v0.33.0 #3077
aqua-bot
announced in
Announcements
v0.33.0
#3077
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
🧾 NSA Kubernetes hardening compliance ☑️
You can now use Trivy to scan your Kubernetes cluster for compliance with the NSA Kubernetes hardening guide, by adding the
--copmliance nsa
flag. Compliance granularity can be controlled using the familiar--report summary|all
flag and output format can be controlled using the familiar--output table|json
flag.The new compliance feature is currently dedicated for NSA report, but in next release will be generalized to provide flexible reporting infrastructure for more compliance framework and custom reporting. Stay tuned!
⎈ Scan Kubernetes cluster components 🔧
The
trivy k8s
now scans your Kubernetes cluster components in addition to workloads running in it.The new "Infra Assessment" sections scans Kubernetes management components for misconfigurations and best practices. You can also select a specific section when scanning using the
--components infra|workloads
.This feature is another small step in the direction of providing CIS Benchmark scanning using Trivy, as a modern alternative to kube-bench.
📦 Scan unpackaged binary files 🔥
Previously Trivy relied on package manager metadata in order to identify applications. If you included a piece of software outside of a package manager, Trivy could not have identified it. For example any Dockerfile centric workflow where you build the binary and
COPY
orADD
the binary into the container image would have been missed. Today we are releasing an experimental approach to address this common concern using SBOM and Sigstore. During scan, when Trivy stumble upon an executable binary, Trivy will lookup it's hash in Rekor (Sigstore public transparency log). If a relevant SBOM was found, Trivy will use it for vulnerability detection.There are 3 steps to enable this feature:
--sbom-sources
If someone already stored the SBOM attestation of the specific binary you want to scan, you can start with the step 3.
See here for the detail.
🚓 Rego checks improvements ✅
Trivy's misconfiguration checks could be authored either in Go or Rego. Going forward we will focus on rego based rules and in preparation for that we've made numerous improvements to the rego policy engine. One notable improvement is the move to standard rego annotations to describe checks metadata.
In the near future we will move to decouple the checks library from the policy engine to enable streamlined distribution of policies.
☁️ Azure/ARM support 💪
Trivy can now scan Azure Resource Manager templates for misconfigurations. ARM templates are parsed and interpolated automatically.
🐳 Support multi-arch images ⚔️
You can pass the
--platform
flag like Docker CLI if you want to scan a remote image with a specific OS and architecture.Thanks to @ShubhamPalriwala
🐓 Add client/server mode for rootfs scanning 🐕🦺
Added
--server
to therootfs
subcommand.Thanks to @bgoareguer
📍 Add dependency line numbers 🛫
Trivy now stores line numbers of each language-specific dependency in the JSON result. Currently,
package-lock.json
andyarn.lock
are supported.Support custom rego policies for AWS scanning
This enables the authoring of custom rego policies to apply to a live AWS account via the
trivy aws
command.🐛 Bug fixes 🐞
false
#2967This discussion was created from the release v0.33.0.
Beta Was this translation helpful? Give feedback.
All reactions