feat: add k8s cis bench (#3315)

Signed-off-by: chenk <hen.keinan@gmail.com>
aquasecurity · Dec 28, 2022 · a888440 · a888440
1 parent 62b369e
commit a888440
Show file tree

Hide file tree

Showing 12 changed files with 575 additions and 324 deletions.
diff --git a/docs/docs/compliance/compliance.md b/docs/docs/compliance/compliance.md
@@ -4,5 +4,6 @@ Trivy supports producing compliance reports.
 
 ## Supported reports
 
-- [NSA, CISA Kubernetes Hardening Guidance v1.0](../kubernetes/cli/compliance.md) 
-- [AWS CIS v1.2 and v1.4](../cloud/aws/compliance.md)
+- [NSA, CISA Kubernetes Hardening Guidance v1.0](../kubernetes/cli/compliance.md)
+- [CIS Benchmark for Kubernetes v1.23](../kubernetes/cli/compliance.md)
+- [AWS CIS v1.2 and v1.4](../cloud/aws/compliance.md)
diff --git a/docs/docs/kubernetes/cli/compliance.md b/docs/docs/kubernetes/cli/compliance.md
diff --git a/docs/imgs/trivy-nsa-summary.png b/docs/imgs/trivy-nsa-summary.png
diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alicebob/miniredis/v2 v2.23.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/defsec v0.82.6
+	github.com/aquasecurity/defsec v0.82.7-0.20221225070347-3a6cfb67e460
 	github.com/aquasecurity/go-dep-parser v0.0.0-20221208150335-299772f066c4
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798

diff --git a/go.sum b/go.sum
@@ -193,8 +193,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/defsec v0.82.6 h1:whb9ygS+cANcvGSq51s44+hY3nU6OV3VOR2Q4dIz3kc=
-github.com/aquasecurity/defsec v0.82.6/go.mod h1:sUdW6pzASralDcs+CDOE+QpWfBJt3/PY1Qbg8CS5flg=
+github.com/aquasecurity/defsec v0.82.7-0.20221225070347-3a6cfb67e460 h1:XHYo9HDWlrn3l+GH1ZTVUQAeP//r/iyEVUoP4Rmhuuw=
+github.com/aquasecurity/defsec v0.82.7-0.20221225070347-3a6cfb67e460/go.mod h1:sUdW6pzASralDcs+CDOE+QpWfBJt3/PY1Qbg8CS5flg=
 github.com/aquasecurity/go-dep-parser v0.0.0-20221208150335-299772f066c4 h1:cFQv/JghmN6dC/vuu6JbDkziwhBgLPfQvyi/TxJN+6I=
 github.com/aquasecurity/go-dep-parser v0.0.0-20221208150335-299772f066c4/go.mod h1:ZCiGJgdQxCateSw3nPMwZvp9J/+nU8/3DcGY/NO71e4=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=

diff --git a/integration/testdata/helm.json.golden b/integration/testdata/helm.json.golden
@@ -20,7 +20,7 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 80,
+        "Successes": 82,
         "Failures": 2,
         "Exceptions": 0
       },
@@ -270,7 +270,7 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 82,
+        "Successes": 84,
         "Failures": 0,
         "Exceptions": 0
       }
@@ -280,7 +280,7 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 82,
+        "Successes": 84,
         "Failures": 0,
         "Exceptions": 0
       }

diff --git a/integration/testdata/helm_testchart.json.golden b/integration/testdata/helm_testchart.json.golden
@@ -20,7 +20,7 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 80,
+        "Successes": 82,
         "Failures": 2,
         "Exceptions": 0
       },
@@ -270,7 +270,7 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 82,
+        "Successes": 84,
         "Failures": 0,
         "Exceptions": 0
       }
@@ -280,7 +280,7 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 82,
+        "Successes": 84,
         "Failures": 0,
         "Exceptions": 0
       }

diff --git a/integration/testdata/helm_testchart.overridden.json.golden b/integration/testdata/helm_testchart.overridden.json.golden
@@ -20,7 +20,7 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 78,
+        "Successes": 80,
         "Failures": 4,
         "Exceptions": 0
       },
@@ -481,7 +481,7 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 82,
+        "Successes": 84,
         "Failures": 0,
         "Exceptions": 0
       }
@@ -491,7 +491,7 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 82,
+        "Successes": 84,
         "Failures": 0,
         "Exceptions": 0
       }

diff --git a/mkdocs.yml b/mkdocs.yml
@@ -92,6 +92,8 @@ nav:
       - Virtual Machine Image:
           - Overview: docs/vm/index.md
           - AWS EC2: docs/vm/aws.md
+      - Compliance:
+            - Reports:  docs/compliance/compliance.md
       - SBOM:
           - Overview: docs/sbom/index.md
           - Supported: docs/sbom/supported.md

diff --git a/pkg/commands/app.go b/pkg/commands/app.go
@@ -755,7 +755,7 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 
 	reportFlagGroup := flag.NewReportFlagGroup()
 	compliance := flag.ComplianceFlag
-	compliance.Usage += fmt.Sprintf(" (%s)", types.ComplianceNsa)
+	compliance.Usage += fmt.Sprintf(" (%s,%s)", types.ComplianceNsa, types.ComplianceCIS)
 	reportFlagGroup.Compliance = &compliance // override usage as the accepted values differ for each subcommand.
 
 	k8sFlags := &flag.Flags{