fix(misconf): use argument value in WithIncludeDeprecatedChecks (#8942)
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
@@ -21,7 +21,7 @@
|
||||
"Class": "config",
|
||||
"Type": "dockerfile",
|
||||
"MisconfSummary": {
|
||||
"Successes": 28,
|
||||
"Successes": 27,
|
||||
"Failures": 2
|
||||
},
|
||||
"Misconfigurations": [
|
||||
@@ -72,4 +72,4 @@
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
5
integration/testdata/dockerfile.json.golden
vendored
5
integration/testdata/dockerfile.json.golden
vendored
@@ -21,7 +21,7 @@
|
||||
"Class": "config",
|
||||
"Type": "dockerfile",
|
||||
"MisconfSummary": {
|
||||
"Successes": 27,
|
||||
"Successes": 26,
|
||||
"Failures": 1
|
||||
},
|
||||
"Misconfigurations": [
|
||||
@@ -48,7 +48,8 @@
|
||||
"Service": "general",
|
||||
"Code": {
|
||||
"Lines": null
|
||||
}
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
]
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
"Class": "config",
|
||||
"Type": "dockerfile",
|
||||
"MisconfSummary": {
|
||||
"Successes": 27,
|
||||
"Successes": 26,
|
||||
"Failures": 1
|
||||
},
|
||||
"Misconfigurations": [
|
||||
@@ -48,7 +48,8 @@
|
||||
"Service": "general",
|
||||
"Code": {
|
||||
"Lines": null
|
||||
}
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
}
|
||||
]
|
||||
|
||||
211
integration/testdata/helm.json.golden
vendored
211
integration/testdata/helm.json.golden
vendored
@@ -21,8 +21,8 @@
|
||||
"Class": "config",
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 79,
|
||||
"Failures": 21
|
||||
"Successes": 78,
|
||||
"Failures": 18
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
@@ -865,213 +865,6 @@
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV032",
|
||||
"AVDID": "AVD-KSV-0032",
|
||||
"Title": "All container images must start with the *.azurecr.io domain",
|
||||
"Description": "Containers should only use images from trusted registries.",
|
||||
"Message": "container nginx of deployment nginx-deployment in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'",
|
||||
"Namespace": "builtin.kubernetes.KSV032",
|
||||
"Query": "data.builtin.kubernetes.KSV032.deny",
|
||||
"Resolution": "Use images from trusted Azure registries.",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv032"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 19,
|
||||
"EndLine": 22,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " - name: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " image: nginx:1.14.2",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": " - containerPort: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV033",
|
||||
"AVDID": "AVD-KSV-0033",
|
||||
"Title": "All container images must start with a GCR domain",
|
||||
"Description": "Containers should only use images from trusted GCR registries.",
|
||||
"Message": "container nginx of deployment nginx-deployment in default namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries",
|
||||
"Namespace": "builtin.kubernetes.KSV033",
|
||||
"Query": "data.builtin.kubernetes.KSV033.deny",
|
||||
"Resolution": "Use images from trusted GCR registries.",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv033"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 19,
|
||||
"EndLine": 22,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " - name: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " image: nginx:1.14.2",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": " - containerPort: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV035",
|
||||
"AVDID": "AVD-KSV-0035",
|
||||
"Title": "All container images must start with an ECR domain",
|
||||
"Description": "Container images from non-ECR registries should be forbidden.",
|
||||
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html",
|
||||
"Namespace": "builtin.kubernetes.KSV035",
|
||||
"Query": "data.builtin.kubernetes.KSV035.deny",
|
||||
"Resolution": "Container image should be used from Amazon container Registry",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv035"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 19,
|
||||
"EndLine": 22,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 19,
|
||||
"Content": " - name: nginx",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 20,
|
||||
"Content": " image: nginx:1.14.2",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 21,
|
||||
"Content": " ports:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 22,
|
||||
"Content": " - containerPort: 80",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV104",
|
||||
|
||||
388
integration/testdata/helm_testchart.json.golden
vendored
388
integration/testdata/helm_testchart.json.golden
vendored
@@ -21,8 +21,8 @@
|
||||
"Class": "config",
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 90,
|
||||
"Failures": 9
|
||||
"Successes": 89,
|
||||
"Failures": 6
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
@@ -283,390 +283,6 @@
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV032",
|
||||
"AVDID": "AVD-KSV-0032",
|
||||
"Title": "All container images must start with the *.azurecr.io domain",
|
||||
"Description": "Containers should only use images from trusted registries.",
|
||||
"Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'",
|
||||
"Namespace": "builtin.kubernetes.KSV032",
|
||||
"Query": "data.builtin.kubernetes.KSV032.deny",
|
||||
"Resolution": "Use images from trusted Azure registries.",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv032"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 28,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 28,
|
||||
"Content": " - name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 29,
|
||||
"Content": " securityContext:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 30,
|
||||
"Content": " capabilities:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 31,
|
||||
"Content": " drop:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 32,
|
||||
"Content": " - ALL",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - ALL",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 33,
|
||||
"Content": " readOnlyRootFilesystem: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 34,
|
||||
"Content": " runAsGroup: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 35,
|
||||
"Content": " runAsNonRoot: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 36,
|
||||
"Content": " runAsUser: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 37,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV033",
|
||||
"AVDID": "AVD-KSV-0033",
|
||||
"Title": "All container images must start with a GCR domain",
|
||||
"Description": "Containers should only use images from trusted GCR registries.",
|
||||
"Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries",
|
||||
"Namespace": "builtin.kubernetes.KSV033",
|
||||
"Query": "data.builtin.kubernetes.KSV033.deny",
|
||||
"Resolution": "Use images from trusted GCR registries.",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv033"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 28,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 28,
|
||||
"Content": " - name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 29,
|
||||
"Content": " securityContext:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 30,
|
||||
"Content": " capabilities:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 31,
|
||||
"Content": " drop:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 32,
|
||||
"Content": " - ALL",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - ALL",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 33,
|
||||
"Content": " readOnlyRootFilesystem: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 34,
|
||||
"Content": " runAsGroup: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 35,
|
||||
"Content": " runAsNonRoot: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 36,
|
||||
"Content": " runAsUser: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 37,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV035",
|
||||
"AVDID": "AVD-KSV-0035",
|
||||
"Title": "All container images must start with an ECR domain",
|
||||
"Description": "Container images from non-ECR registries should be forbidden.",
|
||||
"Message": "Container 'testchart' of Deployment 'testchart' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html",
|
||||
"Namespace": "builtin.kubernetes.KSV035",
|
||||
"Query": "data.builtin.kubernetes.KSV035.deny",
|
||||
"Resolution": "Container image should be used from Amazon container Registry",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv035"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 28,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 28,
|
||||
"Content": " - name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 29,
|
||||
"Content": " securityContext:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 30,
|
||||
"Content": " capabilities:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 31,
|
||||
"Content": " drop:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 32,
|
||||
"Content": " - ALL",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - ALL",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 33,
|
||||
"Content": " readOnlyRootFilesystem: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 34,
|
||||
"Content": " runAsGroup: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 35,
|
||||
"Content": " runAsNonRoot: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 36,
|
||||
"Content": " runAsUser: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 37,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV104",
|
||||
|
||||
@@ -21,8 +21,8 @@
|
||||
"Class": "config",
|
||||
"Type": "helm",
|
||||
"MisconfSummary": {
|
||||
"Successes": 88,
|
||||
"Failures": 11
|
||||
"Successes": 87,
|
||||
"Failures": 8
|
||||
},
|
||||
"Misconfigurations": [
|
||||
{
|
||||
@@ -412,390 +412,6 @@
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV032",
|
||||
"AVDID": "AVD-KSV-0032",
|
||||
"Title": "All container images must start with the *.azurecr.io domain",
|
||||
"Description": "Containers should only use images from trusted registries.",
|
||||
"Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'",
|
||||
"Namespace": "builtin.kubernetes.KSV032",
|
||||
"Query": "data.builtin.kubernetes.KSV032.deny",
|
||||
"Resolution": "Use images from trusted Azure registries.",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv032"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 28,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 28,
|
||||
"Content": " - name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 29,
|
||||
"Content": " securityContext:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 30,
|
||||
"Content": " capabilities:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 31,
|
||||
"Content": " drop:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 32,
|
||||
"Content": " - ALL",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - ALL",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 33,
|
||||
"Content": " readOnlyRootFilesystem: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 34,
|
||||
"Content": " runAsGroup: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 35,
|
||||
"Content": " runAsNonRoot: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 36,
|
||||
"Content": " runAsUser: 0",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 37,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV033",
|
||||
"AVDID": "AVD-KSV-0033",
|
||||
"Title": "All container images must start with a GCR domain",
|
||||
"Description": "Containers should only use images from trusted GCR registries.",
|
||||
"Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries",
|
||||
"Namespace": "builtin.kubernetes.KSV033",
|
||||
"Query": "data.builtin.kubernetes.KSV033.deny",
|
||||
"Resolution": "Use images from trusted GCR registries.",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv033"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 28,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 28,
|
||||
"Content": " - name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 29,
|
||||
"Content": " securityContext:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 30,
|
||||
"Content": " capabilities:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 31,
|
||||
"Content": " drop:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 32,
|
||||
"Content": " - ALL",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - ALL",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 33,
|
||||
"Content": " readOnlyRootFilesystem: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 34,
|
||||
"Content": " runAsGroup: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 35,
|
||||
"Content": " runAsNonRoot: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 36,
|
||||
"Content": " runAsUser: 0",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 37,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV035",
|
||||
"AVDID": "AVD-KSV-0035",
|
||||
"Title": "All container images must start with an ECR domain",
|
||||
"Description": "Container images from non-ECR registries should be forbidden.",
|
||||
"Message": "Container 'testchart' of Deployment 'testchart' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html",
|
||||
"Namespace": "builtin.kubernetes.KSV035",
|
||||
"Query": "data.builtin.kubernetes.KSV035.deny",
|
||||
"Resolution": "Container image should be used from Amazon container Registry",
|
||||
"Severity": "MEDIUM",
|
||||
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035",
|
||||
"References": [
|
||||
"https://avd.aquasec.com/misconfig/ksv035"
|
||||
],
|
||||
"Status": "FAIL",
|
||||
"Layer": {},
|
||||
"CauseMetadata": {
|
||||
"Provider": "Kubernetes",
|
||||
"Service": "general",
|
||||
"StartLine": 28,
|
||||
"EndLine": 57,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 28,
|
||||
"Content": " - name: testchart",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
|
||||
"FirstCause": true,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 29,
|
||||
"Content": " securityContext:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 30,
|
||||
"Content": " capabilities:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 31,
|
||||
"Content": " drop:",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 32,
|
||||
"Content": " - ALL",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " - ALL",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 33,
|
||||
"Content": " readOnlyRootFilesystem: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 34,
|
||||
"Content": " runAsGroup: 10001",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 35,
|
||||
"Content": " runAsNonRoot: true",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 36,
|
||||
"Content": " runAsUser: 0",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
|
||||
"FirstCause": false,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 37,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": true,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"RenderedCause": {}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Type": "Helm Security Check",
|
||||
"ID": "KSV104",
|
||||
|
||||
@@ -115,10 +115,10 @@ func WithDisabledCheckIDs(ids ...string) options.ScannerOption {
|
||||
}
|
||||
}
|
||||
|
||||
func WithIncludeDeprecatedChecks(_ bool) options.ScannerOption {
|
||||
func WithIncludeDeprecatedChecks(include bool) options.ScannerOption {
|
||||
return func(s options.ConfigurableScanner) {
|
||||
if ss, ok := s.(*Scanner); ok {
|
||||
ss.includeDeprecatedChecks = true
|
||||
ss.includeDeprecatedChecks = include
|
||||
}
|
||||
}
|
||||
}
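Review bot: WithIncludeDeprecatedChecks is exported but has no doc comment, and now that the argument is honoured the contract should be stated above the signature: `// WithIncludeDeprecatedChecks controls whether checks whose metadata marks them as deprecated are loaded and evaluated; by default they are skipped.` The guard `if ss, ok := s.(*Scanner); ok` silently does nothing for any other ConfigurableScanner implementation, which presumably mirrors the sibling options in this file, but is worth a clause in the comment so callers do not assume the flag takes effect on other scanner types. The default-skip behaviour is taken from the `deprecated check is skipped by default` case in the accompanying test change, not from this hunk.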
|
||||
|
||||
@@ -2,6 +2,7 @@ package rego_test
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"io/fs"
|
||||
"os"
|
||||
"path/filepath"
|
||||
@@ -14,6 +15,7 @@ import (
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/aquasecurity/trivy/pkg/iac/rego"
|
||||
"github.com/aquasecurity/trivy/pkg/iac/scanners/options"
|
||||
"github.com/aquasecurity/trivy/pkg/iac/severity"
|
||||
"github.com/aquasecurity/trivy/pkg/iac/types"
|
||||
)
|
||||
@@ -977,64 +979,53 @@ deny {
|
||||
}
|
||||
|
||||
func Test_RegoScanning_WithDeprecatedCheck(t *testing.T) {
|
||||
|
||||
check := `# METADATA
|
||||
# title: i am a deprecated check
|
||||
# description: i am a description
|
||||
# related_resources:
|
||||
# - https://google.com
|
||||
# custom:
|
||||
# id: EG123
|
||||
# avd_id: AVD-EG-0123
|
||||
# severity: LOW
|
||||
# recommended_action: have a cup of tea
|
||||
# deprecated: %v
|
||||
package defsec.test
|
||||
|
||||
deny {
|
||||
input.text
|
||||
}`
|
||||
|
||||
var testCases = []struct {
|
||||
name string
|
||||
policy string
|
||||
opts []options.ScannerOption
|
||||
expectedResults int
|
||||
}{
|
||||
{
|
||||
name: "happy path check is deprecated",
|
||||
policy: `# METADATA
|
||||
# title: i am a deprecated check
|
||||
# description: i am a description
|
||||
# related_resources:
|
||||
# - https://google.com
|
||||
# custom:
|
||||
# id: EG123
|
||||
# avd_id: AVD-EG-0123
|
||||
# severity: LOW
|
||||
# recommended_action: have a cup of tea
|
||||
# deprecated: true
|
||||
package defsec.test
|
||||
|
||||
deny {
|
||||
input.text
|
||||
}
|
||||
|
||||
`,
|
||||
name: "deprecated check is skipped by default",
|
||||
policy: fmt.Sprintf(check, true),
|
||||
expectedResults: 0,
|
||||
},
|
||||
{
|
||||
name: "happy path check is not deprecated",
|
||||
policy: `# METADATA
|
||||
# title: i am a deprecated check
|
||||
# description: i am a description
|
||||
# related_resources:
|
||||
# - https://google.com
|
||||
# custom:
|
||||
# id: EG123
|
||||
# avd_id: AVD-EG-0123
|
||||
# severity: LOW
|
||||
# recommended_action: have a cup of tea
|
||||
package defsec.test
|
||||
|
||||
deny {
|
||||
input.text
|
||||
}
|
||||
|
||||
`,
|
||||
name: "non-deprecated check is executed",
|
||||
policy: fmt.Sprintf(check, false),
|
||||
expectedResults: 1,
|
||||
},
|
||||
{
|
||||
name: "deprecated check is executed when includeDeprecatedChecks is true",
|
||||
policy: fmt.Sprintf(check, true),
|
||||
opts: []options.ScannerOption{rego.WithIncludeDeprecatedChecks(true)},
|
||||
expectedResults: 1,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
srcFS := CreateFS(t, map[string]string{
|
||||
"policies/test.rego": tc.policy,
|
||||
})
|
||||
|
||||
scanner := rego.NewScanner(rego.WithPolicyDirs("policies"))
|
||||
require.NoError(t, scanner.LoadPolicies(srcFS))
|
||||
opts := append(tc.opts, rego.WithPolicyReader(strings.NewReader(tc.policy)))
|
||||
scanner := rego.NewScanner(opts...)
|
||||
require.NoError(t, scanner.LoadPolicies(nil))
|
||||
|
||||
results, err := scanner.ScanInput(t.Context(), types.SourceJSON, rego.Input{
|
||||
Path: "/evil.lol",
|
||||
|
||||