Merge pull request #1652 from tkatila/trivy-config-false-failures

mythi · web-flow · commit 4059067ab353 · 2024-01-18T07:51:27.000+02:00
Fix false failures with trivy config scan
diff --git a/.github/workflows/lib-trivy.yaml b/.github/workflows/lib-trivy.yaml
@@ -39,6 +39,9 @@ jobs:
         scan-ref: deployments/
         exit-code: 1
         severity: CRITICAL,HIGH
+        # When trivy-action starts supporting this, use it instead of .trivyaction
+        # https://github.com/aquasecurity/trivy-action/issues/284
+        #ignorefile: .trivyignore.yaml
 
   trivy-scan-dockerfiles:
     name: Scan Dockerfiles
diff --git a/.trivyignore b/.trivyignore
@@ -23,5 +23,5 @@ AVD-KSV-0048
 # Some plugins require access to various host paths
 AVD-KSV-0121
 
-# Device plugins do not use any CSIs
-## CVE-2019-11255
+# Ignore invalid "readOnlyRootFilesystem" detections
+AVD-KSV-0014
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
@@ -0,0 +1,55 @@
+misconfigurations:
+  - id: AVD-KSV-0121
+    statement: Some plugins require access to various host paths
+    paths:
+      - dlb_plugin/base/intel-dlb-plugin.yaml
+      - fpga_plugin/base/intel-fpga-plugin-daemonset.yaml
+      - qat_plugin/base/intel-qat-kernel-plugin.yaml
+      - qat_plugin/overlays/qat_initcontainer/qat_initcontainer.yaml
+
+  - id: AVD-KSV-0017
+    statement: initcontainers require privileged access
+    paths:
+      - dlb_plugin/overlays/dlb_initcontainer/dlb_initcontainer.yaml
+      - dsa_plugin/overlays/dsa_initcontainer/dsa_initcontainer.yaml
+      - qat_dpdk_app/patches/crypto-perf/env_replace_testcmd.yaml
+      - iaa_plugin/overlays/iaa_initcontainer/iaa_initcontainer.yaml
+      - qat_plugin/base/intel-qat-kernel-plugin.yaml
+      - qat_plugin/overlays/qat_initcontainer/qat_initcontainer.yaml
+
+  - id: AVD-KSV-0047
+    statement: gpu plugin in kubelet mode requires "nodes/proxy" resource access
+    paths:
+      - gpu_plugin/overlays/fractional_resources/gpu-manager-role.yaml
+      - operator/rbac/gpu_manager_role.yaml
+      - operator/rbac/role.yaml
+
+  - id: AVD-KSV-0014
+    statement: These are false detections for not setting "readOnlyFilesystem"
+    paths:
+      - fpga_plugin/overlays/region/mode-region.yaml
+      - gpu_plugin/overlays/fractional_resources/add-mounts.yaml
+      - gpu_plugin/overlays/fractional_resources/add-args.yaml
+      - gpu_plugin/overlays/fractional_resources/gpu-manager-role.yaml
+      - gpu_plugin/overlays/monitoring_shared-dev_nfd/add-args.yaml
+      - gpu_plugin/overlays/nfd_labeled_nodes/add-args.yaml
+      - iaa_plugin/overlays/iaa_initcontainer/iaa_initcontainer.yaml
+      - fpga_admissionwebhook/base/manager_webhook_patch.yaml
+      - operator/device/dlb/dlb.yaml
+      - operator/device/dsa/dsa.yaml
+      - operator/device/fpga/fpga.yaml
+      - operator/device/gpu/gpu.yaml
+      - operator/device/qat/qat.yaml
+      - operator/device/sgx/sgx.yaml
+      - gpu_tensorflow_test/deployment.yaml
+      - sgx_enclave_apps/overlays/sgx_ecdsa_inproc_quote/add_sgx_default_qcnl_conf.yaml
+      - xpumanager_sidecar/kustom/kustom_xpumanager.yaml
+      - operator/default/manager_auth_proxy_patch.yaml
+      - operator/default/manager_webhook_patch.yaml
+      - qat_dpdk_app/patches/compress-perf/env_replace_testcmd.yaml
+      - qat_dpdk_app/patches/compress-perf/volume_add_configmap.yaml
+      - qat_plugin/overlays/debug/add-args.yaml
+      - qat_plugin/overlays/e2e/add-args.yaml
+      - qat_plugin/overlays/debug/add-args.yaml
+      - qat_dpdk_app/patches/crypto-perf/env_replace_testcmd.yaml
+      - sgx_admissionwebhook/base/manager_webhook_patch.yaml
diff --git a/deployments/sgx_plugin/overlays/epc-register/init-daemonset.yaml b/deployments/sgx_plugin/overlays/epc-register/init-daemonset.yaml
@@ -30,6 +30,7 @@ spec:
               fieldPath: spec.nodeName
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop:
               - ALL
