Trivy scan detected 0 files - Helm

[a-devops-guy]

Description

Trivy is detecting 0 files when performing scan if tpllib is used to generate set of resources like deployment, services etc
yaml renders works just fine as well as helm install

happy to provide more example or our full helm library on request.

Desired Behavior

trivy should scan helm chart even when chart is highly templated. scanning the templated yaml file using helm template works fine

Actual Behavior

trivy should scan detects 0 files when helm chart is highly templated.

Reproduction Steps

1. create a helm chart helm create test
2. remove all files in template folder
3. add file _helper.tpl

{{- define "deployment" -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "tpl.resource.name" . }}
  labels: {{- include "tpl.labels" . | nindent 4 }}
{{- end -}}

3. add file deployment.yaml

{{- include "deployment" . }}
spec:
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: test:latest
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 80

4. perform trivy scan trivy config . --debug

2024-01-11T12:03:01.878+0530    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-11T12:03:01.961+0530    DEBUG   cache dir:  /Users/kiran/Library/Caches/trivy
2024-01-11T12:03:01.961+0530    INFO    Misconfiguration scanning is enabled
2024-01-11T12:03:01.961+0530    DEBUG   Failed to open the policy metadata: open /Users/kiran/Library/Caches/trivy/policy/metadata.json: no such file or directory
2024-01-11T12:03:01.961+0530    INFO    Need to update the built-in policies
2024-01-11T12:03:01.961+0530    INFO    Downloading the built-in policies...
2024-01-11T12:03:01.961+0530    DEBUG   Using URL: ghcr.io/aquasecurity/trivy-policies:0 to load policy bundle
44.78 KiB / 44.78 KiB [--------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2024-01-11T12:03:04.637+0530    DEBUG   Digest of the built-in policies: sha256:8bfc31f3e4301ef758b6793a07e0b12b4306e0b54d03a640efb2ff5e5ef29b9e
2024-01-11T12:03:04.637+0530    DEBUG   Policies successfully loaded from disk
2024-01-11T12:03:04.637+0530    DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-01-11T12:03:04.678+0530    DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-01-11T12:03:04.678+0530    DEBUG   Walk the file tree rooted at '.' in series
2024-01-11T12:03:04.686+0530    DEBUG   Scanning Helm files for misconfigurations...
2024-01-11T12:03:04.772+0530    DEBUG   OS is not detected.
2024-01-11T12:03:04.772+0530    INFO    Detected config files: 0

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

Operating System

Mac sonoma, Redhat ubi9 container image

Version

0.48.2

Checklist

• Run trivy image --reset
• Read the troubleshooting

[a-devops-guy]

the deployment helper function I provided is just example. But trivy fails to detect and scan this simple templating.
In our case we used to import tpl.manifest helper function which will render ingress, deployment, service etc

[DmitriyLewen]

Hello @a-devops-guy
Thanks for your report!

2024-01-11T12:03:04.686+0530 DEBUG Scanning Helm files for misconfigurations...

Looks like Trivy found helm files.

2024-01-11T12:03:04.772+0530 INFO Detected config files: 0

But, if i understand correctly, Trivy didn't find configuration issues for these files.

@nikpivkin can you take a look?

[a-devops-guy]

yes Trivy didn't find configuration issues for these files. @DmitriyLewen
But when scanned with the templated yaml. trivy is able to detect misconfigs

[a-devops-guy]

deployment.yaml is templated using helm template. trivy is able to find misconfigs this way but not the acutual way trivy config . --debug

trivy config deployment.yaml --debug
2024-01-11T13:18:55.964+0530    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-11T13:18:56.003+0530    DEBUG   cache dir:  /Users/kiran/Library/Caches/trivy
2024-01-11T13:18:56.003+0530    INFO    Misconfiguration scanning is enabled
2024-01-11T13:18:56.004+0530    DEBUG   Policies successfully loaded from disk
2024-01-11T13:18:56.004+0530    DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-01-11T13:18:56.018+0530    DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-01-11T13:18:56.046+0530    DEBUG   Walk the file tree rooted at 'deployment.yaml' in series
2024-01-11T13:18:56.046+0530    DEBUG   Scanning Helm files for misconfigurations...
2024-01-11T13:18:56.047+0530    DEBUG   Scanning Kubernetes files for misconfigurations...
2024-01-11T13:18:56.047+0530    DEBUG   [misconf] 18:56.047325000 kubernetes.scanner.rego          Overriding filesystem for policies!
2024-01-11T13:18:56.113+0530    DEBUG   [misconf] 18:56.113237000 kubernetes.scanner.rego          Loaded 188 policies from disk.
2024-01-11T13:18:56.113+0530    DEBUG   [misconf] 18:56.113615000 kubernetes.scanner.rego          Overriding filesystem for data!
2024-01-11T13:18:56.567+0530    DEBUG   [misconf] 18:56.567039000 kubernetes.scanner               Scanning 1 files...
2024-01-11T13:18:56.567+0530    DEBUG   [misconf] 18:56.567070000 kubernetes.scanner.rego          Scanning 1 inputs...
2024-01-11T13:18:56.919+0530    DEBUG   OS is not detected.
2024-01-11T13:18:56.920+0530    INFO    Detected config files: 1
2024-01-11T13:18:56.920+0530    DEBUG   Scanned config file: deployment.yaml

deployment.yaml (kubernetes)

Tests: 152 (SUCCESSES: 139, FAILURES: 13, EXCEPTIONS: 0)
Failures: 13 (UNKNOWN: 0, LOW: 9, MEDIUM: 3, HIGH: 1, CRITICAL: 0)

MEDIUM: Container 'myapp' of Deployment 'myapp' should set 'securityContext.allowPrivilegeEscalation' to false
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.

See https://avd.aquasec.com/misconfig/ksv001
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:15-22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  15 ┌       - name: myapp
  16 │         image: test:1.2.2
  17 │         resources:
  18 │           limits:
  19 │             memory: "128Mi"
  20 │             cpu: "500m"
  21 │         ports:
  22 └         - containerPort: 80
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Container 'myapp' of Deployment 'myapp' should add 'ALL' to 'securityContext.capabilities.drop'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The container should drop all default capabilities and add only those that are needed for its execution.

See https://avd.aquasec.com/misconfig/ksv003
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:15-22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  15 ┌       - name: myapp
  16 │         image: test:1.2.2
  17 │         resources:
  18 │           limits:
  19 │             memory: "128Mi"
  20 │             cpu: "500m"
  21 │         ports:
  22 └         - containerPort: 80
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


MEDIUM: Container 'myapp' of Deployment 'myapp' should set 'securityContext.runAsNonRoot' to true
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Force the running image to run as a non-root user to ensure least privileges.

See https://avd.aquasec.com/misconfig/ksv012
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:15-22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  15 ┌       - name: myapp
  16 │         image: test:1.2.2
  17 │         resources:
  18 │           limits:
  19 │             memory: "128Mi"
  20 │             cpu: "500m"
  21 │         ports:
  22 └         - containerPort: 80
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Container 'myapp' of Deployment 'myapp' should set 'securityContext.readOnlyRootFilesystem' to true
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.

See https://avd.aquasec.com/misconfig/ksv014
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:15-22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  15 ┌       - name: myapp
  16 │         image: test:1.2.2
  17 │         resources:
  18 │           limits:
  19 │             memory: "128Mi"
  20 │             cpu: "500m"
  21 │         ports:
  22 └         - containerPort: 80
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Container 'myapp' of Deployment 'myapp' should set 'resources.requests.cpu'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.

See https://avd.aquasec.com/misconfig/ksv015
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:15-22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  15 ┌       - name: myapp
  16 │         image: test:1.2.2
  17 │         resources:
  18 │           limits:
  19 │             memory: "128Mi"
  20 │             cpu: "500m"
  21 │         ports:
  22 └         - containerPort: 80
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Container 'myapp' of Deployment 'myapp' should set 'resources.requests.memory'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.

See https://avd.aquasec.com/misconfig/ksv016
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:15-22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  15 ┌       - name: myapp
  16 │         image: test:1.2.2
  17 │         resources:
  18 │           limits:
  19 │             memory: "128Mi"
  20 │             cpu: "500m"
  21 │         ports:
  22 └         - containerPort: 80
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Container 'myapp' of Deployment 'myapp' should set 'securityContext.runAsUser' > 10000
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.

See https://avd.aquasec.com/misconfig/ksv020
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:15-22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  15 ┌       - name: myapp
  16 │         image: test:1.2.2
  17 │         resources:
  18 │           limits:
  19 │             memory: "128Mi"
  20 │             cpu: "500m"
  21 │         ports:
  22 └         - containerPort: 80
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Container 'myapp' of Deployment 'myapp' should set 'securityContext.runAsGroup' > 10000
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.

See https://avd.aquasec.com/misconfig/ksv021
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:15-22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  15 ┌       - name: myapp
  16 │         image: test:1.2.2
  17 │         resources:
  18 │           limits:
  19 │             memory: "128Mi"
  20 │             cpu: "500m"
  21 │         ports:
  22 └         - containerPort: 80
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.

See https://avd.aquasec.com/misconfig/ksv030
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:15-22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  15 ┌       - name: myapp
  16 │         image: test:1.2.2
  17 │         resources:
  18 │           limits:
  19 │             memory: "128Mi"
  20 │             cpu: "500m"
  21 │         ports:
  22 └         - containerPort: 80
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


MEDIUM: container myapp of deployment myapp in default namespace should specify a seccomp profile
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
A program inside the container can bypass Seccomp protection policies.

See https://avd.aquasec.com/misconfig/ksv104
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: container should drop all
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.

See https://avd.aquasec.com/misconfig/ksv106
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:15-22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  15 ┌       - name: myapp
  16 │         image: test:1.2.2
  17 │         resources:
  18 │           limits:
  19 │             memory: "128Mi"
  20 │             cpu: "500m"
  21 │         ports:
  22 └         - containerPort: 80
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: deployment myapp in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.

See https://avd.aquasec.com/misconfig/ksv116
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: deployment myapp in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.

See https://avd.aquasec.com/misconfig/ksv117
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

[nikpivkin]

Hi @a-devops-guy !

I see that in the _helper.tpl file you are using the tpl.resource.name and tpl.labels templates, but they are not defined anywhere. So Trivy can't render templates. Did you provide all files?

I am getting the following error when validating chart:

helm lint test
==> Linting test
...
[ERROR] templates/: template: test/templates/deployment.yaml:1:4: executing "test/templates/deployment.yaml" at <include "deployment" .>: error calling include: template: test/templates/_helper.tpl:5:11: executing "deployment" at <include "tpl.resource.name" .>: error calling include: template: no template "tpl.resource.name" associated with template "gotpl"

Error: 1 chart(s) linted, 1 chart(s) failed

[a-devops-guy]

@nikpivkin it seems it rendered via chart dependency.

try this test chart with tpl functions. it renders fine but scan will fails
chart.tar.gz

[a-devops-guy]

I directly added all the files from tpllib to this templates folder.

[nikpivkin]

@simar7 I investigated and found that in trivy-iac, templates rendering returns the following error: chart requires kubeVersion: >=1.27 which is incompatible with Kubernetes v1.20.0. This is because Chart.yaml specifies the constraint of the supported Kubernetes version, but since we run the render command only in client mode, helm uses the default Kubernetes version.

The output if I remove the constraint:

templates/deployment.yaml (helm)

Tests: 152 (SUCCESSES: 138, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (UNKNOWN: 0, LOW: 9, MEDIUM: 4, HIGH: 1, CRITICAL: 0)

[a-devops-guy]

hmm, but should trivy take this constrain under consideration for scanning misconfigs?

[simar7]

cc @chen-keinan would you know?

[nikpivkin]

Track #6337