Skip to content

Commit

Permalink
docs: k8s vulnerability scanning (#5515)
Browse files Browse the repository at this point in the history
Signed-off-by: chenk <hen.keinan@gmail.com>
  • Loading branch information
chen-keinan authored Nov 6, 2023
1 parent fdb3a15 commit 46f1b9e
Show file tree
Hide file tree
Showing 2 changed files with 81 additions and 35 deletions.
58 changes: 50 additions & 8 deletions docs/docs/target/kubernetes.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,12 +15,14 @@ When scanning a Kubernetes cluster, Trivy differentiates between the following:
When scanning any of the above, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.

Container image is scanned for:

- Vulnerabilities
- Misconfigurations
- Exposed secrets

Kubernetes resource definition is scanned for:
- Vulnerabilities - partially supported through [KBOM scanning](#KBOM)

- Vulnerabilities (Open Source Libraries, Control Plane and Node Components)
- Misconfigurations
- Exposed secrets

Expand Down Expand Up @@ -73,6 +75,33 @@ You can exclude specific nodes from the scan using the `--exclude-nodes` flag, w
trivy k8s cluster --report summary --exclude-nodes kubernetes.io/arch:arm6
```

## Control Plane and Node Components Vulnerability Scanning

Trivy is capable of discovering Kubernetes control plane (apiserver, controller-manager and etc) and node components(kubelet, kube-proxy and etc), matching them against the [official Kubernetes vulnerability database feed](https://github.com/aquasecurity/vuln-list-k8s), and reporting any vulnerabilities it finds


```
trivy k8s cluster --scanners vuln --report all
NodeComponents/kind-control-plane (kubernetes)
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2023-2431 │ LOW │ fixed │ 1.21.1 │ 1.24.14, 1.25.10, 1.26.5, 1.27.2 │ Bypass of seccomp profile enforcement │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2431 │
│ ├────────────────┼──────────┤ │ ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│ │ CVE-2021-25741 │ HIGH │ │ │ 1.19.16, 1.20.11, 1.21.5, 1.22.1 │ Symlink exchange can allow host filesystem access │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25741 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│ │ CVE-2021-25749 │ │ │ │ 1.22.14, 1.23.11, 1.24.5 │ runAsNonRoot logic bypass for Windows containers │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25749 │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘
```


### Components types

You can control what kinds of components are discovered using the `--components` flag:
Expand Down Expand Up @@ -288,25 +317,33 @@ Examples:
Scan the cluster for Kubernetes Pod Security Standards Baseline compliance:

```
trivy k8s cluster --compliance=k8s-pss-baseline --report summary
$ trivy k8s cluster --compliance=k8s-pss-baseline --report summary
```

Get the detailed report for checks:

```
trivy k8s cluster --compliance=k8s-cis --report all
$ trivy k8s cluster --compliance=k8s-cis --report all
```

Get summary report in JSON format:

```
trivy k8s cluster --compliance=k8s-cis --report summary --format json
$ trivy k8s cluster --compliance=k8s-cis --report summary --format json
```

Get detailed report in JSON format:

```
trivy k8s cluster --compliance=k8s-cis --report all --format json
$ trivy k8s cluster --compliance=k8s-cis --report all --format json
```

## KBOM
Expand All @@ -317,19 +354,24 @@ For more background on KBOM, see [here](https://blog.aquasec.com/introducing-kbo
Trivy can generate KBOM in CycloneDX format:

```sh
trivy k8s cluster --format cyclonedx --output mykbom.cdx.json

$ trivy k8s cluster --format cyclonedx --output mykbom.cdx.json

```

Trivy can also scan that generated KBOM (or any SBOM) for vulnerabilities:

```sh
trivy sbom mykbom.cdx.json

$ trivy sbom mykbom.cdx.json

```

<details>
<summary>Result</summary>

```
```sh

2023-09-28T22:52:25.707+0300 INFO Vulnerability scanning is enabled
2023-09-28T22:52:25.707+0300 INFO Detected SBOM format: cyclonedx-json
2023-09-28T22:52:25.717+0300 WARN No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
Expand Down
58 changes: 31 additions & 27 deletions docs/docs/target/sbom.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
# SBOM scanning

Trivy can take the following SBOM formats as an input and scan for vulnerabilities.

- CycloneDX
Expand All @@ -11,25 +12,28 @@ To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.
The input format is automatically detected.

```bash

$ trivy sbom /path/to/sbom_file

```

!!! note
Passing SBOMs generated by tool other than Trivy may result in inaccurate detection
Passing SBOMs generated by tool other than Trivy may result in inaccurate detection
because Trivy relies on custom properties in SBOM for accurate scanning.

## CycloneDX

Trivy supports CycloneDX as an input.

!!! note
CycloneDX XML is not supported at the moment.


```bash
$ trivy sbom /path/to/cyclonedx.json
```

## SPDX

Trivy supports the SPDX SBOM as an input.

The following SPDX formats are supported:
Expand Down Expand Up @@ -113,28 +117,28 @@ Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

To read more about KBOM, see the [documentation for Kubernetes scanning](./kubernetes.md#KBOM).

```shell
$ trivy k8s --format cyclonedx cluster -o kbom.json
$ trivy sbom kbom.json
2023-09-28T22:52:25.707+0300 INFO Vulnerability scanning is enabled
2023-09-28T22:52:25.707+0300 INFO Detected SBOM format: cyclonedx-json
2023-09-28T22:52:25.717+0300 WARN No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2023-09-28T22:52:25.717+0300 WARN e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
2023-09-28T22:52:25.717+0300 INFO Detected OS: debian gnu/linux
2023-09-28T22:52:25.717+0300 WARN unsupported os : debian gnu/linux
2023-09-28T22:52:25.717+0300 INFO Number of language-specific files: 3
2023-09-28T22:52:25.717+0300 INFO Detecting kubernetes vulnerabilities...
2023-09-28T22:52:25.718+0300 INFO Detecting gobinary vulnerabilities...
Kubernetes (kubernetes)
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────────────────────┬──────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version Title
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────────────────────┼──────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2021-25749 │ HIGH │ fixed │ 1.24.0 │ 1.22.14, 1.23.11, 1.24.5 │ runAsNonRoot logic bypass for Windows containers │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25749 │
│ ├────────────────┼──────────┤ │ ├────────────────────────────────┼──────────────────────────────────────────────────┤
│ │ CVE-2023-2431 │ LOW │ │ │ 1.24.14, 1.25.9, 1.26.4, 1.27.1 │ Bypass of seccomp profile enforcement │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2431 │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────────────────────┴──────────────────────────────────────────────────┘
```
```sh

$ trivy k8s --format cyclonedx cluster -o kbom.json
$ trivy sbom kbom.json
2023-09-28T22:52:25.707+0300 INFO Vulnerability scanning is enabled
2023-09-28T22:52:25.717+0300 INFO Number of language-specific files: 3
2023-09-28T22:52:25.717+0300 INFO Detecting kubernetes vulnerabilities...
2023-09-28T22:52:25.718+0300 INFO Detecting gobinary vulnerabilities...

Kubernetes (kubernetes)

Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)


┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────────────────────┬──────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────────────────────┼──────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2021-25749 │ HIGH │ fixed │ 1.24.0 │ 1.22.14, 1.23.11, 1.24.5 │ runAsNonRoot logic bypass for Windows containers │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25749 │
│ ├────────────────┼──────────┤ │ ├────────────────────────────────┼──────────────────────────────────────────────────┤
│ │ CVE-2023-2431 │ LOW │ │ │1.24.14, 1.25.9, 1.26.4, 1.27.1 │ Bypass of seccomp profile enforcement │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2431 │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────────────────────┴──────────────────────────────────────────────────┘

```

0 comments on commit 46f1b9e

Please sign in to comment.