cli: help message for --scanners flag does not match actual behavior for trivy k8s #5538

Closed
1 of 2 tasks
nikpivkin opened this issue Nov 8, 2023 Discussed in #5527 · 0 comments · Fixed by #5561
Labels
kind/bug Categorizes issue or PR as related to a bug. target/kubernetes Issues relating to kubernetes cluster scanning

Comments

@nikpivkin
Contributor

The default value defines the type of flag, so it must be a list. https://github.com/aquasecurity/trivy/blob/main/pkg/commands/app.go#L865

Also the list of allowed values should be overridden for the flag (add rbac and remove license?).

Discussed in #5527

Originally posted by tjanson November 6, 2023

Description

The help message for the CLI arg --scanners reads as follows:

 --scanners string         comma-separated list of what security issues to detect (vuln,config,secret,license) (default "vuln,config,secret,rbac")

I.e., the following should be valid values:

  • rbac
  • vuln,config

Neither works:

$ trivy k8s -n kube-system --report summary --scanners rbac all >/dev/null
2023-11-06T16:12:09.215+0100    FATAL   invalid argument "rbac" for "--scanners" flag: must be one of ["vuln" "config" "secret" "license"]
$ trivy k8s -n kube-system --report summary --scanners vuln,config all >/dev/null
2023-11-06T16:12:39.454+0100    FATAL   invalid argument "vuln,config" for "--scanners" flag: must be one of ["vuln" "config" "secret" "license"]

It seems --scanners only accepts single values, and it seems rbac is no longer (?) a valid value.

Desired Behavior

Adjust help message or accept args as described, whichever is desired.

Actual Behavior

see above

Reproduction Steps

$ trivy --version | head -1
Version: 0.47.0
$ trivy k8s --help | grep rbac
      --scanners string         comma-separated list of what security issues to detect (vuln,config,secret,license) (default "vuln,config,secret,rbac")
$ trivy k8s -n kube-system --report summary --scanners rbac all >/dev/null
2023-11-06T16:12:09.215+0100    FATAL   invalid argument "rbac" for "--scanners" flag: must be one of ["vuln" "config" "secret" "license"]
$ trivy k8s -n kube-system --report summary --scanners vuln,config all >/dev/null
2023-11-06T16:12:39.454+0100    FATAL   invalid argument "vuln,config" for "--scanners" flag: must be one of ["vuln" "config" "secret" "license"]

Target

Kubernetes

Scanner

see above

Operating System

macOS 14

Version

Version: 0.47.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-06 12:11:49.492717847 +0000 UTC
  NextUpdate: 2023-11-06 18:11:49.492717586 +0000 UTC
  DownloadedAt: 2023-11-06 12:48:52.892341 +0000 UTC
Policy Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2023-11-06 12:56:33.902378 +0000 UTC

Checklist

@nikpivkin nikpivkin added the kind/bug Categorizes issue or PR as related to a bug. label Nov 8, 2023
@DmitriyLewen DmitriyLewen self-assigned this Nov 13, 2023
@DmitriyLewen DmitriyLewen added the target/kubernetes Issues relating to kubernetes cluster scanning label Nov 13, 2023
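
An added Go example (not Trivy's code and not part of the issue) sketching the behavior reported above: a flag validated as a single string rejects every comma-separated value, while a list-typed flag checks each element on its own. The function names are hypothetical, and the `trivy k8s` allowed set is an assumption taken from the suggestion in the issue (add rbac, remove license).

```go
package main

import (
	"fmt"
	"strings"
)

// Allowed values exactly as printed in the error message quoted in the issue.
var reportedAllowed = []string{"vuln", "config", "secret", "license"}

// Assumed allowed set for `trivy k8s`, following the issue's suggestion.
var proposedK8sAllowed = []string{"vuln", "config", "secret", "rbac"}

func contains(list []string, v string) bool {
	for _, item := range list {
		if item == v {
			return true
		}
	}
	return false
}

// validateAsString treats the flag as one string: the whole raw argument must
// equal a single allowed value, so "vuln,config" can never pass.
func validateAsString(raw string, allowed []string) error {
	if !contains(allowed, raw) {
		return fmt.Errorf("invalid argument %q for \"--scanners\" flag: must be one of %q", raw, allowed)
	}
	return nil
}

// validateAsList splits on commas and validates each element separately.
// Empty elements (for example a trailing comma) are rejected, duplicates dropped.
func validateAsList(raw string, allowed []string) ([]string, error) {
	var out []string
	for _, v := range strings.Split(raw, ",") {
		v = strings.TrimSpace(v)
		if !contains(allowed, v) {
			return nil, fmt.Errorf("invalid element %q in %q: must be one of %q", v, raw, allowed)
		}
		if !contains(out, v) {
			out = append(out, v)
		}
	}
	return out, nil
}

func main() {
	for _, raw := range []string{"rbac", "vuln,config", "vuln,license", "vuln,"} {
		list, err := validateAsList(raw, proposedK8sAllowed)
		fmt.Printf("%-14q string-typed: %v\n%-14s list-typed:   %v %v\n",
			raw, validateAsString(raw, reportedAllowed), "", list, err)
	}
}
```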