Misconfiguration Scanning of Container Images Unclear

[AnaisUrlichs]

Description

In the documentation: https://aquasecurity.github.io/trivy/v0.48/docs/target/container_image/#misconfigurations_1
We state that "The image config is converted into Dockerfile and Trivy handles it as Dockerfile"
However, the command provided is slightlighty wrong:
Command in the docs:
$ trivy image --image-config-scanners config [YOUR_IMAGE_NAME]

But that throws the following error:
2024-01-19T08:39:36.516Z FATAL invalid argument "config" for "--image-config-scanners" flag: must be one of ["misconfig" "secret"]

First issue:
Using misconfig instead of config works but does not make much sense from a user experience perspective because we use config for all misconfiguration scanning.

Second issue:
I tried to scan different container images but am never shown any misconfiguration incl. the container image that has been used in the docs:
trivy image --image-config-scanners misconfig alpine:3.17

Am I missing something?

Desired Behavior

I would
1st like to use the --image-config-scanners config instead of --image-config-scanners misconfig
2nd I would like to see the misconfiguration of my container image

Actual Behavior

I don't see it

Reproduction Steps

The commands are provided above

Target

Container Image

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Debug Output

❯ trivy image --image-config-scanners misconfig --debug alpine:3.17         

2024-01-19T08:45:10.993Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-19T08:45:10.993Z	DEBUG	Ignore statuses	{"statuses": null}
2024-01-19T08:45:11.009Z	DEBUG	cache dir:  /Users/anaisurlichs/Library/Caches/trivy
2024-01-19T08:45:11.010Z	DEBUG	DB update was skipped because the local DB is the latest
2024-01-19T08:45:11.010Z	DEBUG	DB Schema: 2, UpdatedAt: 2024-01-19 06:12:58.552061233 +0000 UTC, NextUpdate: 2024-01-19 12:12:58.552060411 +0000 UTC, DownloadedAt: 2024-01-19 08:13:24.837449 +0000 UTC
2024-01-19T08:45:11.010Z	INFO	Container image config scanners: ["misconfig"]
2024-01-19T08:45:11.010Z	INFO	Vulnerability scanning is enabled
2024-01-19T08:45:11.010Z	DEBUG	Vulnerability type:  [os library]
2024-01-19T08:45:11.010Z	INFO	Misconfiguration scanning is enabled
2024-01-19T08:45:11.011Z	DEBUG	Policies successfully loaded from disk
2024-01-19T08:45:11.011Z	INFO	Secret scanning is enabled
2024-01-19T08:45:11.011Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-19T08:45:11.011Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-19T08:45:11.011Z	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-01-19T08:45:12.666Z	DEBUG	No secret config detected: trivy-secret.yaml
2024-01-19T08:45:12.741Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-01-19T08:45:12.760Z	DEBUG	No secret config detected: trivy-secret.yaml
2024-01-19T08:45:12.942Z	DEBUG	Image ID: sha256:7997ad530b088ce1ef0b5e4a705600db0e62a2fd399e3639722b81ebe596d67d
2024-01-19T08:45:12.942Z	DEBUG	Diff IDs: [sha256:617df26c9e2bec4e63eed45acaa78b253ac74e1cd0dd74da35b050f3ef707d47]
2024-01-19T08:45:12.942Z	DEBUG	Base Layers: []
2024-01-19T08:45:12.987Z	INFO	Detected OS: alpine
2024-01-19T08:45:12.987Z	INFO	Detecting Alpine vulnerabilities...
2024-01-19T08:45:12.987Z	DEBUG	alpine: os version: 3.17
2024-01-19T08:45:12.987Z	DEBUG	alpine: package repository: 3.17
2024-01-19T08:45:12.987Z	DEBUG	alpine: the number of packages: 15
2024-01-19T08:45:12.989Z	INFO	Number of language-specific files: 0

Operating System

macOS

Version

❯ trivy --version
Version: 0.48.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-01-19 06:12:58.552061233 +0000 UTC
  NextUpdate: 2024-01-19 12:12:58.552060411 +0000 UTC
  DownloadedAt: 2024-01-19 08:13:24.837449 +0000 UTC
Policy Bundle:
  Digest: sha256:f21e8e92a7b3f6042ef7acfd3b799afc1648536dc4111c4d5458bc16396f8332
  DownloadedAt: 2024-01-18 10:37:46.841858 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[knqyf263]

Using misconfig instead of config works but does not make much sense from a user experience perspective because we use config for all misconfiguration scanning.

We moved to misconf. It looks like we forgot to update the document.
#5586

BTW, config should work for backward compatibility. It is a bug.

2nd I would like to see the misconfiguration of my container image

You can build your own image with misconfiguration.

$ cat Dockerfile
FROM debian:11

USER root

$ docker build -t test .
$ trivy image --image-config-scanners misconfig test 
test (dockerfile)

Tests: 26 (SUCCESSES: 23, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Last USER command in Dockerfile should not be 'root'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 test:3
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 [ USER root
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Consider using 'COPY file:dd3d4e5fe819950e7d01b44a29dbd790438cd722ba76198910e2597448ab0c6f in /' command instead of 'ADD file:dd3d4e5fe819950e7d01b44a29dbd790438cd722ba76198910e2597448ab0c6f in /'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.

See https://avd.aquasec.com/misconfig/ds005
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 test:1
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ ADD file:dd3d4e5fe819950e7d01b44a29dbd790438cd722ba76198910e2597448ab0c6f in /
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Add HEALTHCHECK instruction in your Dockerfile
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

[knqyf263]

@DmitriyLewen Do you mean we should add strings.HasPrefix(h.CreatedBy, "RUN /bin/sh -c") here?

trivy/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go

Line 52 in 91a2547

case strings.HasPrefix(h.CreatedBy, "/bin/sh -c"):

[DmitriyLewen]

Right. It seems that these are same cases.

[knqyf263]

@DmitriyLewen Yes, you're right. We need to add support for Buildkit.

$ docker history test
IMAGE          CREATED          CREATED BY                                       SIZE      COMMENT
b1afcbbdcdae   5 seconds ago    ADD foo.txt . # buildkit                         0B        buildkit.dockerfile.v0
<missing>      37 seconds ago   RUN /bin/sh -c ls # buildkit                     0B        buildkit.dockerfile.v0
<missing>      11 months ago    /bin/sh -c #(nop)  CMD ["/bin/sh"]               0B
<missing>      11 months ago    /bin/sh -c #(nop) ADD file:9bd9ea42a9f3bdc76…   7.46MB

[knqyf263]

Cerated #5989

[knqyf263]

Closing this discussion. Thanks @AnaisUrlichs.