Ingress-nginx "server-tokens" parameter reported as unsafe

[bovy89]

Description

Ingress-nginx "server-tokens" parameter reported as unsafe: "Storing secrets in configMaps is unsafe"

What did you expect to happen?

server-tokens parameter should not be reported as unsafe

What happened instead?

server-tokens parameter reported as unsafe

Output of trivy -v:

Version: 0.37.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-11-08 12:09:11.842458865 +0000 UTC
  NextUpdate: 2022-11-08 18:09:11.842458665 +0000 UTC
  DownloadedAt: 2022-11-08 15:44:12.614908 +0000 UTC

Additional details (base image name, container registry info...):

HIGH: ConfigMap 'ingress-nginx-x-values-public-controller' in 'ingress-nginx-x-values-public' namespace stores secrets in key(s) or value(s) '{"server-tokens"}'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Storing secrets in configMaps is unsafe

See https://avd.aquasec.com/misconfig/avd-ksv-0109
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ingress-nginx-x-values-public.yaml:120
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 120 [ ---

config map:

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.4.2
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx-x-values-public
    app.kubernetes.io/version: "1.5.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-x-values-public-controller
  namespace: ingress-nginx-x-values-public
data:
  allow-snippet-annotations: "true"
  proxy-set-headers: ingress-nginx-x-values-public/ingress-nginx-x-values-public-custom-proxy-headers
  ssl-dh-param: ingress-nginx-x-values-public/ingress-nginx-x-values-public-controller
  annotation-value-word-blocklist: "load_module,lua_package,_by_lua,root,proxy_pass,serviceaccount,',\""
  gzip-level: "5"
  hide-headers: "X-Powered-By,Server"
  proxy-cookie-path: "/ \"/; SameSite=None; HTTPOnly; Secure\""
  server-snippet: "location ~ /\\.(?!well-known\\/) {\n    deny all;\n    return 404;\n}\n"
  server-tokens: "false"
  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
  ssl-protocols: "TLSv1.2 TLSv1.3"
  ssl-redirect: "true"
  ssl-session-tickets: "false"
  use-gzip: "true"
  use-http2: "true"
  use-proxy-protocol: "true"

[bovy89]

Same issue with:

argocd argocd-ssh-known-hosts-cm

HIGH: ConfigMap 'argocd-ssh-known-hosts-cm' in 'argocd' namespace stores sensitive contents in key(s) or value(s) '{"github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ"}'

argocd-cm

HIGH: ConfigMap 'argocd-cm' in 'argocd' namespace stores secrets in key(s) or value(s) '{"    bindPW"}'
HIGH: ConfigMap 'argocd-cm' in 'argocd' namespace stores sensitive contents in key(s) or value(s) '{"      username"}'

apiVersion: v1
data:
  dex.config: |
    connectors:
    - type: ldap
      name: xxxxx
      id: xxxxx
      config:
        host: xxxxxx
        insecureSkipVerify: false
        bindDN: $ldap.bindDN
        bindPW: $ldap.bindPW
        userSearch:
          baseDN: "xxxxxx"
          filter: "xxxxxxx"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: uid

argocd-image-updater-config

HIGH: ConfigMap 'argocd-image-updater-config' in 'argocd' namespace stores secrets in key(s) or value(s) '{"  credentials"}'

  registries.conf: |
    registries:
    - name: xxxxxxx
      api_url: xxxxxxx
      prefix: xxxxxxx
      ping: yes
      credentials: secret:argocd/argocd-image-updater-xxxxxx#pullcredential

is there a way to exclude that check?

tried KSV0110 and KSV110 inside .trivyignore but nothing

[knqyf263]

I thought secret scanning detects it, but it looks like it comes from misconfiguration. Also, this AVD-ID returns 404.
https://avd.aquasec.com/misconfig/avd-ksv-0109

@giorod3 Would you look into it?