bug(helm): sometimes the report does not contain a code #5931

Closed
nikpivkin opened this issue Jan 12, 2024 · 0 comments · Fixed by aquasecurity/trivy-iac#75
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning

@nikpivkin (Contributor)

In this example, the Helm chart contains two templates. On scanning, the report will not contain the code of the findings for the deployment.yaml file. But deleting the manifest.yaml file solves the problem.

Code

File tree:

.
├── Chart.yaml
└── templates
    ├── deployment.yaml
    └── manifest.yaml

2 directories, 4 files

deployment.yaml:

apiVersion: apps/v1
kind: Deployment
spec:
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: test:latest
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 80

manifest.yaml:

apiVersion: apps/v1
kind: Deployment

Chart.yaml:

apiVersion: v2
name: test
description: A Helm chart for Kubernetes
type: application
version: 0.1.0
appVersion: "1.16.0"

Output:

Output with manifest.yaml:

templates/deployment.yaml (helm)

Tests: 152 (SUCCESSES: 150, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.

See https://avd.aquasec.com/misconfig/ksv030
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: container should drop all
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.

See https://avd.aquasec.com/misconfig/ksv106
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Output without manifest.yaml:

templates/deployment.yaml (helm)

Tests: 152 (SUCCESSES: 150, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.

See https://avd.aquasec.com/misconfig/ksv030
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/deployment.yaml:14-21
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  14 ┌       - name: myapp
  15 │         image: test:latest
  16 │         resources:
  17 │           limits:
  18 │             memory: "128Mi"
  19 │             cpu: "500m"
  20 │         ports:
  21 └         - containerPort: 80
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: container should drop all
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.

See https://avd.aquasec.com/misconfig/ksv106
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/deployment.yaml:14-21
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  14 ┌       - name: myapp
  15 │         image: test:latest
  16 │         resources:
  17 │           limits:
  18 │             memory: "128Mi"
  19 │             cpu: "500m"
  20 │         ports:
  21 └         - containerPort: 80
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
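The symptom above (a FAIL finding whose code block is missing from the table output) is easy to miss when reports are consumed by machines rather than read. The following check, added here as an example and not part of the issue or of Trivy's own code, walks a `trivy config --format json` style report and lists every failed misconfiguration that carries no source lines, so a CI gate can refuse a report that hit this bug. The `Results[].Misconfigurations[].CauseMetadata.Code.Lines` layout and the `Status` values `FAIL`/`PASS` are assumed from Trivy's JSON report format; the sample report is constructed to mirror the two runs in the issue.

```python
import json

# Constructed sample shaped like the Results[].Misconfigurations[] part of a
# `trivy config --format json` report (assumed field layout, not real output).
# Both findings are on templates/deployment.yaml; KSV030 still carries its
# code snippet, KSV106 has lost it, as happens when manifest.yaml is present.
SAMPLE_REPORT_JSON = """
{
  "Results": [
    {
      "Target": "templates/deployment.yaml",
      "Class": "config",
      "Type": "helm",
      "Misconfigurations": [
        {
          "ID": "KSV030",
          "Severity": "LOW",
          "Status": "FAIL",
          "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'",
          "CauseMetadata": {
            "StartLine": 14,
            "EndLine": 21,
            "Code": {
              "Lines": [
                {"Number": 14, "Content": "      - name: myapp", "IsCause": true},
                {"Number": 15, "Content": "        image: test:latest", "IsCause": true},
                {"Number": 21, "Content": "        - containerPort: 80", "IsCause": true}
              ]
            }
          }
        },
        {
          "ID": "KSV106",
          "Severity": "LOW",
          "Status": "FAIL",
          "Message": "container should drop all",
          "CauseMetadata": {"StartLine": 0, "EndLine": 0, "Code": {"Lines": []}}
        },
        {
          "ID": "KSV001",
          "Severity": "MEDIUM",
          "Status": "PASS",
          "Message": "privilege escalation is disallowed"
        }
      ]
    }
  ]
}
"""


def load_sample():
    """Parse the constructed sample report into a dict."""
    return json.loads(SAMPLE_REPORT_JSON)


def findings_missing_code(report):
    """Return (target, rule id) for every failed misconfiguration whose
    CauseMetadata carries no source lines.

    PASS results legitimately have no snippet and are skipped; a FAIL
    without one is exactly the symptom reported in this issue."""
    missing = []
    for result in report.get("Results", []):
        target = result.get("Target", "<unknown>")
        for finding in result.get("Misconfigurations", []):
            if finding.get("Status") != "FAIL":
                continue
            lines = finding.get("CauseMetadata", {}).get("Code", {}).get("Lines", [])
            if not lines:
                missing.append((target, finding.get("ID", "<no id>")))
    return missing


def render_snippet(finding):
    """Rebuild the `start-end` header plus numbered listing that Trivy's
    table output prints for a finding; returns '' when there is no code."""
    meta = finding.get("CauseMetadata", {})
    lines = meta.get("Code", {}).get("Lines", [])
    if not lines:
        return ""
    header = "%d-%d" % (meta["StartLine"], meta["EndLine"])
    body = "\n".join("%4d  %s" % (ln["Number"], ln["Content"]) for ln in lines)
    return header + "\n" + body


if __name__ == "__main__":
    report = load_sample()
    for target, rule in findings_missing_code(report):
        print("no code snippet for FAIL finding: %s %s" % (target, rule))
    print(render_snippet(report["Results"][0]["Misconfigurations"][0]))
```

Run it against a real report with `trivy config --format json -o report.json <chart>` and `json.load(open("report.json"))` in place of `load_sample()`; a non-empty result from `findings_missing_code` is the signal that a snippet was dropped, which on the chart above shows up only while manifest.yaml is present.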
@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Jan 12, 2024
@simar7 simar7 added this to the v0.49.0 milestone Jan 13, 2024