Understanding #Trivy Scan Discrepancies in EKS Pods about trivy HOT 8 OPEN

Hi @chen-keinan, is there any update to this issue?

from trivy.

as discussed, the severity field will be removed from compliance reports. To match cis specifications

from trivy.

There should be some indication of severities that should tell us if there is any HIGH or a CRITICAL finding that needs to be fixed. Without a severity, I am not sure what would be the significance of scanning a kubernetes deployment or a pod using trivy k8s -n prd --compliance=k8s-cis --report summary deployment/xxxx-pod

from trivy.

@chen-keinan, the summary report with severities are fine as it displays the highest severity of the IaC checks within a particular control check. The real issue is with the detailed report (report --all) not displaying IaC checks mapped to their compliance control check.
As we now know that the severity filter works only on IaC checks and not on compliance control check severity, hence when you run the scan with report --all displaying the severity for each IaC checks mapped to a compliance control check would fix the issue and make the most sense.

from trivy.

@avaniicf following to our discussion I came to a conclusion that adding severity to compliance report is unnecessary and do not comply to official cis-benchmarks specs as shown.

IaC checks still will have severities and can be assess the cluster with the usual command and you'll get results which you can filter with severity :
trivy k8s cluster --scanners config --severity HIGH

however the compliance cis report IMHO should no include severities as it cause confusion and do not comply to cis-benchmark specifications

from trivy.

Hi @chen-keinan, I understand your perspective of not using severity in compliance reports and how it aligns with CIS benchmark specifications.

To clarify further-

1. Are you suggesting a command like trivy k8s deployment/xxxx-pod --scanners misconfig --severity HIGH -n dev for scanning as --scanners config is deprecated?

2. Does scanning with --scanners misconfig include a comprehensive compliance check against the full set of CIS benchmarks or does it focus primarily on detecting misconfigurations?
   Because our ultimate aim is to perform the compliance scan using the CIS benchmark (--compliance=k8s-cis).

from trivy.

@avaniicf --scanners config is the right way, but you'll have to execute it in a cluster scope. In order to get infra assessments

trivy k8s cluster --scannners config --report all --format json

Or you can run it with default scanners and youll get vulns and secrets results as well

trivy k8s cluster --report all --format json

from trivy.

@chen-keinan, okay then what about my 2nd question in my previous reply -

Does scanning with --scanners config include a comprehensive compliance check against the full set of CIS benchmarks or does it focus primarily on detecting misconfigurations?
Because our ultimate aim is to perform the compliance scan using the CIS benchmark (--compliance=k8s-cis).

from trivy.