Skip to content

Filter Misconfigurations

By Severity

Use --severity option.

trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
Result
2021-07-10T17:37:13.267+0300    INFO    Detected config files: 4

configs/Dockerfile (dockerfile)
===============================
Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 0)

+---------------------------+------------+----------------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |        CHECK         | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check |   DS002    | Image user is 'root' |   HIGH   | Specify at least 1 USER                  |
|                           |            |                      |          | command in Dockerfile with               |
|                           |            |                      |          | non-root user as argument                |
|                           |            |                      |          | -->avd.aquasec.com/appshield/ds002       |
+---------------------------+------------+----------------------+----------+------------------------------------------+

configs/deployment.yaml (kubernetes)
====================================
Tests: 28 (SUCCESSES: 14, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (HIGH: 1, CRITICAL: 0)

+---------------------------+------------+-------------------------------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |                CHECK                | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+-------------------------------------+----------+------------------------------------------+
| Kubernetes Security Check |   KSV006   | docker.sock is mounted to container |   HIGH   | Deployment 'hello-kubernetes' should     |
|                           |            |                                     |          | not specify '/var/run/docker.socker' in  |
|                           |            |                                     |          | 'spec.template.volumes.hostPath.path'    |
|                           |            |                                     |          | -->avd.aquasec.com/appshield/ksv006      |
+---------------------------+------------+-------------------------------------+----------+------------------------------------------+

configs/main.tf (terraform)
===========================
Tests: 19 (SUCCESSES: 11, FAILURES: 8, EXCEPTIONS: 0)
Failures: 8 (HIGH: 6, CRITICAL: 1)

+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
|                   TYPE                   | MISCONF ID |                  CHECK                   | SEVERITY |                        MESSAGE                         |
+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
|   Terraform Security Check powered by    |   AWS003   | AWS Classic resource usage.              |   HIGH   | Resource                                               |
|                  tfsec                   |            |                                          |          | 'aws_db_security_group.my-group'                       |
|                                          |            |                                          |          | uses EC2 Classic. Use a VPC instead.                   |
|                                          |            |                                          |          | -->tfsec.dev/docs/aws/AWS003/                          |
+                                          +------------+------------------------------------------+----------+--------------------------------------------------------+
|                                          |   AWS004   | Use of plain HTTP.                       | CRITICAL | Resource                                               |
|                                          |            |                                          |          | 'aws_alb_listener.my-alb-listener'                     |
|                                          |            |                                          |          | uses plain HTTP instead of HTTPS.                      |
|                                          |            |                                          |          | -->tfsec.dev/docs/aws/AWS004/                          |
+                                          +------------+------------------------------------------+----------+--------------------------------------------------------+
|                                          |   AWS018   | Missing description for security         |   HIGH   | Resource                                               |
|                                          |            | group/security group rule.               |          | 'aws_security_group_rule.my-rule' should               |
|                                          |            |                                          |          | include a description for auditing                     |
|                                          |            |                                          |          | purposes. -->tfsec.dev/docs/aws/AWS018/                |
+                                          +------------+------------------------------------------+          +--------------------------------------------------------+
|                                          |   AWS025   | API Gateway domain name uses outdated    |          | Resource                                               |
|                                          |            | SSL/TLS protocols.                       |          | 'aws_api_gateway_domain_name.empty_security_policy'    |
|                                          |            |                                          |          | defines outdated SSL/TLS policies (not using           |
|                                          |            |                                          |          | TLS_1_2). -->tfsec.dev/docs/aws/AWS025/                |
+                                          +            +                                          +          +--------------------------------------------------------+
|                                          |            |                                          |          | Resource                                               |
|                                          |            |                                          |          | 'aws_api_gateway_domain_name.missing_security_policy'  |
|                                          |            |                                          |          | should include security_policy (defaults to outdated   |
|                                          |            |                                          |          | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/         |
+                                          +            +                                          +          +--------------------------------------------------------+
|                                          |            |                                          |          | Resource                                               |
|                                          |            |                                          |          | 'aws_api_gateway_domain_name.outdated_security_policy' |
|                                          |            |                                          |          | defines outdated SSL/TLS policies (not using TLS_1_2). |
|                                          |            |                                          |          | -->tfsec.dev/docs/aws/AWS025/                          |
+                                          +------------+------------------------------------------+          +--------------------------------------------------------+
|                                          |   AZU003   | Unencrypted managed disk.                |          | Resource 'azurerm_managed_disk.source'                 |
|                                          |            |                                          |          | defines an unencrypted managed disk.                   |
|                                          |            |                                          |          | -->tfsec.dev/docs/azure/AZU003/                        |
+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+

configs/variables.tf (terraform)
================================
Tests: 1 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 0)
Failures: 0 (HIGH: 0, CRITICAL: 0)

By Misconfiguration IDs

Use .trivyignore.

$ cat .trivyignore
# Accept the risk
AWS003
AWS018
AWS025

$ trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
Result
2021-07-10T17:38:51.306+0300    INFO    Detected config files: 4

configs/Dockerfile (dockerfile)
===============================
Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 0)

+---------------------------+------------+----------------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |        CHECK         | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check |   DS002    | Image user is 'root' |   HIGH   | Specify at least 1 USER                  |
|                           |            |                      |          | command in Dockerfile with               |
|                           |            |                      |          | non-root user as argument                |
|                           |            |                      |          | -->avd.aquasec.com/appshield/ds002       |
+---------------------------+------------+----------------------+----------+------------------------------------------+

configs/deployment.yaml (kubernetes)
====================================
Tests: 28 (SUCCESSES: 14, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (HIGH: 1, CRITICAL: 0)

+---------------------------+------------+-------------------------------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |                CHECK                | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+-------------------------------------+----------+------------------------------------------+
| Kubernetes Security Check |   KSV006   | docker.sock is mounted to container |   HIGH   | Deployment 'hello-kubernetes' should     |
|                           |            |                                     |          | not specify '/var/run/docker.socker' in  |
|                           |            |                                     |          | 'spec.template.volumes.hostPath.path'    |
|                           |            |                                     |          | -->avd.aquasec.com/appshield/ksv006      |
+---------------------------+------------+-------------------------------------+----------+------------------------------------------+

configs/main.tf (terraform)
===========================
Tests: 19 (SUCCESSES: 11, FAILURES: 8, EXCEPTIONS: 0)
Failures: 8 (HIGH: 1, CRITICAL: 1)

+------------------------------------------+------------+---------------------------+----------+------------------------------------------+
|                   TYPE                   | MISCONF ID |           CHECK           | SEVERITY |                 MESSAGE                  |
+------------------------------------------+------------+---------------------------+----------+------------------------------------------+
|   Terraform Security Check powered by    |   AWS004   | Use of plain HTTP.        | CRITICAL | Resource                                 |
|                  tfsec                   |            |                           |          | 'aws_alb_listener.my-alb-listener'       |
|                                          |            |                           |          | uses plain HTTP instead of HTTPS.        |
|                                          |            |                           |          | -->tfsec.dev/docs/aws/AWS004/            |
+                                          +------------+---------------------------+----------+------------------------------------------+
|                                          |   AZU003   | Unencrypted managed disk. |   HIGH   | Resource 'azurerm_managed_disk.source'   |
|                                          |            |                           |          | defines an unencrypted managed disk.     |
|                                          |            |                           |          | -->tfsec.dev/docs/azure/AZU003/          |
+------------------------------------------+------------+---------------------------+----------+------------------------------------------+

configs/variables.tf (terraform)
================================
Tests: 1 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 0)
Failures: 0 (HIGH: 0, CRITICAL: 0)

By Exceptions

See Exceptions

Show Successes and Exceptions

Use --include-non-failures option to show successes and exceptions as well as failures.

trivy conf --severity CRITICAL --include-non-failures examples/misconf/mixed
Result
2021-07-10T17:44:02.049+0300    INFO    Detected config files: 4

configs/Dockerfile (dockerfile)
===============================
Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (CRITICAL: 0)

+---------------------------+------------+------------------------------------------+----------+--------+-----------------+
|           TYPE            | MISCONF ID |                  CHECK                   | SEVERITY | STATUS |     MESSAGE     |
+---------------------------+------------+------------------------------------------+----------+--------+-----------------+
| Dockerfile Security Check |   DS006    | COPY '--from' refers to the current      | CRITICAL |  PASS  | No issues found |
|                           |            | image                                    |          |        |                 |
+                           +------------+------------------------------------------+          +        +                 +
|                           |   DS007    | Multiple ENTRYPOINT instructions are     |          |        |                 |
|                           |            | listed                                   |          |        |                 |
+                           +------------+------------------------------------------+          +        +                 +
|                           |   DS008    | Exposed port is out of range             |          |        |                 |
+                           +------------+------------------------------------------+          +        +                 +
|                           |   DS010    | 'sudo' is used                           |          |        |                 |
+                           +------------+------------------------------------------+          +        +                 +
|                           |   DS011    | COPY with more than two arguments is not |          |        |                 |
|                           |            | ending with slash                        |          |        |                 |
+                           +------------+------------------------------------------+          +        +                 +
|                           |   DS012    | Duplicate aliases are defined in         |          |        |                 |
|                           |            | different FROMs                          |          |        |                 |
+---------------------------+------------+------------------------------------------+----------+--------+-----------------+

...