* feat(repo): support local repositories * fix tests * test: fix client/server tests * docs: update * test: add fs tests * test: do not update golden files if overridden * docs: remove a comment about fs deprecation
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/repo/helm",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "testchart.tar.gz:templates/deployment.yaml",
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 146,
"Failures": 4,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Helm Security Check",
"ID": "KSV001",
"AVDID": "AVD-KSV-0001",
"Title": "Can elevate its own privileges",
"Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
"Message": "Container 'testchart' of Deployment 'testchart' should set 'securityContext.allowPrivilegeEscalation' to false",
"Namespace": "builtin.kubernetes.KSV001",
"Query": "data.builtin.kubernetes.KSV001.deny",
"Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
"https://avd.aquasec.com/misconfig/ksv001"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV030",
"AVDID": "AVD-KSV-0030",
"Title": "Runtime/Default Seccomp profile not set",
"Description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.",
"Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'",
"Namespace": "builtin.kubernetes.KSV030",
"Query": "data.builtin.kubernetes.KSV030.deny",
"Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
"https://avd.aquasec.com/misconfig/ksv030"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV104",
"AVDID": "AVD-KSV-0104",
"Title": "Seccomp policies disabled",
"Description": "Seccomp profile must not be explicitly set to 'Unconfined'.",
"Message": "container testchart of deployment testchart in default namespace should specify a seccomp profile",
"Namespace": "builtin.kubernetes.KSV104",
"Query": "data.builtin.kubernetes.KSV104.deny",
"Resolution": "Do not set seccomp profile to 'Unconfined'",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline",
"https://avd.aquasec.com/misconfig/ksv104"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"Code": {
"Lines": null
}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV116",
"AVDID": "AVD-KSV-0116",
"Title": "Runs with a root primary or supplementary GID",
"Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
"Message": "deployment testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
"Namespace": "builtin.kubernetes.KSV116",
"Query": "data.builtin.kubernetes.KSV116.deny",
"Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116",
"References": [
"https://kubesec.io/basics/containers-securitycontext-runasuser/",
"https://avd.aquasec.com/misconfig/ksv116"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
},
{
"Target": "testchart.tar.gz:templates/service.yaml",
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 149,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Helm Security Check",
"ID": "KSV116",
"AVDID": "AVD-KSV-0116",
"Title": "Runs with a root primary or supplementary GID",
"Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
"Message": "service testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
"Namespace": "builtin.kubernetes.KSV116",
"Query": "data.builtin.kubernetes.KSV116.deny",
"Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116",
"References": [
"https://kubesec.io/basics/containers-securitycontext-runasuser/",
"https://avd.aquasec.com/misconfig/ksv116"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
},
{
"Target": "testchart.tar.gz:templates/serviceaccount.yaml",
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 149,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Helm Security Check",
"ID": "KSV116",
"AVDID": "AVD-KSV-0116",
"Title": "Runs with a root primary or supplementary GID",
"Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
"Message": "serviceaccount testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
"Namespace": "builtin.kubernetes.KSV116",
"Query": "data.builtin.kubernetes.KSV116.deny",
"Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116",
"References": [
"https://kubesec.io/basics/containers-securitycontext-runasuser/",
"https://avd.aquasec.com/misconfig/ksv116"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
}
]
}