forked from intel/intel-device-plugins-for-kubernetes
-
Notifications
You must be signed in to change notification settings - Fork 0
/
.trivyignore
27 lines (22 loc) · 1.12 KB
/
.trivyignore
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# Image user should not be ‘root’
# Running containers with ‘root’ user can lead to a container escape situation.
# It is a best practice to run containers as non-root users, which can be done by
# adding # a ‘USER’ statement to the Dockerfile.
AVD-DS-0002
# Privileged containers share namespaces with the host system and do not offer any security.
# They should be used exclusively for system containers that require high # privileges.
# initcontainers require privileged access
AVD-KSV-0017
# Do not allow privilege escalation from node proxy
# Check whether role permits privilege escalation from node proxy
# gpu plugin in kubelet mode requires "nodes/proxy" resource access
AVD-KSV-0047
# Do not allow update/create of a malicious pod
# Check whether role permits update/create of a malicious pod
# device plugin operator requires access to daemonset creation etc.
AVD-KSV-0048
# HostPath present many security risks and as a security practice it is better to avoid critical host paths mounts.
# Some plugins require access to various host paths
AVD-KSV-0121
# Ignore invalid "readOnlyRootFilesystem" detections
AVD-KSV-0014