diff --git a/.github/workflows/lib-trivy.yaml b/.github/workflows/lib-trivy.yaml
index fb125f18c..7afe9796f 100644
--- a/.github/workflows/lib-trivy.yaml
+++ b/.github/workflows/lib-trivy.yaml
@@ -39,6 +39,9 @@ jobs:
 scan-ref: deployments/
 exit-code: 1
 severity: CRITICAL,HIGH
+ # When trivy-action starts supporting this, use it instead of .trivyaction
+ # https://github.com/aquasecurity/trivy-action/issues/284
+ #ignorefile: .trivyignore.yaml
 trivy-scan-dockerfiles:
 name: Scan Dockerfiles
diff --git a/.trivyignore b/.trivyignore
index f9f0b0860..e05594ad1 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -23,5 +23,5 @@ AVD-KSV-0048
 # Some plugins require access to various host paths
 AVD-KSV-0121
-# Device plugins do not use any CSIs
-## CVE-2019-11255
+# Ignore invalid "readOnlyRootFilesystem" detections
+AVD-KSV-0014
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 000000000..52f5af693
--- /dev/null
+++ b/.trivyignore.yaml
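Review bot: The commented-out `#ignorefile: .trivyignore.yaml` in lib-trivy.yaml means the new path-scoped `.trivyignore.yaml` is not consumed by this workflow at all; until trivy-action supports the option, only the plain `.trivyignore` is in effect, and the comment should say so, e.g. `# Until then the flat .trivyignore below is what the scan actually honours`. The reference to `.trivyaction` reads like a typo for `.trivyignore` — confirm. yamllint's comments rule also expects a space after the hash, `# ignorefile: .trivyignore.yaml`, so the line is not flagged when the file is linted.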
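Review bot: Adding `AVD-KSV-0014` to the flat `.trivyignore` suppresses the readOnlyRootFilesystem check for every manifest under `deployments/`, not just the files enumerated in `.trivyignore.yaml`, so a container that later drops the setting — including the one this commit fixes in init-daemonset.yaml — would no longer be reported. If this is a stopgap until the ignorefile option lands, make the temporary widening visible, e.g. `# TODO: remove once lib-trivy.yaml can pass .trivyignore.yaml, which scopes this to specific files`. Calling the detections "invalid" in the comment overstates it: the rule fires on any container spec without the field, which is exactly the signal that is now lost repo-wide.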
@@ -0,0 +1,55 @@
+misconfigurations:
+ - id: AVD-KSV-0121
+ statement: Some plugins require access to various host paths
+ paths:
+ - dlb_plugin/base/intel-dlb-plugin.yaml
+ - fpga_plugin/base/intel-fpga-plugin-daemonset.yaml
+ - qat_plugin/base/intel-qat-kernel-plugin.yaml
+ - qat_plugin/overlays/qat_initcontainer/qat_initcontainer.yaml
+
+ - id: AVD-KSV-0017
+ statement: initcontainers require privileged access
+ paths:
+ - dlb_plugin/overlays/dlb_initcontainer/dlb_initcontainer.yaml
+ - dsa_plugin/overlays/dsa_initcontainer/dsa_initcontainer.yaml
+ - qat_dpdk_app/patches/crypto-perf/env_replace_testcmd.yaml
+ - iaa_plugin/overlays/iaa_initcontainer/iaa_initcontainer.yaml
+ - qat_plugin/base/intel-qat-kernel-plugin.yaml
+ - qat_plugin/overlays/qat_initcontainer/qat_initcontainer.yaml
+
+ - id: AVD-KSV-0047
+ statement: gpu plugin in kubelet mode requires "nodes/proxy" resource access
+ paths:
+ - gpu_plugin/overlays/fractional_resources/gpu-manager-role.yaml
+ - operator/rbac/gpu_manager_role.yaml
+ - operator/rbac/role.yaml
+
+ - id: AVD-KSV-0014
+ statement: These are false detections for not setting "readOnlyFilesystem"
+ paths:
+ - fpga_plugin/overlays/region/mode-region.yaml
+ - gpu_plugin/overlays/fractional_resources/add-mounts.yaml
+ - gpu_plugin/overlays/fractional_resources/add-args.yaml
+ - gpu_plugin/overlays/fractional_resources/gpu-manager-role.yaml
+ - gpu_plugin/overlays/monitoring_shared-dev_nfd/add-args.yaml
+ - gpu_plugin/overlays/nfd_labeled_nodes/add-args.yaml
+ - iaa_plugin/overlays/iaa_initcontainer/iaa_initcontainer.yaml
+ - fpga_admissionwebhook/base/manager_webhook_patch.yaml
+ - operator/device/dlb/dlb.yaml
+ - operator/device/dsa/dsa.yaml
+ - operator/device/fpga/fpga.yaml
+ - operator/device/gpu/gpu.yaml
+ - operator/device/qat/qat.yaml
+ - operator/device/sgx/sgx.yaml
+ - gpu_tensorflow_test/deployment.yaml
+ - sgx_enclave_apps/overlays/sgx_ecdsa_inproc_quote/add_sgx_default_qcnl_conf.yaml
+ - xpumanager_sidecar/kustom/kustom_xpumanager.yaml
+ - operator/default/manager_auth_proxy_patch.yaml
+ - operator/default/manager_webhook_patch.yaml
+ - qat_dpdk_app/patches/compress-perf/env_replace_testcmd.yaml
+ - qat_dpdk_app/patches/compress-perf/volume_add_configmap.yaml
+ - qat_plugin/overlays/debug/add-args.yaml
+ - qat_plugin/overlays/e2e/add-args.yaml
+ - qat_plugin/overlays/debug/add-args.yaml
+ - qat_dpdk_app/patches/crypto-perf/env_replace_testcmd.yaml
+ - sgx_admissionwebhook/base/manager_webhook_patch.yaml
diff --git a/deployments/sgx_plugin/overlays/epc-register/init-daemonset.yaml b/deployments/sgx_plugin/overlays/epc-register/init-daemonset.yaml
index e513bc79c..76e7ae2ec 100644
--- a/deployments/sgx_plugin/overlays/epc-register/init-daemonset.yaml
+++ b/deployments/sgx_plugin/overlays/epc-register/init-daemonset.yaml
@@ -30,6 +30,7 @@ spec:
 fieldPath: spec.nodeName
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - ALL
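Review bot: `qat_plugin/overlays/debug/add-args.yaml` is listed twice under the AVD-KSV-0014 entry in `.trivyignore.yaml`; drop one of the two lines so the list stays reviewable. The statement for that entry names `"readOnlyFilesystem"`, but the Kubernetes field the check looks for (and the one set in init-daemonset.yaml in this same commit) is `readOnlyRootFilesystem`, so `statement: These are false detections for not setting "readOnlyRootFilesystem"` is the accurate wording. All paths are written relative to `deployments/` rather than the repository root, which presumably relies on Trivy matching them against the scan target directory; if it instead matches against the working directory, none of these entries apply — confirm before the file is wired into the workflow, since a non-matching ignore file silently re-enables the findings.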
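Review bot: `readOnlyRootFilesystem: true` on the epc-register container makes every write outside mounted volumes fail at runtime, which is the intended hardening but is also a behavioural change the rest of the hunk gives no evidence was checked; if the registration logic writes anything under the container filesystem (temporary files, a generated config), it now needs an `emptyDir` mounted at that path. Confirm against the image's entrypoint before merging, and consider a one-line comment above the field such as `# the container only reads /dev/sgx* and writes to the API; no writable root fs needed` once verified. The enclosing container spec starts and ends outside this hunk.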