diff --git a/.github/workflows/chart-testing.yaml b/.github/workflows/chart-testing.yaml index a9d3516d2..a1456b9a4 100644 --- a/.github/workflows/chart-testing.yaml +++ b/.github/workflows/chart-testing.yaml @@ -78,7 +78,7 @@ jobs: kind load image-archive trivy-operator.tar - name: Set up python - uses: actions/setup-python@v5.3.0 + uses: actions/setup-python@v5.4.0 with: python-version: '3.x' check-latest: true diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index 781529127..cd13d30b0 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml @@ -36,7 +36,7 @@ jobs: fetch-depth: 0 ref: ${{ github.event.inputs.ref }} persist-credentials: true - - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 + - uses: actions/setup-python@8039c45ed9a312fba91f3399cd0605ba2ebfe93c with: python-version: 3.x - run: | diff --git a/.github/workflows/publish-helm-chart.yaml b/.github/workflows/publish-helm-chart.yaml index 084e5dc6d..ac844441f 100644 --- a/.github/workflows/publish-helm-chart.yaml +++ b/.github/workflows/publish-helm-chart.yaml @@ -33,7 +33,7 @@ jobs: version: v3.14.2 - name: Set up python - uses: actions/setup-python@v5.3.0 + uses: actions/setup-python@v5.4.0 with: python-version: '3.x' check-latest: true diff --git a/docs/tutorials/writing-custom-configuration-audit-policies.md b/docs/tutorials/writing-custom-configuration-audit-policies.md index f6277c6e8..e655baeea 100644 --- a/docs/tutorials/writing-custom-configuration-audit-policies.md +++ b/docs/tutorials/writing-custom-configuration-audit-policies.md @@ -110,12 +110,9 @@ metadata: data: policy.recommended_labels.kinds: "*" policy.recommended_labels.rego: | - package trivyoperator.policy.k8s.custom + package trivyoperator.policy.k8s.custom - import data.lib.result - import future.keywords.in - - __rego_metadata__ := { + __rego_metadata__ := { "id": "recommended_labels", "title": "Recommended labels", "severity": "LOW", 
@@ -123,20 +120,21 @@ data: "description": "A common set of labels allows tools to work interoperably, describing objects in a common manner that all tools can understand.", "recommended_actions": "Take full advantage of using recommended labels and apply them on every resource object.", "url": "https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/", - } + } - __rego_input__ := { - "combine": false, - "selector": [{"type": "kubernetes"}], - } + recommended_labels := [ + "app.kubernetes.io/name", + "app.kubernetes.io/version", + ] - deny[res] { - input.kind == "Pod" - some container in input.spec.containers - not startswith(container.image, "hooli.com") - msg := sprintf("Image '%v' comes from untrusted registry", [container.image]) - res := result.new(msg, container) - } + deny[res] { + provided := {label | input.metadata.labels[label]} + required := {label | label := recommended_labels[_]} + missing := required - provided + count(missing) > 0 + msg := sprintf("You must provide labels: %v", [missing]) + res := {"msg": msg} + } ``` In this example, to add a new policy, you must define two data entries in the `trivy-operator-policies-config` diff --git a/pkg/configauditreport/controller/checks.go b/pkg/configauditreport/controller/checks.go new file mode 100644 index 000000000..005cb5b49 --- /dev/null +++ b/pkg/configauditreport/controller/checks.go 
@@ -0,0 +1,128 @@ +package controller + +import ( + "context" + "fmt" + "sync" + + "github.com/go-logr/logr" + corev1 "k8s.io/api/core/v1" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/builder" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/predicate" + + "github.com/aquasecurity/trivy-operator/pkg/configauditreport" + "github.com/aquasecurity/trivy-operator/pkg/kube" + "github.com/aquasecurity/trivy-operator/pkg/operator/etc" + "github.com/aquasecurity/trivy-operator/pkg/policy" + "github.com/aquasecurity/trivy-operator/pkg/trivyoperator" + "github.com/aquasecurity/trivy/pkg/set" +) + +type ChecksLoader struct { + mu sync.Mutex + cfg etc.Config + logger logr.Logger + cl client.Client + objectResolver kube.ObjectResolver + pluginContext trivyoperator.PluginContext + pluginConfig configauditreport.PluginInMemory + policyLoader policy.Loader + policies *policy.Policies +} + +func NewChecksLoader( + cfg etc.Config, + logger logr.Logger, + cl client.Client, + objectResolver kube.ObjectResolver, + pluginContext trivyoperator.PluginContext, + pluginConfig configauditreport.PluginInMemory, + policyLoader policy.Loader, +) *ChecksLoader { + return &ChecksLoader{ + cfg: cfg, + logger: logger, + cl: cl, + objectResolver: objectResolver, + pluginContext: pluginContext, + pluginConfig: pluginConfig, + policyLoader: policyLoader, + } +} + +func (r *ChecksLoader) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { + r.mu.Lock() + defer r.mu.Unlock() + + log := r.logger.WithValues("configMap", req.NamespacedName) + + var cm corev1.ConfigMap + if err := r.cl.Get(ctx, req.NamespacedName, &cm); err != nil { + if req.Name == trivyoperator.TrivyConfigMapName { + log.V(1).Info("Checks removed since trivy config is removed") + r.policies = nil + } + return ctrl.Result{}, client.IgnoreNotFound(err) + } + + if err := r.loadChecks(ctx); err != nil { + return ctrl.Result{}, fmt.Errorf("load checks: %w", 
err) + } + + return ctrl.Result{}, nil +} + +func (r *ChecksLoader) loadChecks(ctx context.Context) error { + log := r.logger + + log.V(1).Info("Load checks") + cac, err := r.pluginConfig.NewConfigForConfigAudit(r.pluginContext) + if err != nil { + return fmt.Errorf("new config for config audit: %w", err) + } + policies, err := ConfigurePolicies( + ctx, r.cfg, r.objectResolver, cac, r.logger, r.policyLoader, + ) + if err != nil { + return fmt.Errorf("getting policies: %w", err) + } + r.policies = policies + log.V(1).Info("Checks loaded") + + return nil +} + +var allowedConfigMaps = set.New( + trivyoperator.TrivyConfigMapName, + trivyoperator.PoliciesConfigMapName, +) + +var configPredicate = func(namespace string) predicate.Predicate { + return predicate.NewPredicateFuncs(func(obj client.Object) bool { + if allowedConfigMaps.Contains(obj.GetName()) { + return false + } + return obj.GetNamespace() == namespace + }) +} + +func (r *ChecksLoader) SetupWithManager(mgr ctrl.Manager) error { + return ctrl.NewControllerManagedBy(mgr). + For(&corev1.ConfigMap{}, builder.WithPredicates(configPredicate(r.cfg.Namespace))). + Complete(r) +} + +func (r *ChecksLoader) GetPolicies(ctx context.Context) (*policy.Policies, error) { + r.mu.Lock() + defer r.mu.Unlock() + + if r.policies == nil { + if err := r.loadChecks(ctx); err != nil { + return nil, fmt.Errorf("load checks: %w", err) + } + } + + return r.policies, nil +} diff --git a/pkg/configauditreport/controller/helper.go b/pkg/configauditreport/controller/helper.go index d0bd02b16..b813cb625 100644 --- a/pkg/configauditreport/controller/helper.go +++ b/pkg/configauditreport/controller/helper.go 
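Review bot: configPredicate looks inverted: it returns false when the ConfigMap name is in allowedConfigMaps, so events for the trivy-operator and policies ConfigMaps are filtered out while every other ConfigMap in the namespace triggers Reconcile and a full policy reload. The `req.Name == trivyoperator.TrivyConfigMapName` branch in Reconcile can then never run, and the policies cached by GetPolicies are never refreshed when the policies ConfigMap changes, so a newly added or edited custom check would not take effect until the operator restarts. I would change the check to `if !allowedConfigMaps.Contains(obj.GetName()) {`. ChecksLoader, NewChecksLoader and GetPolicies are exported and lack doc comments; for example `// GetPolicies returns the cached policies, loading them on first use.`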
@@ -41,6 +41,21 @@ func Policies(ctx context.Context, config etc.Config, c client.Client, cac confi return policy.NewPolicies(cm.Data, cac, log, pl, version), nil } +func ConfigurePolicies(ctx context.Context, config etc.Config, c client.Client, cac configauditreport.ConfigAuditConfig, log logr.Logger, pl policy.Loader, clusterVersion ...string) (*policy.Policies, error) { + policies, err := Policies(ctx, config, c, cac, log, pl, clusterVersion...) + if err != nil { + return nil, err + } + if err := policies.Load(); err != nil { + return nil, fmt.Errorf("load policies: %w", err) + } + + if err := policies.InitScanner(); err != nil { + return nil, fmt.Errorf("init scanner: %w", err) + } + return policies, nil +} + func evaluate(ctx context.Context, policies *policy.Policies, resource client.Object, bi trivyoperator.BuildInfo, cd trivyoperator.ConfigData, c etc.Config, inputs ...[]byte) (Misconfiguration, error) { misconfiguration := Misconfiguration{} results, err := policies.Eval(ctx, resource, inputs...) diff --git a/pkg/configauditreport/controller/nodecollector.go b/pkg/configauditreport/controller/nodecollector.go index a5a8980d1..5cc12dc0c 100644 --- a/pkg/configauditreport/controller/nodecollector.go +++ b/pkg/configauditreport/controller/nodecollector.go @@ -40,13 +40,13 @@ type NodeCollectorJobController struct { configauditreport.PluginInMemory InfraReadWriter infraassessment.ReadWriter trivyoperator.BuildInfo + ChecksLoader *ChecksLoader } // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;delete func (r *NodeCollectorJobController) SetupWithManager(mgr ctrl.Manager) error { var predicates []predicate.Predicate - predicates = append(predicates, ManagedByTrivyOperator, IsNodeInfoCollector, JobHasAnyCondition) return ctrl.NewControllerManagedBy(mgr). For(&batchv1.Job{}, builder.WithPredicates(predicates...)). 
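Review bot: ConfigurePolicies is exported but has no doc comment, and its contract (build, then Load, then InitScanner) is only visible by reading the body. I would add `// ConfigurePolicies builds the policies for cac via Policies, loads them and initialises their scanner; clusterVersion is optional and forwarded unchanged.` above the signature. The error from Policies is returned unwrapped while the two that follow are wrapped; `return nil, fmt.Errorf("get policies: %w", err)` keeps the chain uniform.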
@@ -132,19 +132,17 @@ func (r *NodeCollectorJobController) processCompleteScanJob(ctx context.Context, if err != nil { return err } - cac, err := r.NewConfigForConfigAudit(r.PluginContext) - if err != nil { - return err - } - policies, err := Policies(ctx, r.Config, r.Client, cac, r.Logger, r.PolicyLoader) - if err != nil { - return fmt.Errorf("getting policies: %w", err) - } + resourceHash, err := kube.ComputeSpecHash(node) if err != nil { return fmt.Errorf("computing spec hash: %w", err) } + policies, err := r.ChecksLoader.GetPolicies(ctx) + if err != nil { + return fmt.Errorf("get policies: %w", err) + } + policiesHash, err := policies.Hash(string(kube.KindNode)) if err != nil { return fmt.Errorf("computing policies hash: %w", err) diff --git a/pkg/configauditreport/controller/resource.go b/pkg/configauditreport/controller/resource.go index 6d423028b..ecec5e688 100644 --- a/pkg/configauditreport/controller/resource.go +++ b/pkg/configauditreport/controller/resource.go @@ -49,6 +49,7 @@ type ResourceController struct { trivyoperator.BuildInfo ClusterVersion string CacheSyncTimeout time.Duration + ChecksLoader *ChecksLoader } // +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch @@ -156,6 +157,7 @@ func (r *ResourceController) buildControlMgr(mgr ctrl.Manager, configResource ku func (r *ResourceController) reconcileResource(resourceKind kube.Kind) reconcile.Func { return func(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { log := r.Logger.WithValues("kind", resourceKind, "name", req.NamespacedName) + resourceRef := kube.ObjectRefFromKindAndObjectKey(resourceKind, req.NamespacedName) resource, err := r.ObjectFromObjectRef(ctx, resourceRef) if err != nil { 
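Review bot: r.ChecksLoader is a pointer field that only operator.go populates, and GetPolicies dereferences it immediately through r.mu.Lock(), so a NodeCollectorJobController constructed without it (tests, or another wiring path) now panics inside processCompleteScanJob where the removed code was self-contained. A guard before the call keeps the failure an ordinary reconcile error: `if r.ChecksLoader == nil { return errors.New("checks loader not configured") }` (fmt.Errorf if errors is not imported in this file). processCompleteScanJob begins and ends outside the hunk; the same guard applies to reconcileResource in resource.go, which has the identical call.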
@@ -170,13 +172,10 @@ func (r *ResourceController) reconcileResource(resourceKind kube.Kind) reconcile r.Config.ConfigAuditScannerScanOnlyCurrentRevisions, log, r.ConfigData.GetSkipResourceByLabels()); skip { return ctrl.Result{}, err } - cac, err := r.NewConfigForConfigAudit(r.PluginContext) - if err != nil { - return ctrl.Result{}, err - } - policies, err := Policies(ctx, r.Config, r.Client, cac, r.Logger, r.PolicyLoader, r.ClusterVersion) + + policies, err := r.ChecksLoader.GetPolicies(ctx) if err != nil { - return ctrl.Result{}, fmt.Errorf("getting policies: %w", err) + return ctrl.Result{}, fmt.Errorf("get policies: %w", err) } // Skip processing if there are no policies applicable to the resource diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go index b1bf2f2dd..596fd0e57 100644 --- a/pkg/operator/operator.go +++ b/pkg/operator/operator.go @@ -168,9 +168,6 @@ func Start(ctx context.Context, buildInfo trivyoperator.BuildInfo, operatorConfi return err } objectResolver := kube.NewObjectResolver(mgr.GetClient(), compatibleObjectMapper) - if err != nil { - return err - } limitChecker := jobs.NewLimitChecker(operatorConfig, mgr.GetClient(), trivyOperatorConfig) logsReader := kube.NewLogsReader(clientSet) secretsReader := kube.NewSecretsReader(mgr.GetClient()) @@ -238,6 +235,20 @@ func Start(ctx context.Context, buildInfo trivyoperator.BuildInfo, operatorConfi } } + checksLoader := controller.NewChecksLoader( + operatorConfig, + ctrl.Log.WithName("checks-loader"), + mgr.GetClient(), + objectResolver, + pluginContext, + pluginConfig, + policyLoader, + ) + + if err := checksLoader.SetupWithManager(mgr); err != nil { + return fmt.Errorf("setup MyReconciler: %w", err) + } + if operatorConfig.ScannerReportTTL != nil { ttlReconciler := &TTLReportReconciler{ Logger: ctrl.Log.WithName("reconciler").WithName("ttlreport"), 
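Review bot: The removed call passed r.ClusterVersion as the variadic clusterVersion argument, but ChecksLoader.loadChecks in checks.go calls ConfigurePolicies without it, so policies obtained through GetPolicies now carry an empty clusterVersion (NewPolicies stores that argument in the clusterVersion field in policy.go). Any check whose result depends on the cluster version therefore behaves differently after this change, and nothing in the diff compensates for it. I would add a `clusterVersion string` field and constructor parameter to ChecksLoader, pass `gitVersion` from operator.go, and forward it in loadChecks: `ctx, r.cfg, r.objectResolver, cac, r.logger, r.policyLoader, r.clusterVersion,`. reconcileResource starts and ends outside the hunk.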
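Review bot: The new error message `setup MyReconciler` reads like a leftover template name and does not follow the `unable to setup … controller` wording used for the neighbouring reconcilers in Start, which makes the failing component hard to identify in logs. I would change it to `return fmt.Errorf("unable to setup checks loader: %w", err)`. Start begins and ends outside the hunk.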
@@ -298,6 +309,7 @@ func Start(ctx context.Context, buildInfo trivyoperator.BuildInfo, operatorConfi BuildInfo: buildInfo, ClusterVersion: gitVersion, CacheSyncTimeout: *operatorConfig.ControllerCacheSyncTimeout, + ChecksLoader: checksLoader, }).SetupWithManager(mgr); err != nil { return fmt.Errorf("unable to setup resource controller: %w", err) } @@ -310,7 +322,7 @@ func Start(ctx context.Context, buildInfo trivyoperator.BuildInfo, operatorConfi PluginInMemory: pluginConfig, ClusterVersion: gitVersion, }).SetupWithManager(mgr); err != nil { - return fmt.Errorf("unable to setup resource controller: %w", err) + return fmt.Errorf("unable to setup policy config controller: %w", err) } if operatorConfig.InfraAssessmentScannerEnabled { limitChecker := jobs.NewLimitChecker(operatorConfig, mgr.GetClient(), trivyOperatorConfig) @@ -340,6 +352,7 @@ func Start(ctx context.Context, buildInfo trivyoperator.BuildInfo, operatorConfi PluginInMemory: pluginConfig, InfraReadWriter: infraassessment.NewReadWriter(&objectResolver), BuildInfo: buildInfo, + ChecksLoader: checksLoader, }).SetupWithManager(mgr); err != nil { return fmt.Errorf("unable to setup node collector controller: %w", err) } diff --git a/pkg/plugins/trivy/config_test.go b/pkg/plugins/trivy/config_test.go index bf2916816..e61b3168e 100644 --- a/pkg/plugins/trivy/config_test.go +++ b/pkg/plugins/trivy/config_test.go @@ -721,7 +721,7 @@ func TestPlugin_Init(t *testing.T) { }, Data: map[string]string{ "trivy.repository": DefaultImageRepository, - "trivy.tag": "0.52.2", + "trivy.tag": "0.59.1", "trivy.severity": DefaultSeverity, "trivy.slow": "true", "trivy.mode": string(Standalone), diff --git a/pkg/plugins/trivy/image.go b/pkg/plugins/trivy/image.go index 1d7950543..c5dbdd283 100644 --- a/pkg/plugins/trivy/image.go +++ b/pkg/plugins/trivy/image.go 
@@ -585,87 +585,85 @@ func initContainerEnvVar(trivyConfigName string, config Config) []corev1.EnvVar } func getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, imageRef, trivyServerURL, resultFileName string) ([]string, []string) { - command := []string{ - "trivy", - } - trivyConfig := ctx.GetTrivyOperatorConfig() - compressLogs := trivyConfig.CompressLogs() - c, err := getConfig(ctx) + trivyOperatorConfig := ctx.GetTrivyOperatorConfig() + trivyConfig, err := getConfig(ctx) + if err != nil { return []string{}, []string{} } - slow := Slow(c) - sbomSources := c.GetSbomSources() - skipJavaDBUpdate := SkipJavaDBUpdate(c) - cacheDir := c.GetImageScanCacheDir() - vulnTypeArgs := vulnTypeFilter(ctx) - scanners := Scanners(c) - var vulnTypeFlag string - if len(vulnTypeArgs) == 2 { - vulnTypeFlag = fmt.Sprintf("%s %s ", vulnTypeArgs[0], vulnTypeArgs[1]) + // Arguments first. + args := []string{ + "image", + imageRef, } - imcs := imageConfigSecretScanner(trivyConfig) - var imageconfigSecretScannerFlag string - if len(imcs) == 2 { - imageconfigSecretScannerFlag = fmt.Sprintf("%s %s ", imcs[0], imcs[1]) + + // Options in alphabetic order. + cacheDir := trivyConfig.GetImageScanCacheDir() + args = append(args, "--cache-dir", cacheDir, "--format", "json") + + imcs := imageConfigSecretScanner(trivyOperatorConfig) + if len(imcs) > 0 { + args = append(args, imcs...) } + + args = append(args, "--quiet") + + sbomSources := trivyConfig.GetSbomSources() + if sbomSources != "" { + args = append(args, []string{"--sbom-sources", sbomSources}...) + } + + scanners := Scanners(trivyConfig) + args = append(args, scanners, getSecurityChecks(ctx)) + + if trivyServerURL != "" { + args = append(args, []string{"--server", trivyServerURL}...) 
+ } + var skipUpdate string - if c.GetClientServerSkipUpdate() && mode == ClientServer { - skipUpdate = SkipDBUpdate(c) + if trivyConfig.GetClientServerSkipUpdate() && mode == ClientServer { + skipUpdate = SkipDBUpdate(trivyConfig) } else if mode != ClientServer { - skipUpdate = SkipDBUpdate(c) + skipUpdate = SkipDBUpdate(trivyConfig) + } + if skipUpdate != "" { + args = append(args, skipUpdate) } - if !compressLogs { - args := []string{ - "--cache-dir", - cacheDir, - "--quiet", - "image", - scanners, - getSecurityChecks(ctx), - "--format", - "json", - } - if trivyServerURL != "" { - args = append(args, []string{"--server", trivyServerURL}...) - } - args = append(args, imageRef) - if slow != "" { - args = append(args, slow) - } - if len(vulnTypeArgs) > 0 { - args = append(args, vulnTypeArgs...) - } - if len(imcs) > 0 { - args = append(args, imcs...) - } - pkgList := getPkgList(ctx) - if pkgList != "" { - args = append(args, pkgList) - } - if sbomSources != "" { - args = append(args, []string{"--sbom-sources", sbomSources}...) - } - if skipUpdate != "" { - args = append(args, skipUpdate) - } - if skipJavaDBUpdate != "" { - args = append(args, skipJavaDBUpdate) - } + skipJavaDBUpdate := SkipJavaDBUpdate(trivyConfig) + if skipJavaDBUpdate != "" { + args = append(args, skipJavaDBUpdate) + } - return command, args + slow := Slow(trivyConfig) + if slow != "" { + args = append(args, slow) } - var serverUrlParms string - if mode == ClientServer { - serverUrlParms = fmt.Sprintf("--server '%s' ", trivyServerURL) + + vulnTypeArgs := vulnTypeFilter(ctx) + if len(vulnTypeArgs) > 0 { + args = append(args, vulnTypeArgs...) } - var sbomSourcesFlag string - if sbomSources != "" { - sbomSourcesFlag = fmt.Sprintf(" --sbom-sources %s ", sbomSources) + + pkgList := getPkgList(ctx) + if pkgList != "" { + args = append(args, pkgList) + } + + // Return early when compressing logs is disabled. 
+ compressLogs := trivyOperatorConfig.CompressLogs() + if !compressLogs { + return []string{"trivy"}, args } - return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s%s --cache-dir %s --quiet %s --format json %s> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, sbomSourcesFlag, cacheDir, getPkgList(ctx), serverUrlParms, resultFileName, resultFileName)} + + // Add command to args as it is now need to pipe output to compress. + args = append([]string{"trivy"}, args...) + // Add compress arguments. + // Sync is required to flush buffer to stdout before exiting. + args = append(args, fmt.Sprintf(`> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64 && sync`, resultFileName, resultFileName)) + + return []string{"/bin/sh"}, append([]string{"-c"}, strings.Join(args, " ")) } func GetSbomScanCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, sbomFile, trivyServerURL, resultFileName string) ([]string, []string) { @@ -720,7 +718,7 @@ func GetSbomScanCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, sbomF if mode == ClientServer { serverUrlParms = fmt.Sprintf("--server '%s' ", trivyServerURL) } - return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy sbom %s %s %s %s --cache-dir /tmp/trivy/.cache --quiet --format json %s> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, sbomFile, vulnTypeFlag, skipUpdate, serverUrlParms, resultFileName, resultFileName)} + return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy sbom %s %s %s %s --cache-dir /tmp/trivy/.cache --quiet --format json %s> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64 && sync`, slow, sbomFile, vulnTypeFlag, skipUpdate, serverUrlParms, resultFileName, resultFileName)} } func vulnTypeFilter(ctx trivyoperator.PluginContext) []string { 
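Review bot: In the compressLogs branch the scan arguments are joined with `strings.Join(args, " ")` and handed to `/bin/sh -c` without any quoting, whereas the removed format string wrapped imageRef and trivyServerURL in single quotes (the updated expectations in plugin_test.go show the quotes gone). imageRef originates from workload pod specs and the other values from operator configuration, so any shell-significant character in them is now interpreted by the shell instead of reaching trivy as one argument; GetSbomScanCommandAndArgs in the next hunk still quotes its server URL, so the two paths are also inconsistent. I would quote each token before joining, as sketched below, and update the test expectations accordingly. The comment `Sync is required to flush buffer to stdout before exiting` is inaccurate, since sync(1) flushes filesystem buffers to disk and does nothing for stdout; `// sync flushes the result file to disk before the shell exits` states what it does.
```go
// shellQuote wraps s in single quotes so /bin/sh -c passes it to trivy as one argument.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

	// … unchanged: argument construction and the !compressLogs early return …
	quoted := make([]string, 0, len(args)+2)
	quoted = append(quoted, "trivy")
	for _, a := range args {
		quoted = append(quoted, shellQuote(a))
	}
	// sync flushes the result file to disk before the shell exits.
	quoted = append(quoted, fmt.Sprintf(`> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64 && sync`, resultFileName, resultFileName))

	return []string{"/bin/sh"}, []string{"-c", strings.Join(quoted, " ")}
```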
diff --git a/pkg/plugins/trivy/image_test.go b/pkg/plugins/trivy/image_test.go index 856cf1ad5..5d73b2e07 100644 --- a/pkg/plugins/trivy/image_test.go +++ b/pkg/plugins/trivy/image_test.go @@ -79,7 +79,7 @@ func TestGetSbomScanCommandAndArgs(t *testing.T) { serverUrl: "", resultFileName: "output.json", compressedLogs: "true", - wantArgs: []string{"-c", "trivy sbom --slow /tmp/scan/bom.json --skip-db-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/output.json && bzip2 -c /tmp/scan/output.json | base64"}, + wantArgs: []string{"-c", "trivy sbom --slow /tmp/scan/bom.json --skip-db-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/output.json && bzip2 -c /tmp/scan/output.json | base64 && sync"}, wantCmd: []string{"/bin/sh"}, }, { @@ -99,7 +99,7 @@ func TestGetSbomScanCommandAndArgs(t *testing.T) { serverUrl: "http://trivy-server:8080", resultFileName: "output.json", compressedLogs: "true", - wantArgs: []string{"-c", "trivy sbom --slow /tmp/scan/bom.json --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy-server:8080' > /tmp/scan/output.json && bzip2 -c /tmp/scan/output.json | base64"}, + wantArgs: []string{"-c", "trivy sbom --slow /tmp/scan/bom.json --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy-server:8080' > /tmp/scan/output.json && bzip2 -c /tmp/scan/output.json | base64 && sync"}, wantCmd: []string{"/bin/sh"}, }, { diff --git a/pkg/plugins/trivy/jobspec.go b/pkg/plugins/trivy/jobspec.go index 31dc01649..2dd7e41c6 100644 --- a/pkg/plugins/trivy/jobspec.go +++ b/pkg/plugins/trivy/jobspec.go @@ -217,7 +217,7 @@ func getAutomountServiceAccountToken(ctx trivyoperator.PluginContext) bool { func getConfig(ctx trivyoperator.PluginContext) (Config, error) { pluginConfig, err := ctx.GetConfig() if err != nil { - return Config{}, err + return Config{}, fmt.Errorf("get config: %w", err) } return Config{PluginConfig: pluginConfig}, nil } 
diff --git a/pkg/plugins/trivy/plugin.go b/pkg/plugins/trivy/plugin.go index 56444cfc0..7ff32570d 100644 --- a/pkg/plugins/trivy/plugin.go +++ b/pkg/plugins/trivy/plugin.go @@ -80,7 +80,7 @@ func (p *plugin) Init(ctx trivyoperator.PluginContext) error { return ctx.EnsureConfig(trivyoperator.PluginConfig{ Data: map[string]string{ keyTrivyImageRepository: DefaultImageRepository, - keyTrivyImageTag: "0.52.2", + keyTrivyImageTag: "0.59.1", KeyTrivySeverity: DefaultSeverity, keyTrivySlow: "true", keyTrivyMode: string(Standalone), diff --git a/pkg/plugins/trivy/plugin_test.go b/pkg/plugins/trivy/plugin_test.go index 7cad4633c..ad0b8a719 100644 --- a/pkg/plugins/trivy/plugin_test.go +++ b/pkg/plugins/trivy/plugin_test.go @@ -342,7 +342,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
@@ -630,7 +630,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { }, Args: []string{ "-c", - "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -918,7 +918,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { }, Args: []string{ "-c", - "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --quiet --security-checks vuln --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -1226,7 +1226,7 @@ CVE-2019-1543`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
@@ -1539,7 +1539,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -1831,7 +1831,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'mirror.io/library/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image mirror.io/library/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -2119,7 +2119,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
@@ -2351,7 +2351,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -2580,7 +2580,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
@@ -2814,7 +2814,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'https://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server https://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -3048,7 +3048,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --quiet --security-checks vuln --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
@@ -3302,7 +3302,7 @@ CVE-2019-1543`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -3562,7 +3562,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
@@ -3797,7 +3797,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -5413,7 +5413,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow '000000000000.dkr.ecr.eu-west-1.amazonaws.com/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image 000000000000.dkr.ecr.eu-west-1.amazonaws.com/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
@@ -5728,7 +5728,7 @@ default ignore = false`,
 },
 Args: []string{
 "-c",
- "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -6045,7 +6045,7 @@ default ignore = false`,
 },
 Args: []string{
 "-c",
- "trivy image --slow 'mirror.io/library/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image mirror.io/library/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
diff --git a/pkg/policy/policy.go b/pkg/policy/policy.go
index aca18073b..7a0b9ed04 100644
--- a/pkg/policy/policy.go
+++ b/pkg/policy/policy.go
@@ -44,12 +44,19 @@ const (
 externalPoliciesNamespace = "trivyoperator"
 )
 
+type k8sScanner interface {
+ ScanFS(context.Context, fs.FS, string) (scan.Results, error)
+}
+
 type Policies struct {
 data map[string]string
 log logr.Logger
 cac configauditreport.ConfigAuditConfig
 clusterVersion string
 policyLoader Loader
+ policyFS *memoryfs.FS
+ loaded []string
+ scanner k8sScanner
 }
 
 func NewPolicies(data map[string]string, cac configauditreport.ConfigAuditConfig, log logr.Logger, pl Loader, serverVersion string) *Policies {
@@ -59,6 +66,7 @@ func NewPolicies(data map[string]string, cac configauditreport.ConfigAuditConfig
 cac: cac,
 policyLoader: pl,
 clusterVersion: serverVersion,
+ policyFS: memoryfs.New(),
 }
 }
 
@@ -109,6 +117,7 @@ func (p *Policies) PoliciesByKind(kind string) (map[string]string, error) {
 return policies, nil
 }
 
+// TODO: use loaded
 func (p *Policies) Hash(kind string) (string, error) {
 policies, err := p.loadPolicies(kind)
 if err != nil {
@@ -127,6 +136,31 @@ func (p *Policies) ModulesByKind(kind string) (map[string]string, error) {
 }
 return modules, nil
 }
+
+func (p *Policies) Load() error {
+ var err error
+
+ if p.cac.GetUseBuiltinRegoPolicies() {
+ p.loaded, _, err = p.policyLoader.GetPoliciesAndBundlePath()
+ if err != nil {
+ return err
+ }
+ }
+
+ for _, lib := range p.Libraries() {
+ p.loaded = append(p.loaded, lib)
+ }
+
+ for key, policy := range p.data {
+ if !strings.HasSuffix(key, keySuffixRego) {
+ continue
+ }
+ p.loaded = append(p.loaded, policy)
+ }
+
+ return nil
+}
+
 func (p *Policies) loadPolicies(kind string) ([]string, error) {
 // read external policies
 modByKind, err := p.ModulesByKind(kind)
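Review bot: `Load` appends into `p.loaded` without resetting it, so a second call (for example after the policy ConfigMap changes) leaves every policy and library in the slice twice, and `InitScanner` then writes the duplicates into the shared policy filesystem. Build the list in a local and assign it once at the end, as below. The `// TODO: use loaded` added above `Hash` at hunk `@@ -109` is worth expanding while here: `Hash` still hashes the kind-filtered `loadPolicies(kind)` set while `Eval` now runs everything in `loaded`, so a report's policy hash may no longer describe the policies that were actually evaluated; `// TODO: hash p.loaded so the report hash matches the policy set Eval runs` would record that.
```go
func (p *Policies) Load() error {
	var loaded []string
	if p.cac.GetUseBuiltinRegoPolicies() {
		builtin, _, err := p.policyLoader.GetPoliciesAndBundlePath()
		if err != nil {
			return err
		}
		loaded = builtin
	}
	for _, lib := range p.Libraries() {
		loaded = append(loaded, lib)
	}
	for key, policy := range p.data {
		if !strings.HasSuffix(key, keySuffixRego) {
			continue
		}
		loaded = append(loaded, policy)
	}
	// Replace rather than extend, so repeated Load calls stay idempotent.
	p.loaded = loaded
	return nil
}
```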
@@ -194,38 +228,24 @@ func (p *Policies) rbacDisabled(rbacEnable bool, kind string) bool { // Eval evaluates Rego policies with Kubernetes resource client.Object as input. func (p *Policies) Eval(ctx context.Context, resource client.Object, inputs ...[]byte) (scan.Results, error) { - resourceKind := resource.GetObjectKind().GroupVersionKind().Kind - policies, err := p.loadPolicies(resourceKind) - if err != nil { - return nil, fmt.Errorf("failed listing externalPolicies by kind: %s: %w", resourceKind, err) - } - memfs := memoryfs.New() - hasPolicies := len(policies) > 0 - if hasPolicies { - // add add policies to in-memory filesystem - err = createPolicyInputFS(memfs, policiesFolder, policies, regoExt) - if err != nil { - return nil, err - } - } inputResource, err := resourceBytes(resource, inputs) if err != nil { return nil, err } + // add resource input to in-memory filesystem - err = createPolicyInputFS(memfs, inputFolder, []string{string(inputResource)}, yamlExt) - if err != nil { + if err := createPolicyInputFS(memfs, inputFolder, []string{string(inputResource)}, yamlExt); err != nil { return nil, err } - dataFS, dataPaths, err := createDataFS([]string{}, p.clusterVersion) - if err != nil { - return nil, err + if p.scanner == nil { + if err := p.InitScanner(); err != nil { + return nil, fmt.Errorf("init scanner: %w", err) + } } - so := p.scannerOptions(policiesFolder, dataPaths, dataFS, hasPolicies) - scanner := kubernetes.NewScanner(so...) - scanResult, err := scanner.ScanFS(ctx, memfs, inputFolder) + + scanResult, err := p.scanner.ScanFS(ctx, memfs, inputFolder) if err != nil { return nil, err } 
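Review bot: `memfs` is still passed to `createPolicyInputFS` and `p.scanner.ScanFS` on the new side, but its declaration `memfs := memoryfs.New()` is among the removed lines and no replacement is added in this hunk; unless it is declared elsewhere in the file this does not compile, and if it is a package-level value, every `Eval` call would share one filesystem and one resource input, which is a correctness problem under concurrent reconciles. Second, `if p.scanner == nil { … p.InitScanner() … }` is an unsynchronised lazy initialisation: two concurrent `Eval` calls can both observe nil, both run `InitScanner`, and both write into the shared `p.policyFS` while replacing `p.scanner`; initialise the scanner once (in `Load`, or behind a `sync.Once`) and have `Eval` return an error if it is still nil. `Eval`'s body continues past the end of the hunk.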
@@ -236,6 +256,24 @@ func (p *Policies) Eval(ctx context.Context, resource client.Object, inputs ...[
 return scanResult, nil
 }
 
+func (p *Policies) InitScanner() error {
+ hasPolicies := len(p.loaded) > 0
+ if hasPolicies {
+ // add policies to in-memory filesystem
+ err := createPolicyInputFS(p.policyFS, policiesFolder, p.loaded, regoExt)
+ if err != nil {
+ return err
+ }
+ }
+ dataFS, dataPaths, err := createDataFS([]string{}, p.clusterVersion)
+ if err != nil {
+ return fmt.Errorf("create data fs: %w", err)
+ }
+ so := p.scannerOptions(dataPaths, dataFS, hasPolicies)
+ p.scanner = kubernetes.NewScanner(so...)
+ return nil
+}
+
 func resourceBytes(resource client.Object, inputs [][]byte) ([]byte, error) {
 var inputResource []byte
 var err error
@@ -271,7 +309,7 @@ func (r *Policies) HasSeverity(resultSeverity severity.Severity) bool {
 return strings.Contains(defaultSeverity, string(resultSeverity))
 }
 
-func (p *Policies) scannerOptions(policiesFolder string, dataPaths []string, dataFS fs.FS, hasPolicies bool) []options.ScannerOption {
+func (p *Policies) scannerOptions(dataPaths []string, dataFS fs.FS, hasPolicies bool) []options.ScannerOption {
 optionsArray := []options.ScannerOption{
 rego.WithDataFilesystem(dataFS),
 rego.WithDataDirs(dataPaths...),
@@ -279,7 +317,9 @@ func (p *Policies) scannerOptions(policiesFolder string, dataPaths []string, dat
 if p.cac.GetUseEmbeddedRegoPolicies() {
 return append(optionsArray, rego.WithEmbeddedPolicies(true), rego.WithEmbeddedLibraries(true))
 }
- return append(optionsArray, rego.WithPolicyDirs(policiesFolder), rego.WithPolicyNamespaces(externalPoliciesNamespace))
+ return append(optionsArray,
+ rego.WithPolicyFilesystem(p.policyFS),
+ rego.WithPolicyDirs(policiesFolder), rego.WithPolicyNamespaces(externalPoliciesNamespace))
 }
 
 func createPolicyInputFS(memfs *memoryfs.FS, folderName string, fileData []string, ext string) error {
diff --git a/pkg/policy/policy_test.go b/pkg/policy/policy_test.go
index 57ae00d1d..4b447190a 100644
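Review bot: `InitScanner` is exported and has no doc comment, and its contract is not obvious from the code: it reads `p.loaded`, so it only does something useful after `Load`, and each call writes the policy files into the same `p.policyFS` again and replaces `p.scanner`. Suggested comment: `// InitScanner builds the Rego scanner from the policies collected by Load and stores it in p.scanner; call Load first. Calling it again rebuilds the scanner from the current policy set.` — the last sentence assumes `createPolicyInputFS` overwrites existing entries in the memory filesystem, which is worth confirming. In `scannerOptions` at `@@ -279` the policy source is now always `p.policyFS`, so a `Policies` that was never initialised hands the scanner an empty filesystem; if evaluating nothing in that case is intended, a one-line comment saying so would save the next reader the question.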
--- a/pkg/policy/policy_test.go
+++ b/pkg/policy/policy_test.go
@@ -641,7 +641,9 @@ func TestPolicies_Eval(t *testing.T) {
 t.Run(tc.name, func(t *testing.T) {
 g := NewGomegaWithT(t)
 log := ctrl.Log.WithName("resourcecontroller")
- checks, err := policy.NewPolicies(tc.policies, newTestConfig(tc.useBuiltInPolicies), log, &TestLoader{}, "1.27.1").Eval(context.TODO(), tc.resource)
+ p := policy.NewPolicies(tc.policies, newTestConfig(tc.useBuiltInPolicies), log, &TestLoader{}, "1.27.1")
+ g.Expect(p.Load()).ToNot(HaveOccurred())
+ checks, err := p.Eval(context.TODO(), tc.resource)
 if tc.expectedError != "" {
 g.Expect(err).To(HaveOccurred())
 return
diff --git a/pkg/trivyoperator/config.go b/pkg/trivyoperator/config.go
index 391e6134d..08b2678ff 100644
--- a/pkg/trivyoperator/config.go
+++ b/pkg/trivyoperator/config.go
@@ -121,8 +121,8 @@ func GetDefaultConfig() ConfigData {
 KeyScanJobcompressLogs: "true",
 keyComplianceFailEntriesLimit: "10",
 KeyReportRecordFailedChecksOnly: "true",
- KeyNodeCollectorImageRef: "ghcr.io/aquasecurity/node-collector:0.2.1",
- KeyPoliciesBundleOciRef: "mirror.gcr.io/aquasec/trivy-checks:0",
+ KeyNodeCollectorImageRef: "gcr.io/aquasecurity/node-collector:0.3.1",
+ KeyPoliciesBundleOciRef: "mirror.gcr.io/aquasec/trivy-checks:1",
 }
 }
 
diff --git a/pkg/trivyoperator/constants.go b/pkg/trivyoperator/constants.go
index 35f00fb96..dfdab9d2c 100644
--- a/pkg/trivyoperator/constants.go
+++ b/pkg/trivyoperator/constants.go
@@ -16,6 +16,9 @@ const (
 // PoliciesConfigMapName the name of the ConfigMap used to store OPA Rego
 // policies.
 PoliciesConfigMapName = "trivy-operator-policies-config"
+
+ // PoliciesConfigMapName the name of the ConfigMap used to store Trivy configuration.
+ TrivyConfigMapName = "trivy-operator-trivy-config"
 )
 
 const (
diff --git a/pkg/trivyoperator/plugin.go b/pkg/trivyoperator/plugin.go
index 883cf3400..360fb8ddf 100644
--- a/pkg/trivyoperator/plugin.go
+++ b/pkg/trivyoperator/plugin.go
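Review bot: The `KeyNodeCollectorImageRef` default changes registry host as well as version (`ghcr.io/aquasecurity/node-collector:0.2.1` to `gcr.io/aquasecurity/node-collector:0.3.1`), which is a supply-chain change rather than a plain bump and is not explained anywhere in view. Since this default is what every installation pulls, confirm the image is published under the new host and consider a comment naming the canonical publishing location, or pinning the default by digest so a tag move at the registry cannot change what runs on cluster nodes. The same concern applies in a weaker form to `trivy-checks:1`, which is a floating major tag.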
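Review bot: The doc comment added above `TrivyConfigMapName` was copied from the constant above it and still names `PoliciesConfigMapName`; Go doc comments start with the identifier they describe, so it should read `// TrivyConfigMapName is the name of the ConfigMap used to store Trivy configuration.`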
@@ -93,7 +93,7 @@ func (p *pluginContext) GetConfig() (PluginConfig, error) { Name: GetPluginConfigMapName(strings.ToLower(p.GetName())), }, cm) if err != nil { - return PluginConfig{}, err + return PluginConfig{}, fmt.Errorf("get config map: %w", err) } err = p.client.Get(context.Background(), types.NamespacedName{ @@ -101,6 +101,7 @@ func (p *pluginContext) GetConfig() (PluginConfig, error) { Name: GetPluginConfigMapName(strings.ToLower(p.GetName())), }, secret) + // TODO: init var secretData map[string][]byte if err == nil { secretData = secret.DeepCopy().Data diff --git a/tests/envtest/suite_test.go b/tests/envtest/suite_test.go index 2622456a9..865cb1eb2 100644 --- a/tests/envtest/suite_test.go +++ b/tests/envtest/suite_test.go @@ -162,6 +162,18 @@ var _ = BeforeSuite(func() { Expect(err).ToNot(HaveOccurred()) + checksLoader := ca.NewChecksLoader( + config, + ctrl.Log.WithName("resourcecontroller"), + managerClient, + objectResolver, + pluginContext, + pluginca, + &TestLoader{}, + ) + + Expect(checksLoader.SetupWithManager(k8sManager)).ToNot(HaveOccurred()) + err = (&ca.ResourceController{ Logger: ctrl.Log.WithName("resourcecontroller"), Config: config, @@ -174,6 +186,7 @@ var _ = BeforeSuite(func() { RbacReadWriter: rbacassessment.NewReadWriter(&objectResolver), InfraReadWriter: infraassessment.NewReadWriter(&objectResolver), BuildInfo: buildInfo, + ChecksLoader: checksLoader, }).SetupWithManager(k8sManager) Expect(err).ToNot(HaveOccurred()) diff --git a/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml b/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml index 54b800441..db897baf5 100644 --- a/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml 
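Review bot: `// TODO: init` added at `@@ -101` records nothing a later reader can act on; say what is to be initialised, or drop it. From the surrounding lines, the `err` from the Secret lookup appears to be compared only with `nil`, so an error other than not-found would be treated like an absent Secret and the plugin would run without its secret data; if that is the gap the TODO refers to, `// TODO: distinguish NotFound from other errors when loading the plugin Secret` would say so. `GetConfig`'s body extends beyond both hunks, so there may be handling further down that is not visible here.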
@@ -47,7 +47,7 @@ spec:
 containers:
 - args:
 - -c
- - trivy image --slow 'busybox:1.28' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_hello.json && bzip2 -c /tmp/scan/result_hello.json | base64
+ - trivy image busybox:1.28 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_hello.json && bzip2 -c /tmp/scan/result_hello.json | base64 && sync
 command:
 - /bin/sh
 env:
diff --git a/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml b/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml
index 944149ff1..58d71f0c9 100644
--- a/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml
+++ b/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml
@@ -47,7 +47,7 @@ spec:
 containers:
 - args:
 - -c
- - trivy image --slow 'quay.io/fluentd_elasticsearch/fluentd:v2.5.2' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_fluentd-elasticsearch.json && bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64
+ - trivy image quay.io/fluentd_elasticsearch/fluentd:v2.5.2 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_fluentd-elasticsearch.json && bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64 && sync
 command:
 - /bin/sh
 env:
diff --git a/tests/envtest/testdata/fixture/job-expected-scan.yaml b/tests/envtest/testdata/fixture/job-expected-scan.yaml
index 8f7f0aa96..70ae55199 100644
--- a/tests/envtest/testdata/fixture/job-expected-scan.yaml
+++ b/tests/envtest/testdata/fixture/job-expected-scan.yaml
@@ -47,7 +47,7 @@ spec:
 containers:
 - args:
 - -c
- - trivy image --slow 'perl:5.34' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_pi.json && bzip2 -c /tmp/scan/result_pi.json | base64
+ - trivy image perl:5.34 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_pi.json && bzip2 -c /tmp/scan/result_pi.json | base64 && sync
 command:
 - /bin/sh
 env:
diff --git a/tests/envtest/testdata/fixture/pod-expected-scan.yaml b/tests/envtest/testdata/fixture/pod-expected-scan.yaml
index f19ff835a..4b9a1f181 100644
--- a/tests/envtest/testdata/fixture/pod-expected-scan.yaml
+++ b/tests/envtest/testdata/fixture/pod-expected-scan.yaml
@@ -47,7 +47,7 @@ spec:
 containers:
 - args:
 - -c
- - trivy image --slow 'app-image:app-image-tag' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_app.json && bzip2 -c /tmp/scan/result_app.json | base64
+ - trivy image app-image:app-image-tag --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_app.json && bzip2 -c /tmp/scan/result_app.json | base64 && sync
 command:
 - /bin/sh
 env:
diff --git a/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml b/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml
index ef948cdf4..3d58cf276 100644
--- a/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml
+++ b/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml
@@ -47,7 +47,7 @@ spec:
 containers:
 - args:
 - -c
- - trivy image --slow 'wordpress:4.9' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_wordpress.json && bzip2 -c /tmp/scan/result_wordpress.json | base64
+ - trivy image wordpress:4.9 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_wordpress.json && bzip2 -c /tmp/scan/result_wordpress.json | base64 && sync
 command:
 - /bin/sh
 env:
diff --git a/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml b/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml
index 3b0f023c2..561a82dfd 100644
--- a/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml
+++ b/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml
@@ -47,7 +47,7 @@ spec:
 containers:
 - args:
 - -c
- - trivy image --slow 'nginx' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64
+ - trivy image nginx --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync
 command:
 - /bin/sh
 env:
diff --git a/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml b/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml
index e1ff6d098..236e80321 100644
--- a/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml
+++ b/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml
@@ -47,7 +47,7 @@ spec:
 containers:
 - args:
 - -c
- - trivy image --slow 'k8s.gcr.io/nginx-slim:0.8' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64
+ - trivy image k8s.gcr.io/nginx-slim:0.8 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync
 command:
 - /bin/sh
 env: