Prepare for v0.33.0

[itaysk]

Draft to collaborate on v0.33.0 release announcement

🧾 NSA Kubernetes hardening compliance ☑️

You can now use Trivy to scan your Kubernetes cluster for compliance with the NSA Kubernetes hardening guide, by adding the --copmliance nsa flag. Compliance granularity can be controlled using the familiar --report summary|all flag and output format can be controlled using the familiar --output table|json flag.

$ trivy k8s cluster --compliance=nsa --report summary --format table


Summary Report for compliance: nsa
┌──────┬──────────┬──────────────────────────────────────────────────────────┬────────────┐
│  ID  │ Severity │                       Control Name                       │ Compliance │
├──────┼──────────┼──────────────────────────────────────────────────────────┼────────────┤
│ 1.0  │ MEDIUM   │                   Non-root containers                    │   91.95%   │
│ 1.1  │ LOW      │             Immutable container file systems             │   93.10%   │
│ 1.2  │ HIGH     │             Preventing privileged containers             │  100.00%   │
│ 1.3  │ HIGH     │           Share containers process namespaces            │  100.00%   │
│ 1.4  │ HIGH     │              Share host process namespaces               │  100.00%   │
│ 1.5  │ HIGH     │                   Use the host network                   │  100.00%   │
│ 1.6  │ LOW      │  Run with root privileges or with root group membership  │   0.00%    │
│ 1.7  │ MEDIUM   │         Restricts escalation to root privileges          │   93.10%   │
│ 1.8  │ MEDIUM   │        Sets the SELinux context of the container         │  100.00%   │
│ 1.9  │ MEDIUM   │ Restrict a container's access to resources with AppArmor │   91.95%   │
│ 1.10 │ LOW      │   Sets the seccomp profile used to sandbox containers.   │   91.95%   │
│ 1.11 │ MEDIUM   │          Protecting Pod service account tokens           │  100.00%   │
│ 1.12 │ MEDIUM   │    Namespace kube-system should not be used by users     │   88.37%   │
│ 2.0  │ MEDIUM   │           Pod and/or namespace Selectors usage           │  100.00%   │
│ 3.0  │ CRITICAL │      Use CNI plugin that supports NetworkPolicy API      │   0.00%    │
│ 4.0  │ MEDIUM   │      Use ResourceQuota policies to limit resources       │   0.00%    │
│ 4.1  │ MEDIUM   │        Use LimitRange policies to limit resources        │   0.00%    │
│ 5.0  │ CRITICAL │            Control plan disable insecure port            │   0.00%    │
│ 5.1  │ CRITICAL │                Encrypt etcd communication                │  100.00%   │
│ 6.0  │ CRITICAL │            Ensure kube config file permission            │   0.00%    │
│ 6.1  │ CRITICAL │       Check that encryption resource has been set        │  100.00%   │
│ 6.2  │ CRITICAL │                Check encryption provider                 │  100.00%   │
│ 7.0  │ CRITICAL │            Make sure anonymous-auth is unset             │  100.00%   │
│ 7.1  │ CRITICAL │            Make sure -authorization-mode=RBAC            │  100.00%   │
│ 8.0  │ HIGH     │                Audit policy is configure                 │   0.00%    │
│ 8.1  │ MEDIUM   │               Audit log path is configure                │  100.00%   │
│ 8.2  │ MEDIUM   │                     Audit log aging                      │  100.00%   │
└──────┴──────────┴──────────────────────────────────────────────────────────┴────────────┘

The new compliance feature is currently dedicated for NSA report, but in next release will be generalized to provide flexible reporting infrastructure for more compliance framework and custom reporting. Stay tuned!

⚠️ EXPERIMENTAL: Kubernetes cluster scanning is still experimental. This feature might change without preserving backward compatibility.

⎈ Scan Kubernetes cluster components 🔧

The trivy k8s now scans your Kubernetes cluster components in addition to workloads running in it.
The new "Infra Assessment" sections scans Kubernetes management components for misconfigurations and best practices. You can also select a specific section when scanning using the --components infra|workloads.
This feature is another small step in the direction of providing CIS Benchmark scanning using Trivy, as a modern alternative to kube-bench.

$ trivy k8s cluster --report summary --format table

Summary Report for minikube
===========================

Workload Assessment
┌─────────────┬──────────────────────────────────────┬─────────────────────┬────────────────────┬───────────────────┐
│  Namespace  │               Resource               │   Vulnerabilities   │ Misconfigurations  │      Secrets      │
│             │                                      ├───┬────┬───┬────┬───┼───┬───┬───┬────┬───┼───┬───┬───┬───┬───┤
│             │                                      │ C │ H  │ M │ L  │ U │ C │ H │ M │ L  │ U │ C │ H │ M │ L │ U │
├─────────────┼──────────────────────────────────────┼───┼────┼───┼────┼───┼───┼───┼───┼────┼───┼───┼───┼───┼───┼───┤
│ kube-system │ Service/kube-dns                     │   │    │   │    │   │   │   │ 1 │    │   │   │   │   │   │   │
│ kube-system │ Pod/etcd-minikube                    │   │ 20 │ 4 │    │ 4 │   │ 1 │ 3 │ 7  │   │   │   │   │   │   │
│ kube-system │ Pod/kube-apiserver-minikube          │   │ 2  │ 1 │ 1  │ 2 │   │ 1 │ 3 │ 9  │   │   │   │   │   │   │
│ kube-system │ Pod/kube-scheduler-minikube          │   │ 2  │   │    │   │   │ 1 │ 3 │ 8  │   │   │   │   │   │   │
│ kube-system │ Pod/storage-provisioner              │   │ 9  │ 2 │    │ 3 │   │ 1 │ 5 │ 10 │   │   │   │   │   │   │
│ kube-system │ DaemonSet/kube-proxy                 │   │ 3  │ 2 │ 22 │   │   │ 2 │ 4 │ 10 │   │   │   │   │   │   │
│ kube-system │ Deployment/coredns                   │ 1 │ 3  │ 1 │ 1  │ 4 │   │   │ 3 │ 5  │   │   │   │   │   │   │
│ kube-system │ Pod/kube-controller-manager-minikube │   │ 2  │ 1 │ 1  │ 2 │   │ 1 │ 3 │ 8  │   │   │   │   │   │   │
└─────────────┴──────────────────────────────────────┴───┴────┴───┴────┴───┴───┴───┴───┴────┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN


RBAC Assessment
┌─────────────┬─────────────────────────────────────────────────────┬───────────────────┐
│  Namespace  │                      Resource                       │  RBAC Assessment  │
│             │                                                     ├───┬───┬───┬───┬───┤
│             │                                                     │ C │ H │ M │ L │ U │
├─────────────┼─────────────────────────────────────────────────────┼───┼───┼───┼───┼───┤
│ kube-system │ Role/system:controller:bootstrap-signer             │ 1 │   │   │   │   │
│ kube-system │ Role/system:controller:cloud-provider               │   │   │ 1 │   │   │
│ kube-system │ Role/system:controller:token-cleaner                │ 1 │   │   │   │   │
│ kube-system │ Role/system::leader-locking-kube-scheduler          │   │   │ 1 │   │   │
│ kube-system │ Role/system::leader-locking-kube-controller-manager │   │   │ 1 │   │   │
│ kube-system │ Role/system:persistent-volume-provisioner           │   │ 2 │   │   │   │
└─────────────┴─────────────────────────────────────────────────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN


Infra Assessment
┌─────────────┬──────────────────────────────────────┬─────────────────────────────┐
│  Namespace  │               Resource               │ Kubernetes Infra Assessment │
│             │                                      ├────┬────┬────┬─────┬────────┤
│             │                                      │ C  │ H  │ M  │ L   │   U    │
├─────────────┼──────────────────────────────────────┼────┼────┼────┼─────┼────────┤
│ kube-system │ Pod/kube-controller-manager-minikube │    │    │    │ 3   │        │
│ kube-system │ Pod/kube-scheduler-minikube          │    │    │    │ 1   │        │
│ kube-system │ Pod/kube-apiserver-minikube          │    │    │ 1  │ 10  │        │
└─────────────┴──────────────────────────────────────┴────┴────┴────┴─────┴────────┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

⚠️ EXPERIMENTAL: Kubernetes cluster scanning is still experimental. This feature might change without preserving backward compatibility.

📦 Scan unpackaged binary files 🔥

Previously Trivy relied on package manager metadata in order to identify applications. If you included a piece of software outside of a package manager, Trivy could not have identified it. For example any Dockerfile centric workflow where you build the binary and COPY or ADD the binary into the container image would have been missed. Today we are releasing an experimental approach to address this common concern using SBOM and Sigstore. During scan, when Trivy stumble upon an executable binary, Trivy will lookup it's hash in Rekor (Sigstore public transparency log). If a relevant SBOM was found, Trivy will use it for vulnerability detection.

There are 3 steps to enable this feature:

1. Generate SBOM from a lock file in a project
2. Store the SBOM attestation linking to a binary of the project in Rekor
3. Scan the binary with --sbom-sources

If someone already stored the SBOM attestation of the specific binary you want to scan, you can start with the step 3.

$ trivy fs --sbom-sources rekor ./bat-v0.20.0-x86_64-apple-darwin/bat
2022-10-25T13:27:25.950+0300    INFO    Found SBOM attestation in Rekor: bat
2022-10-25T13:27:25.993+0300    INFO    Number of language-specific files: 1
2022-10-25T13:27:25.993+0300    INFO    Detecting cargo vulnerabilities...

bat (cargo)
===========
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

See here for the detail.

⚠️ EXPERIMENTAL: This feature might change without preserving backward compatibility.

🚓 Rego checks improvements ✅

Trivy's misconfiguration checks could be authored either in Go or Rego. Going forward we will focus on rego based rules and in preparation for that we've made numerous improvements to the rego policy engine. One notable improvement is the move to standard rego annotations to describe checks metadata.

# METADATA
# title: "Privileged container"
# description: "Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges."
# scope: package
# schemas:
# - input: schema["input"]
# related_resources:
# - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
# custom:
#   id: KSV017
#   avd_id: AVD-KSV-0017
#   severity: HIGH
#   short_code: no-privileged-containers
#   recommended_action: "Change 'containers[].securityContext.privileged' to 'false'."
#   input:
#     selector:
#     - type: kubernetes

In the near future we will move to decouple the checks library from the policy engine to enable streamlined distribution of policies.

☁️ Azure/ARM support 💪

Trivy can now scan Azure Resource Manager templates for misconfigurations. ARM templates are parsed and interpolated automatically.

🐳 Support multi-arch images ⚔️

You can pass the --platform flag like Docker CLI if you want to scan a remote image with a specific OS and architecture.

$ trivy image --platform=arm/linux python:latest-alpine

Thanks to @ShubhamPalriwala

🐓 Add client/server mode for rootfs scanning 🐕‍🦺

Added --server to the rootfs subcommand.

$ trivy rootfs --server http://localhost:4954 /path/to/rootfs

Thanks to @bgoareguer

📍 Add dependency line numbers 🛫

Trivy now stores line numbers of each language-specific dependency in the JSON result. Currently, package-lock.json and yarn.lock are supported.

$ cat package-lock.json
{
  "name": "intern-angular",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "dependencies": {
    "@angular/animations": {
      "version": "4.2.6",
      "resolved": "[https://registry.npmjs.org/@angular/animations/-/animations-4.2.6.tgz"](https://registry.npmjs.org/@angular/animations/-/animations-4.2.6.tgz%22),
      "integrity": "sha1-nZyAoRmwwDaTy9I7uvcosVMf/8c="
    }
}

$ trivy fs -f json --list-all-pkgs ./package-lock.json
...
  "Results": [
    {
      "Target": "package-lock.json",
      "Class": "lang-pkgs",
      "Type": "npm",
      "Packages": [
        {
          "ID": "@angular/[email protected]",
          "Name": "@angular/animations",
          "Version": "4.2.6",
          "Indirect": true,
          "Layer": {},
          "Locations": [
            {
              "StartLine": 6,
              "EndLine": 10
            }
          ]
        }
      ]

Support custom rego policies for AWS scanning

This enables the authoring of custom rego policies to apply to a live AWS account via the trivy aws command.

⚠️ EXPERIMENTAL: AWS account scanning is still experimental. This feature might change without preserving backward compatibility.