v0.19.0 #1112

aqua-bot · 2021-07-12T11:03:10Z

aqua-bot
Jul 12, 2021
Maintainer

💔 BREAKING CHANGES 💔

Migrate to new JSON schema of scan results

$ trivy image -f json alpine:3.11
...
2021-06-08T11:22:17.201+0300    WARN    DEPRECATED: the current JSON schema is deprecated, check https://github.com/aquasecurity/trivy/discussions/1050 for more information.
...

See here for the details.

🚀 What's new? 🚀

🍣 Misconfiguration Detection 🍤

Trivy scans Dockerfile, Kubernetes, and Terraform to detect configuration issues. Trivy provides plenty of managed policies and keep them up-to-date automatically. All you have to do is specify your directory including config files.

$ ls iac/
Dockerfile  deployment.yaml  main.tf
$ trivy conf --severith HIGH,CRITICAL ./iac
2021-07-09T11:51:08.212+0300    INFO    Need to update the built-in policies
2021-07-09T11:51:08.212+0300    INFO    Downloading the built-in policies...
2021-07-09T11:51:09.527+0300    INFO    Detected config files: 3

Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

+---------------------------+------------+--------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |     CHECK    | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+--------------+----------+------------------------------------------+
| Dockerfile Security Check |   DS002    | 'root' user  |   HIGH   | Last USER command in                     |
|                           |            |              |          | Dockerfile should not be 'root'          |
|                           |            |              |          | -->avd.aquasec.com/appshield/ds002       |
+---------------------------+------------+--------------+----------+------------------------------------------+

deployment.yaml (kubernetes)
============================
Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
Failures: 13 (HIGH: 1, CRITICAL: 0)

+---------------------------+------------+----------------------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |           CHECK            | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+----------------------------+----------+------------------------------------------+
| Kubernetes Security Check |   KSV005   | SYS_ADMIN capability added |   HIGH   | Container 'hello-kubernetes' of          |
|                           |            |                            |          | Deployment 'hello-kubernetes'            |
|                           |            |                            |          | should not include 'SYS_ADMIN' in        |
|                           |            |                            |          | 'securityContext.capabilities.add'       |
|                           |            |                            |          | -->avd.aquasec.com/appshield/ksv005      |
+---------------------------+------------+----------------------------+----------+------------------------------------------+

main.tf (terraform)
===================
Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
Failures: 9 (HIGH: 6, CRITICAL: 1)

+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
|                   TYPE                   | MISCONF ID |                  CHECK                   | SEVERITY |                        MESSAGE                         |
+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
|   Terraform Security Check powered by    |   AWS003   | AWS Classic resource usage.              |   HIGH   | Resource                                               |
|                  tfsec                   |            |                                          |          | 'aws_db_security_group.my-group'                       |
|                                          |            |                                          |          | uses EC2 Classic. Use a VPC instead.                   |
|                                          |            |                                          |          | -->tfsec.dev/docs/aws/AWS003/                          |
+                                          +------------+------------------------------------------+----------+--------------------------------------------------------+
|                                          |   AWS004   | Use of plain HTTP.                       | CRITICAL | Resource                                               |
|                                          |            |                                          |          | 'aws_alb_listener.my-alb-listener'                     |
|                                          |            |                                          |          | uses plain HTTP instead of HTTPS.                      |
|                                          |            |                                          |          | -->tfsec.dev/docs/aws/AWS004/                          |
+                                          +------------+------------------------------------------+----------+--------------------------------------------------------+
|                                          |   AWS018   | Missing description for security         |   HIGH   | Resource                                               |
|                                          |            | group/security group rule.               |          | 'aws_security_group_rule.my-rule' should               |
|                                          |            |                                          |          | include a description for auditing                     |
|                                          |            |                                          |          | purposes. -->tfsec.dev/docs/aws/AWS018/                |
+                                          +------------+------------------------------------------+          +--------------------------------------------------------+
|                                          |   AWS025   | API Gateway domain name uses outdated    |          | Resource                                               |
|                                          |            | SSL/TLS protocols.                       |          | 'aws_api_gateway_domain_name.empty_security_policy'    |
|                                          |            |                                          |          | defines outdated SSL/TLS policies (not using           |
|                                          |            |                                          |          | TLS_1_2). -->tfsec.dev/docs/aws/AWS025/                |
+                                          +            +                                          +          +--------------------------------------------------------+
|                                          |            |                                          |          | Resource                                               |
|                                          |            |                                          |          | 'aws_api_gateway_domain_name.missing_security_policy'  |
|                                          |            |                                          |          | should include security_policy (defauls to outdated    |
|                                          |            |                                          |          | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/         |
+                                          +            +                                          +          +--------------------------------------------------------+
|                                          |            |                                          |          | Resource                                               |
|                                          |            |                                          |          | 'aws_api_gateway_domain_name.outdated_security_policy' |
|                                          |            |                                          |          | defines outdated SSL/TLS policies (not using TLS_1_2). |
|                                          |            |                                          |          | -->tfsec.dev/docs/aws/AWS025/                          |
+                                          +------------+------------------------------------------+          +--------------------------------------------------------+
|                                          |   AZU003   | Unencrypted managed disk.                |          | Resource 'azurerm_managed_disk.source'                 |
|                                          |            |                                          |          | defines an unencrypted managed disk.                   |
|                                          |            |                                          |          | -->tfsec.dev/docs/azure/AZU003/                        |
+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+

Custom policies are also supported. You can see many examples here. CloudFormation and Ansible supports are coming 🔜

Our official GitHub Actions will support misconfiguration detection shortly.

For more details, see the documentation.

Generate CycloneDX Software Bill of Materials (SBOM) (#1076)

Trivy's SBOM is available.
https://github.com/aquasecurity/trivy/releases/download/v0.19.0/bom.json

Thanks to @VinodAnandan, @coderpatros, and @stevespringett

Support Google Artifact Registry (#1055)

Trivy scans container images in Google Artifact Registry

Support Alpine Linux 3.14 and Ubuntu 21.04

See #1072 and #1027.

Thanks to @chrisnovakovic and @mozillazg

Add GitLab Code Quality template (#895)

Trivy can be integrated into GitLab Code Quality.

See the documentation.

Thanks to @bmagistro

Support --list-all-pkgs flag in the `client` subcommand

$ trivy client --list-all-pkgs --remote http://localhost:8080 ubuntu:18.04

🐞 Bug fixes 🐛

Change unknown os from info to debug (#1109)

Reduce the Internet access (#1105)

Multiple prefixed data sources (#1070)

Replace slice with substr in ASFF template (#1058)

Parametrized ingress host path in the official Helm chart (#1049)

If patchedVersion is empty mark it as vulnerable (#1030)

Changelog

https://github.com/aquasecurity/trivy/releases/tag/v0.19.0

Docker images

docker pull aquasec/trivy:0.19.0
docker pull ghcr.io/aquasecurity/trivy:0.19.0
docker pull public.ecr.aws/aquasecurity/trivy:0.19.0
docker pull aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:latest
docker pull public.ecr.aws/aquasecurity/trivy:latest

This discussion was created from the release v0.19.0.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v0.19.0 #1112

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 0 comments

Select a reply

v0.19.0 #1112

aqua-bot Jul 12, 2021 Maintainer

💔 BREAKING CHANGES 💔

Migrate to new JSON schema of scan results

🚀 What's new? 🚀

🍣 Misconfiguration Detection 🍤

Generate CycloneDX Software Bill of Materials (SBOM) (#1076)

Support Google Artifact Registry (#1055)

Support Alpine Linux 3.14 and Ubuntu 21.04

Add GitLab Code Quality template (#895)

Support --list-all-pkgs flag in the client subcommand

🐞 Bug fixes 🐛

Change unknown os from info to debug (#1109)

Reduce the Internet access (#1105)

Multiple prefixed data sources (#1070)

Replace slice with substr in ASFF template (#1058)

Parametrized ingress host path in the official Helm chart (#1049)

If patchedVersion is empty mark it as vulnerable (#1030)

Changelog

Docker images

Replies: 0 comments

aqua-bot
Jul 12, 2021
Maintainer

Support --list-all-pkgs flag in the `client` subcommand