bug(k8s): inconsistent results from summary and all report on k8s workload - Githubissues

aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

https://aquasecurity.github.io/trivy

Apache License 2.0

23.79k stars 2.34k forks source link

bug(k8s): inconsistent results from summary and all report on k8s workload #7937

Closed afdesk closed 2 days ago

afdesk commented 4 days ago

Description

There are cases when summary report doesn't contain information about vulnerabilities.

Reason

For consolidated report Trivy looks for vulns and secrets only in the first result. The second and next results are skipped now.

https://github.com/aquasecurity/trivy/blob/main/pkg/k8s/report/report.go#L282-L283

Reproduction steps:

#!/bin/sh
kind delete cluster && kind create cluster
kubectl cluster-info
kubectl wait --for=condition=Ready nodes --all --timeout=300s

kubectl create namespace test
kubectl create -f pod.yaml

trivy k8s --report summary --include-namespaces test

pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  namespace: test
  name: postgres-pod
spec:
  containers:
  - name: postgres
    image: postgres:15-alpine3.19
    ports:
    - containerPort: 5432
    env:
    - name: POSTGRES_USER
      value: "admin"
    - name: POSTGRES_PASSWORD
      value: "password"
    - name: POSTGRES_DB
      value: "exampledb"

Discussed in https://github.com/aquasecurity/trivy/discussions/7927