Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(misconf): add helm-api-version and helm-kube-version flag #6332

Merged
merged 6 commits into from
Apr 6, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions docs/docs/references/configuration/cli/trivy_aws.md
Original file line number Diff line number Diff line change
@@ -76,6 +76,8 @@ trivy aws [flags]
--endpoint string AWS Endpoint override
--exit-code int specify exit code when any security issues are found
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
jkroepke marked this conversation as resolved.
Show resolved Hide resolved
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
2 changes: 2 additions & 0 deletions docs/docs/references/configuration/cli/trivy_config.md
Original file line number Diff line number Diff line change
@@ -20,6 +20,8 @@ trivy config [flags] DIR
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
2 changes: 2 additions & 0 deletions docs/docs/references/configuration/cli/trivy_filesystem.md
Original file line number Diff line number Diff line change
@@ -35,6 +35,8 @@ trivy filesystem [flags] PATH
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
2 changes: 2 additions & 0 deletions docs/docs/references/configuration/cli/trivy_image.md
Original file line number Diff line number Diff line change
@@ -51,6 +51,8 @@ trivy image [flags] IMAGE_NAME
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
2 changes: 2 additions & 0 deletions docs/docs/references/configuration/cli/trivy_kubernetes.md
Original file line number Diff line number Diff line change
@@ -46,6 +46,8 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table,json,cyclonedx) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
2 changes: 2 additions & 0 deletions docs/docs/references/configuration/cli/trivy_repository.md
Original file line number Diff line number Diff line change
@@ -35,6 +35,8 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
2 changes: 2 additions & 0 deletions docs/docs/references/configuration/cli/trivy_rootfs.md
Original file line number Diff line number Diff line change
@@ -38,6 +38,8 @@ trivy rootfs [flags] ROOTDIR
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
2 changes: 2 additions & 0 deletions docs/docs/references/configuration/cli/trivy_vm.md
Original file line number Diff line number Diff line change
@@ -35,6 +35,8 @@ trivy vm [flags] VM_IMAGE
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
24 changes: 14 additions & 10 deletions docs/docs/references/configuration/config-file.md
Original file line number Diff line number Diff line change
@@ -279,35 +279,39 @@ misconfiguration:
- terraform

# helm value override configurations
# set individual values
helm:
# set individual values
set:
- securityContext.runAsUser=10001

# set values with file
helm:
# set values with file
values:
- overrides.yaml

# set specific values from specific files
helm:
# set specific values from specific files
set-file:
- image=dev-overrides.yaml

# set as string and preserve type
helm:
# set as string and preserve type
set-string:
- name=true

# Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command.
api-versions:
- policy/v1/PodDisruptionBudget
- apps/v1/Deployment

# Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
kube-version: "v1.21.0"

# terraform tfvars overrrides
terraform:
vars:
- dev-terraform.tfvars
- common-terraform.tfvars

# Same as '--tf-exclude-downloaded-modules'
# Default is false
terraform:
# Same as '--tf-exclude-downloaded-modules'
# Default is false
exclude-downloaded-modules: false
```

2 changes: 2 additions & 0 deletions pkg/commands/artifact/run.go
Original file line number Diff line number Diff line change
@@ -603,6 +603,8 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
HelmValueFiles: opts.HelmValueFiles,
HelmFileValues: opts.HelmFileValues,
HelmStringValues: opts.HelmStringValues,
HelmAPIVersions: opts.HelmAPIVersions,
HelmKubeVersion: opts.HelmKubeVersion,
TerraformTFVars: opts.TerraformTFVars,
CloudFormationParamVars: opts.CloudFormationParamVars,
K8sVersion: opts.K8sVersion,
20 changes: 20 additions & 0 deletions pkg/flag/misconf_flags.go
Original file line number Diff line number Diff line change
@@ -45,6 +45,16 @@ var (
ConfigName: "misconfiguration.helm.set-string",
Usage: "specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)",
}
HelmAPIVersionsFlag = Flag[[]string]{
Name: "helm-api-versions",
ConfigName: "misconfiguration.helm.api-versions",
Usage: "Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)",
}
HelmKubeVersionFlag = Flag[string]{
Name: "helm-kube-version",
ConfigName: "misconfiguration.helm.kube-version",
Usage: "Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.",
}
TfVarsFlag = Flag[[]string]{
Name: "tf-vars",
ConfigName: "misconfiguration.terraform.vars",
@@ -86,6 +96,8 @@ type MisconfFlagGroup struct {
HelmValueFiles *Flag[[]string]
HelmFileValues *Flag[[]string]
HelmStringValues *Flag[[]string]
HelmAPIVersions *Flag[[]string]
HelmKubeVersion *Flag[string]
TerraformTFVars *Flag[[]string]
CloudformationParamVars *Flag[[]string]
TerraformExcludeDownloaded *Flag[bool]
@@ -102,6 +114,8 @@ type MisconfOptions struct {
HelmValueFiles []string
HelmFileValues []string
HelmStringValues []string
HelmAPIVersions []string
HelmKubeVersion string
TerraformTFVars []string
CloudFormationParamVars []string
TfExcludeDownloaded bool
@@ -118,6 +132,8 @@ func NewMisconfFlagGroup() *MisconfFlagGroup {
HelmFileValues: HelmSetFileFlag.Clone(),
HelmStringValues: HelmSetStringFlag.Clone(),
HelmValueFiles: HelmValuesFileFlag.Clone(),
HelmAPIVersions: HelmAPIVersionsFlag.Clone(),
HelmKubeVersion: HelmKubeVersionFlag.Clone(),
TerraformTFVars: TfVarsFlag.Clone(),
CloudformationParamVars: CfParamsFlag.Clone(),
TerraformExcludeDownloaded: TerraformExcludeDownloaded.Clone(),
@@ -138,6 +154,8 @@ func (f *MisconfFlagGroup) Flags() []Flagger {
f.HelmValueFiles,
f.HelmFileValues,
f.HelmStringValues,
f.HelmAPIVersions,
f.HelmKubeVersion,
f.TerraformTFVars,
f.TerraformExcludeDownloaded,
f.CloudformationParamVars,
@@ -158,6 +176,8 @@ func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
HelmValueFiles: f.HelmValueFiles.Value(),
HelmFileValues: f.HelmFileValues.Value(),
HelmStringValues: f.HelmStringValues.Value(),
HelmAPIVersions: f.HelmAPIVersions.Value(),
HelmKubeVersion: f.HelmKubeVersion.Value(),
TerraformTFVars: f.TerraformTFVars.Value(),
CloudFormationParamVars: f.CloudformationParamVars.Value(),
TfExcludeDownloaded: f.TerraformExcludeDownloaded.Value(),
8 changes: 8 additions & 0 deletions pkg/iac/scanners/helm/options.go
Original file line number Diff line number Diff line change
@@ -49,3 +49,11 @@ func ScannerWithAPIVersions(values ...string) options.ScannerOption {
}
}
}

func ScannerWithKubeVersion(values string) options.ScannerOption {
return func(s options.ConfigurableScanner) {
if helmScanner, ok := s.(ConfigurableHelmScanner); ok {
helmScanner.AddParserOptions(parser.OptionWithKubeVersion(values))
}
}
}
9 changes: 9 additions & 0 deletions pkg/iac/scanners/helm/parser/option.go
Original file line number Diff line number Diff line change
@@ -9,6 +9,7 @@ type ConfigurableHelmParser interface {
SetFileValues(...string)
SetStringValues(...string)
SetAPIVersions(...string)
SetKubeVersion(string)
}

func OptionWithValuesFile(paths ...string) options.ParserOption {
@@ -50,3 +51,11 @@ func OptionWithAPIVersions(values ...string) options.ParserOption {
}
}
}

func OptionWithKubeVersion(value string) options.ParserOption {
return func(p options.ConfigurableParser) {
if helmParser, ok := p.(ConfigurableHelmParser); ok {
helmParser.SetKubeVersion(value)
}
}
}
19 changes: 17 additions & 2 deletions pkg/iac/scanners/helm/parser/parser.go
Original file line number Diff line number Diff line change
@@ -17,6 +17,7 @@ import (
"helm.sh/helm/v3/pkg/action"
"helm.sh/helm/v3/pkg/chart"
"helm.sh/helm/v3/pkg/chart/loader"
"helm.sh/helm/v3/pkg/chartutil"
"helm.sh/helm/v3/pkg/release"
"helm.sh/helm/v3/pkg/releaseutil"

@@ -40,6 +41,7 @@ type Parser struct {
fileValues []string
stringValues []string
apiVersions []string
kubeVersion string
}

type ChartFile struct {
@@ -75,7 +77,11 @@ func (p *Parser) SetAPIVersions(values ...string) {
p.apiVersions = values
}

func New(path string, opts ...options.ParserOption) *Parser {
func (p *Parser) SetKubeVersion(value string) {
p.kubeVersion = value
}

func New(path string, opts ...options.ParserOption) (*Parser, error) {

client := action.NewInstall(&action.Configuration{})
client.DryRun = true // don't do anything
@@ -95,7 +101,16 @@ func New(path string, opts ...options.ParserOption) *Parser {
p.helmClient.APIVersions = p.apiVersions
}

return p
if p.kubeVersion != "" {
kubeVersion, err := chartutil.ParseKubeVersion(p.kubeVersion)
if err != nil {
return nil, err
}

p.helmClient.KubeVersion = kubeVersion
}

return p, nil
}

func (p *Parser) ParseFS(ctx context.Context, target fs.FS, path string) error {
3 changes: 2 additions & 1 deletion pkg/iac/scanners/helm/parser/parser_test.go
Original file line number Diff line number Diff line change
@@ -12,7 +12,8 @@ import (

func TestParseFS(t *testing.T) {
t.Run("source chart is located next to an same archived chart", func(t *testing.T) {
p := New(".")
p, err := New(".")
require.NoError(t, err)
require.NoError(t, p.ParseFS(context.TODO(), os.DirFS(filepath.Join("testdata", "chart-and-archived-chart")), "."))

expectedFiles := []string{
5 changes: 4 additions & 1 deletion pkg/iac/scanners/helm/scanner.go
Original file line number Diff line number Diff line change
@@ -170,7 +170,10 @@ func (s *Scanner) ScanFS(ctx context.Context, target fs.FS, path string) (scan.R
}

func (s *Scanner) getScanResults(path string, ctx context.Context, target fs.FS) (results []scan.Result, err error) {
helmParser := parser.New(path, s.parserOptions...)
helmParser, err := parser.New(path, s.parserOptions...)
if err != nil {
return nil, err
}

if err := helmParser.ParseFS(ctx, target, path); err != nil {
return nil, err
Loading