
Trivy client server mode not scanning secrets exposed in image, Trivy standalone works. #1836

Open
gsingh737 opened this issue Feb 6, 2024 · 6 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. target/kubernetes Issues relating to kubernetes cluster scanning

Comments

@gsingh737

gsingh737 commented Feb 6, 2024

What steps did you take and what happened:
Running Trivy operator with these ENV values

OPERATOR_TARGET_NAMESPACES:
OPERATOR_EXCLUDE_NAMESPACES:
OPERATOR_TARGET_WORKLOADS: pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job
OPERATOR_SERVICE_ACCOUNT: trivy-operator
OPERATOR_LOG_DEV_MODE: false
OPERATOR_SCAN_JOB_TTL:
OPERATOR_SCAN_JOB_TIMEOUT: 5m
OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT: 10
OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT: 1
OPERATOR_SCAN_JOB_RETRY_AFTER: 30s
OPERATOR_BATCH_DELETE_LIMIT: 10
OPERATOR_BATCH_DELETE_DELAY: 10s
OPERATOR_METRICS_BIND_ADDRESS: :8080
OPERATOR_METRICS_FINDINGS_ENABLED: true
OPERATOR_METRICS_VULN_ID_ENABLED: false
OPERATOR_HEALTH_PROBE_BIND_ADDRESS: :9090
OPERATOR_VULNERABILITY_SCANNER_ENABLED: true
OPERATOR_SBOM_GENERATION_ENABLED: true
OPERATOR_CLUSTER_SBOM_CACHE_ENABLED: false
OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: true
OPERATOR_SCANNER_REPORT_TTL: 24h
OPERATOR_CACHE_REPORT_TTL: 120h
CONTROLLER_CACHE_SYNC_TIMEOUT: 5m
OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED: true
OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED: true
OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED: true
OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: true
OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED: true
OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED: false
OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED: false
OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED: false
OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED: false
OPERATOR_METRICS_IMAGE_INFO_ENABLED: false
OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED: false
OPERATOR_WEBHOOK_BROADCAST_URL:
OPERATOR_WEBHOOK_BROADCAST_TIMEOUT: 30s
OPERATOR_SEND_DELETED_REPORTS: false
OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES: {}
OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS: true
OPERATOR_BUILT_IN_TRIVY_SERVER: true
TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION: 10h
OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT: false
OPERATOR_CLUSTER_COMPLIANCE_ENABLED: true

Built a Dockerfile with following

FROM nginx:latest

ENV AWS_SECRET_ACCESS_KEY hKTiTyckWru9Bji4OCm7Keif7fm7Uz11LmTjbx

CMD ["nginx", "-g", "daemon off;"]

Running a pod in cluster with Trivy Operator running with Trivy server in Client/Server Mode
[screenshot]

Exposed Secret Report is not catching any secret.
[screenshot]


What did you expect to happen:
Expected Trivy operator to catch exposed secrets.

Anything else you would like to add:
Running in standalone Trivy image scan catches exposed secrets using Trivy cli i.e
trivy image --image-config-scanners secret --scanners secret --timeout 10m nginxwithsecret:v1

[screenshot]

When running Trivy cli using Trivy Server, its back to not catching those secrets for the same image.
trivy image --server http://localhost:4954 --image-config-scanners secret --scanners secret --timeout 10m nginxwithsecret:v1
[screenshot]
[screenshot]

This issue was also reported here in
#1297 and was thought to be fixed in #1301.
But I believe the fix addresses FS mode scanning, not image scanning, as the fix was only put in
func (p *plugin) getFSScanningArgs(ctx trivyoperator.PluginContext, command Command, mode Mode, trivyServerURL string) []string

Environment:

  • Trivy-Operator version (use trivy-operator version): 0.18.3 Chart version: 0.20.4
  • Kubernetes version (use kubectl version): v1.27.7
@gsingh737 gsingh737 added the kind/bug Categorizes issue or PR as related to a bug. label Feb 6, 2024
@gsingh737 gsingh737 changed the title Trivy server not scanning secrets exposed in image, Trivy standalone works. Trivy client server mode not scanning secrets exposed in image, Trivy standalone works. Feb 6, 2024
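A quick way to confirm, independently of which Trivy mode is in use, whether a credential is actually baked into an image's config is to read the image config JSON directly. The script below is an added example; it is not code from this issue, from Trivy, or from trivy-operator, and its name/entropy heuristics are this example's own assumptions rather than Trivy's built-in secret rules. The image config it scans is constructed inline and mirrors the ENV line from the Dockerfile above; it also goes one step beyond the issue by checking the `history[].created_by` entries, where a Dockerfile `ENV` instruction is recorded as well.

```python
import json
import math
import re

# Hypothetical name patterns for environment variables that usually carry credentials.
# These are this example's own heuristics, not Trivy's secret rules.
SUSPICIOUS_NAME = re.compile(
    r"(SECRET|TOKEN|PASSW(OR)?D|API_?KEY|ACCESS_KEY|PRIVATE_KEY)", re.IGNORECASE
)
# Dockerfile ENV instructions as recorded in image history, "ENV K=V" or "ENV K V" form.
HISTORY_ENV = re.compile(r"\bENV\s+([A-Za-z_][A-Za-z0-9_]*)[=\s]+(\S+)")
MIN_LENGTH = 16    # assumed minimum length of a credential-looking value
MIN_ENTROPY = 3.5  # assumed minimum Shannon entropy, bits per character

# Constructed OCI image config fragment (not pulled from a real image). The
# AWS_SECRET_ACCESS_KEY entry mirrors the Dockerfile in the issue; SECRET_ENABLED
# is a constructed edge case: suspicious name, but not a credential value.
SAMPLE_IMAGE_CONFIG = json.dumps({
    "architecture": "amd64",
    "config": {
        "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "NGINX_VERSION=1.25.3",
            "SECRET_ENABLED=true",
            "AWS_SECRET_ACCESS_KEY=hKTiTyckWru9Bji4OCm7Keif7fm7Uz11LmTjbx",
        ],
        "Cmd": ["nginx", "-g", "daemon off;"],
    },
    "history": [
        {"created_by": "/bin/sh -c #(nop)  ENV NGINX_VERSION=1.25.3", "empty_layer": True},
        {"created_by": "/bin/sh -c #(nop)  ENV AWS_SECRET_ACCESS_KEY=hKTiTyckWru9Bji4OCm7Keif7fm7Uz11LmTjbx",
         "empty_layer": True},
        {"created_by": "/bin/sh -c #(nop)  CMD [\"nginx\" \"-g\" \"daemon off;\"]", "empty_layer": True},
    ],
})


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty or single-symbol string."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_credential(value: str) -> bool:
    """Long and high-entropy, so flags such as SECRET_ENABLED=true are not reported."""
    return len(value) >= MIN_LENGTH and shannon_entropy(value) >= MIN_ENTROPY


def _finding(location: str, name: str, value: str) -> dict:
    # Never echo the full secret; keep only a short preview for triage.
    return {"location": location, "name": name,
            "value_preview": value[:4] + "..." + value[-4:]}


def scan_image_config(config_json: str) -> list:
    """Return suspected secrets found in config.Env and in ENV lines of image history."""
    cfg = json.loads(config_json)
    findings = []
    for i, entry in enumerate(cfg.get("config", {}).get("Env", [])):
        name, sep, value = entry.partition("=")
        if sep and SUSPICIOUS_NAME.search(name) and looks_like_credential(value):
            findings.append(_finding(f"config.Env[{i}]", name, value))
    for i, step in enumerate(cfg.get("history", [])):
        for name, value in HISTORY_ENV.findall(step.get("created_by", "")):
            if SUSPICIOUS_NAME.search(name) and looks_like_credential(value):
                findings.append(_finding(f"history[{i}].created_by", name, value))
    return findings


if __name__ == "__main__":
    for f in scan_image_config(SAMPLE_IMAGE_CONFIG):
        print(f"{f['location']}: {f['name']}={f['value_preview']}")
```

Point `scan_image_config` at a real config (for example the JSON that `crane config IMAGE` prints) to check whether the secret is present in the image metadata at all; if it is and a Trivy mode reports nothing, the gap is in the scanner path, not in the image.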
@chen-keinan
Collaborator

@gsingh737 thanks for the input, I'll have a look.
btw: do you have a public image name I can use for testing?

@gsingh737
Author

@chen-keinan gsingh737/nginxwithsecret:v1, it's public on Docker Hub.

@chen-keinan chen-keinan added priority/backlog Higher priority than priority/awaiting-more-evidence. target/kubernetes Issues relating to kubernetes cluster scanning labels Feb 19, 2024
@chen-keinan
Collaborator

@gsingh737 sorry for getting to this late; I have tried scanning your image with trivy 0.51.1 in image mode and did not get any results:

trivy image gsingh737/nginxwithsecret:v1 --image-config-scanners secret --scanners secret
2024-05-20T11:55:30+03:00	INFO	Container image config scanners	scanners=[secret]
2024-05-20T11:55:30+03:00	INFO	Secret scanning is enabled
2024-05-20T11:55:30+03:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-20T11:55:30+03:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection

Am I missing anything?

@jemag
Contributor

jemag commented May 21, 2024

Weird, here is me trying it with 0.48.0:
[screenshot]
and then with 0.51.2:
[screenshot]

In both cases it is reported.

@chen-keinan
Collaborator

@jemag does it work for you in client/server mode:
trivy server --listen 0.0.0.0:8081

AND

trivy image gsingh737/nginxwithsecret:v1 --image-config-scanners secret --scanners secret --server http://0.0.0.0:8081

@chen-keinan
Collaborator

Related aquasecurity/trivy#6742
