
feat(misconf): Add support for inline ignore in helm charts #8198

Open
2 tasks done
simar7 opened this issue Jan 2, 2025 Discussed in #8128 · 0 comments
Labels: kind/feature (Categorizes issue or PR as related to a new feature), scan/misconfiguration (Issues relating to misconfiguration scanning)
Milestone: v0.59.0

Comments

simar7 (Member) commented Jan 2, 2025

Discussed in #8128

Originally posted by RangerRick December 18, 2024

Description

I have a false positive when doing a trivy config on a Helm chart directory, and I would like to ignore it (or for trivy to not detect it in the first place). As far as I can tell, there is no form of #trivy:ignore:XXXX that is accepted.

For example, I get this error:

templates/configmap-extra.yaml (helm)

Tests: 10 (SUCCESSES: 9, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-KSV-0109 (HIGH): ConfigMap 'netbox-enterprise-extra' in 'default' namespace stores secrets in key(s) or value(s) '{"password_validation.py"}'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Storing secrets in configMaps is unsafe

See https://avd.aquasec.com/misconfig/avd-ksv-0109

Inside the ConfigMap, the password_validation.py file looks like this; it is not storing any secrets, it's just a script that implements custom password validation in Django:

  password_validation.py: |-
    from django.core.exceptions import ValidationError
    from django.utils.translation import gettext as _
    import re

    class OWASPValidator:
      def __init__(self):
        # raw string: keeps "\1" a regex backreference instead of Python's octal escape for chr(1)
        self.owasp_regex = re.compile(r'^(?:(?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))(?!.*(.)\1{2,})[A-Za-z0-9!~<>,;:_=?*+#."&§%°()\|\[\]\{\}\-\$\^\@\/ ]{12,128}$')

      def validate(self, password, user=None):
        if not self.owasp_regex.match(password):
          raise ValidationError(
            _("Password must meet the current OWASP recommendation for complex passwords: 12 to 128 characters, requiring at least 3 out 4 of uppercase and lowercase letters, numbers and special characters, and no more than 2 equal characters in a row."),
            code="password_too_weak",
          )

      def get_help_text(self):
        return _(
          "Password must meet the current OWASP recommendation for complex passwords: 12 to 128 characters, requiring at least 3 out 4 of uppercase and lowercase letters, numbers and special characters, and no more than 2 equal characters in a row."
        )

I have tried putting #trivy:ignore:AVD-KSV-0109 at every line of this file, from above the password_validation.py: key to inside the Python script.

Desired Behavior

  • #trivy:ignore:* is at the very least honored at the level of an entire resource in a ConfigMap
  • ideally, #trivy:ignore:* would be honored inside the resource, depending on what it is (in this case, a python script)
  • ideally, when throwing an error about the contents of a ConfigMap, it would say what line the error is on, either within the resource in the ConfigMap or in the overall YAML file.

Actual Behavior

The false positive is always thrown.

Reproduction Steps

helm create test-trivy
cd test-trivy
cat <<'END' >templates/my-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap
data:
  password_validation.py: |-
    from django.core.exceptions import ValidationError
    from django.utils.translation import gettext as _
    import re

    class OWASPValidator:
      def __init__(self):
        # raw string: keeps "\1" a regex backreference instead of Python's octal escape for chr(1)
        self.owasp_regex = re.compile(r'^(?:(?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))(?!.*(.)\1{2,})[A-Za-z0-9!~<>,;:_=?*+#."&§%°()\|\[\]\{\}\-\$\^\@\/ ]{12,128}$')

      def validate(self, password, user=None):
        if not self.owasp_regex.match(password):
          raise ValidationError(
            _("Password must meet the current OWASP recommendation for complex passwords: 12 to 128 characters, requiring at least 3 out 4 of uppercase and lowercase letters, numbers and special characters, and no more than 2 equal characters in a row."),
            code="password_too_weak",
          )

      def get_help_text(self):
        return _(
          "Password must meet the current OWASP recommendation for complex passwords: 12 to 128 characters, requiring at least 3 out 4 of uppercase and lowercase letters, numbers and special characters, and no more than 2 equal characters in a row."
        )
END

Target: Filesystem
Scanner: Misconfiguration
Output Format: Table
Mode: Standalone

Debug Output

$ trivy config . --debug
2024-12-18T10:52:48-05:00	DEBUG	No plugins loaded
2024-12-18T10:52:48-05:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-12-18T10:52:48-05:00	DEBUG	Cache dir	dir="/Users/ranger/Library/Caches/trivy"
2024-12-18T10:52:48-05:00	DEBUG	Cache dir	dir="/Users/ranger/Library/Caches/trivy"
2024-12-18T10:52:48-05:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-12-18T10:52:48-05:00	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-18T10:52:48-05:00	DEBUG	[misconfig] Checks successfully loaded from disk
2024-12-18T10:52:48-05:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-12-18T10:52:48-05:00	DEBUG	Initializing scan cache...	type="memory"
2024-12-18T10:52:48-05:00	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Helm"
2024-12-18T10:52:49-05:00	DEBUG	[rego] Overriding filesystem for checks
2024-12-18T10:52:49-05:00	DEBUG	[rego] Embedded libraries are loaded	count=15
2024-12-18T10:52:49-05:00	DEBUG	[rego] Embedded checks are loaded	count=511
2024-12-18T10:52:49-05:00	DEBUG	[rego] Checks from disk are loaded	count=526
2024-12-18T10:52:49-05:00	DEBUG	[rego] Overriding filesystem for data
2024-12-18T10:52:49-05:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/serviceaccount.yaml"
2024-12-18T10:52:49-05:00	DEBUG	[rego] Scanning inputs	count=1
2024-12-18T10:52:49-05:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/my-configmap.yaml"
2024-12-18T10:52:49-05:00	DEBUG	[rego] Scanning inputs	count=1
2024-12-18T10:52:49-05:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/service.yaml"
2024-12-18T10:52:49-05:00	DEBUG	[rego] Scanning inputs	count=1
2024-12-18T10:52:49-05:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/deployment.yaml"
2024-12-18T10:52:49-05:00	DEBUG	[rego] Scanning inputs	count=1
2024-12-18T10:52:49-05:00	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Kubernetes"
2024-12-18T10:52:49-05:00	DEBUG	[rego] Overriding filesystem for checks
2024-12-18T10:52:49-05:00	DEBUG	[rego] Embedded libraries are loaded	count=15
2024-12-18T10:52:49-05:00	DEBUG	[rego] Embedded checks are loaded	count=511
2024-12-18T10:52:49-05:00	DEBUG	[rego] Checks from disk are loaded	count=526
2024-12-18T10:52:49-05:00	DEBUG	[rego] Overriding filesystem for data
2024-12-18T10:52:49-05:00	DEBUG	[kubernetes scanner] Scanning files...	count=1
2024-12-18T10:52:49-05:00	DEBUG	[rego] Scanning inputs	count=1
2024-12-18T10:52:49-05:00	DEBUG	OS is not detected.
2024-12-18T10:52:49-05:00	INFO	Detected config files	num=4
2024-12-18T10:52:49-05:00	DEBUG	Scanned config file	file_path="templates/my-configmap.yaml"
2024-12-18T10:52:49-05:00	DEBUG	Scanned config file	file_path="templates/service.yaml"
2024-12-18T10:52:49-05:00	DEBUG	Scanned config file	file_path="templates/serviceaccount.yaml"
2024-12-18T10:52:49-05:00	DEBUG	Scanned config file	file_path="templates/deployment.yaml"
2024-12-18T10:52:49-05:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2024-12-18T10:52:49-05:00	DEBUG	[vex] VEX filtering is disabled

templates/deployment.yaml (helm)

Tests: 93 (SUCCESSES: 79, FAILURES: 14)
Failures: 14 (UNKNOWN: 0, LOW: 9, MEDIUM: 4, HIGH: 1, CRITICAL: 0)

AVD-KSV-0001 (MEDIUM): Container 'test-helm' of Deployment 'test-helm' should set 'securityContext.allowPrivilegeEscalation' to false
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.

See https://avd.aquasec.com/misconfig/ksv001
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/deployment.yaml:31-49
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31 ┌         - name: test-helm
  32 │           securityContext:
  33 │             {}
  34 │           image: "nginx:1.16.0"
  35 │           imagePullPolicy: IfNotPresent
  36 │           ports:
  37 │             - name: http
  38 │               containerPort: 80
  39 └               protocol: TCP
  ..
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0003 (LOW): Container 'test-helm' of Deployment 'test-helm' should add 'ALL' to 'securityContext.capabilities.drop'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The container should drop all default capabilities and add only those that are needed for its execution.

See https://avd.aquasec.com/misconfig/ksv003
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/deployment.yaml:31-49
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31 ┌         - name: test-helm
  32 │           securityContext:
  33 │             {}
  34 │           image: "nginx:1.16.0"
  35 │           imagePullPolicy: IfNotPresent
  36 │           ports:
  37 │             - name: http
  38 │               containerPort: 80
  39 └               protocol: TCP
  ..
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0011 (LOW): Container 'test-helm' of Deployment 'test-helm' should set 'resources.limits.cpu'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Enforcing CPU limits prevents DoS via resource exhaustion.

See https://avd.aquasec.com/misconfig/ksv011
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/deployment.yaml:31-49
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31 ┌         - name: test-helm
  32 │           securityContext:
  33 │             {}
  34 │           image: "nginx:1.16.0"
  35 │           imagePullPolicy: IfNotPresent
  36 │           ports:
  37 │             - name: http
  38 │               containerPort: 80
  39 └               protocol: TCP
  ..
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0012 (MEDIUM): Container 'test-helm' of Deployment 'test-helm' should set 'securityContext.runAsNonRoot' to true
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Force the running image to run as a non-root user to ensure least privileges.

See https://avd.aquasec.com/misconfig/ksv012
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/deployment.yaml:31-49
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31 ┌         - name: test-helm
  32 │           securityContext:
  33 │             {}
  34 │           image: "nginx:1.16.0"
  35 │           imagePullPolicy: IfNotPresent
  36 │           ports:
  37 │             - name: http
  38 │               containerPort: 80
  39 └               protocol: TCP
  ..
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0014 (HIGH): Container 'test-helm' of Deployment 'test-helm' should set 'securityContext.readOnlyRootFilesystem' to true
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.

See https://avd.aquasec.com/misconfig/ksv014
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/deployment.yaml:31-49
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31 ┌         - name: test-helm
  32 │           securityContext:
  33 │             {}
  34 │           image: "nginx:1.16.0"
  35 │           imagePullPolicy: IfNotPresent
  36 │           ports:
  37 │             - name: http
  38 │               containerPort: 80
  39 └               protocol: TCP
  ..
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0015 (LOW): Container 'test-helm' of Deployment 'test-helm' should set 'resources.requests.cpu'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.

See https://avd.aquasec.com/misconfig/ksv015
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/deployment.yaml:31-49
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31 ┌         - name: test-helm
  32 │           securityContext:
  33 │             {}
  34 │           image: "nginx:1.16.0"
  35 │           imagePullPolicy: IfNotPresent
  36 │           ports:
  37 │             - name: http
  38 │               containerPort: 80
  39 └               protocol: TCP
  ..
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0016 (LOW): Container 'test-helm' of Deployment 'test-helm' should set 'resources.requests.memory'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.

See https://avd.aquasec.com/misconfig/ksv016
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/deployment.yaml:31-49
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31 ┌         - name: test-helm
  32 │           securityContext:
  33 │             {}
  34 │           image: "nginx:1.16.0"
  35 │           imagePullPolicy: IfNotPresent
  36 │           ports:
  37 │             - name: http
  38 │               containerPort: 80
  39 └               protocol: TCP
  ..
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0018 (LOW): Container 'test-helm' of Deployment 'test-helm' should set 'resources.limits.memory'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Enforcing memory limits prevents DoS via resource exhaustion.

See https://avd.aquasec.com/misconfig/ksv018
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/deployment.yaml:31-49
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31 ┌         - name: test-helm
  32 │           securityContext:
  33 │             {}
  34 │           image: "nginx:1.16.0"
  35 │           imagePullPolicy: IfNotPresent
  36 │           ports:
  37 │             - name: http
  38 │               containerPort: 80
  39 └               protocol: TCP
  ..
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0020 (LOW): Container 'test-helm' of Deployment 'test-helm' should set 'securityContext.runAsUser' > 10000
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.

See https://avd.aquasec.com/misconfig/ksv020
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/deployment.yaml:31-49
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31 ┌         - name: test-helm
  32 │           securityContext:
  33 │             {}
  34 │           image: "nginx:1.16.0"
  35 │           imagePullPolicy: IfNotPresent
  36 │           ports:
  37 │             - name: http
  38 │               containerPort: 80
  39 └               protocol: TCP
  ..
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0021 (LOW): Container 'test-helm' of Deployment 'test-helm' should set 'securityContext.runAsGroup' > 10000
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.

See https://avd.aquasec.com/misconfig/ksv021
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/deployment.yaml:31-49
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31 ┌         - name: test-helm
  32 │           securityContext:
  33 │             {}
  34 │           image: "nginx:1.16.0"
  35 │           imagePullPolicy: IfNotPresent
  36 │           ports:
  37 │             - name: http
  38 │               containerPort: 80
  39 └               protocol: TCP
  ..
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0030 (LOW): Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.

See https://avd.aquasec.com/misconfig/ksv030
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/deployment.yaml:31-49
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31 ┌         - name: test-helm
  32 │           securityContext:
  33 │             {}
  34 │           image: "nginx:1.16.0"
  35 │           imagePullPolicy: IfNotPresent
  36 │           ports:
  37 │             - name: http
  38 │               containerPort: 80
  39 └               protocol: TCP
  ..
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0104 (MEDIUM): container "test-helm" of deployment "test-helm" in "default" namespace should specify a seccomp profile
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
A program inside the container can bypass Seccomp protection policies.

See https://avd.aquasec.com/misconfig/ksv104
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0106 (LOW): container should drop all
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.

See https://avd.aquasec.com/misconfig/ksv106
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/deployment.yaml:31-49
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31 ┌         - name: test-helm
  32 │           securityContext:
  33 │             {}
  34 │           image: "nginx:1.16.0"
  35 │           imagePullPolicy: IfNotPresent
  36 │           ports:
  37 │             - name: http
  38 │               containerPort: 80
  39 └               protocol: TCP
  ..
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-KSV-0117 (MEDIUM): deployment test-helm in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.

See https://avd.aquasec.com/misconfig/ksv117
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────



templates/my-configmap.yaml (kubernetes)

Tests: 61 (SUCCESSES: 60, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

AVD-KSV-0109 (HIGH): ConfigMap 'my-configmap' in 'default' namespace stores secrets in key(s) or value(s) '{"password_validation.py"}'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Storing secrets in configMaps is unsafe

See https://avd.aquasec.com/misconfig/avd-ksv-0109
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Operating System: macOS Sequoia 15.2

Version

$ trivy --version
Version: 0.58.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-12-16 18:16:32.001191451 +0000 UTC
  NextUpdate: 2024-12-17 18:16:32.00119108 +0000 UTC
  DownloadedAt: 2024-12-16 20:16:04.823253 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-05-01 01:02:50.899807065 +0000 UTC
  NextUpdate: 2024-05-04 01:02:50.899806895 +0000 UTC
  DownloadedAt: 2024-05-01 16:54:52.772235 +0000 UTC
Check Bundle:
  Digest: sha256:f6901e03f486a48f47aa17a78d89d18e6c31ded82aff83ed19d0d73935a1a059
  DownloadedAt: 2024-12-18 15:51:23.643375 +0000 UTC

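Added example, not code from the issue or from Trivy: the OWASPValidator regex from the ConfigMap above compiled two ways, as a raw string and as the string Python produces from a plain (non-raw) literal, run over constructed sample passwords. It shows why the raw string matters for the validator shipped in the chart: in a plain literal `\1` is an octal escape for chr(1), so the "no more than 2 equal characters in a row" rule is silently never enforced.

```python
import re

# Regex body copied verbatim from the OWASPValidator in the issue's ConfigMap.
# As a raw string, "\1" reaches the re module as a backreference to group 1,
# which is what the "no more than 2 equal characters in a row" rule needs.
OWASP_PATTERN = r'^(?:(?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))(?!.*(.)\1{2,})[A-Za-z0-9!~<>,;:_=?*+#."&§%°()\|\[\]\{\}\-\$\^\@\/ ]{12,128}$'

# What Python makes of the same text in a plain (non-raw) string literal: unknown
# escapes such as \d, \[ or \$ are passed through unchanged, but \1 is the octal
# escape for chr(1), so the lookahead becomes (?!.*(.)\x01{2,}) and never fires.
AS_PLAIN_LITERAL = OWASP_PATTERN.replace(r'\1', '\x01')

RAW_STRING_VALIDATOR = re.compile(OWASP_PATTERN)
PLAIN_LITERAL_VALIDATOR = re.compile(AS_PLAIN_LITERAL)


def password_accepted(password: str, validator: re.Pattern = RAW_STRING_VALIDATOR) -> bool:
    """Mirror OWASPValidator.validate(): the password is accepted iff the regex matches."""
    return validator.match(password) is not None


def repeat_rule_enforced(validator: re.Pattern) -> bool:
    """True if the validator rejects a password containing three equal characters in a row."""
    # Constructed sample: satisfies length and 3-of-4 class rules, but contains "sss".
    return not password_accepted("Passsword-2024", validator)


def compare_validators(samples):
    """Return {password: (raw_string_result, plain_literal_result)} for the given samples."""
    return {
        pw: (password_accepted(pw, RAW_STRING_VALIDATOR),
             password_accepted(pw, PLAIN_LITERAL_VALIDATOR))
        for pw in samples
    }


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the issue.
    samples = [
        "Correct-Horse-9",   # 3 of 4 classes, no run of 3 equal chars: accepted by both
        "Passsword-2024",    # run of three 's': only the raw-string validator rejects it
        "lowercase1234",     # only 2 of 4 classes: rejected by both
        "Ab1!",              # too short: rejected by both
    ]
    for pw, (raw_ok, plain_ok) in compare_validators(samples).items():
        print(f"{pw!r:20} raw-string: {raw_ok!s:5} plain-literal: {plain_ok!s:5}")
    print("repeat rule enforced (raw string):   ", repeat_rule_enforced(RAW_STRING_VALIDATOR))
    print("repeat rule enforced (plain literal):", repeat_rule_enforced(PLAIN_LITERAL_VALIDATOR))
```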

@simar7 simar7 added kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning labels Jan 2, 2025
@simar7 simar7 added this to the v0.59.0 milestone Jan 2, 2025