search

aquasecurity / trivy-operator

Kubernetes-native security toolkit
https://aquasecurity.github.io/trivy-operator/latest
Apache License 2.0
1.28k stars 211 forks source link

Trivy client server mode not scanning secrets exposed in image, Trivy standalone works. #1836

Open gsingh737 opened 9 months ago

gsingh737 commented 9 months ago

What steps did you take and what happened: Running Trivy operator with these ENV values

OPERATOR_TARGET_NAMESPACES:
OPERATOR_EXCLUDE_NAMESPACES:
OPERATOR_TARGET_WORKLOADS: pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job
OPERATOR_SERVICE_ACCOUNT: trivy-operator
OPERATOR_LOG_DEV_MODE: false
OPERATOR_SCAN_JOB_TTL:
OPERATOR_SCAN_JOB_TIMEOUT: 5m
OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT: 10
OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT: 1
OPERATOR_SCAN_JOB_RETRY_AFTER: 30s
OPERATOR_BATCH_DELETE_LIMIT: 10
OPERATOR_BATCH_DELETE_DELAY: 10s
OPERATOR_METRICS_BIND_ADDRESS: :8080
OPERATOR_METRICS_FINDINGS_ENABLED: true
OPERATOR_METRICS_VULN_ID_ENABLED: false
OPERATOR_HEALTH_PROBE_BIND_ADDRESS: :9090
OPERATOR_VULNERABILITY_SCANNER_ENABLED: true
OPERATOR_SBOM_GENERATION_ENABLED: true
OPERATOR_CLUSTER_SBOM_CACHE_ENABLED: false
OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: true
OPERATOR_SCANNER_REPORT_TTL: 24h
OPERATOR_CACHE_REPORT_TTL: 120h
CONTROLLER_CACHE_SYNC_TIMEOUT: 5m
OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED: true
OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED: true
OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED: true
OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: true
OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED: true
OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED: false
OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED: false
OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED: false
OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED: false
OPERATOR_METRICS_IMAGE_INFO_ENABLED: false
OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED: false
OPERATOR_WEBHOOK_BROADCAST_URL:
OPERATOR_WEBHOOK_BROADCAST_TIMEOUT: 30s
OPERATOR_SEND_DELETED_REPORTS: false
OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES: {}
OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS: true
OPERATOR_BUILT_IN_TRIVY_SERVER: true
TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION: 10h
OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT: false
OPERATOR_CLUSTER_COMPLIANCE_ENABLED: true

Built a Dockerfile with following 

FROM nginx:latest

ENV AWS_SECRET_ACCESS_KEY hKTiTyckWru9Bji4OCm7Keif7fm7Uz11LmTjbx

CMD ["nginx", "-g", "daemon off;"]

Running a pod in cluster with Trivy Operator running with Trivy server in Client/Server Mode image

Exposed Secret Report is not catching any secret. image

[A clear and concise description of what the bug is, and what commands you ran.]

What did you expect to happen: Expected Trivy operator to catch exposed secrets.

Anything else you would like to add: Running in standalone Trivy image scan catches exposed secrets using Trivy cli i.e trivy image --image-config-scanners secret --scanners secret --timeout 10m nginxwithsecret:v1

image

When running Trivy cli using Trivy Server, its back to not catching those secrets for the same image. trivy image --server http://localhost:4954 --image-config-scanners secret --scanners secret --timeout 10m nginxwithsecret:v1 image image

This issue was also reported here https://github.com/aquasecurity/trivy-operator/issues/1297 and was thought to be fixed in https://github.com/aquasecurity/trivy-operator/pull/1301 But I believe the fix is addressing FS mode scanning not image scanning as fix was only put in func (p *plugin) getFSScanningArgs(ctx trivyoperator.PluginContext, command Command, mode Mode, trivyServerURL string) []string

Environment:

chen-keinan commented 9 months ago

@gsingh737 thanks for the input, I'll have a look. btw: do you have a public image name where I can use it for testing ?

gsingh737 commented 9 months ago

@chen-keinan gsingh737/nginxwithsecret:v1 its public on dockerhub.

chen-keinan commented 5 months ago

@gsingh737 sorry for getting late to this, I have tried scanning you image with trivy 0.51.1, image mode and did not got any results:

trivy image gsingh737/nginxwithsecret:v1 --image-config-scanners secret --scanners secret
2024-05-20T11:55:30+03:00   INFO    Container image config scanners scanners=[secret]
2024-05-20T11:55:30+03:00   INFO    Secret scanning is enabled
2024-05-20T11:55:30+03:00   INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-20T11:55:30+03:00   INFO    Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection

am I missing anything ?

jemag commented 5 months ago

Weird, here is me trying it with 0.48.0 image and then with 0.51.2: image

In both case it is reported

chen-keinan commented 5 months ago

@jemag does it works for you in client/server mode: trivy server --listen 0.0.0.0:8081

AND

trivy image gsingh737/nginxwithsecret:v1 --image-config-scanners secret --scanners secret --server http://0.0.0.0:8081

chen-keinan commented 5 months ago

Related https://github.com/aquasecurity/trivy/issues/6742

jemag commented 5 months ago

I do detect the image secret with regular trivy-cli: image However I do not detect it running the trivy-server included in trivy-operator (port-forwarding it locally): image

edit: both are running 0.52.0

chen-keinan commented 5 months ago

@jemag , thanks for checking it out, I have made several tests and got mixed result. I'll investigate it