A series that condenses the essentials of the technologies and tools that make Kubernetes and cloud native convenient to use, and how to use them. This installment introduces Trivy, an OSS tool that diagnoses and detects vulnerabilities, secrets and misconfigurations in containers and Kubernetes (updated for 2024, up to the latest release at the time of writing, v0.56.2).

Vulnerabilities in OS packages, libraries and applications are reported every day. Are your applications and systems safe?

If you keep moving to the latest versions and addressing vulnerabilities as they appear, there is no problem. But if you built something by copying a sample that was lying around on the internet, you may well be "using the old version from the article as-is and leaving its vulnerabilities unaddressed".

The same goes for Kubernetes, the theme of this series: running containers as the root user, or making the root filesystem writable when it does not need to be, can leave you with "a container that is easy to attack" without anyone noticing.
This series, "Cloud Native Cheat Sheet", condenses the essentials of the technologies and tools that make Kubernetes and cloud native convenient to use. This time we introduce Trivy, which makes it easy to detect exactly these kinds of application vulnerabilities.

When Trivy was first released it was known mainly as a container image vulnerability scanner, but it can now also scan for problems other than vulnerable packages and libraries, so we cover those as well.

Trivy is an open source software (OSS) scanner that detects vulnerabilities in packages and libraries. It originally specialized in scanning container images, but it is no longer limited to containers: it can scan filesystems and Git repositories, and it can scan configuration files and point out weaknesses in their settings.

Its defining characteristic is simplicity. It ships as a single Go binary, so running a scan is easy and so is embedding it in a pipeline. Scans are fast, and its accuracy is well regarded.

There are other package and library vulnerability scanners, but thanks to its ease of use Trivy can fairly be called "the representative scanner, backed by a large user base".

Trivy was developed as a personal project by Fukuda Teppei, a Japanese engineer; in recognition of that work the project was transferred to Aqua Security. The background to Trivy's creation is described in an accessible way on his blog, which is worth reading if you are interested.

Trivy has been adopted as the default scanner in Harbor, GitLab and VMware Tanzu. That projects which previously used a different scanner chose to migrate to Trivy is a good indication of its usefulness.

Trivy is under active development and new features are added constantly. This article is based on the latest release at the time of writing (October 2024), v0.56.2.
The table below lists Trivy's main features.

Feature | Description | Scan targets |
---|---|---|
1. Vulnerability scanning | Detects vulnerabilities (those assigned a CVE-ID) in packages and libraries | Container images, filesystems, Git repositories |
2. Configuration file scanning | Compares settings against recommended configurations and flags weaknesses | Terraform, Dockerfile, Kubernetes manifests, AWS CloudFormation, Helm charts |
3. Secret scanning | Detects hard-coded secrets | Container images, filesystems, Git repositories |
4. Kubernetes cluster scanning | Runs container image vulnerability scanning, Kubernetes manifest scanning and secret scanning against the resources in a cluster | Kubernetes clusters |
Trivy scans OS packages and application dependency libraries and detects vulnerabilities that have been assigned a CVE-ID. A CVE-ID is a unique vulnerability identifier of the form "CVE-YYYY-XXXX". The number of CVE-IDs assigned per year has been growing for several years, exceeding 20,000 in 2021. Because new vulnerabilities are discovered every day, it is important to scan the packages and libraries you use in development on a regular basis.

Trivy grew its user base as a container image vulnerability scanner, but today it is not limited to container images: it can also scan filesystems on the host machine and Git repositories.

v0.56.2 supports the OS packages listed below. See the "OS Packages" page in the documentation for details; it also states, per distribution, whether unfixed vulnerabilities are detected. Where that is "No", Trivy reports only vulnerabilities for which a fixed version exists.
OS | Supported versions | Package manager |
---|---|---|
Alpine Linux | 2.2 to 2.7, 3.0 to 3.16, edge | apk |
Wolfi Linux | (n/a) | apk |
Chainguard | (n/a) | apk |
Red Hat Enterprise Linux | 6, 7, 8 | dnf/yum/rpm |
CentOS | 6, 7, 8 | dnf/yum/rpm |
AlmaLinux | 8, 9 | dnf/yum/rpm |
Rocky Linux | 8, 9 | dnf/yum/rpm |
Oracle Linux | 5, 6, 7, 8 | dnf/yum/rpm |
Azure Linux (CBL-Mariner) | 1.0, 2.0, 3.0 | tdnf/dnf/yum/rpm |
Amazon Linux | 1, 2, 2023 | yum/rpm |
openSUSE Leap | 42, 15 | zypper/rpm |
openSUSE Tumbleweed | (n/a) | zypper/rpm |
SUSE Linux Enterprise | 11, 12, 15 | zypper/rpm |
SUSE Linux Enterprise Micro | 5, 6 | zypper/rpm |
Photon OS | 1.0, 2.0, 3.0, 4.0 | tdnf/yum/rpm |
Debian GNU/Linux | 7, 8, 9, 10, 11, 12 | apt/dpkg |
Ubuntu | All versions supported by Canonical | apt/apt-get/dpkg |
OSs with installed Conda | - | conda |
Application dependency scanning supports the languages below. See "Language-specific Packages" in the documentation for details. Trivy looks for the following files in the scan target to obtain dependency information. Note that which files are used depends on the kind of target and on how packages are managed: lock files are read when scanning a filesystem or repository, whereas installed-package metadata is read when scanning an image or rootfs.

Language | File | Image / Rootfs | Filesystem / Repository |
---|---|---|---|
Ruby | Gemfile.lock | - | Yes |
Ruby | *.gemspec | Yes | - |
Python | Pipfile.lock | - | Yes |
Python | poetry.lock | - | Yes |
Python | requirements.txt | - | Yes |
Python | egg package (*.egg-info, *.egg-info/PKG-INFO, *.egg, EGG-INFO/PKG-INFO) | Yes | - |
Python | wheel package (.dist-info/METADATA) | Yes | - |
PHP | composer.lock | - | Yes |
PHP | installed.json | Yes | - |
Node.js | package-lock.json | - | Yes |
Node.js | yarn.lock | - | Yes |
Node.js | package.json | Yes | - |
.NET | packages.lock.json | Yes | Yes |
.NET | packages.config | Yes | Yes |
.NET | .deps.json | Yes | Yes |
.NET | *Packages.props (Directory.Packages.props and legacy Packages.props file names are supported) | Yes | Yes |
Java | JAR, WAR, PAR, EAR (*.jar, *.war, *.par, *.ear) | Yes | - |
Java | pom.xml | - | Yes |
Java | *gradle.lockfile | - | Yes |
Java | *.sbt.lock | - | Yes |
Go | Binaries built by Go | Yes | - |
Go | go.mod | - | Yes |
Rust | Cargo.lock | Yes | Yes |
Rust | Binaries built with cargo-auditable | Yes | - |
C/C++ | conan.lock | - | Yes |
Elixir | mix.lock | - | Yes |
Dart | pubspec.lock | - | Yes |
Swift | Podfile.lock | - | Yes |
Swift | Package.resolved | - | Yes |
Julia | Manifest.toml | Yes | Yes |
Trivy matches the OS package and application dependency information it collects against its vulnerability data sources, and from that determines whether the installed packages and libraries contain known vulnerabilities.

Since v0.19.0 Trivy can also scan configuration files. Scanning a configuration file reveals weaknesses in its settings. The file types listed in the feature table above (Terraform, Dockerfile, Kubernetes manifests, AWS CloudFormation, Helm charts) can be scanned.

Many of the sample files found on the internet were written without security in mind, so you may be producing vulnerable configuration files without realizing it. Scanning with a tool such as Trivy is an effective countermeasure in exactly this situation.

Configuration scanning can, for example, flag containers that run as root, images referenced by a floating tag, and missing resource limits; concrete examples appear in the Dockerfile and Kubernetes manifest scans later in this article.

Do you know tfsec, the OSS scanner for Terraform?

tfsec used to be developed independently of Trivy, but since the tfsec v1.28.2 release all new features have been developed in Trivy only. For that reason, if you use tfsec to scan Terraform or OpenTofu, migrating to Trivy is recommended.

Since v0.27.0 Trivy can scan for secrets. It detects secrets hard-coded in container images and filesystems.

It currently detects secrets in more than 50 categories. A few examples:
Category | Secret type | Severity |
---|---|---|
AWS | Access Key ID, Secret Access Key | CRITICAL |
Alibaba | AccessKey ID, Secret Key | HIGH |
GCP | Service Account | CRITICAL |
GitHub | Personal Access Token, OAuth Access Token, App Token, Refresh Token | CRITICAL |
GitLab | Personal Access Token | CRITICAL |
Slack | Access Token | HIGH |
Slack | Webhook | MEDIUM |
Heroku | API Key | HIGH |
npm | Access Token | CRITICAL |
Trivy can also scan a Kubernetes cluster. It talks to the Kubernetes API server, enumerates the resources that exist in the cluster, and runs the scans described above (image vulnerabilities, manifest misconfigurations, secrets) against them.

Trivy's main function is static scanning (detection) of vulnerabilities from the CLI. Simplicity is its great strength, but there are things Trivy alone cannot do, and those remain the user's responsibility: Trivy does not fix what it finds, it only reports what is in its databases and rules, and it does not observe what a workload actually does at runtime.

Beyond that, securing a system as a whole requires many other perspectives: malware and virus scanning, protecting web applications against attack, access control and so on. Rather than assuming "Trivy solves everything", understand where Trivy fits and use it effectively there.

Trivy runs on Linux, UNIX, macOS and Windows.

Some OSs have no installation instructions in the official manual, so check the Releases page of the GitHub repository for the current list of supported OSs.

Trivy supports a variety of installation methods, including RPM (Red Hat Package Manager) packages and plain binaries. On Kubernetes a Helm chart is available, and Trivy can also be run as a Docker container.

Here we use the install script described in the official documentation to install the latest Trivy Go binary on Linux. Note that piping a script fetched over the network into sudo sh means trusting that download completely; in a production pipeline, download the release archive instead and verify it against the checksums file published with the GitHub release before installing.
$ TRIVY_VERSION=$(curl -s "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
$ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v${TRIVY_VERSION}
aquasecurity/trivy info checking GitHub for tag 'v0.56.2'
aquasecurity/trivy info found version: 0.56.2 for v0.56.2/Linux/64bit
aquasecurity/trivy info installed /usr/local/bin/trivy

# To install a specific version (v0.56.2) instead
$ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.56.2
aquasecurity/trivy info checking GitHub for tag 'v0.56.2'
aquasecurity/trivy info found version: 0.56.2 for v0.56.2/Linux/64bit

Check the installed version:

$ trivy -v
Version: 0.56.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-12 12:17:55.431066579 +0000 UTC
  NextUpdate: 2024-10-13 12:17:55.431066439 +0000 UTC
  DownloadedAt: 2024-10-12 15:10:37.876440539 +0000 UTC
Check Bundle:
  Digest: sha256:ae151c4eecf35c507d8f866121ddfbf46540b041bc7bca7cdd8d9f70ceb6f12c
  DownloadedAt: 2024-10-12 15:01:11.925420399 +0000 UTC
Let's try Trivy's best-known feature, container image vulnerability scanning. An image scan is run as "trivy image <image name>:<image tag>".

Here we scan a slightly old Python image published on Docker Hub (python:alpine3.13).
$ trivy image python:alpine3.13
2024-10-13T04:58:16Z    INFO    [vuln] Vulnerability scanning is enabled
2024-10-13T04:58:16Z    INFO    [secret] Secret scanning is enabled
2024-10-13T04:58:16Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-13T04:58:16Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-13T04:58:19Z    INFO    [python] License acquired from METADATA classifiers may be subject to additional terms    name="pip" version="21.2.4"
2024-10-13T04:58:19Z    INFO    [python] License acquired from METADATA classifiers may be subject to additional terms    name="setuptools" version="57.5.0"
2024-10-13T04:58:19Z    INFO    [python] License acquired from METADATA classifiers may be subject to additional terms    name="wheel" version="0.37.0"
2024-10-13T04:58:20Z    INFO    Detected OS     family="alpine" version="3.13.7"
2024-10-13T04:58:20Z    INFO    [alpine] Detecting vulnerabilities...   os_version="3.13" repository="3.13" pkg_num=36
2024-10-13T04:58:20Z    INFO    Number of language-specific files       num=1
2024-10-13T04:58:20Z    INFO    [python-pkg] Detecting vulnerabilities...
2024-10-13T04:58:20Z    WARN    This OS version is no longer supported by the distribution      family="alpine" version="3.13.7"
2024-10-13T04:58:20Z    WARN    The vulnerability detection may be insufficient because security updates are not provided

python:alpine3.13 (alpine 3.13.7)

Total: 36 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 21, CRITICAL: 8)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ busybox │ CVE-2022-28391 │ HIGH     │ fixed  │ 1.32.1-r7         │ 1.32.1-r8     │ busybox: remote attackers may execute arbitrary code if    │
│         │                │          │        │                   │               │ netstat is used                                            │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-28391                 │
│         ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2022-30065 │          │        │                   │ 1.32.1-r9     │ busybox: A use-after-free in Busybox's awk applet leads to │
│         │                │          │        │                   │               │ denial of service...                                       │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
├─────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ expat   │ CVE-2022-22822 │ CRITICAL │        │ 2.2.10-r1         │ 2.2.10-r2     │ expat: Integer overflow in addBinding in xmlparse.c        │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-22822                 │
│         ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
(snip)

Python (python-pkg)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 3, CRITICAL: 0)

┌────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ pip (METADATA) │ CVE-2023-5752 │ MEDIUM   │ fixed  │ 21.2.4            │ 23.3          │ pip: Mercurial configuration injectable in repo revision │
│                │               │          │        │                   │               │ when installing via pip                                  │
│                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5752                │
├────────────────┼───────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
(snip)
Looking at the result, Trivy automatically detected vulnerabilities in both the OS packages and the Python dependencies inside the image and printed them as shown below. The counts are broken down by severity (CRITICAL, HIGH and so on). In this run, 36 vulnerabilities were found in OS packages and 4 in Python dependencies. Note the two WARN lines as well: Alpine 3.13 is end-of-life, so no security updates are published for it and the count is a lower bound, not a complete picture.

# Summary for OS packages
python:alpine3.13 (alpine 3.13.7)

Total: 36 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 21, CRITICAL: 8)
----------------------------------------------------------------------------
# Summary for Python dependencies
Python (python-pkg)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 3, CRITICAL: 0)
Each vulnerability is shown in a table with the following columns.

Column | Meaning |
---|---|
Library | Name of the package or library |
Vulnerability | CVE-ID (the vulnerability identifier) |
Severity | Severity (CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN) |
Status | Status of the vulnerability for this package (for example fixed, affected, will_not_fix, fix_deferred, end_of_life; see the Trivy documentation) |
Installed Version | Version currently installed |
Fixed Version | Version in which the vulnerability is fixed |
Title | Summary of the vulnerability and a link to the Aqua Vulnerability Database (AVD) |

In this scan, busybox was flagged with a HIGH vulnerability (CVE-2022-28391); raising busybox from 1.32.1-r7 to 1.32.1-r8 removes it, and 1.32.1-r9 also covers CVE-2022-30065. The CRITICAL finding on the same image is expat CVE-2022-22822, fixed in 2.2.10-r2. Because this Alpine release no longer receives updates, the practical fix is to rebuild on a supported base image rather than to upgrade individual packages.

Severity categorizes the magnitude of impact and helps you judge how serious a vulnerability is. Trivy takes the severity from the vendor's advisory (for example the distribution's security tracker) when one is available and otherwise derives it from the NVD CVSS score, so the same CVE can carry different severities on different distributions. The CVSS v3 score bands Trivy maps to each severity are shown below; a higher score means a higher severity.
Severity | Vulnerability score (CVSS v3) |
---|---|
CRITICAL | 9.0 - 10.0 |
HIGH | 7.0 - 8.9 |
MEDIUM | 4.0 - 6.9 |
LOW | 0.1 - 3.9 |
UNKNOWN | none |
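The text-mode summary above is fine for reading, but a pipeline needs a machine-readable verdict. The following script, added here as an example and not part of Trivy, consumes the JSON report that `trivy image -f json -o report.json <image>` writes, reproduces the per-target "Total: N (UNKNOWN: ..)" summary, and returns a non-zero exit status when findings at or above a chosen severity have a fix available. The embedded sample report is constructed from the busybox, expat and pip findings shown in the scan above, using the field names of Trivy's JSON schema v2 (`Results[].Target`, `Vulnerabilities[].Severity`, `FixedVersion`, `Metadata.OS.EOSL`); the threshold and the decision to ignore unfixable findings are this example's own policy choices.

```python
"""CI gate over a Trivy JSON report (trivy image -f json -o report.json <image>).

Added example, not part of Trivy. Field names follow Trivy's JSON schema v2.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def vuln(vid, pkg, installed, fixed, severity):
    """Build one entry in the shape Trivy emits under Results[].Vulnerabilities."""
    return {"VulnerabilityID": vid, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Status": "fixed", "Severity": severity}


# Constructed sample: a cut-down copy of the python:alpine3.13 findings shown in the article.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "python:alpine3.13",
    "ArtifactType": "container_image",
    "Metadata": {"OS": {"Family": "alpine", "Name": "3.13.7", "EOSL": True}},
    "Results": [
        {"Target": "python:alpine3.13 (alpine 3.13.7)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             vuln("CVE-2022-28391", "busybox", "1.32.1-r7", "1.32.1-r8", "HIGH"),
             vuln("CVE-2022-30065", "busybox", "1.32.1-r7", "1.32.1-r9", "HIGH"),
             vuln("CVE-2022-22822", "expat", "2.2.10-r1", "2.2.10-r2", "CRITICAL"),
         ]},
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
         "Vulnerabilities": [vuln("CVE-2023-5752", "pip", "21.2.4", "23.3", "MEDIUM")]},
    ],
}


def iter_vulns(report):
    """Yield (target, vuln) pairs. A clean target has no 'Vulnerabilities' key at all."""
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield result["Target"], v


def summarize(report):
    """Per-target severity counts, mirroring Trivy's 'Total: N (UNKNOWN: .., LOW: ..)' line."""
    summary = {}
    for target, v in iter_vulns(report):
        summary.setdefault(target, Counter())[v.get("Severity", "UNKNOWN")] += 1
    return summary


def gate(report, min_severity="HIGH", fixable_only=True):
    """Return the findings that should block the build, highest severity first.

    min_severity: lowest severity that blocks.
    fixable_only: skip findings with no FixedVersion (nothing to upgrade to yet); they still
                  need tracking, but failing a pipeline on them rarely helps anyone.
    """
    threshold = SEVERITY_ORDER.index(min_severity)
    blocking = []
    for target, v in iter_vulns(report):
        sev = v.get("Severity", "UNKNOWN")
        if SEVERITY_ORDER.index(sev) < threshold:
            continue
        if fixable_only and not v.get("FixedVersion"):
            continue
        blocking.append({"target": target, "id": v["VulnerabilityID"], "pkg": v["PkgName"],
                         "installed": v.get("InstalledVersion"), "fixed": v.get("FixedVersion"),
                         "severity": sev})
    # sort() is stable, so equal severities keep Trivy's original order.
    blocking.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]), reverse=True)
    return blocking


def os_is_eosl(report):
    """True when Trivy marked the base OS end-of-life: the vulnerability list is a lower bound."""
    return bool(report.get("Metadata", {}).get("OS", {}).get("EOSL"))


def main(argv):
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    for target, counts in summarize(report).items():
        detail = ", ".join(f"{s}: {counts.get(s, 0)}" for s in SEVERITY_ORDER)
        print(f"{target}\nTotal: {sum(counts.values())} ({detail})\n")
    if os_is_eosl(report):
        print("WARNING: base OS is end-of-life; unfixed vulnerabilities are under-reported\n")
    blocking = gate(report)
    for f in blocking:
        print(f"  {f['severity']:8} {f['id']:15} {f['pkg']} {f['installed']} -> {f['fixed']}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 gate.py report.json` after the scan; with no argument it evaluates the embedded sample and exits 1 because expat and busybox have fixes available. Trivy's own `--exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed` flags give the same go/no-go answer directly; the value of parsing the JSON yourself is in what a plain exit code cannot express, such as feeding the per-package list into a ticketing system or treating an end-of-life base OS as a blocking finding in its own right.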
Opening the Aqua Vulnerability Database (AVD) link in the Title column shows the details of the detected vulnerability in a browser.

AVD is a site operated by Aqua Security that publishes vulnerability information. Such information is spread across many data sources, including the National Vulnerability Database (NVD) and vendor security advisories; AVD aggregates those scattered sources so that you can review a vulnerability in one place.

Trivy's results embed links to AVD. Opening a link shows the vulnerability's summary, its score, the affected software, its data sources and mitigations: the information you need to decide the next action and to understand the vulnerability in depth.

Next, configuration file scanning. Here we scan two configuration files relevant to containers and Kubernetes: a Dockerfile and a Kubernetes manifest.

Trivy scans configuration files using policies written in Rego.

Rego is a general-purpose policy language. You implement the rules that make up a policy in Rego, check whether the data violates those rules, and get a verdict such as OK / NG. Open Policy Agent (OPA), the best-known policy engine, evaluates policies written in Rego.

Trivy validates the data (the contents of the configuration file) against the policy (the recommended settings for each file type, implemented in Rego) and reports the weaknesses it finds. Rego policies are bundled as built-in checks, so users can scan configuration files without any special setup. You can also write your own Rego checks to apply custom rules.

Let's scan a Dockerfile. We use the kind of simple Dockerfile that is commonly published as a sample on the web:
FROM alpine:latest

# Install nginx
RUN apk update && apk add --no-cache nginx

# Deploy the configuration file
ADD default.conf /etc/nginx/http.d/default.conf

# Run nginx
CMD nginx -g "daemon off;"

A configuration scan is run as "trivy config <config file>". Let's point it at the Dockerfile.

$ trivy config Dockerfile
2024-10-12T12:32:17Z    INFO    [misconfig] Misconfiguration scanning is enabled
2024-10-12T12:32:20Z    INFO    Detected config files   num=1

Dockerfile (dockerfile)

Tests: 27 (SUCCESSES: 23, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (UNKNOWN: 0, LOW: 2, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
------------------------------------------------------------------------------------------------------------------------------------------------
When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.

See https://avd.aquasec.com/misconfig/ds001
------------------------------------------------------------------------------------------------------------------------------------------------
 Dockerfile:1
------------------------------------------------------------------------------------------------------------------------------------------------
   1 [ FROM alpine:latest
------------------------------------------------------------------------------------------------------------------------------------------------


HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
------------------------------------------------------------------------------------------------------------------------------------------------
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
------------------------------------------------------------------------------------------------------------------------------------------------


LOW: Consider using 'COPY default.conf /etc/nginx/http.d/default.conf' command instead of 'ADD default.conf /etc/nginx/http.d/default.conf'
------------------------------------------------------------------------------------------------------------------------------------------------
You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.

See https://avd.aquasec.com/misconfig/ds005
------------------------------------------------------------------------------------------------------------------------------------------------
 Dockerfile:7
------------------------------------------------------------------------------------------------------------------------------------------------
   7 [ ADD default.conf /etc/nginx/http.d/default.conf
------------------------------------------------------------------------------------------------------------------------------------------------

The scan result starts with a summary: 27 rules were evaluated and 4 were reported as Failures.

Dockerfile (dockerfile)

Tests: 27 (SUCCESSES: 23, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (UNKNOWN: 0, LOW: 2, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

The details of each Failure follow. As shown below, a code snippet pinpoints the offending line, and the description explains how to fix the setting.

MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
------------------------------------------------------------------------------------------------------------------------------------------------
When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.

See https://avd.aquasec.com/misconfig/ds001
------------------------------------------------------------------------------------------------------------------------------------------------
 Dockerfile:1
------------------------------------------------------------------------------------------------------------------------------------------------
   1 [ FROM alpine:latest
------------------------------------------------------------------------------------------------------------------------------------------------
The Rego checks used for configuration scanning are each managed under a unique ID. Just as with image scans, configuration scan results carry AVD links, and opening one in a browser shows the check's ID and its full description.

Dockerfile checks use IDs of the form "DS" followed by three digits. The four Failures from this run are summarized below; all of them are best-practice checks for writing Dockerfiles.

ID | Severity | Recommended setting |
---|---|---|
DS001 | MEDIUM | Pin the base image to a specific tag rather than latest |
DS002 | HIGH | Add a USER statement so the container runs as a non-root user |
DS005 | LOW | Use COPY rather than ADD unless you need to extract a tar archive |
DS026 | LOW | Add a HEALTHCHECK for the container |

As this shows, even a Dockerfile you use without a second thought can hide vulnerable settings. Trivy not only detects them but also gives its users concrete security points to watch for.

Now let's scan a Kubernetes manifest. We use the following unremarkable manifest (deployment.yaml):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-alpine
spec:
  selector:
    matchLabels:
      app: nginx-alpine
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx-alpine
    spec:
      containers:
      - name: nginx-alpine
        image: nginx:alpine
        ports:
        - containerPort: 80

Scan the manifest with the same Trivy command:

$ trivy config deployment.yaml
2024-10-13T05:26:51Z    INFO    [misconfig] Misconfiguration scanning is enabled
2024-10-13T05:26:56Z    INFO    Detected config files   num=1

deployment.yaml (kubernetes)

Tests: 94 (SUCCESSES: 80, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (UNKNOWN: 0, LOW: 9, MEDIUM: 3, HIGH: 2, CRITICAL: 0)

MEDIUM: Container 'nginx-alpine' of Deployment 'nginx-alpine' should set 'securityContext.allowPrivilegeEscalation' to false
------------------------------------------------------------------------------------------------------------------------------------------------
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.

See https://avd.aquasec.com/misconfig/ksv001
------------------------------------------------------------------------------------------------------------------------------------------------
 deployment.yaml:16-19
------------------------------------------------------------------------------------------------------------------------------------------------
  16 │       - name: nginx-alpine
  17 │         image: nginx:alpine
  18 │         ports:
  19 │         - containerPort: 80
------------------------------------------------------------------------------------------------------------------------------------------------


LOW: Container 'nginx-alpine' of Deployment 'nginx-alpine' should add 'ALL' to 'securityContext.capabilities.drop'
------------------------------------------------------------------------------------------------------------------------------------------------
The container should drop all default capabilities and add only those that are needed for its execution.

See https://avd.aquasec.com/misconfig/ksv003
------------------------------------------------------------------------------------------------------------------------------------------------
 deployment.yaml:16-19
------------------------------------------------------------------------------------------------------------------------------------------------
  16 │       - name: nginx-alpine
  17 │         image: nginx:alpine
  18 │         ports:
  19 │         - containerPort: 80
------------------------------------------------------------------------------------------------------------------------------------------------
(snip)

This time 94 rules were evaluated and 14 were reported as Failures. Kubernetes manifest checks use IDs beginning with "KSV"; the findings are summarized below.
ID | Severity | Recommended setting |
---|---|---|
KSV001 | MEDIUM | Set securityContext.allowPrivilegeEscalation to false to prevent privilege escalation |
KSV003 | LOW | Set securityContext.capabilities.drop to ALL so the container has only the minimum privileges it needs |
KSV011 | LOW | Set resources.limits.cpu to prevent failures caused by resource exhaustion |
KSV012 | MEDIUM | Set securityContext.runAsNonRoot to true so the image runs as a non-root user |
KSV014 | LOW | Set securityContext.readOnlyRootFilesystem to true to prevent tampering with the filesystem and limit the impact of a compromise |
KSV015 | LOW | Set resources.requests.cpu so the scheduler can place the Pod appropriately |
KSV016 | LOW | Set resources.requests.memory so the scheduler can place the Pod appropriately and handle memory pressure |
KSV018 | LOW | Set resources.limits.memory to prevent failures caused by resource exhaustion |
KSV020 | LOW | Set securityContext.runAsUser to a value above 10000 to avoid collisions with the host's user table |
KSV021 | LOW | Set securityContext.runAsGroup to a value above 10000 to avoid collisions with the host's group table |
KSV030 | LOW | Set securityContext.seccompProfile.type to RuntimeDefault at the Pod or container level |
KSV104 | LOW | Specify a seccomp profile |
KSV106 | LOW | Drop all capabilities and add back only NET_BIND_SERVICE if it is needed |
KSV117 | HIGH | Do not use a containerPort below 1024 (a privileged port) |

These are all points worth keeping in mind when writing Kubernetes manifests. For a quick functional check you can ignore them, but before running in production you should decide on a policy for each of these findings and apply it.
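For comparison, here is a version of the same Deployment rewritten to clear every KSV finding in the table above. It is an added example, not a manifest from the article or from Trivy's documentation. It assumes the `nginxinc/nginx-unprivileged` image (which listens on 8080 and writes its pid file and temp directories under /tmp, so a non-privileged port and a read-only root filesystem both work), an arbitrary UID/GID of 10001, and request/limit values chosen only to satisfy the checks; the tag is pinned as DS001 requires, and you should choose one that exists in your registry. The comments name the check each setting satisfies.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-alpine
spec:
  selector:
    matchLabels:
      app: nginx-alpine
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx-alpine
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault        # KSV030 / KSV104: seccomp at Pod level
        runAsNonRoot: true            # KSV012
        runAsUser: 10001              # KSV020 (assumed UID; the image accepts arbitrary UIDs)
        runAsGroup: 10001             # KSV021
        fsGroup: 10001                # makes the emptyDir below writable for that GID
      containers:
      - name: nginx-alpine
        image: nginxinc/nginx-unprivileged:1.27-alpine   # assumed image and tag; see lead-in
        ports:
        - containerPort: 8080         # KSV117: no privileged port, so no NET_BIND_SERVICE
        securityContext:
          allowPrivilegeEscalation: false   # KSV001
          readOnlyRootFilesystem: true      # KSV014
          capabilities:
            drop: ["ALL"]                   # KSV003 / KSV106
        resources:
          requests:
            cpu: 50m                  # KSV015
            memory: 64Mi              # KSV016
          limits:
            cpu: 250m                 # KSV011
            memory: 128Mi             # KSV018
        volumeMounts:
        - name: tmp
          mountPath: /tmp             # the only path nginx-unprivileged needs to write
      volumes:
      - name: tmp
        emptyDir: {}
```

The two HIGH/MEDIUM findings that matter most operationally are KSV117 and KSV014: moving to an unprivileged port is what lets you drop every capability, and a read-only root filesystem only works once you know exactly which paths the process writes to, which is why the writable location is reduced to a single emptyDir. Re-running `trivy config` on this file is the quickest way to confirm that nothing was missed.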
To help users follow security best practices for Pods, Kubernetes publishes the "Pod Security Standards" (PSS). PSS is the security baseline as Kubernetes itself sees it. It defines three profiles: Privileged (unrestricted), Baseline (the standard level of protection) and Restricted (the hardened level); the two that actually constrain workloads are Baseline and Restricted.

Trivy's Rego checks are designed to align with the Baseline and Restricted profiles of PSS. In the manifest scan above, for example, KSV001 and KSV012 are managed as checks that correspond to the Restricted profile.

Trivy also has its own checks for recommended Kubernetes manifest settings that go beyond PSS. For example, it flags deploying a user-created Pod into the kube-system Namespace.

See the checks repository for the details of each policy.

Trivy can scan several files at once when given a directory. It identifies configuration file types automatically, so placing the Dockerfile and the Kubernetes manifest in one directory, as below, lets you scan both in a single run.
$ ls ./conf
deployment.yaml  Dockerfile
$ trivy config ./conf
2022-06-20T17:42:00.451Z        INFO    Misconfiguration scanning is enabled
2022-06-20T17:42:01.027Z        INFO    Detected config files: 2

Dockerfile (dockerfile)

Tests: 22 (SUCCESSES: 19, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
(snip)

deployment.yaml (kubernetes)

Tests: 34 (SUCCESSES: 22, FAILURES: 12, EXCEPTIONS: 0)
Failures: 12 (UNKNOWN: 0, LOW: 10, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
(snip)

(This directory scan was captured with an older Trivy release than the rest of the article, which is why the rule counts differ from the single-file scans above; newer releases ship more checks.)

To scan a container image for secrets we first need an image that contains one.

Start by creating a file, secret.txt, containing GitHub personal access tokens (these two are dummy values in the right format, not real tokens):
# ghp_7gTUtmVZrL5fdz2wbR6LLxuw5zgjuzLhKBNf
ghp_393pk5rdnTKwVgXp69aZap6KV8KAr9cSiE5d

Place secret.txt inside the container image:

# Base image
FROM alpine:latest
# Install nginx
RUN apk update && apk add --no-cache nginx
# Deploy the configuration file
ADD default.conf /etc/nginx/http.d/default.conf
# Copy in the file containing the secrets
COPY secret.txt .
# Run nginx
CMD nginx -g "daemon off;"

Build the image:

$ docker build . -t nginx-secret:v1

Scan the image (this output was captured with Trivy v0.29.1; current releases print '--scanners vuln' where this shows '--security-checks vuln', as in the image scan earlier):

$ trivy image nginx-secret:v1
2022-06-20T17:43:51.339Z        INFO    Vulnerability scanning is enabled
2022-06-20T17:43:51.339Z        INFO    Secret scanning is enabled
2022-06-20T17:43:51.339Z        INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-06-20T17:43:51.339Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.29.1/docs/secret/scanning/#recommendation for faster secret detection
2022-06-20T17:43:51.617Z        INFO    Detected OS: alpine
2022-06-20T17:43:51.617Z        INFO    Detecting Alpine vulnerabilities...
2022-06-20T17:43:51.619Z        INFO    Number of language-specific files: 0

nginx-secret:v1 (alpine 3.16.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


/secret.txt (secrets)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

┌──────────┬──────────────────────────────┬──────────┬─────────┬─────────┐
│ Category │         Description          │ Severity │ Line No │  Match  │
├──────────┼──────────────────────────────┼──────────┼─────────┼─────────┤
│  GitHub  │ GitHub Personal Access Token │ CRITICAL │    1    │ # ***** │
│          │                              │          ├─────────┼─────────┤
│          │                              │          │    2    │  *****  │
└──────────┴──────────────────────────────┴──────────┴─────────┴─────────┘
Trivy printed the name of the file containing the secrets (secret.txt) together with the details in table form.

Column | Meaning |
---|---|
Category | Category of the secret (AWS, GitHub, ...) |
Description | The type of secret within that category |
Severity | Severity (CRITICAL, HIGH, MEDIUM, LOW) |
Line No | Line on which the secret was detected |
Match | The matched text, with the secret masked |

The hard-coded GitHub personal access tokens were detected. Trivy can detect many other categories of secret besides GitHub personal access tokens; see the documentation for the full list.

The tokens were recognized because a built-in rule matches strings of the form "ghp_[0-9a-zA-Z]{36}". If you want the exact detection rules, read the built-in rules in the Trivy source.

Note that allow-rules are applied by default: secrets stored under certain file names or directories inside the image are excluded from detection, so a secret placed in such a location is not reported. Check the built-in allow-rules before relying on a clean result, and be aware that masking in the report does not remove the secret from the image; a leaked token must be revoked and the image rebuilt.
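The three mechanisms just described (a per-category regex, path-based allow-rules, and masking of the match) are simple enough to show end to end. The following scanner is an added example, not Trivy's implementation: the GitHub rule uses the regex quoted above, the AWS Access Key ID pattern, the allow-rule paths (node_modules, .git, minified JS) and the `trivy:ignore` line marker are this example's own assumptions, and the sample files are constructed, with placeholder tokens of the right shape (the AWS key is the well-known example key from AWS's own documentation).

```python
"""Minimal secret scanner in the style of Trivy's secret rules: regex per category,
path allow-rules, and masked output. Added example, not Trivy's code."""
import re
from pathlib import PurePosixPath

# Detection rules. The GitHub pattern is the one Trivy's docs quote; the AWS pattern
# (AKIA + 16 uppercase alphanumerics, not embedded in a longer token) is an assumption.
RULES = [
    {"id": "github-pat", "category": "GitHub", "title": "GitHub Personal Access Token",
     "severity": "CRITICAL", "regex": re.compile(r"ghp_[0-9a-zA-Z]{36}")},
    {"id": "aws-access-key-id", "category": "AWS", "title": "AWS Access Key ID",
     "severity": "CRITICAL", "regex": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")},
]

# Allow-rules by path: files under these locations are skipped entirely (assumed list).
ALLOW_PATHS = [re.compile(p) for p in (r"(^|/)node_modules/", r"(^|/)\.git/", r"\.min\.js$")]
# Allow-rule by content: a line carrying this marker is accepted (assumed convention).
ALLOW_LINE = re.compile(r"trivy:ignore")


def mask(match: str, keep: int = 4) -> str:
    """Like Trivy's Match column: never echo the secret itself into logs or CI output."""
    return match[:keep] + "*" * (len(match) - keep)


def path_allowed(path: str) -> bool:
    """True when an allow-rule excludes the whole file from scanning."""
    posix = PurePosixPath(path).as_posix()
    return any(p.search(posix) for p in ALLOW_PATHS)


def scan_text(path: str, text: str) -> list:
    """Findings for one file: category, title, severity, line number and masked match."""
    if path_allowed(path):
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_LINE.search(line):
            continue
        for rule in RULES:
            for m in rule["regex"].finditer(line):
                findings.append({"path": path, "rule": rule["id"],
                                 "category": rule["category"], "title": rule["title"],
                                 "severity": rule["severity"], "line": lineno,
                                 "match": mask(m.group(0))})
    return findings


def scan_files(files: dict) -> list:
    """Scan a {path: contents} mapping, e.g. the files extracted from an image layer."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample "image contents". Tokens are placeholders of the right shape.
SAMPLE_FILES = {
    "secret.txt": "# " + "ghp_" + "a" * 36 + "\n" + "ghp_" + "b" * 36 + "\n",
    "app/config.py": ('AWS_KEY = "AKIAIOSFODNN7EXAMPLE"  # trivy:ignore documented example key\n'
                      'TOKEN = "' + "ghp_" + "c" * 36 + '"\n'),
    "node_modules/pkg/test.js": "const t = '" + "ghp_" + "d" * 36 + "';\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['severity']}  {f['title']}  {f['match']}")
```

Running it reports the two tokens in secret.txt and the one in app/config.py, and nothing from node_modules or from the line carrying the ignore marker: exactly the blind spots the paragraph above warns about. Allow-rules are a trade-off between scan time and coverage, so when an image embeds vendored dependencies or test fixtures, check what the rules exclude before trusting a clean result.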
So far we have covered container image, configuration file and secret scanning, all of which are static analysis. New vulnerabilities may be discovered after an image has been deployed, and manifests or images that were never checked with Trivy may end up deployed in the environment.

Trivy's Kubernetes cluster scanning lets you detect vulnerabilities across a running cluster.

The results can be viewed from two angles: per-resource findings (image vulnerabilities, misconfigurations and secrets for each workload), and a cluster-wide summary.

Let's try a cluster scan.

We skip the cluster setup; in this case the target is a Google Kubernetes Engine (GKE) cluster.

First, make sure the machine running Trivy can reach the cluster: prepare a kubeconfig so that the kubectl command can connect. Here ~/.kube/config holds the credentials for the GKE cluster, and Trivy uses the same file.

Deploy the Kubernetes manifest (deployment.yaml) created in "2. Scanning a Kubernetes manifest" into the default Namespace:
$ kubectl apply -f deployment.yaml

The Deployment resource nginx-alpine is created:

$ kubectl get deployment
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
nginx-alpine   2/2     2            2           8s

Here is how to get an overview of the vulnerabilities and findings for the resources in the cluster.

A cluster scan is run as shown below. In this example we restrict the scan to workloads in the default namespace (--include-namespaces default) and skip the node collector (--disable-node-collector), so no scanning job is started on the nodes themselves.
```
$ trivy k8s --include-namespaces default --disable-node-collector --report all
(omitted)
namespace: default, deployment: nginx-alpine (kubernetes)

Tests: 94 (SUCCESSES: 79, FAILURES: 15, EXCEPTIONS: 0)
Failures: 15 (UNKNOWN: 0, LOW: 10, MEDIUM: 3, HIGH: 2, CRITICAL: 0)

MEDIUM: Container 'nginx-alpine' of Deployment 'nginx-alpine' should set 'securityContext.allowPrivilegeEscalation' to false
--------------------------------------------------------------------------------
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.

See https://avd.aquasec.com/misconfig/ksv001
--------------------------------------------------------------------------------
 namespace: default, deployment: nginx-alpine:18-21
--------------------------------------------------------------------------------
  18 │   - image: nginx:alpine
  19 │     name: nginx-alpine
  20 │     ports:
  21 │     - containerPort: 80
--------------------------------------------------------------------------------

LOW: Container 'nginx-alpine' of Deployment 'nginx-alpine' should add 'ALL' to 'securityContext.capabilities.drop'
--------------------------------------------------------------------------------
The container should drop all default capabilities and add only those that are needed for its execution.

See https://avd.aquasec.com/misconfig/ksv003
--------------------------------------------------------------------------------
 namespace: default, deployment: nginx-alpine:18-21
--------------------------------------------------------------------------------
  18 │   - image: nginx:alpine
  19 │     name: nginx-alpine
  20 │     ports:
  21 │     - containerPort: 80
--------------------------------------------------------------------------------
```
In this way, the Deployment resource running in the Kubernetes cluster was scanned for vulnerabilities. However, even a single Deployment resource yields this many findings, so it becomes hard to grasp the overall picture.
So next, let's run the scan with --report summary.
```
$ trivy k8s --include-namespaces default --disable-node-collector --report summary
(omitted)
Summary Report for [cluster name]

Workload Assessment
┌───────────┬─────────────────────────┬───────────────────┬────────────────────┬───────────────────┐
│ Namespace │        Resource         │  Vulnerabilities  │ Misconfigurations  │      Secrets      │
│           │                         ├───┬───┬───┬───┬───┼───┬───┬───┬────┬───┼───┬───┬───┬───┬───┤
│           │                         │ C │ H │ M │ L │ U │ C │ H │ M │ L  │ U │ C │ H │ M │ L │ U │
├───────────┼─────────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼────┼───┼───┼───┼───┼───┼───┤
│ default   │ Deployment/nginx-alpine │   │   │   │   │   │   │ 2 │ 3 │ 10 │   │   │   │   │   │   │
└───────────┴─────────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴────┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

Infra Assessment
┌───────────┬──────────┬───────────────────┬───────────────────┬───────────────────┐
│ Namespace │ Resource │  Vulnerabilities  │ Misconfigurations │      Secrets      │
│           │          ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

RBAC Assessment
┌───────────┬──────────┬───────────────────┐
│ Namespace │ Resource │  RBAC Assessment  │
│           │          ├───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
```
The results are now shown as three kinds of Assessment summaries, which makes the overall vulnerability picture much easier to grasp.
In addition to the namespace flags, the following flags let you scan more efficiently.
As we have seen, every Trivy scan is a simple command. At the same time, a wide range of CLI options is available, so the results can be tailored to how you use them.
This section focuses on the CLI options that are most useful for container image scanning.
・Exclude unfixed vulnerabilities from detection
Trivy may report vulnerabilities for which no fix is available. Such a finding cannot be resolved by updating the library to its latest version, although it may be mitigated by other controls such as a Web Application Firewall (WAF) or a network firewall. If a finding cannot be acted upon anyway, you can exclude unfixed vulnerabilities so that only the actionable ones are reported. To do so, use the --ignore-unfixed option.
```
# including unfixed vulnerabilities
$ trivy image ruby:2.4.0

ruby:2.4.0 (debian 8.7)
=======================
Total: 8602 (UNKNOWN: 67, LOW: 3108, MEDIUM: 3021, HIGH: 1932, CRITICAL: 474)

# excluding unfixed vulnerabilities
$ trivy image --ignore-unfixed ruby:2.4.0

ruby:2.4.0 (debian 8.7)
=======================
Total: 3755 (UNKNOWN: 66, LOW: 130, MEDIUM: 2077, HIGH: 1147, CRITICAL: 335)
```
・Filter by severity
To report only selected severities, use the --severity option mentioned earlier. In the next example only HIGH and CRITICAL vulnerabilities are reported.
```
$ trivy image --severity HIGH,CRITICAL python:alpine3.13

python:alpine3.13 (alpine 3.13.7)
Total: 20 (HIGH: 10, CRITICAL: 10)
```
・Exclude specific CVE IDs from detection
By listing CVE IDs in a file named .trivyignore, you can exclude particular vulnerabilities from detection. In the following example, CVE-2022-22822 is excluded.
```
# CVE-2022-22822 is reported
$ trivy image python:alpine3.13

python:alpine3.13 (alpine 3.13.7)
Total: 25 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 10, CRITICAL: 10)

┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ busybox      │ CVE-2022-28391 │ CRITICAL │ 1.32.1-r7         │ 1.32.1-r8     │ busybox: remote attackers may execute arbitrary code if     │
│              │                │          │                   │               │ netstat is used                                             │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-28391                  │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ expat        │ CVE-2022-22822 │ CRITICAL │ 2.2.10-r1         │ 2.2.10-r2     │ expat: Integer overflow in addBinding in xmlparse.c         │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-22822                  │
│              ├────────────────┤          │                   │               ├─────────────────────────────────────────────────────────────┤
│              │ CVE-2022-22823 │          │                   │               │ expat: Integer overflow in build_model in xmlparse.c        │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-22823                  │
│              ├────────────────┤          │                   │               ├─────────────────────────────────────────────────────────────┤
(omitted)
```
Write the CVE ID in the .trivyignore file.
```
# CVE ID to exclude from detection
CVE-2022-22822
```
Scanning again, CVE-2022-22822 is no longer reported.
```
# CVE-2022-22822 is no longer reported
$ trivy image python:alpine3.13

python:alpine3.13 (alpine 3.13.7)
Total: 24 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 10, CRITICAL: 9)

┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ busybox      │ CVE-2022-28391 │ CRITICAL │ 1.32.1-r7         │ 1.32.1-r8     │ busybox: remote attackers may execute arbitrary code if     │
│              │                │          │                   │               │ netstat is used                                             │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-28391                  │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ expat        │ CVE-2022-22823 │ CRITICAL │ 2.2.10-r1         │ 2.2.10-r2     │ expat: Integer overflow in build_model in xmlparse.c        │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-22823                  │
│              ├────────────────┤          │                   │               ├─────────────────────────────────────────────────────────────┤
│              │ CVE-2022-22824 │          │                   │               │ expat: Integer overflow in defineAttribute in xmlparse.c    │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-22824                  │
│              ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
(omitted)
```
With the --ignorefile option, a file with any name can be used for the same purpose.
・Scan only OS packages or only application dependency libraries
The --pkg-types option restricts the scan to a particular package type. Specify "os" to scan only OS packages, or "library" to scan only application dependency libraries. When scans take a long time, this setting is a good way to limit the scan to the parts that changed.
```
# OS packages only
$ trivy image --pkg-types os python:alpine3.13

python:alpine3.13 (alpine 3.13.7)
Total: 34 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 19, CRITICAL: 8)

# application dependency libraries only
$ trivy image --pkg-types library python:alpine3.13

Python (python-pkg)
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 3, CRITICAL: 0)
```
・Filter the scanners
The --scanners option selects the kinds of scan to run. The default is "vuln,secret": "vuln" scans the container image for vulnerabilities and "secret" scans it for secrets. In other words, with the default settings the vulnerability scan and the secret scan run together.
To leave out the secret scan, specify "vuln" explicitly, which also makes the scan faster. The following example scans the container image built in "Scanning for secrets" (nginx-secret) and confirms that no secrets are reported.
```
$ trivy image --scanners vuln nginx-secret:v1

nginx-secret:v1 (alpine 3.20.3)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
Container image scan results are shown in the "Table" format by default, but they can be output in a variety of formats.
Format | Description |
---|---|
Table | The default table format |
JSON | JSON output; shows more detailed vulnerability information than the table format |
SARIF | A format usable by scanning on GitHub |
Template | Using a template file, several additional formats are supported: 1. Custom: output customized with Sprig functions; 2. ASFF: a format that can be fed into AWS Security Hub; 3. HTML: HTML output; 4. XML: XML output |
SBOM | Formats compatible with CycloneDX and SPDX |
GitHub dependency snapshot | A format for reviewing dependencies on GitHub |
Note that the template files are placed automatically under /usr/local/share/trivy/templates when Trivy is installed from the RPM. Whether the template files are available depends on how Trivy was installed, so check this for your installation method.
・JSON format
The --format option selects the output format. An example of JSON output is shown below; here the --output option is also used to write the result to a file.
```
$ trivy image --format json --output results.json python:alpine3.13
```
Let's look at part of results.json.
```json
"Results": [
  {
    "Target": "python:alpine3.13 (alpine 3.13.7)",
    "Class": "os-pkgs",
    "Type": "alpine",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2022-28391",
        "PkgName": "busybox",
        "InstalledVersion": "1.32.1-r7",
        "FixedVersion": "1.32.1-r8",
        "Layer": {
          "Digest": "sha256:5758d4e389a3f662e94a85fb76143dbe338b64f8d2a65f45536a9663b05305ad",
          "DiffID": "sha256:7fcb75871b2101082203959c83514ac8a9f4ecfee77a0fe9aa73bbe56afdf1b4"
        },
        "SeveritySource": "nvd",
        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-28391",
        "DataSource": {
          "ID": "alpine",
          "Name": "Alpine Secdb",
          "URL": "https://secdb.alpinelinux.org/"
        },
        "Title": "busybox: remote attackers may execute arbitrary code if netstat is used",
        "Description": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.",
        "Severity": "CRITICAL",
        "CVSS": {
          "nvd": {
            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "V2Score": 7.5,
            "V3Score": 9.8
          },
          "redhat": {
            "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "V3Score": 6.5
          }
        },
        "References": [
          "https://access.redhat.com/security/cve/CVE-2022-28391",
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28391",
          "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch",
          "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch",
          "https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661",
          "https://nvd.nist.gov/vuln/detail/CVE-2022-28391"
        ],
        "PublishedDate": "2022-04-03T21:15:00Z",
        "LastModifiedDate": "2022-04-12T17:31:00Z"
      },
```
The --list-all-pkgs option outputs the list of installed packages regardless of whether they have vulnerabilities. Note that the format must be JSON. Having the package list helps with managing the software composition of the image.
```
$ trivy image --list-all-pkgs --format json -o pkgs-list.json python:alpine3.13
```
Part of pkgs-list.json looks like this.
```json
"Results": [
  {
    "Target": "python:alpine3.13 (alpine 3.13.7)",
    "Class": "os-pkgs",
    "Type": "alpine",
    "Packages": [
      {
        "Name": ".python-rundeps",
        "Version": "20211113.034814",
        "Layer": {
          "Digest": "sha256:35d95eb0acaf68d870f4a0e1bb58d7ae9fc2c3b76b2a6f0827423e5099e19c9d",
          "DiffID": "sha256:01640cf05d16090f4146ede8b3bfb5d8c3ed55c2f74e06114bd5478beea0a764"
        }
      },
      {
        "Name": "alpine-baselayout",
        "Version": "3.2.0-r8",
        "SrcName": "alpine-baselayout",
        "SrcVersion": "3.2.0-r8",
        "License": "GPL-2.0-only",
        "Layer": {
          "Digest": "sha256:5758d4e389a3f662e94a85fb76143dbe338b64f8d2a65f45536a9663b05305ad",
          "DiffID": "sha256:7fcb75871b2101082203959c83514ac8a9f4ecfee77a0fe9aa73bbe56afdf1b4"
        }
      },
      {
        "Name": "alpine-keys",
        "Version": "2.4-r0",
        "SrcName": "alpine-keys",
        "SrcVersion": "2.4-r0",
        "License": "MIT",
        "Layer": {
          "Digest": "sha256:5758d4e389a3f662e94a85fb76143dbe338b64f8d2a65f45536a9663b05305ad",
          "DiffID": "sha256:7fcb75871b2101082203959c83514ac8a9f4ecfee77a0fe9aa73bbe56afdf1b4"
        }
      },
```
Setting the --exit-code option to 1 makes Trivy exit with status 1 when a vulnerability is detected, which is useful for stopping a pipeline. For example, scanning for CRITICAL vulnerabilities with the --severity option while specifying --exit-code 1 gives exit status 1 whenever a CRITICAL vulnerability is found, and that non-zero status can stop the pipeline. This gives you the behaviour "stop the pipeline when a CRITICAL vulnerability is detected".
```
$ trivy image --exit-code 0 --severity MEDIUM,HIGH python:alpine3.13
$ trivy image --exit-code 1 --severity CRITICAL python:alpine3.13
```
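As an added example (Python; this is not Trivy's code), the following reproduces on a saved results.json the filtering that the options above apply at scan time: --pkg-types (via the "Class" field of each result), --severity, --ignore-unfixed, a .trivyignore list, and the --exit-code gate. RESULTS_JSON is a constructed excerpt in the shape of the results.json shown on this page; the CVE IDs are the ones from the page, while the two EXAMPLE-* IDs and all counts are made up for the example.

```python
"""Post-process Trivy JSON output the way the CLI options do.
Added example, not Trivy's code. RESULTS_JSON is constructed."""
import json
from collections import Counter

SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
# --pkg-types values map onto the "Class" field of each result entry.
PKG_TYPE_TO_CLASS = {"os": "os-pkgs", "library": "lang-pkgs"}

# Constructed excerpt shaped like results.json (EXAMPLE-* ids and counts are made up).
RESULTS_JSON = json.dumps({
    "Results": [
        {
            "Target": "python:alpine3.13 (alpine 3.13.7)", "Class": "os-pkgs", "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-28391", "PkgName": "busybox",
                 "InstalledVersion": "1.32.1-r7", "FixedVersion": "1.32.1-r8", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2022-22822", "PkgName": "expat",
                 "InstalledVersion": "2.2.10-r1", "FixedVersion": "2.2.10-r2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2022-22823", "PkgName": "expat",
                 "InstalledVersion": "2.2.10-r1", "FixedVersion": "2.2.10-r2", "Severity": "CRITICAL"},
                # No fix available: empty FixedVersion, so --ignore-unfixed drops it.
                {"VulnerabilityID": "EXAMPLE-UNFIXED-1", "PkgName": "examplelib",
                 "InstalledVersion": "1.0-r0", "FixedVersion": "", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-LIB-1", "PkgName": "examplepkg",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
            ],
        },
    ]
})


def parse_ignorefile(text: str) -> set[str]:
    """Parse .trivyignore-style content: one ID per line, '#' comments, blank lines allowed."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line.split()[0])
    return ids


def select_vulns(doc: dict, pkg_types=("os", "library"), severities=None,
                 ignore_unfixed=False, ignore_ids=frozenset()) -> list[dict]:
    """Apply the --pkg-types / --severity / --ignore-unfixed / ignore-file filters."""
    wanted_classes = {PKG_TYPE_TO_CLASS[t] for t in pkg_types}
    allowed = set(severities) if severities else set(SEVERITIES)
    out = []
    for result in doc.get("Results", []):
        if result.get("Class") not in wanted_classes:
            continue
        for v in result.get("Vulnerabilities") or []:
            if v["VulnerabilityID"] in ignore_ids:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            if v.get("Severity", "UNKNOWN") not in allowed:
                continue
            out.append(v)
    return out


def summarize(vulns: list[dict]) -> dict:
    """Same shape as Trivy's 'Total: N (UNKNOWN: .., LOW: .., ...)' line."""
    counts = Counter(v.get("Severity", "UNKNOWN") for v in vulns)
    return {"Total": len(vulns), **{s: counts[s] for s in SEVERITIES}}


def exit_code(vulns: list[dict], fail_code: int = 1) -> int:
    """--exit-code semantics: non-zero only when something survived the filters."""
    return fail_code if vulns else 0


def gate(results_json: str, ignorefile_text: str = "", **filters):
    """Return (summary, exit_code) for a results.json string and optional ignore-file text."""
    doc = json.loads(results_json)
    vulns = select_vulns(doc, ignore_ids=parse_ignorefile(ignorefile_text), **filters)
    return summarize(vulns), exit_code(vulns)


if __name__ == "__main__":
    summary, code = gate(RESULTS_JSON, "# excluded\nCVE-2022-22822\n", severities=("CRITICAL",))
    print(summary, "exit", code)
```

Keeping the gate separate from the scan is useful in a pipeline: one `trivy image --format json` run can be saved as an artifact and then evaluated with different thresholds per branch or environment, and the ignore-file is version-controlled next to the code so every exclusion is reviewable.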
This article has covered Trivy's features comprehensively. Trivy started out with the image of a container image scanning tool, but it has clearly moved well beyond image scanning and now offers a wide range of capabilities.
This article focused mainly on using the Trivy command on its own, but Trivy becomes even more useful when integrated into a CI/CD (continuous integration / continuous delivery) pipeline or combined with a container registry. The next article will introduce these practical uses.
[2024/12/4] Updated to reflect information as of 2024, up to the latest version v0.56.2.
Copyright © ITmedia, Inc. All Rights Reserved.