admin/aquasecurity-trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2026-01-31 13:53:14 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
ba9feb66bf8f8292e0f9f936b0f01e244859c06e
aquasecurity-trivy/integration/testdata/helm_testchart.json.golden
Nikita Pivkin ba9feb66bf chore: bump trivy-checks to v2 (#9875) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
2026-01-30 08:02:58 +00:00

675 lines
27 KiB
Plaintext
Raw Blame History

{
"SchemaVersion": 2,
"Trivy": {
"Version": "dev"
},
"ReportID": "017b7d41-e09f-7000-80ea-000000000001",
"CreatedAt": "2021-08-25T12:20:30.000000005Z",
"ArtifactName": "testdata/fixtures/repo/helm_testchart",
"ArtifactType": "repository",
"Results": [
{
"Target": "templates/deployment.yaml",
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 92,
"Failures": 6
},
"Misconfigurations": [
{
"Type": "Helm Security Check",
"ID": "KSV-0001",
"Title": "Can elevate its own privileges",
"Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
"Message": "Container 'testchart' of Deployment 'testchart' should set 'securityContext.allowPrivilegeEscalation' to false",
"Namespace": "builtin.kubernetes.KSV001",
"Query": "data.builtin.kubernetes.KSV001.deny",
"Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv-0001",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
"https://avd.aquasec.com/misconfig/ksv-0001"
],
"Status": "FAIL",
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV-0030",
"Title": "Runtime/Default Seccomp profile not set",
"Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.",
"Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'",
"Namespace": "builtin.kubernetes.KSV030",
"Query": "data.builtin.kubernetes.KSV030.deny",
"Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv-0030",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
"https://avd.aquasec.com/misconfig/ksv-0030"
],
"Status": "FAIL",
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV-0104",
"Title": "Seccomp policies disabled",
"Description": "A program inside the container can bypass Seccomp protection policies.",
"Message": "container \"testchart\" of deployment \"testchart\" in \"default\" namespace should specify a seccomp profile",
"Namespace": "builtin.kubernetes.KSV104",
"Query": "data.builtin.kubernetes.KSV104.deny",
"Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv-0104",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline",
"https://avd.aquasec.com/misconfig/ksv-0104"
],
"Status": "FAIL",
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV-0110",
"Title": "Workloads in the default namespace",
"Description": "Checks whether a workload is running in the default namespace.",
"Message": "deployment testchart in default namespace should set metadata.namespace to a non-default namespace",
"Namespace": "builtin.kubernetes.KSV110",
"Query": "data.builtin.kubernetes.KSV110.deny",
"Resolution": "Set 'metadata.namespace' to a non-default namespace.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv-0110",
"References": [
"https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
"https://avd.aquasec.com/misconfig/ksv-0110"
],
"Status": "FAIL",
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 4,
"EndLine": 11,
"Code": {
"Lines": [
{
"Number": 4,
"Content": "metadata:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mmetadata\u001b[0m:",
"FirstCause": true,
"LastCause": false
},
{
"Number": 5,
"Content": " name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 6,
"Content": " labels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 7,
"Content": " helm.sh/chart: testchart-0.1.0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mhelm.sh/chart\u001b[0m: testchart-0.1.0",
"FirstCause": false,
"LastCause": false
},
{
"Number": 8,
"Content": " app.kubernetes.io/name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 9,
"Content": " app.kubernetes.io/instance: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": " app.kubernetes.io/version: \"1.16.0\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/version\u001b[0m: \u001b[38;5;37m\"1.16.0\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 11,
"Content": " app.kubernetes.io/managed-by: Helm",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mapp.kubernetes.io/managed-by\u001b[0m: Helm",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV-0117",
"Title": "Prevent binding to privileged ports",
"Description": "The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.",
"Message": "deployment testchart in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024",
"Namespace": "builtin.kubernetes.KSV117",
"Query": "data.builtin.kubernetes.KSV117.deny",
"Resolution": "Do not map the container ports to privileged host ports when starting a container.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv-0117",
"References": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/",
"https://www.stigviewer.com/stig/kubernetes/2022-12-02/finding/V-242414",
"https://avd.aquasec.com/misconfig/ksv-0117"
],
"Status": "FAIL",
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general"
}
},
{
"Type": "Helm Security Check",
"ID": "KSV-0118",
"Title": "Default security context configured",
"Description": "Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.",
"Message": "deployment testchart in default namespace is using the default security context, which allows root privileges",
"Namespace": "builtin.kubernetes.KSV118",
"Query": "data.builtin.kubernetes.KSV118.deny",
"Resolution": "To enhance security, it is strongly recommended not to rely on the default security context. Instead, it is advisable to explicitly define the required security parameters (such as runAsNonRoot, capabilities, readOnlyRootFilesystem, etc.) within the security context.",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv-0118",
"References": [
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
"https://avd.aquasec.com/misconfig/ksv-0118"
],
"Status": "FAIL",
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 23,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 23,
"Content": " spec:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mspec\u001b[0m:",
"FirstCause": true,
"LastCause": false
},
{
"Number": 24,
"Content": " serviceAccountName: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mserviceAccountName\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 25,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 26,
"Content": " {}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " {}",
"FirstCause": false,
"LastCause": false
},
{
"Number": 27,
"Content": " containers:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": true
},
{
"Number": 32,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
}
}
}
]
},
{
"Target": "templates/service.yaml",
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 62,
"Failures": 0
}
},
{
"Target": "templates/serviceaccount.yaml",
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 61,
"Failures": 0
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink