A Simple and Comprehensive Vulnerability Scanner for Container Images, Git Repositories and Filesystems. Suitable for CI

Overview


A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.

Abstract

Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive vulnerability scanner for containers and other artifacts. A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System. Trivy detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Trivy is easy to use: just install the binary and you're ready to scan. To scan, all you need to do is specify a target, such as a container image name.

Trivy can be run in two different modes:

Trivy can scan three different artifacts: container images, local filesystems and remote git repositories.

It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can easily scan your local container image and other artifacts. See here for details.

Features

  • Detect comprehensive vulnerabilities
    • OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
    • Application dependencies (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
  • Simple
  • Fast
    • The first scan will finish within 10 seconds (depending on your network). Subsequent scans will finish in single seconds.
    • Unlike other scanners that take a long time (~10 minutes) to fetch vulnerability information on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
  • Easy installation
    • apt-get install, yum install and brew install are possible (See Installation)
    • No pre-requisites such as installation of DB, libraries, etc.
  • High accuracy
    • Especially for Alpine Linux and RHEL/CentOS
    • Accuracy for other OSes is also high
  • DevSecOps
    • Suitable for CI such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
    • See CI Example
  • Support multiple formats
    • container image
      • A local image in Docker Engine which is running as a daemon
      • A local image in Podman (>=2.0) that exposes a socket
      • A remote image in a Docker Registry such as Docker Hub, ECR, GCR and ACR
      • A tar archive in docker save / podman save format
      • An image directory compliant with OCI Image Format
    • local filesystem
    • remote git repository

Please see LICENSE for Trivy licensing information. Note that Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.

Documentation

The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.

Installation

See here

Quick Start

Simply specify an image name (and a tag).

$ trivy image [YOUR_IMAGE_NAME]

For example:

$ trivy image python:3.4-alpine

Result:

2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

Examples

See here

Continuous Integration (CI)

See here

Vulnerability Detection

See here

Usage

See here

Author

Teppei Fukuda (knqyf263)

Comments
  • How to scan locally downloaded docker image?

    I have some enterprise docker images downloaded locally on my Mac and I want to scan them using trivy. I tried without setting any config and I get this:

    trivy docker.artifactory.aws.*****com/****-base-centos7:0.0.7
    2020-04-29T00:34:09.890+0530	FATAL	error in image scan: failed to analyze image: failed to extract files: failed to extract files: failed to extract the archive: unexpected EOF
    

    Please suggest.

    triage/support lifecycle/stale triage/needs-information 
    opened by bsushant-athena 35
  • Trivy in docker not able to scan local image since version v0.10.0

    Description

    We use Trivy in our CI builds to scan local images. Since v0.10.0, trivy is not able to find the local images and expects the image to exist in docker hub.

    What did you expect to happen? Expected trivy to scan local images.

    What happened instead? Trivy failed with the following error.

    Command ran:

    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $PWD:/tmp/.cache/ aquasec/trivy myimage:local

    where myimage:local was generated locally before running trivy. Trivy failed with this error:

     FATAL   unable to initialize a scanner: unable to initialize a docker scanner: 2 errors occurred:
            * unable to inspect the image (index.docker.io/library/myimage:local): Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/index.docker.io/library/myimage:local/json: dial unix /var/run/docker.sock: connect: permission denied
            * GET https://index.docker.io/v2/library/myimage/manifests/local: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/myimage Type:repository]]
    

    Output of run with -debug:

    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $PWD:/tmp/.cache/ aquasec/trivy --debug myimage:local
    2020-07-30T14:40:12.246Z        DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
    2020-07-30T14:40:12.257Z        DEBUG   cache dir:  /home/appuser/.cache/trivy
    2020-07-30T14:40:12.257Z        DEBUG   There is no valid metadata file: unable to open a file: open /home/appuser/.cache/trivy/db/metadata.json: no such file or directory
    2020-07-30T14:40:12.257Z        INFO    Need to update DB
    2020-07-30T14:40:12.257Z        INFO    Downloading DB...
    2020-07-30T14:40:12.257Z        DEBUG   no metadata file
    2020-07-30T14:40:12.788Z        DEBUG   release name: v1-2020073012
    2020-07-30T14:40:12.788Z        DEBUG   asset name: trivy-light-offline.db.tgz
    2020-07-30T14:40:12.788Z        DEBUG   file name doesn't match
    2020-07-30T14:40:12.788Z        DEBUG   asset name: trivy-light.db.gz
    2020-07-30T14:40:12.788Z        DEBUG   file name doesn't match
    2020-07-30T14:40:12.788Z        DEBUG   asset name: trivy-offline.db.tgz
    2020-07-30T14:40:12.788Z        DEBUG   file name doesn't match
    2020-07-30T14:40:12.788Z        DEBUG   asset name: trivy.db.gz
    2020-07-30T14:40:12.889Z        DEBUG   asset URL: https://github-production-release-asset-2e65be.s3.amazonaws.com/216830441/41262880-d25e-11ea-9f0d-69c6ece1083c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200730%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200730T143846Z&X-Amz-Expires=300&X-Amz-Signature=8962d7139933af30f139c0238307e1cefb4f262c886ef8dd8fbcb5f0301a5b97&X-Amz-SignedHeaders=host&actor_id=0&repo_id=216830441&response-content-disposition=attachment%3B%20filename%3Dtrivy.db.gz&response-content-type=application%2Foctet-stream
    [... DB download progress bar output (17.57 MiB) snipped ...]
    2020-07-30T14:40:22.179Z        DEBUG   Updating database metadata...
    2020-07-30T14:40:22.179Z        DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2020-07-30 12:13:03.860403389 +0000 UTC, NextUpdate: 2020-07-31 00:13:03.860403189 +0000 UTC
    2020-07-30T14:40:24.452Z        FATAL   unable to initialize a scanner:
        github.com/aquasecurity/trivy/internal/artifact.run
            /home/circleci/project/internal/artifact/run.go:72
      - unable to initialize a docker scanner:
        github.com/aquasecurity/trivy/internal/artifact.dockerScanner
            /home/circleci/project/internal/artifact/image.go:28
      - 2 errors occurred:
            * unable to inspect the image (index.docker.io/library/myimage:local): Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/index.docker.io/library/myimage:local/json: dial unix /var/run/docker.sock: connect: permission denied
            * GET https://index.docker.io/v2/library/myimage/manifests/local: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/myimage Type:repository]]
    

    Output of trivy -v:

    Version: 0.10.0
    

    Additional details (base image name, container registry info...): If we revert to trivy v0.9.0, the scan works successfully so something is broken in v0.10.0

    Has there been any change that affects detecting local images over the docker socket?

    I would really appreciate it if this could be given attention, as our builds are currently broken and as a workaround we have reverted to v0.9.0.

    Regards,

    Nas

    kind/bug 
    opened by NasAmin 31
  • InstalledVersion comparison doesn't process "epoch" value in debian package version numbers

    Description

    trivy rootfs -s HIGH -f json / shows several packages are vulnerable due to incorrect version comparison.

    For example, the debian package named zabbix-get with version 1:5.0.20-1+bionic is flagged as a "HIGH" severity vulnerability, but the details indicate that only versions before 2.2.x, 3.0.31 and 3.2 are vulnerable.

    What did you expect to happen?

    I expected that the epoch 1: value would be handled correctly (see http://manpages.ubuntu.com/manpages/trusty/man5/deb-version.5.html ), and Trivy would see that version 5.0.20 is more recent than the vulnerable versions.

    What happened instead?

    It incorrectly declares multiple packages to be vulnerable:

    {
      "VulnerabilityID": "CVE-2020-11800",
      "PkgName": "zabbix-get",
      "InstalledVersion": "1:5.0.20-1+bionic",
      "Layer": {},
      "SeveritySource": "ubuntu",
      "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-11800",
      "DataSource": {
        "ID": "ubuntu",
        "Name": "Ubuntu CVE Tracker",
        "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
      },
      "Title": "Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote att ...",
      "Description": "Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code.",
      "Severity": "HIGH",
      "CVSS": {
        "nvd": {
          "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "V2Score": 7.5,
          "V3Score": 9.8
        }
      },
      "References": [
        "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00007.html",
        "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11800",
        "https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/85453e04656fc7bd8a6790f5295d79410101745c",
        "https://lists.debian.org/debian-lts-announce/2020/11/msg00039.html",
        "https://support.zabbix.com/browse/DEV-1538",
        "https://support.zabbix.com/browse/ZBX-17600",
        "https://support.zabbix.com/browse/ZBXSEC-30",
        "https://support.zabbix.com/browse/ZBXSEC-30 (not public)"
      ],
      "PublishedDate": "2020-10-07T16:15:00Z",
      "LastModifiedDate": "2022-01-01T18:16:00Z"
    }
    

    Output of run with -debug:

    (2237 lines of files scanned, not very useful for this report.)
    

    Output of trivy -v:

    Version: 0.24.4
    Vulnerability DB:
      Version: 2
      UpdatedAt: 2022-03-29 06:06:20.605614808 +0000 UTC
      NextUpdate: 2022-03-29 12:06:20.605614408 +0000 UTC
      DownloadedAt: 2022-03-29 06:17:15.692256189 +0000 UTC
    

    Additional details (base image name, container registry info...):

    OS: Ubuntu 18.04

    We're evaluating Trivy for use in our organization.

    kind/bug 
    opened by PenelopeFudd 30
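What correct epoch handling looks like, as an added example that is not Trivy's own code: a Go implementation of the deb-version(5) ordering (the algorithm of dpkg's verrevcmp), which splits epoch, upstream version and revision before comparing. Running the fragment comparison over the unsplit string reproduces the wrong result described for zabbix-get.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ParseDebVersion splits [epoch:]upstream_version[-debian_revision] as defined in
// deb-version(5): "1:5.0.20-1+bionic" gives epoch 1, upstream "5.0.20", revision
// "1+bionic". A missing epoch is 0; the revision follows the LAST hyphen.
func ParseDebVersion(s string) (epoch int, upstream, revision string, err error) {
	if i := strings.IndexByte(s, ':'); i >= 0 {
		if epoch, err = strconv.Atoi(s[:i]); err != nil || epoch < 0 {
			return 0, "", "", fmt.Errorf("invalid epoch in %q", s)
		}
		s = s[i+1:]
	}
	if i := strings.LastIndexByte(s, '-'); i >= 0 {
		revision, s = s[i+1:], s[:i]
	}
	if s == "" {
		return 0, "", "", errors.New("empty upstream version")
	}
	return epoch, s, revision, nil
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

// order is dpkg's sort weight for byte i of s: end of string and digits weigh 0,
// '~' sorts before everything (even end of string), letters before other symbols.
func order(s string, i int) int {
	switch {
	case i >= len(s) || isDigit(s[i]):
		return 0
	case s[i] == '~':
		return -1
	case s[i] >= 'a' && s[i] <= 'z' || s[i] >= 'A' && s[i] <= 'Z':
		return int(s[i])
	}
	return int(s[i]) + 256
}

// digitRun returns the digit run at s[i] without leading zeros, and the index past it.
func digitRun(s string, i int) (string, int) {
	for i < len(s) && s[i] == '0' {
		i++
	}
	start := i
	for i < len(s) && isDigit(s[i]) {
		i++
	}
	return s[start:i], i
}

// cmpFragment compares one upstream/revision string like dpkg's verrevcmp (alternating
// non-digit runs by order, digit runs numerically); fed unsplit strings it shows the bug.
func cmpFragment(a, b string) int {
	for i, j := 0, 0; i < len(a) || j < len(b); {
		for (i < len(a) && !isDigit(a[i])) || (j < len(b) && !isDigit(b[j])) {
			if d := order(a, i) - order(b, j); d != 0 {
				return d
			}
			i, j = i+1, j+1
		}
		var da, db string
		da, i = digitRun(a, i)
		db, j = digitRun(b, j)
		if len(da) != len(db) { // more significant digits means a larger number
			return len(da) - len(db)
		}
		if da != db {
			return strings.Compare(da, db)
		}
	}
	return 0
}

// Compare returns <0, 0 or >0 for a<b, a==b, a>b: epoch decides first, then upstream, then revision.
func Compare(a, b string) (int, error) {
	ea, ua, ra, errA := ParseDebVersion(a)
	eb, ub, rb, errB := ParseDebVersion(b)
	if errA != nil || errB != nil {
		return 0, errors.Join(errA, errB)
	}
	if ea != eb {
		return ea - eb, nil
	}
	if r := cmpFragment(ua, ub); r != 0 {
		return r, nil
	}
	return cmpFragment(ra, rb), nil
}

func main() {
	r, _ := Compare("1:5.0.20-1+bionic", "3.0.31")
	fmt.Println("epoch-aware:", r, "naive:", cmpFragment("1:5.0.20-1+bionic", "3.0.31"))
}
```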
  • Use a stable SARIF identifier

    :wave: Hello - I am from the GitHub code scanning team! :bow:

    We have noticed that your tool is currently generating unstable sarif identifiers. 🕵️ This is against the SARIF specification 😱.

    Unstable identifiers result in suboptimal experience for users of GitHub Code Scanning:

    • Users are not able to easily group similar results (for example results for the same CVE in different images)
    • Users find results that have been dismissed reappear if the image name or tag changes
    • We have a hard limit of 500k identifiers per tool, beyond this point it is not possible to enumerate them all

    I've proposed a possible fix that would make your sarif identifier stable. Once you have found something that works for you I can migrate your existing rules. :+1:

    opened by simon-engledew 27
  • feat(template) Add misconfigurations to gitlab codequality report

    Gitlab codequality report for misconfigurations was missing

    Usage example: trivy fs --security-checks config,vuln --format template --template "@contrib/gitlab-codequality.tpl" -o report.json {folder}

    Checklist

    • [x] I've read the guidelines for contributing to this repository.
    • [x] I've followed the conventions in the PR title.
    • [x] I've added tests that prove my fix is effective or that my feature works.
    • [x] I've updated the documentation with the relevant information (if needed).
    • [x] I've added usage information (if the PR introduces new options)
    • [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).
    opened by natefive 26
  • Support for Rocky Linux

    Rocky Linux should be detected as RHEL/CentOS. See https://rockylinux.org/ for details. Similar to classic CentOS, Rocky Linux is a RHEL clone so Red Hat Security advisories apply to it. This is the same exact situation as AlmaLinux https://github.com/aquasecurity/trivy/issues/1021

    kind/feature priority/important-longterm 
    opened by DecayingSec 26
  • FATAL error in image scan: failed to analyze image: failed to extract files: missing signature key

    BUG REPORT INFORMATION

    I am running trivy installed from the debian package (currently 0.1.1) inside a Gitlab CI worker. The worker is a docker container which can build images (docker socket is mounted).

    Description

    In my pipeline I would like to scan the images before pushing them to the repository. But trivy fails with the error above although the image has just been built.

    $ docker build --pull -t ${IMAGE}:${VERSION} -t ${IMAGE}:latest .
    Sending build context to Docker daemon  84.48kB
    Step 1/2 : FROM postgres:11-alpine
    11-alpine: Pulling from library/postgres
    e7c96db7181b: Already exists
    ddab92d60ba9: Pulling fs layer
    ... snipped ...
    79d684a466de: Pull complete
    1929cdd74131: Pull complete
    Digest: sha256:7507521549968d1506ba9748a1f86d4ac015544b07738da8d25cf670eb2a7279
    Status: Downloaded newer image for postgres:11-alpine
     ---> 0223e4d872f4
    Step 2/2 : LABEL MAINTAINER Oz123 <[email protected]>
     ---> Running in 86c97c84674b
    Removing intermediate container 86c97c84674b
     ---> a4b10056be0e
    Successfully built a4b10056be0e
    Successfully tagged gitlab.xxx.net:5050/tech/postgresql/docker-image:0.0.1
    Successfully tagged gitlab.xxx.net:5050/tech/postgresql/docker-image:latest
    $ trivy -q --auto-refresh ${IMAGE}:${VERSION}
    2019-05-27T15:06:46.237Z	INFO	Updating vulnerability database...
    2019-05-27T15:07:34.298Z	INFO	Updating NVD data...
    2019-05-27T15:08:04.259Z	INFO	Updating Alpine data...
    2019-05-27T15:08:05.058Z	INFO	Updating RedHat data...
    2019-05-27T15:08:08.466Z	INFO	Updating Debian data...
    2019-05-27T15:08:10.155Z	INFO	Updating Debian OVAL data...
    2019-05-27T15:08:15.279Z	INFO	Updating Ubuntu data...
    2019-05-27T15:08:20.303Z	FATAL	error in image scan: failed to analyze image: failed to extract files: missing signature key
    ERROR: Job failed: exit code 1
    

    Output of trivy -v: 0.1.1

    I suspect the docker image should also mount the directory where the image built files are stored, but I can't confirm this.

    opened by oz123 26
  • Is it correct that the Trivy Server Mode Vulnerability DB update is normal?

    Is it correct that the current Trivy Server Mode Vulnerability DB update is normal?

    The UpdatedAt/NextUpdate dates do not change after the time you ran it. I would appreciate it if you could check whether it is being updated normally.

    $ trivy -v
    Version: 0.27.1
    Vulnerability DB:
      Version: 2
      UpdatedAt: 2022-05-12 06:06:17.231057123 +0000 UTC
      NextUpdate: 2022-05-12 12:06:17.231056623 +0000 UTC
      DownloadedAt: 2022-05-26 23:35:53.026928539 +0000 UTC
    
    
    $ ls -alth
    -rw-r--r-- 1 test test  153  5 27 08:35 metadata.json
    -rw------- 1 test test 298M  5 27 08:35 trivy.db
    
    triage/support 
    opened by happylie 25
  • GitHub Action - analysis fails after sarif upload

    Description

    I'm scanning a docker image and want to upload the result via the github/codeql-action/[email protected] action.

    name: Trivy Analysis
    
    on:
      push:
    
    jobs:
      trivy_analysis:
        name: Trivy Analysis
        runs-on: "ubuntu-18.04"
        steps:
          - name: Run Trivy on python:3.6-slim-buster
            uses: aquasecurity/[email protected]
            with:
              image-ref: 'python:3.6-slim-buster'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'trivy-slim-buster.sarif'
              severity: 'CRITICAL,HIGH'
    
          # Upload works fine, but analysis fails
          - name: Upload Trivy slim-buster scan results to GitHub Security tab
            uses: github/codeql-action/[email protected]
            with:
              sarif_file: 'trivy-slim-buster.sarif'
    

    What did you expect to happen?

    sarif file gets analyzed correctly.

    What happened instead?

    The error 'Analysis failed for trivy-workflow' is shown on the Code scanning alerts tab.

    Output of run with -debug:

    not available
    

    Output of trivy -v:

    Run aquasecurity/[email protected]
      with:
        image-ref: python:3.6-slim-buster
        format: template
        template: @/contrib/sarif.tpl
        output: trivy-slim-buster.sarif
        severity: CRITICAL,HIGH
        scan-type: image
        scan-ref: .
        exit-code: 0
        ignore-unfixed: false
        vuln-type: os,library
    /usr/bin/docker run --name a33c1b243f0bb5ad54f939442448bb6a70f7e_e14d32 --label 8a33c1 --workdir /github/workspace --rm -e INPUT_IMAGE-REF -e INPUT_FORMAT -e INPUT_TEMPLATE -e INPUT_OUTPUT -e INPUT_SEVERITY -e INPUT_SCAN-TYPE -e INPUT_INPUT -e INPUT_SCAN-REF -e INPUT_EXIT-CODE -e INPUT_IGNORE-UNFIXED -e INPUT_VULN-TYPE -e INPUT_SKIP-DIRS -e INPUT_CACHE-DIR -e INPUT_TIMEOUT -e INPUT_IGNORE-POLICY -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/indy-node-container/indy-node-container":"/github/workspace" 8a33c1:b243f0bb5ad54f939442448bb6a70f7e  "-a image" "-b template" "-c @/contrib/sarif.tpl" "-d 0" "-e false" "-f os,library" "-g CRITICAL,HIGH" "-h trivy-slim-buster.sarif" "-i python:3.6-slim-buster" "-j ." "-k " "-l " "-m " "-n " "-o "
    Running trivy with options:  --no-progress  --format  template --template  @/contrib/sarif.tpl --exit-code  0 --vuln-type  os,library --severity  CRITICAL,HIGH --output  trivy-slim-buster.sarif  python:3.6-slim-buster
    Global options:  
    2021-06-02T06:51:17.428Z	INFO	Need to update DB
    2021-06-02T06:51:17.429Z	INFO	Downloading DB...
    2021-06-02T06:51:20.595Z	INFO	Detecting Debian vulnerabilities...
    2021-06-02T06:51:20.605Z	INFO	Trivy skips scanning programming language libraries because no supported file was detected
    

    Additional details (base image name, container registry info...):

    Uploading the result file to the Microsoft SARIF validator shows these problems:

    • GH1003: runs[0].results[0].locations[0].physicalLocation: The 'region' property is absent. GitHub Advanced Security code scanning can display the correct location only for results that provide a 'region' object with line and optional column information. At minimum, 'region.startLine' is required. 'region' can also provide 'startColumn', 'endLine', and 'endColumn', although all of those have reasonable defaults.
    • GH1005: runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri: 'python:3.6-slim-buster' is not a file path. GitHub Advanced Security code scanning only displays results whose locations are specified by file paths, either as relative URIs or as absolute URIs that use the 'file' scheme.
    • SARIF1004: runs[0].results[0].locations[0].physicalLocation.artifactLocation: This 'artifactLocation' object has a 'uriBaseId' property 'ROOTPATH', but its 'uri' property 'python:3.6-slim-buster' is an absolute URI. Since the purpose of 'uriBaseId' is to resolve a relative reference to an absolute URI, it is not allowed when the 'uri' property is already an absolute URI.
    • SARIF2012: runs[0].tool.driver.rules[0].name: 'OS Package Vulnerability (Debian)' is not a Pascal-case identifier. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'.

    I don't know whether these problems are the cause of the error, but maybe they can be fixed by adjusting this block

    https://github.com/aquasecurity/trivy/blob/fb19abd09acc39c06a132fab8d0b9181f1556dcb/contrib/sarif.tpl#L76-L80

    if a Docker image is scanned.

    kind/bug lifecycle/stale 
    opened by mgmgwi 24
  • Trivy 0.2.0, run under docker-dind - gitlabCI - scan always ends with 'null' result

    What did you expect to happen? Conduct a scan

    What happened instead? Trivy does something, reports success and exits after 1 second

    Output of run with -debug:

    2019-11-14T18:51:04.070Z	DEBUG	cache dir:  /root/.cache/trivy
    2019-11-14T18:51:04.074Z	DEBUG	This is the first run
    [... "Downloading Lightweight DB file..." progress bar output snipped ...]
    2019-11-14T18:51:04.362Z	DEBUG	release name: v1-2019111418
    2019-11-14T18:51:04.362Z	DEBUG	asset name: trivy-light.db.gz
    2019-11-14T18:51:04.534Z	DEBUG	asset URL: https://github-production-release-asset-2e65be.s3.amazonaws.com/216830441/fa14f900-0709-11ea-9b7f-1f882f72ad9e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20191114%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191114T185104Z&X-Amz-Expires=300&X-Amz-Signature=4ae948a4ce0501f0edb9eb5585d397ef276d725f95f8ea2af8ade4659264494d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dtrivy-light.db.gz&response-content-type=application%2Foctet-stream
    2019-11-14T18:51:05.858Z	INFO	Reopening vulnerability DB
    2019-11-14T18:51:05.858Z	DEBUG	Vulnerability type:  [os library]
    2019-11-14T18:51:08.814Z	DEBUG	OS family: alpine, OS version: 3.8.4
    2019-11-14T18:51:08.814Z	DEBUG	the number of packages: 36
    2019-11-14T18:51:09.612Z	DEBUG	the number of packages from commands: 26
    2019-11-14T18:51:09.612Z	DEBUG	the number of packages: 36
    2019-11-14T18:51:09.612Z	INFO	Detecting Alpine vulnerabilities...
    2019-11-14T18:51:09.612Z	DEBUG	alpine: os version: 3.8
    2019-11-14T18:51:09.612Z	DEBUG	alpine: the number of packages: 36
    

    Output of trivy -v:

    trivy version 0.2.0
    

    Additional details (base image name, container registry info...):

    checked image: trivy --light alpine:3.8.4 -debug
    dind image: docker:19.03-dind

    result:

    [
      {
        "Target": "myimage(alpine 3.8.4)",
        "Vulnerabilities": null
      }
    ]
    

    Scan outside GitLab CI:

    alpine:3.8.4 (alpine 3.8.4)
    ===========================
    Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
    
    +---------+------------------+----------+-------------------+---------------+
    | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
    +---------+------------------+----------+-------------------+---------------+
    | musl    | CVE-2019-14697   | HIGH     | 1.1.19-r10        | 1.1.19-r11    |
    +---------+------------------+----------+-------------------+---------------+
    
    kind/bug 
    opened by marcinbojko 24
  • feat: add k8s components

    feat: add k8s components

    Signed-off-by: Jose Donizetti [email protected]

    Description

    Adds a new table with checks for infra assessment.

    trivy k8s all --report=summary --namespace=kube-system
    34 / 34 [--------------------------------------------------------------------------------------------------------------------] 100.00% 1 p/s
    
    Summary Report for minikube
    ┌─────────────┬──────────────────────────────────────┬─────────────────────┬────────────────────┬───────────────────┐
    │  Namespace  │               Resource               │   Vulnerabilities   │ Misconfigurations  │      Secrets      │
    │             │                                      ├───┬────┬───┬────┬───┼───┬───┬───┬────┬───┼───┬───┬───┬───┬───┤
    │             │                                      │ C │ H  │ M │ L  │ U │ C │ H │ M │ L  │ U │ C │ H │ M │ L │ U │
    ├─────────────┼──────────────────────────────────────┼───┼────┼───┼────┼───┼───┼───┼───┼────┼───┼───┼───┼───┼───┼───┤
    │ kube-system │ Deployment/coredns                   │ 1 │ 2  │ 1 │ 1  │ 4 │   │   │ 3 │ 5  │   │   │   │   │   │   │
    │ kube-system │ Pod/etcd-minikube                    │   │ 16 │ 4 │    │ 4 │   │ 1 │ 3 │ 7  │   │   │   │   │   │   │
    │ kube-system │ Pod/kube-scheduler-minikube          │   │ 1  │   │    │   │   │ 1 │ 3 │ 8  │   │   │   │   │   │   │
    │ kube-system │ Pod/storage-provisioner              │   │ 8  │ 2 │    │ 2 │   │ 1 │ 5 │ 10 │   │   │   │   │   │   │
    │ kube-system │ DaemonSet/kube-proxy                 │   │ 2  │ 2 │ 22 │   │   │ 2 │ 4 │ 10 │   │   │   │   │   │   │
    │ kube-system │ Pod/kube-controller-manager-minikube │   │ 1  │ 1 │ 1  │ 2 │   │ 1 │ 3 │ 8  │   │   │   │   │   │   │
    │ kube-system │ Service/kube-dns                     │   │    │   │    │   │   │   │ 1 │    │   │   │   │   │   │   │
    │ kube-system │ Pod/kube-apiserver-minikube          │   │ 1  │ 1 │ 1  │ 2 │   │ 1 │ 3 │ 9  │   │   │   │   │   │   │
    └─────────────┴──────────────────────────────────────┴───┴────┴───┴────┴───┴───┴───┴───┴────┴───┴───┴───┴───┴───┴───┘
    Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
    
    
    Summary Report for minikube
    ┌─────────────┬─────────────────────────────────────────────────────┬───────────────────┐
    │  Namespace  │                      Resource                       │  RBAC Assessment  │
    │             │                                                     ├───┬───┬───┬───┬───┤
    │             │                                                     │ C │ H │ M │ L │ U │
    ├─────────────┼─────────────────────────────────────────────────────┼───┼───┼───┼───┼───┤
    │ kube-system │ Role/system::leader-locking-kube-controller-manager │   │   │ 1 │   │   │
    │ kube-system │ Role/system:controller:bootstrap-signer             │ 1 │   │   │   │   │
    │ kube-system │ Role/system:controller:cloud-provider               │   │   │ 1 │   │   │
    │ kube-system │ Role/system:controller:token-cleaner                │ 1 │   │   │   │   │
    │ kube-system │ Role/system:persistent-volume-provisioner           │   │ 2 │   │   │   │
    │ kube-system │ Role/system::leader-locking-kube-scheduler          │   │   │ 1 │   │   │
    └─────────────┴─────────────────────────────────────────────────────┴───┴───┴───┴───┴───┘
    Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
    
    
    Summary Report for minikube
    ┌─────────────┬──────────────────────────────────────┬─────────────────────────────┐
    │  Namespace  │               Resource               │ Kubernetes Infra Assessment │
    │             │                                      ├────┬────┬────┬─────┬────────┤
    │             │                                      │ C  │ H  │ M  │ L   │   U    │
    ├─────────────┼──────────────────────────────────────┼────┼────┼────┼─────┼────────┤
    │ kube-system │ Pod/kube-apiserver-minikube          │    │    │ 1  │ 10  │        │
    │ kube-system │ Pod/kube-controller-manager-minikube │    │    │    │ 3   │        │
    │ kube-system │ Pod/kube-scheduler-minikube          │    │    │    │ 1   │        │
    └─────────────┴──────────────────────────────────────┴────┴────┴────┴─────┴────────┘
    Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
    

    filtering by workload components:

    trivy k8s all --report=summary --namespace=kube-system --security-checks=config --components=workload
    34 / 34 [--------------------------------------------------------------------------------------------------------------------] 100.00% 4 p/s
    
    Summary Report for minikube
    ┌─────────────┬──────────────────────────────────────┬────────────────────┐
    │  Namespace  │               Resource               │ Misconfigurations  │
    │             │                                      ├───┬───┬───┬────┬───┤
    │             │                                      │ C │ H │ M │ L  │ U │
    ├─────────────┼──────────────────────────────────────┼───┼───┼───┼────┼───┤
    │ kube-system │ Service/kube-dns                     │   │   │ 1 │    │   │
    │ kube-system │ Pod/kube-apiserver-minikube          │   │ 1 │ 3 │ 9  │   │
    │ kube-system │ Pod/kube-scheduler-minikube          │   │ 1 │ 3 │ 8  │   │
    │ kube-system │ Pod/storage-provisioner              │   │ 1 │ 5 │ 10 │   │
    │ kube-system │ Pod/etcd-minikube                    │   │ 1 │ 3 │ 7  │   │
    │ kube-system │ Deployment/coredns                   │   │   │ 3 │ 5  │   │
    │ kube-system │ DaemonSet/kube-proxy                 │   │ 2 │ 4 │ 10 │   │
    │ kube-system │ Pod/kube-controller-manager-minikube │   │ 1 │ 3 │ 8  │   │
    └─────────────┴──────────────────────────────────────┴───┴───┴───┴────┴───┘
    Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
    

    filtering by infra components:

    trivy k8s all --report=summary --namespace=kube-system --security-checks=config --components=infra
    34 / 34 [--------------------------------------------------------------------------------------------------------------------] 100.00% 4 p/s
    
    Summary Report for minikube
    ┌─────────────┬──────────────────────────────────────┬─────────────────────────────┐
    │  Namespace  │               Resource               │ Kubernetes Infra Assessment │
    │             │                                      ├────┬────┬────┬─────┬────────┤
    │             │                                      │ C  │ H  │ M  │ L   │   U    │
    ├─────────────┼──────────────────────────────────────┼────┼────┼────┼─────┼────────┤
    │ kube-system │ Pod/kube-scheduler-minikube          │    │    │    │ 1   │        │
    │ kube-system │ Pod/kube-apiserver-minikube          │    │    │ 1  │ 10  │        │
    │ kube-system │ Pod/kube-controller-manager-minikube │    │    │    │ 3   │        │
    └─────────────┴──────────────────────────────────────┴────┴────┴────┴─────┴────────┘
    Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
    
    

    Related issues

    • Close https://github.com/aquasecurity/trivy/issues/2766

    Remove this section if you don't have related PRs.

    Checklist

    • [x] I've read the guidelines for contributing to this repository.
    • [x] I've followed the conventions in the PR title.
    • [x] I've added tests that prove my fix is effective or that my feature works.
    • [x] I've updated the documentation with the relevant information (if needed).
    • [x] I've added usage information (if the PR introduces new options)
    • [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).
    opened by josedonizetti 23
  • feat(sbom): support third-party sboms

    feat(sbom): support third-party sboms

    Description

    Support Third-party SBOMs scanning.

    In this pull request, the source package information of the OS Package is used from the binary package, so vulnerabilities cannot be detected accurately.

    Related issues

    • Close #3081

    Checklist

    • [x] I've read the guidelines for contributing to this repository.
    • [x] I've followed the conventions in the PR title.
    • [x] I've added tests that prove my fix is effective or that my feature works.
    • [ ] I've updated the documentation with the relevant information (if needed).
    • [ ] I've added usage information (if the PR introduces new options)
    • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).
    opened by masahiro331 1
  • fix(sbom): duplicate dependson

    fix(sbom): duplicate dependson

    Description

    • Changed to avoid duplicate dependsOn.
    • Changed to create Application Component with RustBinary and GoBinary.

    Related issues

    • Close #3260

    Checklist

    • [x] I've read the guidelines for contributing to this repository.
    • [x] I've followed the conventions in the PR title.
    • [x] I've added tests that prove my fix is effective or that my feature works.
    • [ ] I've updated the documentation with the relevant information (if needed).
    • [ ] I've added usage information (if the PR introduces new options)
    • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).
    opened by masahiro331 0
  • Trivy is not generating compliant cyclonedx json

    Trivy is not generating compliant cyclonedx json

    Description

    It would be nice if trivy is continuously tested to generate compliant cyclonedx in json format.

    trivy image shiftleft/scan:latest -f cyclonedx --output trivy-bom.json
    cyclonedx validate --input-file trivy-bom.json --input-format json --input-version v1_4                                         
    Validating JSON BOM...
    Validation failed: Found duplicates at the following index pairs: "(8, 34), (9, 35), (12, 43), (12, 91), (18, 53), (18, 100), (18, 128), (42, 90), (43, 91), (53, 100), (53, 128), (57, 125), (60, 102), (65, 103), (68, 104), (69, 105), (71, 121), (76, 108), (82, 111), (88, 112), (94, 116), (99, 120), (100, 128), (1080, 1081)"
    #/properties/dependencies/items/$ref/properties/dependsOn/uniqueItems
    BOM is not valid.
    

    What did you expect to happen?

    cyclonedx cli based validation to succeed

    What happened instead?

    Output of run with -debug:

    Not relevant

    Output of trivy -v:

    trivy -v                                                                                                                      
    Version: 0.33.0
    Vulnerability DB:
      Version: 2
      UpdatedAt: 2022-12-01 12:08:24.329983324 +0000 UTC
      NextUpdate: 2022-12-01 18:08:24.329982924 +0000 UTC
      DownloadedAt: 2022-12-01 13:15:57.796196741 +0000 UTC
    

    Additional details (base image name, container registry info...):

    shiftleft/scan:latest

    Seems to be failing for most of the images tried.

    kind/bug 
    opened by prabhu 0
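    The constraint the validator fails on above is the CycloneDX schema's uniqueItems rule on each dependsOn array; as an added example (not Trivy's or cyclonedx-cli's code, and also illustrating the "fix(sbom): duplicate dependson" PR above), the following checks a BOM for that rule and repairs it by dropping the repeats. The BOM, its refs and the function names (find_duplicate_depends_on, dedupe_depends_on, validate_and_fix) are constructed here; the index pairs are reported as (first occurrence, repeat).

```python
"""Check a CycloneDX 1.4 JSON BOM for the rule the validator above fails on:
every `dependsOn` array must contain unique items
(#/properties/dependencies/items/$ref/properties/dependsOn/uniqueItems),
and repair it by removing the repeats."""
import json
from typing import Dict, List, Tuple

# Constructed sample BOM (not real Trivy output): the first dependency entry
# lists the same ref twice, which is the defect the validator reports.
SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "container", "name": "example/app:1.0",
                               "bom-ref": "pkg:oci/app@sha256:EXAMPLE"}},
    "components": [
        {"type": "library", "name": "libssl3", "version": "3.0.7-r0",
         "bom-ref": "pkg:apk/alpine/libssl3@3.0.7-r0"},
        {"type": "library", "name": "libcrypto3", "version": "3.0.7-r0",
         "bom-ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0"},
    ],
    "dependencies": [
        {"ref": "pkg:oci/app@sha256:EXAMPLE",
         "dependsOn": ["pkg:apk/alpine/libssl3@3.0.7-r0",
                       "pkg:apk/alpine/libcrypto3@3.0.7-r0",
                       "pkg:apk/alpine/libssl3@3.0.7-r0"]},  # repeat: violates uniqueItems
        {"ref": "pkg:apk/alpine/libssl3@3.0.7-r0",
         "dependsOn": ["pkg:apk/alpine/libcrypto3@3.0.7-r0"]},
    ],
})


def load_bom(bom_json: str) -> dict:
    """Parse a BOM document from its JSON text."""
    return json.loads(bom_json)


def find_duplicate_depends_on(bom: dict) -> Dict[str, List[Tuple[int, int]]]:
    """Map each offending dependency `ref` to its duplicate index pairs.

    Each pair is (index of first occurrence, index of the repeat), so the
    result points at exactly the positions that break the uniqueItems rule.
    An empty dict means the BOM's dependency graph passes this check.
    """
    problems: Dict[str, List[Tuple[int, int]]] = {}
    for dep in bom.get("dependencies", []):
        first_seen: Dict[str, int] = {}
        pairs: List[Tuple[int, int]] = []
        for idx, target in enumerate(dep.get("dependsOn", [])):
            if target in first_seen:
                pairs.append((first_seen[target], idx))
            else:
                first_seen[target] = idx
        if pairs:
            problems[dep["ref"]] = pairs
    return problems


def dedupe_depends_on(bom: dict) -> dict:
    """Return a deep copy with repeats removed from every dependsOn list.

    First-occurrence order is kept, so the dependency graph still encodes the
    same edges; only the redundant copies disappear. The input is not mutated.
    """
    fixed = json.loads(json.dumps(bom))  # deep copy via JSON round-trip
    for dep in fixed.get("dependencies", []):
        if "dependsOn" in dep:
            dep["dependsOn"] = list(dict.fromkeys(dep["dependsOn"]))
    return fixed


def validate_and_fix(bom_json: str) -> Tuple[dict, str]:
    """Parse a BOM, report any duplicate dependsOn entries, and return the
    repaired BOM together with its JSON text for a downstream consumer."""
    bom = load_bom(bom_json)
    for ref, pairs in find_duplicate_depends_on(bom).items():
        print(f"duplicate dependsOn under {ref}: {pairs}")
    fixed = dedupe_depends_on(bom)
    assert find_duplicate_depends_on(fixed) == {}, "repair must leave no duplicates"
    return fixed, json.dumps(fixed, indent=2)


if __name__ == "__main__":
    _, text = validate_and_fix(SAMPLE_BOM_JSON)
    print(text)
```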
  • Trivy filesystem scan failing for Windows os filesystem

    Trivy filesystem scan failing for Windows os filesystem

    Description

    Trivy filesystem scan failing for Windows filesystem.

    Trivy scan command:

    trivy --debug --insecure --security-checks vuln --cache-dir /home/ubuntu/cachedir fs --timeout 10m0s -f json -o result.json --list-all-pkgs /home/ubuntu/volume/
    

    Output of run with -debug:

    2022-12-02T06:14:26.466Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"] 
    2022-12-02T06:14:26.468Z	DEBUG	cache dir: /home/ubuntu/cachedir 
    2022-12-02T06:14:26.468Z	DEBUG	Skipping DB update... 
    2022-12-02T06:14:26.468Z	DEBUG	DB Schema: 2, UpdatedAt: 2022-12-02 06:07:11.026905187 +0000 UTC, NextUpdate: 2022-12-02 12:07:11.026904487 +0000 UTC, DownloadedAt: 2022-12-02 06:10:56.724306839 +0000 UTC 
    2022-12-02T06:14:26.469Z	INFO	Vulnerability scanning is enabled 
    2022-12-02T06:14:26.469Z	DEBUG	Vulnerability type:  [os library] 
    2022-12-02T06:15:22.383Z	FATAL	filesystem scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run         /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:374   
    - scan error:     github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact         /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:230   
    - scan failed:     github.com/aquasecurity/trivy/pkg/commands/artifact.scan         /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:544   
    - failed analysis:     github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact         /home/runner/work/trivy/trivy/pkg/scanner/scan.go:127   
    - walk filesystem:     github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect         /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:104   
    - walk error:     github.com/aquasecurity/trivy/pkg/fanal/walker.FS.Walk         /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:60   
    - unknown error with /home/ubuntu/volume:     github.com/aquasecurity/trivy/pkg/fanal/walker.FS.Walk.func2         /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:54  
    - unknown error with /home/ubuntu/volume/Windows:     github.com/aquasecurity/trivy/pkg/fanal/walker.FS.Walk.func2         /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:54  
    - unknown error with /home/ubuntu/volume/Windows/assembly:     github.com/aquasecurity/trivy/pkg/fanal/walker.FS.Walk.func2         /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:54  
    - unknown error with /home/ubuntu/volume/Windows/assembly/NativeImages_v4.0.30319_64:     github.com/aquasecurity/trivy/pkg/fanal/walker.FS.Walk.func2         /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:54   
    - unknown error with /home/ubuntu/volume/Windows/assembly/NativeImages_v4.0.30319_64/System.Serv759bfb78#:     github.com/aquasecurity/trivy/pkg/fanal/walker.FS.Walk.func2         /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:54
    - unknown error with /home/ubuntu/volume/Windows/assembly/NativeImages_v4.0.30319_64/System.Serv759bfb78#/065c68c5df73d6d3fe1af0c906703dcf:     github.com/aquasecurity/trivy/pkg/fanal/walker.FS.Walk.func2         /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:54
    - lstat /home/ubuntu/volume/Windows/assembly/NativeImages_v4.0.30319_64/System.Serv759bfb78#/065c68c5df73d6d3fe1af0c906703dcf/System.ServiceProcess.ni.dll: input/output error
    

    same issue on different fs: (all other call stack is same as above)

    - lstat /home/ubuntu/volume/ProgramData/Microsoft/Windows Defender/Platform/4.18.2011.5-0/bs-Latn-BA/mpuxagent.dll.mui: input/output error
    
    - lstat /home/ubuntu/volume/Program Files/WindowsApps/Microsoft.UI.Xaml.2.1_2.11906.6001.0_x64__8wekyb3d8bbwe/Microsoft.UI.Xaml.dll: input/output error
    

    Output of trivy -v:

    Version: 0.32.0

    Additional details (base image name, container registry info...):

    Base OS: Ubuntu 22.04 Jammy Jellyfish
    Filesystem being scanned: Windows (don't know exact version)
    I mount disk containing Windows OS on ubuntu and perform a filesystem scan.

    kind/bug 
    opened by nimish-salve 0
  • ksv106

    ksv106 "container should drop all" false positive

    Checklist

    • [X] I've read the documentation regarding wrong detection.
    • [X] I've confirmed that a security advisory in data sources was correct.
      • Run Trivy with -f json that shows data sources and make sure that the security advisory is correct.

    Description

    $ trivy config FILE.yaml on a K8s deployment file throws the following error despite a capabilities drop all directive being present.

    LOW: container should drop all
    ════════════════════════════════════════════════════════════════════════════════════════════════════════════
    Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
    
    See https://avd.aquasec.com/misconfig/ksv106
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────
     FILE.yaml:20-41
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────
      20 ┌       - name: REDACTEDext
      21 │         command:
      22 │         - "/extender"
      23 │         - "--cert=/REDACTED/cert/tls.crt"
      24 │         - "--key=/REDACTED/cert/tls.key"
      25 │         - "--cacert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
      26 │         - "--v=4"
      27 │         image: REDACTED
      28 └         imagePullPolicy: IfNotPresent
      ..
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────
    
    

    FILE.yaml

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: REDACTED
      namespace: default 
      labels:
        app: REDACTED
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: REDACTED
      template:
        metadata:
          labels:
            app: REDACTED
        spec:
          serviceAccountName: REDACTED-service-account
          containers:
          - name: REDACTEDext
            command:
            - "/extender"
            - "--cert=/REDACTED/cert/tls.crt"
            - "--key=/REDACTED/cert/tls.key"
            - "--cacert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
            - "--v=4"
            image: REDACTED
            imagePullPolicy: IfNotPresent
            securityContext:
              capabilities:
                drop:
                  - all
              readOnlyRootFilesystem: true
              runAsNonRoot: true
              runAsUser: 10001
              allowPrivilegeEscalation: false
              seccompProfile:
                type: RuntimeDefault
    ...
    

    JSON Output of run with -debug:

    $ trivy config deploy/FILE.yaml --debug
    2022-12-02T13:12:50.504Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
    2022-12-02T13:12:50.505Z        DEBUG   cache dir:  /home/user/.cache/trivy
    2022-12-02T13:12:50.505Z        INFO    Misconfiguration scanning is enabled
    2022-12-02T13:12:51.458Z        DEBUG   OS is not detected.
    2022-12-02T13:12:51.458Z        INFO    Detected config files: 1
    2022-12-02T13:12:51.458Z        DEBUG   Scanned config file: FILE.yaml
    
    

    Output of trivy -v:

    $ trivy -v
    Version: 0.34.0
    Vulnerability DB:
      Version: 2
      UpdatedAt: 2022-12-02 12:08:11.606948816 +0000 UTC
      NextUpdate: 2022-12-02 18:08:11.606948416 +0000 UTC
      DownloadedAt: 2022-12-02 12:36:13.855492637 +0000 UTC
    

    Additional details (base image name, container registry info...):

    kind/bug 
    opened by huornlmj 0
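    As an added example (not Trivy's policy code), the KSV106 rule quoted in the report, "drop ALL, add back at most NET_BIND_SERVICE", re-stated as a stand-alone check and run over the reporter's FILE.yaml, embedded as a parsed dict so no YAML library is needed. The function names (pod_spec_of, ksv106_violations, with_capabilities) and the case_insensitive switch are this example's own; the switch only shows how a strict, literal-ALL comparison would flag the lowercase `all` in the manifest, without claiming that is the cause of the report.

```python
"""Evaluate KSV106 ("container should drop all") over a Kubernetes workload.

The rule as the report states it: containers must drop ALL capabilities and
may only add back NET_BIND_SERVICE. This is an illustrative re-statement,
not Trivy's implementation of the policy."""
import copy
from typing import Dict, List

# Constructed: the reporter's FILE.yaml as it parses (REDACTED placeholders
# kept, unrelated fields trimmed), embedded so the example runs offline.
DEPLOYMENT: Dict = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "REDACTED", "namespace": "default"},
    "spec": {"replicas": 1, "template": {"spec": {
        "serviceAccountName": "REDACTED-service-account",
        "containers": [{
            "name": "REDACTEDext",
            "image": "REDACTED",
            "imagePullPolicy": "IfNotPresent",
            "securityContext": {
                "capabilities": {"drop": ["all"]},  # lowercase, as in the report
                "readOnlyRootFilesystem": True,
                "runAsNonRoot": True,
                "runAsUser": 10001,
                "allowPrivilegeEscalation": False,
                "seccompProfile": {"type": "RuntimeDefault"},
            },
        }],
    }}},
}

# The only capability KSV106 permits a container to add back.
ALLOWED_ADD = {"NET_BIND_SERVICE"}


def pod_spec_of(workload: dict) -> dict:
    """Locate the PodSpec: a bare Pod keeps it at .spec, controllers such as
    Deployment/DaemonSet/StatefulSet/Job at .spec.template.spec, and a
    CronJob at .spec.jobTemplate.spec.template.spec."""
    kind = workload.get("kind")
    if kind == "Pod":
        return workload["spec"]
    if kind == "CronJob":
        return workload["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return workload["spec"]["template"]["spec"]


def ksv106_violations(workload: dict, case_insensitive: bool = True) -> List[str]:
    """Return one message per container (initContainers included) that fails
    KSV106; an empty list means the workload passes.

    `case_insensitive` is an assumption of this example: when True, `all` and
    `ALL` both satisfy the drop requirement; when False only the literal `ALL`
    counts, which is how the reporter's manifest ends up flagged.
    """
    norm = (lambda s: str(s).upper()) if case_insensitive else str
    spec = pod_spec_of(workload)
    findings: List[str] = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        dropped = {norm(x) for x in caps.get("drop") or []}
        added = {norm(x) for x in caps.get("add") or []}
        if "ALL" not in dropped:
            findings.append(f"{c['name']}: does not drop ALL (drop={sorted(dropped)})")
        extra = added - ALLOWED_ADD
        if extra:
            findings.append(f"{c['name']}: adds back {sorted(extra)}")
    return findings


def with_capabilities(workload: dict, drop: List[str], add: List[str]) -> dict:
    """Return a copy of `workload` whose first container carries the given
    capabilities block; used to build variants of the manifest for testing."""
    w = copy.deepcopy(workload)
    first = pod_spec_of(w)["containers"][0]
    first.setdefault("securityContext", {})["capabilities"] = {"drop": drop, "add": add}
    return w


if __name__ == "__main__":
    for mode in (True, False):
        result = ksv106_violations(DEPLOYMENT, case_insensitive=mode) or ["pass"]
        print(f"case_insensitive={mode}: {result}")
```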
  • chore: update ubuntu version for GitHub action runners

    chore: update ubuntu version for GitHub action runners

    Description

    The Ubuntu-18.04 environment is deprecated now. It can lead to the build breaking: https://github.com/afdesk/sarif-test/actions/runs/3586988638

    Ubuntu 20.04 doesn't provide createrepo, so we have to use createrepo_c tool from Ubuntu 22.04.

    Checklist

    • [x] I've read the guidelines for contributing to this repository.
    • [x] I've followed the conventions in the PR title.
    • [ ] I've added tests that prove my fix is effective or that my feature works.
    • [ ] I've updated the documentation with the relevant information (if needed).
    • [ ] I've added usage information (if the PR introduces new options)
    • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).
    opened by afdesk 0
Releases(v0.35.0)
Owner
Aqua Security
Full lifecycle security for containers and cloud-native applications