
Add --all-namespaces flag for trivy k8s resources scanning #2901

Closed
nilesh-akhade opened this issue Sep 16, 2022 · 3 comments · Fixed by #4096
Labels
kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence. target/kubernetes Issues relating to kubernetes cluster scanning

Comments

@nilesh-akhade

When we do resource scanning, trivy scans only in the given namespace. This should be improved by adding an --all-namespaces (aka -A) flag.

Use cases

Examples:

  # namespace scanning:
  $ trivy k8s -n kube-system --report summary all

  # resources scanning:
  $ trivy k8s --report=summary deploy
  $ trivy k8s --namespace=kube-system --report=summary deploy,configmaps
  $ trivy k8s --all-namespaces --report=summary configmaps
  $ trivy k8s -A --report=summary deployments,replicasets,replicationcontrollers,statefulsets,daemonsets,services,pods,configmaps,roles,rolebindings,networkpolicies,ingresses,resourcequotas,limitranges,clusterroles,clusterrolebindings,podsecuritypolicies
@nilesh-akhade nilesh-akhade added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 16, 2022
@josedonizetti josedonizetti added priority/backlog Higher priority than priority/awaiting-more-evidence. target/kubernetes Issues relating to kubernetes cluster scanning labels Sep 17, 2022
@knqyf263 (Collaborator)

@chen-keinan What do you think?

@chen-keinan (Contributor)

chen-keinan commented Sep 28, 2022

> @chen-keinan What do you think?

Sounds reasonable.

@thapabishwa (Contributor)

When I run configmap with --all-namespaces, it fails to report all items

trivy k8s --all-namespaces --report=summary configmaps

Summary Report for arn:aws:eks:<region>:<account>:cluster/eks-cluster


Workload Assessment
┌───────────┬────────────────────────────┬───────────────────┬───────────────────┬───────────────────┐
│ Namespace │          Resource          │  Vulnerabilities  │ Misconfigurations │      Secrets      │
│           │                            ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤
│           │                            │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │
├───────────┼────────────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤
│ default   │ ConfigMap/kube-root-ca.crt │   │   │   │   │   │   │   │   │ 1 │   │   │   │   │   │   │
└───────────┴────────────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

Trivy Version

trivy --version
Version: 0.44.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-08-25 06:08:52.74908423 +0000 UTC
  NextUpdate: 2023-08-25 12:08:52.74908373 +0000 UTC
  DownloadedAt: 2023-08-25 08:24:37.498688 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-08-23 00:59:25.619115427 +0000 UTC
  NextUpdate: 2023-08-26 00:59:25.619114827 +0000 UTC
  DownloadedAt: 2023-08-23 03:12:22.137159 +0000 UTC
Policy Bundle:
  Digest: sha256:2e95a2d5d45de8ebecae53a97403230a6c608a579b082f3de170f3cf09e46243
  DownloadedAt: 2023-08-25 04:42:45.175519 +0000 UTC

Cm Lists

kubectl get cm -A
NAMESPACE         NAME                                                   DATA   AGE
cert-manager      cert-manager-webhook                                   0      9d
cert-manager      kube-root-ca.crt                                       1      9d
default           kube-root-ca.crt                                       1      16d
kube-node-lease   kube-root-ca.crt                                       1      16d
kube-public       kube-root-ca.crt                                       1      16d
kube-system       aws-auth                                               3      16d
kube-system       aws-for-fluent-bit                                     1      14d
kube-system       coredns                                                1      16d
kube-system       extension-apiserver-authentication                     6      16d
kube-system       kube-apiserver-legacy-service-account-token-tracking   1      16d
kube-system       kube-proxy                                             1      16d
kube-system       kube-proxy-config                                      1      16d
kube-system       kube-root-ca.crt                                       1      16d
workload          kube-root-ca.crt                                       1      11d
workload          workload-policies                                      1      11d
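
The feature request above asks for an all-namespaces scan, and the last comment shows a scan that returned only the `default` namespace ConfigMap while `kubectl get cm -A` lists many more. The following script is an added example, not part of the Trivy project: it parses the summary table and the kubectl listing and prints every (namespace, name) pair the scan did not cover, so a defender can verify that a `-A` scan actually reached every namespace. Both inputs are constructed from the thread, trimmed to fewer rows and columns.

```python
# Added example (not Trivy project code): cross-check a `trivy k8s -A --report=summary`
# table against `kubectl get <kind> -A` and list the objects the scan did not cover.
import re

# Constructed sample: the summary table from the report above (one row, trimmed columns).
TRIVY_SUMMARY = """\
┌───────────┬────────────────────────────┬───────────────────┐
│ Namespace │          Resource          │ Misconfigurations │
├───────────┼────────────────────────────┼───────────────────┤
│ default   │ ConfigMap/kube-root-ca.crt │         1         │
└───────────┴────────────────────────────┴───────────────────┘
"""

# Constructed sample: a trimmed `kubectl get cm -A` listing.
KUBECTL_LIST = """\
NAMESPACE         NAME                    DATA   AGE
cert-manager      cert-manager-webhook    0      9d
cert-manager      kube-root-ca.crt        1      9d
default           kube-root-ca.crt        1      16d
kube-system       aws-auth                3      16d
workload          workload-policies       1      11d
"""

def parse_trivy_summary(text, kind):
    """Return {(namespace, name)} for table rows whose Resource cell is `kind/name`."""
    # Only the first two columns are read, so the nested severity sub-columns of
    # the full report do not matter; header and continuation rows never match.
    found = set()
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip("│").split("│")]
        if line.startswith("│") and len(cells) >= 2:
            m = re.fullmatch(rf"{re.escape(kind)}/(\S+)", cells[1])
            if cells[0] and m:
                found.add((cells[0], m.group(1)))
    return found

def parse_kubectl_list(text):
    """Return {(namespace, name)} from `kubectl get <kind> -A` output, skipping the header."""
    return {(p[0], p[1]) for p in (ln.split() for ln in text.splitlines()[1:]) if len(p) >= 2}

def missing_from_scan(summary, listing, kind):
    """Objects present in the cluster listing but absent from the scan report, sorted."""
    return sorted(parse_kubectl_list(listing) - parse_trivy_summary(summary, kind))

if __name__ == "__main__":
    for ns, name in missing_from_scan(TRIVY_SUMMARY, KUBECTL_LIST, "ConfigMap"):
        print(f"not scanned: {ns}/{name}")
```

On the real outputs, pipe the report into a file and pass its contents to `missing_from_scan` with the kind shown in the Resource column (e.g. `ConfigMap`, `Deployment`).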
