bug(misconf): Apply AVD-DS-0016 only to final layer #7368
Comments
@simar7 @nikpivkin Does the misconfiguration scanner allow disabling checks by ID? When scanning image metadata, we want to pass AVD-DS-0011 as a disabled check.
@knqyf263 currently we don't but for my own understanding, I'd like to know how we can pass the info when scanning Dockerfiles to the misconf scanner, to purposefully ignore a check just for the image metadata. From my understanding, we pass the Dockerfile as such. If we add another option in the misconfiguration scanner, how will the analyzer use it?
It's certainly an interesting use case which I'd like to consider. It's more on the lines of disabling a check, but not completely ignoring it for all inputs. IOW, more granular than a simple selector or subtype based filter can accomplish today.
@simar7 This is an interesting feature. It will disable the AVD-AWS-0169 check for all scanners except
I may be missing something, but I meant to pass
This analyzer is used only when scanning image configuration (a.k.a. history) and doesn't need AVD-DS-0011.
Discussed in #7320
Originally posted by candrews August 8, 2024
IDs
ds016
Description
Trivy misconfiguration scan incorrectly reports duplicate CMD instructions for some docker images.
Trivy seems to be looking for CMD instructions in all of the layers of the docker image. Instead, it should only be looking at the final image. Here's an example:
The Dockerfile for this image can be seen at https://catalog.redhat.com/software/containers/ubi8/python-312/657c12cade3664622a12ed50?container-tabs=dockerfile - it contains exactly 1 CMD so it does not violate the https://avd.aquasec.com/misconfig/ds016 rule.
Reproduction Steps
Target
Container Image
Scanner
Misconfiguration
Target OS
No response
Debug Output
Version
Checklist
-f json that shows data sources and confirmed that the security advisory in data sources was correct
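To make the reported behaviour concrete, here is an added Go example (not Trivy's code or its DS016 check). It parses constructed `docker image inspect` history strings, counts CMD instructions across every layer, which is what the issue describes, and alternatively evaluates only the final layer. "Final layer" is taken here as the trailing metadata-only (`#(nop)`) entries after the last filesystem-changing layer; that interpretation is this example's assumption, not Trivy's implementation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// HistoryEntry models one .History[].CreatedBy string from `docker image inspect`.
type HistoryEntry struct{ CreatedBy string }

var (
	nopRe = regexp.MustCompile(`#\(nop\)`)               // metadata-only (empty) layer
	cmdRe = regexp.MustCompile(`#\(nop\)\s+CMD\s+(.+)$`) // a CMD instruction
)

// cmdInstructions returns every CMD value in entries, oldest first.
func cmdInstructions(entries []HistoryEntry) []string {
	var cmds []string
	for _, e := range entries {
		if m := cmdRe.FindStringSubmatch(e.CreatedBy); m != nil {
			cmds = append(cmds, strings.TrimSpace(m[1]))
		}
	}
	return cmds
}

// finalLayerEntries keeps the trailing metadata-only entries after the last
// filesystem-changing layer. Assumption of this example: those are what the final
// build stage contributed; a CMD before an earlier RUN/ADD/COPY came from a base
// image and was overridden, which is not the mistake DS016 is meant to catch.
func finalLayerEntries(history []HistoryEntry) []HistoryEntry {
	i := len(history)
	for i > 0 && nopRe.MatchString(history[i-1].CreatedBy) {
		i--
	}
	return history[i:]
}

// ds016AllLayers is the behaviour reported in the issue: CMDs counted over all layers.
func ds016AllLayers(history []HistoryEntry) bool { return len(cmdInstructions(history)) > 1 }

// ds016FinalLayer counts CMDs only among the final layer's instructions.
func ds016FinalLayer(history []HistoryEntry) bool { return len(cmdInstructions(finalLayerEntries(history))) > 1 }

// inheritedCMD is a constructed history (not the real UBI image): base image CMD, a RUN, then
// the derived image's single CMD. The derived Dockerfile therefore has exactly one CMD.
var inheritedCMD = []HistoryEntry{
	{`/bin/sh -c #(nop)  CMD ["/bin/bash"]`},
	{`/bin/sh -c dnf -y install python3.12 && dnf clean all`},
	{`/bin/sh -c #(nop)  CMD ["/bin/sh", "-c", "python3"]`},
}

func main() { fmt.Println("all layers:", ds016AllLayers(inheritedCMD), "final layer:", ds016FinalLayer(inheritedCMD)) }
```

Running it prints `all layers: true final layer: false`: the all-layers count reproduces the false positive, while the final-layer evaluation still reports a genuine pair of CMDs written in the same final stage.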