Merge branch 'main' into defsec-refactor-update

aquasecurity · Oct 16, 2023 · 98864a7 · 98864a7
2 parents 97b85f5 + 57a1022
commit 98864a7
Show file tree

Hide file tree

Showing 38 changed files with 9,031 additions and 615 deletions.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -130,6 +130,15 @@ jobs:
     name: VM Integration Test
     runs-on: ubuntu-latest
     steps:
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@v8
+        with:
+          root-reserve-mb: 35840 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
+          remove-android: 'true'
+          remove-docker-images: 'true'
+          remove-dotnet: 'true'
+          remove-haskell: 'true'
+
       - name: Checkout
         uses: actions/[email protected]
 

diff --git a/contrib/asff.tpl b/contrib/asff.tpl
@@ -91,7 +91,7 @@
             "Severity": {
                 "Label": "{{ $severity }}"
             },
-            "Title": "Trivy found a misconfiguration in {{ $target }}: {{ .Title }}",
+            "Title": "Trivy found a misconfiguration in {{ $target }}: {{ escapeString .Title }}",
             "Description": {{ escapeString $description | printf "%q" }},
             "Remediation": {
                 "Recommendation": {

diff --git a/docs/docs/coverage/index.md b/docs/docs/coverage/index.md
@@ -5,4 +5,5 @@ For more detailed information about the specific platforms and languages, check
 
 - [OS Packages](os/index.md)
 - [Language-specific Packages](language/index.md)
-- [IaC files](iac/index.md)
+- [IaC files](iac/index.md)
+- [Kubernetes clusters](./kubernetes.md)
diff --git a/docs/docs/coverage/kubernetes.md b/docs/docs/coverage/kubernetes.md
@@ -0,0 +1,22 @@
+# Kubernetes
+
+When scanning a Kubernetes cluster, Trivy differentiates between the following:
+
+1. Cluster infrastructure (e.g api-server, kubelet, addons)
+1. Cluster configuration (e.g Roles, ClusterRoles). 
+1. Application workloads (e.g nginx, postgresql).
+
+Whenever Trivy scans either of these Kubernetes resources, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
+When scanning any of the above, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
+
+Container image is scanned for:
+- Vulnerabilities
+- Misconfigurations
+- Exposed secrets
+
+Kubernetes resource definition is scanned for:
+- Vulnerabilities - partially supported through [KBOM scanning](#KBOM)
+- Misconfigurations
+- Exposed secrets
+
+To learn more, please see the [documentation for Kubernetes scanning](../target/kubernetes.md)
diff --git a/docs/docs/scanner/vulnerability.md b/docs/docs/scanner/vulnerability.md
@@ -5,6 +5,9 @@ The following packages are supported.
 
 - [OS packages](#os-packages)
 - [Language-specific packages](#language-specific-packages)
+- [Kubernetes components (control plane, node and addons)](#kubernetes-components-control-plane-node-and-addons)
+
+Trivy also detects known vulnerabilities in Kubernetes components using KBOM (Kubernetes bill of Material) scanning. To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md#KBOM).
 
 ## OS Packages
 Trivy is capable of automatically detecting installed OS packages when scanning container images, VM images and running hosts.
@@ -98,6 +101,18 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 
+## Kubernetes
+
+Trivy can detect vulnerabilities in Kubernetes clusters and components.
+
+### Data Sources
+
+| Vendor        | Source                                      |
+| ------------- |---------------------------------------------|
+| Kubernetes    | [Kubernetes Official CVE feed][k8s-cve][^1] |
+
+[^1]: Some manual triage and correction has been made.
+
 ## Database
 Trivy downloads [the vulnerability database](https://github.com/aquasecurity/trivy-db) every 6 hours.
 Trivy uses two types of databases for vulnerability detection:
@@ -180,3 +195,5 @@ Currently, specifying a username and password is not supported.
 [rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
 
 [nvd]: https://nvd.nist.gov/vuln
+
+[k8s-cve]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
diff --git a/docs/docs/target/container_image.md b/docs/docs/target/container_image.md
@@ -171,13 +171,6 @@ See [here](../scanner/secret.md) for the detail.
 $ trivy image --image-config-scanners secret [YOUR_IMAGE_NAME]
 ```
 
-If you just want to scan the image config, you can disable scanners with `--scanners none`.
-For example:
-
-```shell
-$ trivy image --scanners none --image-config-scanners secret vuln-image
-```
-
 <details>
 <summary>Result</summary>