我的书签
添加书签
移除书签Filter Misconfigurations
By Severity
Use --severity option.
trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
Result
2021-07-10T17:37:13.267+0300 INFO Detected config files: 4configs/Dockerfile (dockerfile)===============================Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)Failures: 2 (HIGH: 1, CRITICAL: 0)+---------------------------+------------+----------------------+----------+------------------------------------------+| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |+---------------------------+------------+----------------------+----------+------------------------------------------+| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Specify at least 1 USER || | | | | command in Dockerfile with || | | | | non-root user as argument || | | | | -->avd.aquasec.com/appshield/ds002 |+---------------------------+------------+----------------------+----------+------------------------------------------+configs/deployment.yaml (kubernetes)====================================Tests: 28 (SUCCESSES: 14, FAILURES: 14, EXCEPTIONS: 0)Failures: 14 (HIGH: 1, CRITICAL: 0)+---------------------------+------------+-------------------------------------+----------+------------------------------------------+| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |+---------------------------+------------+-------------------------------------+----------+------------------------------------------+| Kubernetes Security Check | KSV006 | docker.sock is mounted to container | HIGH | Deployment 'hello-kubernetes' should || | | | | not specify '/var/run/docker.socker' in || | | | | 'spec.template.volumes.hostPath.path' || | | | | -->avd.aquasec.com/appshield/ksv006 |+---------------------------+------------+-------------------------------------+----------+------------------------------------------+configs/main.tf (terraform)===========================Tests: 19 (SUCCESSES: 11, FAILURES: 8, EXCEPTIONS: 0)Failures: 8 (HIGH: 6, CRITICAL: 1)+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+| Terraform Security Check powered by | AWS003 | AWS Classic resource usage. | HIGH | Resource || tfsec | | | | 'aws_db_security_group.my-group' || | | | | uses EC2 Classic. Use a VPC instead. || | | | | -->tfsec.dev/docs/aws/AWS003/ |+ +------------+------------------------------------------+----------+--------------------------------------------------------+| | AWS004 | Use of plain HTTP. | CRITICAL | Resource || | | | | 'aws_alb_listener.my-alb-listener' || | | | | uses plain HTTP instead of HTTPS. || | | | | -->tfsec.dev/docs/aws/AWS004/ |+ +------------+------------------------------------------+----------+--------------------------------------------------------+| | AWS018 | Missing description for security | HIGH | Resource || | | group/security group rule. | | 'aws_security_group_rule.my-rule' should || | | | | include a description for auditing || | | | | purposes. -->tfsec.dev/docs/aws/AWS018/ |+ +------------+------------------------------------------+ +--------------------------------------------------------+| | AWS025 | API Gateway domain name uses outdated | | Resource || | | SSL/TLS protocols. | | 'aws_api_gateway_domain_name.empty_security_policy' || | | | | defines outdated SSL/TLS policies (not using || | | | | TLS_1_2). -->tfsec.dev/docs/aws/AWS025/ |+ + + + +--------------------------------------------------------+| | | | | Resource || | | | | 'aws_api_gateway_domain_name.missing_security_policy' || | | | | should include security_policy (defauls to outdated || | | | | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/ |+ + + + +--------------------------------------------------------+| | | | | Resource || | | | | 'aws_api_gateway_domain_name.outdated_security_policy' || | | | | defines outdated SSL/TLS policies (not using TLS_1_2). || | | | | -->tfsec.dev/docs/aws/AWS025/ |+ +------------+------------------------------------------+ +--------------------------------------------------------+| | AZU003 | Unencrypted managed disk. | | Resource 'azurerm_managed_disk.source' || | | | | defines an unencrypted managed disk. || | | | | -->tfsec.dev/docs/azure/AZU003/ |+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+configs/variables.tf (terraform)================================Tests: 1 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 0)Failures: 0 (HIGH: 0, CRITICAL: 0)
By Misconfiguration IDs
Use .trivyignore.
$ cat .trivyignore# Accept the riskAWS003AWS018AWS025$ trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
Result
2021-07-10T17:38:51.306+0300 INFO Detected config files: 4configs/Dockerfile (dockerfile)===============================Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)Failures: 2 (HIGH: 1, CRITICAL: 0)+---------------------------+------------+----------------------+----------+------------------------------------------+| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |+---------------------------+------------+----------------------+----------+------------------------------------------+| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Specify at least 1 USER || | | | | command in Dockerfile with || | | | | non-root user as argument || | | | | -->avd.aquasec.com/appshield/ds002 |+---------------------------+------------+----------------------+----------+------------------------------------------+configs/deployment.yaml (kubernetes)====================================Tests: 28 (SUCCESSES: 14, FAILURES: 14, EXCEPTIONS: 0)Failures: 14 (HIGH: 1, CRITICAL: 0)+---------------------------+------------+-------------------------------------+----------+------------------------------------------+| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |+---------------------------+------------+-------------------------------------+----------+------------------------------------------+| Kubernetes Security Check | KSV006 | docker.sock is mounted to container | HIGH | Deployment 'hello-kubernetes' should || | | | | not specify '/var/run/docker.socker' in || | | | | 'spec.template.volumes.hostPath.path' || | | | | -->avd.aquasec.com/appshield/ksv006 |+---------------------------+------------+-------------------------------------+----------+------------------------------------------+configs/main.tf (terraform)===========================Tests: 19 (SUCCESSES: 11, FAILURES: 8, EXCEPTIONS: 0)Failures: 8 (HIGH: 1, CRITICAL: 1)+------------------------------------------+------------+---------------------------+----------+------------------------------------------+| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |+------------------------------------------+------------+---------------------------+----------+------------------------------------------+| Terraform Security Check powered by | AWS004 | Use of plain HTTP. | CRITICAL | Resource || tfsec | | | | 'aws_alb_listener.my-alb-listener' || | | | | uses plain HTTP instead of HTTPS. || | | | | -->tfsec.dev/docs/aws/AWS004/ |+ +------------+---------------------------+----------+------------------------------------------+| | AZU003 | Unencrypted managed disk. | HIGH | Resource 'azurerm_managed_disk.source' || | | | | defines an unencrypted managed disk. || | | | | -->tfsec.dev/docs/azure/AZU003/ |+------------------------------------------+------------+---------------------------+----------+------------------------------------------+configs/variables.tf (terraform)================================Tests: 1 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 0)Failures: 0 (HIGH: 0, CRITICAL: 0)
By Exceptions
See Exceptions
Show Successes and Exceptions
Use --include-non-failures option to show successes and exceptions as well as failures.
trivy conf --severity CRITICAL --include-non-failures examples/misconf/mixed
Result
2021-07-10T17:44:02.049+0300 INFO Detected config files: 4configs/Dockerfile (dockerfile)===============================Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)Failures: 2 (CRITICAL: 0)+---------------------------+------------+------------------------------------------+----------+--------+-----------------+| TYPE | MISCONF ID | CHECK | SEVERITY | STATUS | MESSAGE |+---------------------------+------------+------------------------------------------+----------+--------+-----------------+| Dockerfile Security Check | DS006 | COPY '--from' refers to the current | CRITICAL | PASS | No issues found || | | image | | | |+ +------------+------------------------------------------+ + + +| | DS007 | Multiple ENTRYPOINT instructions are | | | || | | listed | | | |+ +------------+------------------------------------------+ + + +| | DS008 | Exposed port is out of range | | | |+ +------------+------------------------------------------+ + + +| | DS010 | 'sudo' is used | | | |+ +------------+------------------------------------------+ + + +| | DS011 | COPY with more than two arguments is not | | | || | | ending with slash | | | |+ +------------+------------------------------------------+ + + +| | DS012 | Duplicate aliases are defined in | | | || | | different FROMs | | | |+---------------------------+------------+------------------------------------------+----------+--------+-----------------+...
