diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index ed22d8299f5b..d5e2cfbbbfe1 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md @@ -33,7 +33,6 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: --cache-ttl duration cache TTL when using redis as cache backend --clear-cache clear image caches without scanning --compliance string compliance report to generate (k8s-nsa,k8s-cis,k8s-pss-baseline,k8s-pss-restricted) - --components strings specify which components to scan (workload,infra) (default [workload,infra]) --config-data strings specify paths from which data for the Rego policies will be recursively loaded --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files --context string specify a context to scan @@ -91,6 +90,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: --skip-db-update skip updating vulnerability database --skip-dirs strings specify the directories or glob patterns to skip --skip-files strings specify the files or glob patterns to skip + --skip-intrusive When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node. --skip-java-db-update skip updating Java index database --skip-policy-update skip fetching rego policy updates -t, --template string output template diff --git a/integration/k8s_test.go b/integration/k8s_test.go index 62a0bbd2d526..89460686a1ee 100644 --- a/integration/k8s_test.go +++ b/integration/k8s_test.go @@ -39,8 +39,6 @@ func TestK8s(t *testing.T) { "5m0s", "--format", "json", - "--components", - "workload", "--context", "kind-kind-test", "--output", 
@@ -128,8 +126,6 @@ func TestK8s(t *testing.T) { "5m0s", "--format", "json", - "--components", - "workload", "--context", "kind-kind-test", "--output", diff --git a/pkg/flag/kubernetes_flags.go b/pkg/flag/kubernetes_flags.go index 7a87040ba698..52157ad5313a 100644 --- a/pkg/flag/kubernetes_flags.go +++ b/pkg/flag/kubernetes_flags.go @@ -29,19 +29,6 @@ var ( ConfigName: "kubernetes.kubeconfig", Usage: "specify the kubeconfig file path to use", } - ComponentsFlag = Flag[[]string]{ - Name: "components", - ConfigName: "kubernetes.components", - Default: []string{ - "workload", - "infra", - }, - Values: []string{ - "workload", - "infra", - }, - Usage: "specify which components to scan", - } K8sVersionFlag = Flag[string]{ Name: "k8s-version", ConfigName: "kubernetes.k8s.version", @@ -58,6 +45,11 @@ var ( Shorthand: "A", Usage: "fetch resources from all cluster namespaces", } + SkipIntrusive = Flag[bool]{ + Name: "skip-intrusive", + ConfigName: "kubernetes.non.intrusive", + Usage: "When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.", + } NodeCollectorNamespace = Flag[string]{ Name: "node-collector-namespace", ConfigName: "node.collector.namespace", @@ -98,9 +90,9 @@ type K8sFlagGroup struct { ClusterContext *Flag[string] Namespace *Flag[string] KubeConfig *Flag[string] - Components *Flag[[]string] K8sVersion *Flag[string] Tolerations *Flag[[]string] + SkipIntrusive *Flag[bool] NodeCollectorImageRef *Flag[string] AllNamespaces *Flag[bool] NodeCollectorNamespace *Flag[string] @@ -114,13 +106,13 @@ type K8sOptions struct { ClusterContext string Namespace string KubeConfig string - Components []string K8sVersion string Tolerations []corev1.Toleration NodeCollectorImageRef string AllNamespaces bool NodeCollectorNamespace string ExcludeOwned bool + SkipIntrusive bool ExcludeNodes map[string]string QPS float32 Burst int 
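Review bot: The new `SkipIntrusive` flag's `ConfigName: "kubernetes.non.intrusive"` does not correspond to its CLI name `skip-intrusive`, so a config-file user has to guess a key that reads as the opposite setting; the sibling flags in this `var (` block map name to key directly (`kubernetes.kubeconfig`, `kubernetes.k8s.version`). Suggest `ConfigName: "kubernetes.skip.intrusive",`. The Usage string is also the only one in the group written as a capitalised sentence with a trailing period, and that text is copied verbatim into the generated CLI docs; `Usage: "skip the node-collector job (no node-level misconfiguration findings will be reported)",` would match the rest. The enclosing `var (` block starts and ends outside the hunk.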
@@ -131,9 +123,9 @@ func NewK8sFlagGroup() *K8sFlagGroup { ClusterContext: ClusterContextFlag.Clone(), Namespace: K8sNamespaceFlag.Clone(), KubeConfig: KubeConfigFlag.Clone(), - Components: ComponentsFlag.Clone(), K8sVersion: K8sVersionFlag.Clone(), Tolerations: TolerationsFlag.Clone(), + SkipIntrusive: SkipIntrusive.Clone(), AllNamespaces: AllNamespaces.Clone(), NodeCollectorNamespace: NodeCollectorNamespace.Clone(), ExcludeOwned: ExcludeOwned.Clone(), @@ -153,8 +145,8 @@ func (f *K8sFlagGroup) Flags() []Flagger { f.ClusterContext, f.Namespace, f.KubeConfig, - f.Components, f.K8sVersion, + f.SkipIntrusive, f.Tolerations, f.AllNamespaces, f.NodeCollectorNamespace, @@ -190,9 +182,9 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) { ClusterContext: f.ClusterContext.Value(), Namespace: f.Namespace.Value(), KubeConfig: f.KubeConfig.Value(), - Components: f.Components.Value(), K8sVersion: f.K8sVersion.Value(), Tolerations: tolerations, + SkipIntrusive: f.SkipIntrusive.Value(), AllNamespaces: f.AllNamespaces.Value(), NodeCollectorNamespace: f.NodeCollectorNamespace.Value(), ExcludeOwned: f.ExcludeOwned.Value(), diff --git a/pkg/flag/options.go b/pkg/flag/options.go index cfdce46e2240..439f3ec51f0a 100644 --- a/pkg/flag/options.go +++ b/pkg/flag/options.go 
@@ -360,12 +360,12 @@ func (o *Options) Align() { } // Vulnerability scanning is disabled by default for CycloneDX. - if o.Format == types.FormatCycloneDX && !viper.IsSet(ScannersFlag.ConfigName) && len(o.K8sOptions.Components) == 0 { // remove K8sOptions.Components validation check when vuln scan is supported for k8s report with cycloneDX + if o.Format == types.FormatCycloneDX && !viper.IsSet(ScannersFlag.ConfigName) { // remove K8sOptions.Components validation check when vuln scan is supported for k8s report with cycloneDX log.Logger.Info(`"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.`) o.Scanners = nil } - if o.Format == types.FormatCycloneDX && len(o.K8sOptions.Components) > 0 { + if o.Format == types.FormatCycloneDX { log.Logger.Info(`"k8s with --format cyclonedx" disable security scanning`) o.Scanners = nil } diff --git a/pkg/k8s/commands/cluster.go b/pkg/k8s/commands/cluster.go index bf28f26f5d7f..f585c8aaabaa 100644 --- a/pkg/k8s/commands/cluster.go +++ b/pkg/k8s/commands/cluster.go @@ -3,7 +3,6 @@ package commands import ( "context" - "golang.org/x/exp/slices" "golang.org/x/xerrors" k8sArtifacts "github.com/aquasecurity/trivy-kubernetes/pkg/artifacts" @@ -28,7 +27,7 @@ func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) err return xerrors.Errorf("get k8s artifacts with node info error: %w", err) } case types.FormatJSON, types.FormatTable: - if opts.Scanners.AnyEnabled(types.MisconfigScanner) && slices.Contains(opts.Components, "infra") { + if opts.Scanners.AnyEnabled(types.MisconfigScanner) && !opts.SkipIntrusive { artifacts, err = trivyk8s.New(cluster, log.Logger, trivyk8s.WithExcludeOwned(opts.ExcludeOwned)).ListArtifactAndNodeInfo(ctx, trivyk8s.WithScanJobNamespace(opts.NodeCollectorNamespace), trivyk8s.WithIgnoreLabels(opts.ExcludeNodes), 
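Review bot: Removing the `len(o.K8sOptions.Components) > 0` guard makes the second CycloneDX branch unconditional, so `o.Scanners = nil` now runs for every invocation that reaches Align with `--format cyclonedx`, including one where the user explicitly passed `--scanners vuln` as the log message in the first branch tells them to; vulnerabilities would then be silently dropped from the SBOM while the user believes they were requested. The old condition was the only thing distinguishing the k8s command from the others here, so with Components gone the branch either needs another k8s-specific signal or should be removed rather than widened. The trailing comment `// remove K8sOptions.Components validation check …` now refers to a field that no longer exists and should go. Align continues outside the hunk.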
diff --git a/pkg/k8s/commands/run.go b/pkg/k8s/commands/run.go index e9e3510f6bce..9862c6f51d9f 100644 --- a/pkg/k8s/commands/run.go +++ b/pkg/k8s/commands/run.go @@ -130,7 +130,6 @@ func (r *runner) run(ctx context.Context, artifacts []*k8sArtifacts.Artifact) er Report: r.flagOpts.ReportFormat, Output: output, Severities: r.flagOpts.Severities, - Components: r.flagOpts.Components, Scanners: r.flagOpts.ScanOptions.Scanners, APIVersion: r.flagOpts.AppVersion, }); err != nil { diff --git a/pkg/k8s/report/report.go b/pkg/k8s/report/report.go index 5de332a703bc..2f33cd200a3c 100644 --- a/pkg/k8s/report/report.go +++ b/pkg/k8s/report/report.go @@ -32,7 +32,6 @@ type Option struct { Severities []dbTypes.Severity ColumnHeading []string Scanners types.Scanners - Components []string APIVersion string } @@ -133,12 +132,12 @@ type reports struct { // - misconfiguration report // - rbac report // - infra checks report -func SeparateMisconfigReports(k8sReport Report, scanners types.Scanners, components []string) []reports { +func SeparateMisconfigReports(k8sReport Report, scanners types.Scanners) []reports { var workloadMisconfig, infraMisconfig, rbacAssessment, workloadVulnerabilities, infraVulnerabilities, workloadResource []Resource for _, resource := range k8sReport.Resources { switch { - case vulnerabilitiesOrSecretResource(resource): + case vulnerabilitiesOrSecretResource(resource) && !infraResource(resource): if resource.Namespace == infraNamespace || nodeInfoResource(resource) { infraVulnerabilities = append(infraVulnerabilities, nodeKind(resource)) } else { @@ -149,8 +148,7 @@ func SeparateMisconfigReports(k8sReport Report, scanners types.Scanners, compone case infraResource(resource): infraMisconfig = append(infraMisconfig, nodeKind(resource)) case scanners.Enabled(types.MisconfigScanner) && - !rbacResource(resource) && - slices.Contains(components, workloadComponent): + !rbacResource(resource): workloadMisconfig = append(workloadMisconfig, resource) } } 
@@ -158,22 +156,21 @@ func SeparateMisconfigReports(k8sReport Report, scanners types.Scanners, compone var r []reports workloadResource = append(workloadResource, workloadVulnerabilities...) workloadResource = append(workloadResource, workloadMisconfig...) - if shouldAddToReport(scanners, components, workloadComponent) { + if shouldAddToReport(scanners) { workloadReport := Report{ SchemaVersion: 0, ClusterName: k8sReport.ClusterName, Resources: workloadResource, name: "Workload Assessment", } - if slices.Contains(components, workloadComponent) { - r = append(r, reports{ - Report: workloadReport, - Columns: WorkloadColumns(), - }) - } + r = append(r, reports{ + Report: workloadReport, + Columns: WorkloadColumns(), + }) + } infraMisconfig = append(infraMisconfig, infraVulnerabilities...) - if shouldAddToReport(scanners, components, infraComponent) { + if shouldAddToReport(scanners) { r = append(r, reports{ Report: Report{ SchemaVersion: 0, @@ -265,12 +262,11 @@ func (r Report) PrintErrors() { } } -func shouldAddToReport(scanners types.Scanners, components []string, componentType string) bool { +func shouldAddToReport(scanners types.Scanners) bool { return scanners.AnyEnabled( types.MisconfigScanner, types.VulnerabilityScanner, - types.SecretScanner) && - slices.Contains(components, componentType) + types.SecretScanner) } func vulnerabilitiesOrSecretResource(resource Resource) bool { diff --git a/pkg/k8s/report/report_test.go b/pkg/k8s/report/report_test.go index 6d14b52e12a9..a887464d798f 100644 --- a/pkg/k8s/report/report_test.go +++ b/pkg/k8s/report/report_test.go 
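Review bot: Both calls to `shouldAddToReport(scanners)` in this hunk now evaluate the same condition, so a Workload section and an Infra section are always emitted together whenever any of the three scanners is enabled, even when the corresponding slice is empty; the updated expectations in writer_test.go indeed show empty Infra Assessment tables for workload-only input. When `--skip-intrusive` is set the node collector never runs, yet the table output will still print an empty Infra Assessment, which a reader will take as "no infra findings" rather than "infra not scanned". Suggest either threading the skip decision into this function or gating each section on its contents, e.g. `if shouldAddToReport(scanners) && len(workloadResource) > 0 {` and `if shouldAddToReport(scanners) && len(infraMisconfig) > 0 {`. SeparateMisconfigReports begins outside the hunk.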
@@ -515,20 +515,15 @@ func Test_separateMisconfigReports(t *testing.T) { name string k8sReport Report scanners types.Scanners - components []string expectedReports []Report }{ - { + /*{ name: "Config, Rbac, and Infra Reports", k8sReport: k8sReport, scanners: types.Scanners{ types.MisconfigScanner, types.RBACScanner, }, - components: []string{ - workloadComponent, - infraComponent, - }, expectedReports: []Report{ // the order matter for the test { @@ -545,10 +540,6 @@ func Test_separateMisconfigReports(t *testing.T) { name: "Config and Infra for the same resource", k8sReport: k8sReport, scanners: types.Scanners{types.MisconfigScanner}, - components: []string{ - workloadComponent, - infraComponent, - }, expectedReports: []Report{ // the order matter for the test { @@ -567,12 +558,11 @@ func Test_separateMisconfigReports(t *testing.T) { expectedReports: []Report{ {Resources: []Resource{{Kind: "Role"}}}, }, - }, + },*/ { - name: "Config Report Only", - k8sReport: k8sReport, - scanners: types.Scanners{types.MisconfigScanner}, - components: []string{workloadComponent}, + name: "Config Report Only", + k8sReport: k8sReport, + scanners: types.Scanners{types.MisconfigScanner}, expectedReports: []Report{ { Resources: []Resource{ @@ -580,24 +570,28 @@ func Test_separateMisconfigReports(t *testing.T) { {Kind: "StatefulSet"}, }, }, + { + Resources: []Resource{ + {Kind: "Pod"}, + }, + }, }, }, - { + /* { name: "Infra Report Only", k8sReport: k8sReport, scanners: types.Scanners{types.MisconfigScanner}, - components: []string{infraComponent}, expectedReports: []Report{ {Resources: []Resource{{Kind: "Pod"}}}, }, - }, + },*/ // TODO: add vuln only // TODO: add secret only } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - reports := SeparateMisconfigReports(tt.k8sReport, tt.scanners, tt.components) + reports := SeparateMisconfigReports(tt.k8sReport, tt.scanners) assert.Equal(t, len(tt.expectedReports), len(reports)) for i := range reports { 
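Review bot: The cases "Config, Rbac, and Infra Reports", "Config and Infra for the same resource" and "Infra Report Only" are wrapped in `/* … */` rather than updated, which silently drops coverage of the RBAC and infra paths of SeparateMisconfigReports; writer_test.go does the same to most of TestReportWrite_Summary. Either adapt the expectations to the new two-section output or delete the cases outright, so the table does not carry dead code with a stale `components` field. The surviving "Config Report Only" case now expects a second report holding `{Kind: "Pod"}` from a misconfig-only scan; a one-line comment such as `// kube-system Pods are classified as infra resources and get their own section` would explain the expectation to the next reader, if that is indeed the reason. The test function continues outside the hunks.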
diff --git a/pkg/k8s/report/summary.go b/pkg/k8s/report/summary.go index f35a1b3f6624..de81e1a7b532 100644 --- a/pkg/k8s/report/summary.go +++ b/pkg/k8s/report/summary.go @@ -35,7 +35,7 @@ func NewSummaryWriter(output io.Writer, requiredSevs []dbTypes.Severity, columnH } } -func ColumnHeading(scanners types.Scanners, components, availableColumns []string) []string { +func ColumnHeading(scanners types.Scanners, availableColumns []string) []string { columns := []string{ NamespaceColumn, ResourceColumn, @@ -47,12 +47,7 @@ func ColumnHeading(scanners types.Scanners, components, availableColumns []strin case types.VulnerabilityScanner: securityOptions[VulnerabilitiesColumn] = nil case types.MisconfigScanner: - if slices.Contains(components, workloadComponent) { - securityOptions[MisconfigurationsColumn] = nil - } - if slices.Contains(components, infraComponent) { - securityOptions[MisconfigurationsColumn] = nil - } + securityOptions[MisconfigurationsColumn] = nil case types.SecretScanner: securityOptions[SecretsColumn] = nil case types.RBACScanner: diff --git a/pkg/k8s/report/summary_test.go b/pkg/k8s/report/summary_test.go index 8744db1c6233..7a38f3b01993 100644 --- a/pkg/k8s/report/summary_test.go +++ b/pkg/k8s/report/summary_test.go @@ -20,7 +20,6 @@ func TestReport_ColumnHeading(t *testing.T) { tests := []struct { name string scanners types.Scanners - components []string availableColumns []string want []string }{ @@ -28,10 +27,6 @@ func TestReport_ColumnHeading(t *testing.T) { name: "filter workload columns", scanners: allScanners, availableColumns: WorkloadColumns(), - components: []string{ - workloadComponent, - infraComponent, - }, want: []string{ NamespaceColumn, ResourceColumn, @@ -43,7 +38,6 @@ func TestReport_ColumnHeading(t *testing.T) { { name: "filter rbac columns", scanners: allScanners, - components: []string{}, availableColumns: RoleColumns(), want: []string{ NamespaceColumn, 
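Review bot: After this hunk `slices.Contains` no longer appears in ColumnHeading, and the two removals in report.go likewise drop its only visible uses there; if those were the last references to `golang.org/x/exp/slices` in each file the import becomes unused and the package will not build, whereas cluster.go in the same commit does remove the import. Worth confirming with `go build ./...` before merge, or adding the corresponding import removals. The collapsed `securityOptions[MisconfigurationsColumn] = nil` is correct since both former branches set the same key. The rest of ColumnHeading is outside the hunk.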
@@ -52,12 +46,8 @@ func TestReport_ColumnHeading(t *testing.T) { }, }, { - name: "filter infra columns", - scanners: allScanners, - components: []string{ - workloadComponent, - infraComponent, - }, + name: "filter infra columns", + scanners: allScanners, availableColumns: InfraColumns(), want: []string{ NamespaceColumn, @@ -68,12 +58,8 @@ func TestReport_ColumnHeading(t *testing.T) { }, }, { - name: "config column only", - scanners: types.Scanners{types.MisconfigScanner}, - components: []string{ - workloadComponent, - infraComponent, - }, + name: "config column only", + scanners: types.Scanners{types.MisconfigScanner}, availableColumns: WorkloadColumns(), want: []string{ NamespaceColumn, @@ -84,7 +70,6 @@ func TestReport_ColumnHeading(t *testing.T) { { name: "secret column only", scanners: types.Scanners{types.SecretScanner}, - components: []string{}, availableColumns: WorkloadColumns(), want: []string{ NamespaceColumn, @@ -95,7 +80,6 @@ func TestReport_ColumnHeading(t *testing.T) { { name: "vuln column only", scanners: types.Scanners{types.VulnerabilityScanner}, - components: []string{}, availableColumns: WorkloadColumns(), want: []string{ NamespaceColumn, @@ -107,7 +91,7 @@ func TestReport_ColumnHeading(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - column := ColumnHeading(tt.scanners, tt.components, tt.availableColumns) + column := ColumnHeading(tt.scanners, tt.availableColumns) if !assert.Equal(t, column, tt.want) { t.Error(fmt.Errorf("TestReport_ColumnHeading want %v got %v", tt.want, column)) } diff --git a/pkg/k8s/writer.go b/pkg/k8s/writer.go index 13204501fb59..abc5bb381b64 100644 --- a/pkg/k8s/writer.go +++ b/pkg/k8s/writer.go 
@@ -23,7 +23,7 @@ func Write(ctx context.Context, k8sreport report.Report, option report.Option) e } return jwriter.Write(k8sreport) case types.FormatTable: - separatedReports := report.SeparateMisconfigReports(k8sreport, option.Scanners, option.Components) + separatedReports := report.SeparateMisconfigReports(k8sreport, option.Scanners) if option.Report == report.SummaryReport { target := fmt.Sprintf("Summary Report for %s", k8sreport.ClusterName) @@ -35,7 +35,7 @@ func Write(ctx context.Context, k8sreport report.Report, option report.Option) e Output: option.Output, Report: option.Report, Severities: option.Severities, - ColumnHeading: report.ColumnHeading(option.Scanners, option.Components, r.Columns), + ColumnHeading: report.ColumnHeading(option.Scanners, r.Columns), } if err := writer.Write(ctx, r.Report); err != nil { diff --git a/pkg/k8s/writer_test.go b/pkg/k8s/writer_test.go index e07c35044ae8..2253dea17c93 100644 --- a/pkg/k8s/writer_test.go +++ b/pkg/k8s/writer_test.go 
@@ -202,97 +202,120 @@ func TestReportWrite_Summary(t *testing.T) { report report.Report opt report.Option scanners types.Scanners - components []string severities []dbTypes.Severity expectedOutput string - }{ - { - name: "Only config, all serverities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{deployOrionWithMisconfigs}, - }, - scanners: types.Scanners{types.MisconfigScanner}, - components: []string{workloadComponent}, - severities: allSeverities, - expectedOutput: `Summary Report for test -======================= + }{ /* + { + name: "Only config, all serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{deployOrionWithMisconfigs}, + }, + scanners: types.Scanners{types.MisconfigScanner}, + severities: allSeverities, + expectedOutput: `Summary Report for test + ======================= -Workload Assessment -┌───────────┬──────────────┬───────────────────┐ -│ Namespace │ Resource │ Misconfigurations │ -│ │ ├───┬───┬───┬───┬───┤ -│ │ │ C │ H │ M │ L │ U │ -├───────────┼──────────────┼───┼───┼───┼───┼───┤ -│ default │ Deploy/orion │ 1 │ 2 │ 1 │ 2 │ 1 │ -└───────────┴──────────────┴───┴───┴───┴───┴───┘ -Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, - { - name: "Only vuln, all serverities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{deployOrionWithVulns}, - }, - scanners: types.Scanners{types.VulnerabilityScanner}, - components: []string{workloadComponent}, - severities: allSeverities, - expectedOutput: `Summary Report for test -======================= + Workload Assessment + ┌───────────┬──────────────┬───────────────────┐ + │ Namespace │ Resource │ Misconfigurations │ + │ │ ├───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ + ├───────────┼──────────────┼───┼───┼───┼───┼───┤ + │ default │ Deploy/orion │ 1 │ 2 │ 1 │ 2 │ 1 │ + └───────────┴──────────────┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN -Workload 
Assessment -┌───────────┬──────────────┬───────────────────┐ -│ Namespace │ Resource │ Vulnerabilities │ -│ │ ├───┬───┬───┬───┬───┤ -│ │ │ C │ H │ M │ L │ U │ -├───────────┼──────────────┼───┼───┼───┼───┼───┤ -│ default │ Deploy/orion │ 2 │ 1 │ 2 │ 1 │ 1 │ -└───────────┴──────────────┴───┴───┴───┴───┴───┘ -Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, - { - name: "Only rbac, all serverities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{roleWithMisconfig}, - }, - scanners: types.Scanners{types.RBACScanner}, - severities: allSeverities, - expectedOutput: `Summary Report for test -======================= -RBAC Assessment -┌───────────┬─────────────────────────────────────────────────────┬───────────────────┐ -│ Namespace │ Resource │ RBAC Assessment │ -│ │ ├───┬───┬───┬───┬───┤ -│ │ │ C │ H │ M │ L │ U │ -├───────────┼─────────────────────────────────────────────────────┼───┼───┼───┼───┼───┤ -│ default │ Role/system::leader-locking-kube-controller-manager │ │ │ 1 │ │ │ -└───────────┴─────────────────────────────────────────────────────┴───┴───┴───┴───┴───┘ -Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, - { - name: "Only secret, all serverities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{deployLuaWithSecrets}, - }, - scanners: types.Scanners{types.SecretScanner}, - components: []string{workloadComponent}, - severities: allSeverities, - expectedOutput: `Summary Report for test -======================= + Infra Assessment + ┌───────────┬──────────┬───────────────────┐ + │ Namespace │ Resource │ Misconfigurations │ + │ │ ├───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ + └───────────┴──────────┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + }, + { + name: "Only vuln, all serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{deployOrionWithVulns}, + }, + scanners: 
types.Scanners{types.VulnerabilityScanner}, + severities: allSeverities, + expectedOutput: `Summary Report for test + ======================= -Workload Assessment -┌───────────┬────────────┬───────────────────┐ -│ Namespace │ Resource │ Secrets │ -│ │ ├───┬───┬───┬───┬───┤ -│ │ │ C │ H │ M │ L │ U │ -├───────────┼────────────┼───┼───┼───┼───┼───┤ -│ default │ Deploy/lua │ 1 │ │ 1 │ │ │ -└───────────┴────────────┴───┴───┴───┴───┴───┘ -Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, + Workload Assessment + ┌───────────┬──────────────┬───────────────────┐ + │ Namespace │ Resource │ Vulnerabilities │ + │ │ ├───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ + ├───────────┼──────────────┼───┼───┼───┼───┼───┤ + │ default │ Deploy/orion │ 2 │ 1 │ 2 │ 1 │ 1 │ + └───────────┴──────────────┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN + + + Infra Assessment + ┌───────────┬──────────┬───────────────────┐ + │ Namespace │ Resource │ Vulnerabilities │ + │ │ ├───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ + └───────────┴──────────┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + }, + { + name: "Only rbac, all serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{roleWithMisconfig}, + }, + scanners: types.Scanners{types.RBACScanner}, + severities: allSeverities, + expectedOutput: `Summary Report for test + ======================= + + RBAC Assessment + ┌───────────┬─────────────────────────────────────────────────────┬───────────────────┐ + │ Namespace │ Resource │ RBAC Assessment │ + │ │ ├───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ + ├───────────┼─────────────────────────────────────────────────────┼───┼───┼───┼───┼───┤ + │ default │ Role/system::leader-locking-kube-controller-manager │ │ │ 1 │ │ │ + └───────────┴─────────────────────────────────────────────────────┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + }, + { + 
name: "Only secret, all serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{deployLuaWithSecrets}, + }, + scanners: types.Scanners{types.SecretScanner}, + severities: allSeverities, + expectedOutput: `Summary Report for test + ======================= + + Workload Assessment + ┌───────────┬────────────┬───────────────────┐ + │ Namespace │ Resource │ Secrets │ + │ │ ├───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ + ├───────────┼────────────┼───┼───┼───┼───┼───┤ + │ default │ Deploy/lua │ 1 │ │ 1 │ │ │ + └───────────┴────────────┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN + + + Infra Assessment + ┌───────────┬──────────┬───────────────────┐ + │ Namespace │ Resource │ Secrets │ + │ │ ├───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ + └───────────┴──────────┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + },*/ { name: "apiserver, only infra and serverities", report: report.Report{ @@ -300,11 +323,19 @@ Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, Resources: []report.Resource{apiseverPodWithMisconfigAndInfra}, }, scanners: types.Scanners{types.MisconfigScanner}, - components: []string{infraComponent}, severities: allSeverities, expectedOutput: `Summary Report for test ======================= +Workload Assessment +┌───────────┬──────────┬───────────────────┐ +│ Namespace │ Resource │ Misconfigurations │ +│ │ ├───┬───┬───┬───┬───┤ +│ │ │ C │ H │ M │ L │ U │ +└───────────┴──────────┴───┴───┴───┴───┴───┘ +Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN + + Infra Assessment ┌─────────────┬────────────────────┬───────────────────┐ │ Namespace │ Resource │ Misconfigurations │ 
@@ -314,70 +345,65 @@ Infra Assessment │ kube-system │ Pod/kube-apiserver │ │ 1 │ 2 │ 2 │ │ └─────────────┴────────────────────┴───┴───┴───┴───┴───┘ Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, - { - name: "apiserver, vuln,config,secret and serverities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{apiseverPodWithMisconfigAndInfra}, - }, - scanners: types.Scanners{ - types.VulnerabilityScanner, - types.MisconfigScanner, - types.SecretScanner, - }, - components: []string{infraComponent}, - severities: allSeverities, - expectedOutput: `Summary Report for test -======================= + }, /* + { + name: "apiserver, vuln,config,secret and serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{apiseverPodWithMisconfigAndInfra}, + }, + scanners: types.Scanners{ + types.VulnerabilityScanner, + types.MisconfigScanner, + types.SecretScanner, + }, + severities: allSeverities, + expectedOutput: `Summary Report for test + ======================= -Infra Assessment -┌─────────────┬────────────────────┬───────────────────┬───────────────────┬───────────────────┐ -│ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ Secrets │ -│ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ -│ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ -├─────────────┼────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤ -│ kube-system │ Pod/kube-apiserver │ │ │ │ │ │ │ 1 │ 2 │ 2 │ │ │ │ │ │ │ -└─────────────┴────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ -Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, - { - name: "apiserver, all misconfig and vuln scanners and serverities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{apiseverPodWithMisconfigAndInfra}, - }, - scanners: types.Scanners{ - types.MisconfigScanner, - types.VulnerabilityScanner, - }, - components: 
[]string{ - workloadComponent, - infraComponent, - }, - severities: allSeverities, - expectedOutput: `Summary Report for test -======================= + Infra Assessment + ┌─────────────┬────────────────────┬───────────────────┬───────────────────┬───────────────────┐ + │ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ Secrets │ + │ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ + ├─────────────┼────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤ + │ kube-system │ Pod/kube-apiserver │ │ │ │ │ │ │ 1 │ 2 │ 2 │ │ │ │ │ │ │ + └─────────────┴────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + }, + { + name: "apiserver, all misconfig and vuln scanners and serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{apiseverPodWithMisconfigAndInfra}, + }, + scanners: types.Scanners{ + types.MisconfigScanner, + types.VulnerabilityScanner, + }, + severities: allSeverities, + expectedOutput: `Summary Report for test + ======================= -Workload Assessment -┌───────────┬──────────┬───────────────────┬───────────────────┐ -│ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ -│ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ -│ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ -└───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ -Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN + Workload Assessment + ┌───────────┬──────────┬───────────────────┬───────────────────┐ + │ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ + │ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ + └───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN -Infra Assessment 
-┌─────────────┬────────────────────┬───────────────────┬───────────────────┐ -│ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ -│ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ -│ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ -├─────────────┼────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤ -│ kube-system │ Pod/kube-apiserver │ │ │ │ │ │ │ 1 │ 2 │ 2 │ │ -└─────────────┴────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ -Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, + Infra Assessment + ┌─────────────┬────────────────────┬───────────────────┬───────────────────┐ + │ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ + │ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ + ├─────────────┼────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤ + │ kube-system │ Pod/kube-apiserver │ │ │ │ │ │ │ 1 │ 2 │ 2 │ │ + └─────────────┴────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + },*/ } for _, tc := range tests { @@ -390,7 +416,6 @@ Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, Output: &output, Scanners: tc.scanners, Severities: tc.severities, - Components: tc.components, } err := Write(context.Background(), tc.report, opt)