go
@@ -22,11 +22,15 @@ func resourceRun(ctx context.Context, args []string, opts flag.Options, cluster
 	}

 	runner := newRunner(opts, cluster.GetCurrentContext())
+
 	var trivyk trivyk8s.TrivyK8S
+
+	trivyk = trivyk8s.New(cluster, log.Logger, trivyk8s.WithExcludeOwned(opts.ExcludeOwned))
+
 	if opts.AllNamespaces {
-		trivyk = trivyk8s.New(cluster, log.Logger).AllNamespaces()
+		trivyk = trivyk.AllNamespaces()
 	} else {
-		trivyk = trivyk8s.New(cluster, log.Logger).Namespace(getNamespace(opts, cluster.GetCurrentNamespace()))
+		trivyk = trivyk.Namespace(getNamespace(opts, cluster.GetCurrentNamespace()))
 	}

 	if len(name) == 0 { // pods or configmaps etc