Comments (8)
Hi @chen-keinan, is there any update to this issue?
from trivy.
As discussed, the severity field will be removed from compliance reports, to match the CIS specifications.

There should be some indication of severities that tells us if there is any HIGH or CRITICAL finding that needs to be fixed. Without a severity, I am not sure what the significance would be of scanning a Kubernetes deployment or a pod using `trivy k8s -n prd --compliance=k8s-cis --report summary deployment/xxxx-pod`.

@chen-keinan, the summary report with severities is fine, as it displays the highest severity of the IaC checks within a particular control check. The real issue is with the detailed report (`report --all`) not displaying IaC checks mapped to their compliance control check.
As we now know that the severity filter works only on IaC checks and not on compliance control check severity, displaying the severity for each IaC check mapped to a compliance control check when you run the scan with `report --all` would fix the issue and make the most sense.

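The mapping discussed in this comment, as an added example that is not part of the thread or of trivy itself: it post-processes a constructed JSON report (the nesting of controls, scan results and misconfigurations is an assumption about the `--report all --format json` layout, and the check IDs are placeholders) to derive each control's worst failing IaC severity and filter controls by a threshold, which the CLI `--severity` flag does only at the IaC-check level.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample resembling a `trivy k8s cluster --compliance k8s-cis --report all
# --format json` report. The layout (controls -> scan results -> Misconfigurations
# with Severity/Status) is an assumption; check IDs CHK-* are placeholders.
SAMPLE_REPORT = json.dumps({
    "ID": "k8s-cis",
    "Results": [
        {"ID": "5.1.3", "Name": "Minimize wildcard use in Roles and ClusterRoles",
         "Results": [{"Target": "ClusterRole/admin", "Misconfigurations": [
             {"ID": "CHK-001", "Severity": "CRITICAL", "Status": "FAIL"},
             {"ID": "CHK-002", "Severity": "HIGH", "Status": "PASS"}]}]},
        {"ID": "5.2.2", "Name": "Minimize the admission of privileged containers",
         "Results": [{"Target": "Deployment/xxxx-pod", "Misconfigurations": [
             {"ID": "CHK-003", "Severity": "HIGH", "Status": "FAIL"}]}]},
        {"ID": "5.7.4", "Name": "The default namespace should not be used",
         "Results": [{"Target": "Pod/demo", "Misconfigurations": [
             {"ID": "CHK-004", "Severity": "MEDIUM", "Status": "FAIL"}]}]},
    ],
})


def failed_checks(control):
    """Yield (check id, severity, target) for each FAIL misconfiguration under a control."""
    for res in control.get("Results", []):
        for m in res.get("Misconfigurations", []):
            if m.get("Status") == "FAIL":
                yield m["ID"], m.get("Severity", "UNKNOWN"), res.get("Target", "")


def control_severity(control):
    """Highest severity among failing IaC checks, i.e. what the summary report shows."""
    sevs = [s for _, s, _ in failed_checks(control)]
    return max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0)) if sevs else None


def controls_at_or_above(report_json, threshold):
    """Map control id -> failing IaC checks at or above the threshold, keeping only
    controls whose worst failing check meets it (the per-control filter the CLI lacks)."""
    out = {}
    for ctl in json.loads(report_json)["Results"]:
        worst = control_severity(ctl)
        if worst and SEVERITY_RANK[worst] >= SEVERITY_RANK[threshold]:
            out[ctl["ID"]] = [c for c in failed_checks(ctl)
                              if SEVERITY_RANK.get(c[1], 0) >= SEVERITY_RANK[threshold]]
    return out


if __name__ == "__main__":
    for cid, checks in controls_at_or_above(SAMPLE_REPORT, "HIGH").items():
        print(cid, checks)
```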
@avaniicf following our discussion I came to the conclusion that adding severity to the compliance report is unnecessary and does not comply with the official CIS benchmark specs as shown.
IaC checks will still have severities; you can assess the cluster with the usual command and you'll get results which you can filter by severity:
`trivy k8s cluster --scanners config --severity HIGH`
However, the CIS compliance report IMHO should not include severities, as it causes confusion and does not comply with the CIS benchmark specifications.

Hi @chen-keinan, I understand your perspective of not using severity in compliance reports and how it aligns with the CIS benchmark specifications.
To clarify further:
- Are you suggesting a command like `trivy k8s deployment/xxxx-pod --scanners misconfig --severity HIGH -n dev` for scanning, as `--scanners config` is deprecated?
- Does scanning with `--scanners misconfig` include a comprehensive compliance check against the full set of CIS benchmarks, or does it focus primarily on detecting misconfigurations? Because our ultimate aim is to perform the compliance scan using the CIS benchmark (`--compliance=k8s-cis`).

@avaniicf `--scanners config` is the right way, but you'll have to execute it in cluster scope in order to get infra assessments:
`trivy k8s cluster --scanners config --report all --format json`
Or you can run it with the default scanners and you'll get vulns and secrets results as well:
`trivy k8s cluster --report all --format json`

@chen-keinan, okay, then what about my 2nd question in my previous reply:
Does scanning with `--scanners config` include a comprehensive compliance check against the full set of CIS benchmarks, or does it focus primarily on detecting misconfigurations?
Because our ultimate aim is to perform the compliance scan using the CIS benchmark (`--compliance=k8s-cis`).