
🎉 Add Trivy Operator clustercompliance report #11279

Merged

Conversation

manuel-sommer
Contributor

@manuel-sommer manuel-sommer commented Nov 18, 2024

  • Enables Trivy Operator to parse the clustercompliance report.
  • Refactoring of trivy operator parser to have it better structured.


dryrunsecurity bot commented Nov 18, 2024

DryRun Security Summary

The pull request enhances the functionality and security of the Trivy Operator, a tool for scanning Kubernetes clusters and workloads, by adding a new test case, improving the output_findings function, introducing the TrivyClusterComplianceHandler class, and updating the clustercompliancereport.json file to include the configuration and reporting for the Kubernetes cluster's compliance with the CIS Kubernetes Benchmarks.


Summary:

The code changes in this pull request focus on enhancing the functionality and security of the Trivy Operator, a tool for scanning Kubernetes clusters and workloads for vulnerabilities, secrets, and configuration issues. The key changes include:

  1. Addition of a new test case to the TestTrivyOperatorParser class, which ensures that the TrivyOperatorParser can correctly handle and parse the "clustercompliancereport.json" file format. This type of testing helps improve the overall robustness and reliability of the application security tooling.

  2. Improvements to the output_findings function in the dojo/tools/trivy_operator/parser.py file, which now includes the ability to process cluster compliance reports generated by the Trivy Operator. This enhances the tool's capability to identify configuration issues and policy violations in Kubernetes environments, which is crucial for maintaining a secure infrastructure.

  3. Introduction of the TrivyClusterComplianceHandler class, which is responsible for processing the results of the cluster compliance checks and generating findings based on the results. This class maps the severities of the Trivy findings to a predefined set of severities, ensuring consistency in the way the findings are reported and classified.

  4. Changes to the clustercompliancereport.json file, which includes the configuration and reporting for the Kubernetes cluster's compliance with the CIS Kubernetes Benchmarks. This helps identify and address security vulnerabilities and misconfigurations in the Kubernetes cluster, contributing to a more secure and compliant infrastructure.

Overall, these changes are a positive step towards enhancing the security capabilities of the Trivy Operator and improving the overall security of Kubernetes environments.

Files Changed:

  1. unittests/tools/test_trivy_operator_parser.py: This file adds a new test case to the TestTrivyOperatorParser class, which ensures that the TrivyOperatorParser can correctly handle the "clustercompliancereport.json" file format.

  2. dojo/tools/trivy_operator/parser.py: The changes in this file include the addition of the TrivyClusterComplianceHandler class and enhancements to the output_findings function to handle cluster compliance reports generated by the Trivy Operator.

  3. unittests/scans/trivy_operator/clustercompliancereport.json: This file contains the configuration and reporting for the Kubernetes cluster's compliance with the CIS Kubernetes Benchmarks, including three compliance checks related to the Kubernetes cluster's configuration.

  4. dojo/tools/trivy_operator/clustercompliance_handler.py: This file contains the implementation of the TrivyClusterComplianceHandler class, which is responsible for processing the results of the cluster compliance checks and generating findings based on the results.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@manuel-sommer manuel-sommer force-pushed the trivy_clustercompliancereport branch from e53ef97 to 4bdac27 on November 18, 2024 08:58
Contributor

@mtesauro mtesauro left a comment


Approved

@Maffooch Maffooch merged commit 3f12592 into DefectDojo:bugfix Nov 22, 2024
73 checks passed
@manuel-sommer manuel-sommer deleted the trivy_clustercompliancereport branch November 22, 2024 05:39
5 participants