From bd3a4e56bc7b9663154641515cb45d1efbfbe34a Mon Sep 17 00:00:00 2001 From: chenk Date: Mon, 8 Apr 2024 14:25:55 +0300 Subject: [PATCH] feat: support exclude/include kinds/namespaces Signed-off-by: chenk --- .../configuration/cli/trivy_kubernetes.md | 25 +++++++++---------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index 4f99888ee963..7b7c91f3d88e 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md @@ -2,32 +2,33 @@ [EXPERIMENTAL] Scan kubernetes cluster +### Synopsis + +Default context in kube configuration will be used unless specified + ``` -trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: pods, pod/NAME } +trivy kubernetes [flags] [CONTEXT] ``` ### Examples ``` # cluster scanning - $ trivy k8s --report summary cluster - - # namespace scanning: - $ trivy k8s -n kube-system --report summary all + $ trivy k8s --report summary - # resources scanning: - $ trivy k8s --report=summary deploy - $ trivy k8s --namespace=kube-system --report=summary deploy,configmaps + # cluster scanning with specific namespace: + $ trivy k8s --include-namespaces kube-system --report summary - # resource scanning: - $ trivy k8s deployment/orion + # cluster with specific context: + $ trivy k8s kind-kind --report summary + + ``` ### Options ``` - -A, --all-namespaces fetch resources from all cluster namespaces --burst int specify the maximum burst for throttle (default 10) --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") --cache-ttl duration cache TTL when using redis as cache backend 
@@ -36,7 +37,6 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
 --components strings specify which components to scan (workload,infra) (default [workload,infra])
 --config-data strings specify paths from which data for the Rego policies will be recursively loaded
 --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files
- --context string specify a context to scan
 --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
 --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
 --download-db-only download/update vulnerability database but don't run a scan
@@ -68,7 +68,6 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
 --kubeconfig string specify the kubeconfig file path to use
 --list-all-pkgs enabling the option will output all packages regardless of vulnerability
 --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
- -n, --namespace string specify a namespace to scan
 --no-progress suppress progress bar
 --node-collector-imageref string indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.0.9")
 --node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default "trivy-temp")