Skip to content

Commit

Permalink
feat: image config secret scanner support (#1218)
Browse files Browse the repository at this point in the history 
* feat: image config secret scanner support

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: image config secret scanner support

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: image config secret scanner support

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: image config secret scanner support

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
  • Loading branch information
@chen-keinan
chen-keinan committed May 16, 2023
1 parent 6bb3728 commit 6b29e21
Show file tree
Hide file tree
Showing 9 changed files with 47 additions and 27 deletions.
2 changes: 1 addition & 1 deletion pkg/operator/envtest/testdata/fixture/cronjob-expected-scan.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ spec:
containers:
- args:
- -c
- trivy image --slow 'busybox:1.28' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_hello.json && bzip2 -c /tmp/scan/result_hello.json | base64
- trivy image --slow 'busybox:1.28' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_hello.json && bzip2 -c /tmp/scan/result_hello.json | base64
command:
- /bin/sh
env:
Expand Down
2 changes: 1 addition & 1 deletion pkg/operator/envtest/testdata/fixture/daemonset-expected-scan.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ spec:
containers:
- args:
- -c
- trivy image --slow 'quay.io/fluentd_elasticsearch/fluentd:v2.5.2' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_fluentd-elasticsearch.json && bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64
- trivy image --slow 'quay.io/fluentd_elasticsearch/fluentd:v2.5.2' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_fluentd-elasticsearch.json && bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64
command:
- /bin/sh
env:
Expand Down
2 changes: 1 addition & 1 deletion pkg/operator/envtest/testdata/fixture/job-expected-scan.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ spec:
containers:
- args:
- -c
- trivy image --slow 'perl:5.34' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_pi.json && bzip2 -c /tmp/scan/result_pi.json | base64
- trivy image --slow 'perl:5.34' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_pi.json && bzip2 -c /tmp/scan/result_pi.json | base64
command:
- /bin/sh
env:
Expand Down
2 changes: 1 addition & 1 deletion pkg/operator/envtest/testdata/fixture/pod-expected-scan.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ spec:
containers:
- args:
- -c
- trivy image --slow 'app-image:app-image-tag' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_app.json && bzip2 -c /tmp/scan/result_app.json | base64
- trivy image --slow 'app-image:app-image-tag' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_app.json && bzip2 -c /tmp/scan/result_app.json | base64
command:
- /bin/sh
env:
Expand Down
2 changes: 1 addition & 1 deletion pkg/operator/envtest/testdata/fixture/replicaset-expected-scan.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ spec:
containers:
- args:
- -c
- trivy image --slow 'wordpress:4.9' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_wordpress.json && bzip2 -c /tmp/scan/result_wordpress.json | base64
- trivy image --slow 'wordpress:4.9' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_wordpress.json && bzip2 -c /tmp/scan/result_wordpress.json | base64
command:
- /bin/sh
env:
Expand Down
2 changes: 1 addition & 1 deletion pkg/operator/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ spec:
containers:
- args:
- -c
- trivy image --slow 'nginx' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64
- trivy image --slow 'nginx' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64
command:
- /bin/sh
env:
Expand Down
2 changes: 1 addition & 1 deletion pkg/operator/envtest/testdata/fixture/statefulset-expected-scan.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ spec:
containers:
- args:
- -c
- trivy image --slow 'k8s.gcr.io/nginx-slim:0.8' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64
- trivy image --slow 'k8s.gcr.io/nginx-slim:0.8' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64
command:
- /bin/sh
env:
Expand Down
26 changes: 23 additions & 3 deletions pkg/plugins/trivy/plugin.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1085,7 +1085,8 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
command := []string{
"trivy",
}
compressLogs := ctx.GetTrivyOperatorConfig().CompressLogs()
trivyConfig := ctx.GetTrivyOperatorConfig()
compressLogs := trivyConfig.CompressLogs()
c, err := p.getConfig(ctx)
if err != nil {
return []string{}, []string{}
Expand All @@ -1097,6 +1098,11 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
if len(vulnTypeArgs) == 2 {
vulnTypeFlag = fmt.Sprintf("%s %s ", vulnTypeArgs[0], vulnTypeArgs[1])
}
imcs := p.imageConfigSecretScanner(trivyConfig)
var imageconfigSecretScannerFlag string
if len(imcs) == 2 {
imageconfigSecretScannerFlag = fmt.Sprintf("%s %s ", imcs[0], imcs[1])
}
if mode == ClientServer {
if !compressLogs {
args := []string{
Expand All @@ -1118,9 +1124,12 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
if len(vulnTypeArgs) > 0 {
args = append(args, vulnTypeArgs...)
}
if len(imcs) > 0 {
args = append(args, imcs...)
}
return command, args
}
return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s--cache-dir /tmp/trivy/.cache --quiet --format json --server '%s' > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), vulnTypeFlag, trivyServerURL, resultFileName, resultFileName)}
return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s --cache-dir /tmp/trivy/.cache --quiet --format json --server '%s' > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, trivyServerURL, resultFileName, resultFileName)}
}
skipUpdate := SkipDBUpdate(c)
if !compressLogs {
Expand All @@ -1142,9 +1151,12 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
if len(vulnTypeArgs) > 0 {
args = append(args, vulnTypeArgs...)
}
if len(imcs) > 0 {
args = append(args, imcs...)
}
return command, args
}
return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s--cache-dir /tmp/trivy/.cache --quiet %s --format json > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), vulnTypeFlag, skipUpdate, resultFileName, resultFileName)}
return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s --cache-dir /tmp/trivy/.cache --quiet %s --format json > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, resultFileName, resultFileName)}
}

func (p *plugin) vulnTypeFilter(ctx trivyoperator.PluginContext) []string {
Expand All @@ -1159,6 +1171,14 @@ func (p *plugin) vulnTypeFilter(ctx trivyoperator.PluginContext) []string {
return []string{"--vuln-type", vulnType}
}

func (p *plugin) imageConfigSecretScanner(tc trivyoperator.ConfigData) []string {

if tc.ExposedSecretsScannerEnabled() {
return []string{"--image-config-scanners", "secret"}
}
return []string{}
}

func getAutomountServiceAccountToken(ctx trivyoperator.PluginContext) bool {
return ctx.GetTrivyOperatorConfig().GetScanJobAutomountServiceAccountToken()
}
Expand Down
34 changes: 17 additions & 17 deletions pkg/plugins/trivy/plugin_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1128,7 +1128,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -1416,7 +1416,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
},
Args: []string{
"-c",
"trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -1704,7 +1704,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
},
Args: []string{
"-c",
"trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -2012,7 +2012,7 @@ CVE-2019-1543`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -2325,7 +2325,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -2617,7 +2617,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'mirror.io/library/nginx:1.16' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'mirror.io/library/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -2905,7 +2905,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -3137,7 +3137,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -3366,7 +3366,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -3600,7 +3600,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'https://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'https://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -3834,7 +3834,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -4088,7 +4088,7 @@ CVE-2019-1543`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'nginx:1.16' --security-checks secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -4348,7 +4348,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'nginx:1.16' --security-checks secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -4583,7 +4583,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -6147,7 +6147,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow '000000000000.dkr.ecr.eu-west-1.amazonaws.com/nginx:1.16' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow '000000000000.dkr.ecr.eu-west-1.amazonaws.com/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -6462,7 +6462,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -6779,7 +6779,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'mirror.io/library/nginx:1.16' --security-checks vuln,secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image --slow 'mirror.io/library/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down

0 comments on commit 6b29e21

Please sign in to comment.