aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0
22.86k stars 2.25k forks

fix(misconf): display irrelevant warnings #7426

Closed knqyf263 closed 1 week ago

knqyf263 commented 2 weeks ago

Description

Even when the misconfiguration scanner is disabled, some warnings are shown.

$ trivy image alpine:3.19 --scanners vuln
2024/08/30 18:16:35 WARN Check ID is empty file_path=lib/cloud/aws_trails.rego
2024/08/30 18:16:35 WARN Check ID is empty file_path=lib/docker/docker.rego
2024-08-30T18:16:35+04:00       INFO    [vuln] Vulnerability scanning is enabled

Commit

$ git log -1
commit bf64003ac8b209f34b88f228918a96d4f9dac5e0 (HEAD -> main, upstream/main, upstream/gh-readonly-queue/main/pr-7410-3a5d091759564496992a83fb2015a21c84a22213, upstream/HEAD)
Author: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date:   Fri Aug 30 13:15:10 2024 +0600

    fix(secret): use `.eyJ` keyword for JWT secret (#7410)

simar7 commented 2 weeks ago

It seems that the fix didn't work @nikpivkin

Scratch that, I didn't realize I hadn't updated the dependency 😌 opened to update and fix https://github.com/aquasecurity/trivy/pull/7427

knqyf263 commented 1 week ago

I took a look at the fix. It seems to me that the problem is not the warning itself, but that the checks are being loaded even though misconfiguration scanning is disabled, or that processing related to misconfiguration scanning is taking place. Is it possible to delay the initialization process so that it only takes place when misconfiguration scanning is enabled?
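One way to realise the deferred initialisation asked about above, as an added example that is not Trivy's code: a check loader guarded by sync.Once that only runs when "misconfig" is among the enabled scanners, so the "Check ID is empty" warnings for library files are never produced under `--scanners vuln`. The Check type, the loader and the sample bundle are all constructed for this illustration.

```go
package main

import "sync"
// Check is a minimal stand-in for a loaded Rego check (constructed, not Trivy's type).
type Check struct{ ID, Path string }

// CheckLoader defers the expensive load step until a scanner that needs checks asks for them.
type CheckLoader struct {
	once     sync.Once
	load     func() []Check // in Trivy this would parse the bundled checks
	Warnings []string       // "Check ID is empty" messages raised while loading
	checks   []Check
}

// Checks loads exactly once, warning about (and skipping) checks with an empty ID.
func (l *CheckLoader) Checks() []Check {
	l.once.Do(func() {
		for _, c := range l.load() {
			if c.ID == "" {
				l.Warnings = append(l.Warnings, "Check ID is empty file_path="+c.Path)
				continue
			}
			l.checks = append(l.checks, c)
		}
	})
	return l.checks
}

// Scan consults the loader only when "misconfig" is among the enabled scanners;
// with `--scanners vuln` alone the checks are never loaded and no warning is emitted.
func Scan(enabled []string, l *CheckLoader) bool {
	for _, s := range enabled {
		if s == "misconfig" {
			l.Checks()
			return true
		}
	}
	return false
}

// constructedChecks mimics a bundle whose library files carry no check ID.
func constructedChecks() []Check {
	return []Check{
		{Path: "lib/cloud/aws_trails.rego"},
		{Path: "lib/docker/docker.rego"},
		{ID: "EXAMPLE-0001", Path: "checks/example.rego"},
	}
}

func main() { Scan([]string{"vuln"}, &CheckLoader{load: constructedChecks}) }
```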