From 13dcf579acc7246363ba4c40cefd840dfe4730bd Mon Sep 17 00:00:00 2001
From: Bishwa Thapa
Date: Thu, 31 Aug 2023 14:34:24 +0545
Subject: [PATCH 1/2] feat: filter artifacts on --exclude-owned flag

- filter artifacts using trivy-kubernetes library
- upgrade dependencies
- generate docs
---
 .../references/configuration/cli/trivy_kubernetes.md | 1 +
 pkg/flag/kubernetes_flags.go | 12 ++++++++++++
 pkg/k8s/commands/resource.go | 8 ++++++--
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md
index 52f7a53f14ec..73840ccca17a 100644
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -41,6 +41,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
 --download-db-only download/update vulnerability database but don't run a scan
 --download-java-db-only download/update Java index database but don't run a scan
 --exclude-nodes strings indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)
+ -E, --exclude-owned exclude resources that have an owner reference
 --exit-code int specify exit code when any security issues are found
 --file-patterns strings specify config file patterns
 -f, --format string format (table,json,cyclonedx) (default "table")
diff --git a/pkg/flag/kubernetes_flags.go b/pkg/flag/kubernetes_flags.go
index 0645c45167a7..f6672d912ee6 100644
--- a/pkg/flag/kubernetes_flags.go
+++ b/pkg/flag/kubernetes_flags.go
@@ -79,6 +79,13 @@ var (
 Default: "trivy-temp",
 Usage: "specify the namespace in which the node-collector job should be deployed",
 }
+ ExcludeOwned = Flag{
+ Name: "exclude-owned",
+ ConfigName: "kubernetes.exclude.owned",
+ Shorthand: "E",
+ Default: false,
+ Usage: "exclude resources that have an owner reference",
+ }
 ExcludeNodes = Flag{
 Name: "exclude-nodes",
 ConfigName: "exclude.nodes",
@@ -97,6 +104,7 @@ type K8sFlagGroup struct {
 Tolerations *Flag
 AllNamespaces *Flag
 NodeCollectorNamespace *Flag
+ ExcludeOwned *Flag
 ExcludeNodes *Flag
 }

@@ -110,6 +118,7 @@ type K8sOptions struct {
 Tolerations []corev1.Toleration
 AllNamespaces bool
 NodeCollectorNamespace string
+ ExcludeOwned bool
 ExcludeNodes map[string]string
 }

@@ -124,6 +133,7 @@ func NewK8sFlagGroup() *K8sFlagGroup {
 Tolerations: &TolerationsFlag,
 AllNamespaces: &AllNamespaces,
 NodeCollectorNamespace: &NodeCollectorNamespace,
+ ExcludeOwned: &ExcludeOwned,
 ExcludeNodes: &ExcludeNodes,
 }
 }
@@ -143,6 +153,7 @@ func (f *K8sFlagGroup) Flags() []*Flag {
 f.Tolerations,
 f.AllNamespaces,
 f.NodeCollectorNamespace,
+ f.ExcludeOwned,
 f.ExcludeNodes,
 }
 }
@@ -180,6 +191,7 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) {
 Tolerations: tolerations,
 AllNamespaces: getBool(f.AllNamespaces),
 NodeCollectorNamespace: getString(f.NodeCollectorNamespace),
+ ExcludeOwned: getBool(f.ExcludeOwned),
 ExcludeNodes: exludeNodeLabels,
 }, nil
 }
diff --git a/pkg/k8s/commands/resource.go b/pkg/k8s/commands/resource.go
index cc6f36397f34..a829ca04bdcd 100644
--- a/pkg/k8s/commands/resource.go
+++ b/pkg/k8s/commands/resource.go
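Review bot: `ConfigName: "kubernetes.exclude.owned"` on the new `ExcludeOwned` flag does not match the sibling `ExcludeNodes` flag visible in the same hunk, whose key is `exclude.nodes` with no `kubernetes.` prefix. These keys are what users write in the config file, and a CLI flag that works while its config-file key sits under a different prefix is easy to miss, so the two exclusion flags should agree on one prefix; if the unprefixed form is the intended one, change the new line to `ConfigName: "exclude.owned",`, otherwise the existing `exclude.nodes` key is the one to revisit. The `var (` block these declarations belong to starts before the hunk.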
@@ -22,11 +22,15 @@ func resourceRun(ctx context.Context, args []string, opts flag.Options, cluster
 }
 runner := newRunner(opts, cluster.GetCurrentContext())
+ var trivyk trivyk8s.TrivyK8S
+
+ trivyk = trivyk8s.New(cluster, log.Logger, trivyk8s.WithExcludeOwned(opts.ExcludeOwned))
+
+
 if opts.AllNamespaces {
- trivyk = trivyk8s.New(cluster, log.Logger).AllNamespaces()
+ trivyk = trivyk.AllNamespaces()
 } else {
- trivyk = trivyk8s.New(cluster, log.Logger).Namespace(getNamespace(opts, cluster.GetCurrentNamespace()))
+ trivyk = trivyk.Namespace(getNamespace(opts, cluster.GetCurrentNamespace()))
 }
 if len(name) == 0 { // pods or configmaps etc
From 8f17e0fcb267b3a0ec7f9f927c3a0978219bb568 Mon Sep 17 00:00:00 2001
From: Bishwa Thapa
Date: Thu, 31 Aug 2023 15:19:05 +0545
Subject: [PATCH 2/2] chore: remove shorthand flag for --exclude-owned flag

---
 docs/docs/references/configuration/cli/trivy_kubernetes.md | 2 +-
 pkg/flag/kubernetes_flags.go | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md
index 73840ccca17a..e140d054f270 100644
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
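Review bot: The new `var trivyk trivyk8s.TrivyK8S` declaration and the `trivyk = trivyk8s.New(...)` assignment a couple of lines later can be a single short variable declaration, `trivyk := trivyk8s.New(cluster, log.Logger, trivyk8s.WithExcludeOwned(opts.ExcludeOwned))`, which also removes the blank lines the hunk adds around it. Because `WithExcludeOwned` decides which resources are left out of the scan, a why-comment at that call would help the next reader, e.g. `// --exclude-owned skips resources that carry an ownerReference; presumably their owning workload is scanned in their place — confirm with trivy-kubernetes`. If that assumption does not hold for every owner kind, the flag silently narrows scan coverage, which is worth spelling out in the flag's usage text rather than leaving implicit. resourceRun begins before this hunk and continues past it.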
@@ -41,7 +41,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
 --download-db-only download/update vulnerability database but don't run a scan
 --download-java-db-only download/update Java index database but don't run a scan
 --exclude-nodes strings indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)
- -E, --exclude-owned exclude resources that have an owner reference
+ --exclude-owned exclude resources that have an owner reference
 --exit-code int specify exit code when any security issues are found
 --file-patterns strings specify config file patterns
 -f, --format string format (table,json,cyclonedx) (default "table")
diff --git a/pkg/flag/kubernetes_flags.go b/pkg/flag/kubernetes_flags.go
index f6672d912ee6..41edc741acb5 100644
--- a/pkg/flag/kubernetes_flags.go
+++ b/pkg/flag/kubernetes_flags.go
@@ -82,7 +82,6 @@ var (
 ExcludeOwned = Flag{
 Name: "exclude-owned",
 ConfigName: "kubernetes.exclude.owned",
- Shorthand: "E",
 Default: false,
 Usage: "exclude resources that have an owner reference",
 }