No results in sarif file (#1434)

Comments
Thank you @musabmirza-amperon for reporting. It looks like the issue occurs when scanning a specific file.
I am new to kubescape so apologies for anything silly I might be pointing out.

That workaround is okay, however there is a larger issue which I tried to simplify in this report. The issue is that the sarif report seems incomplete and missing several reports shown in stdout.

Here is how to reproduce it by scanning argocd. I will use kustomize to render the templates into a dir (as you mentioned) and then scan the dir. Notice how the report on stdout and sarif differ (sarif missing stuff):

mkdir argocd-rendered
kustomize build https://github.com/argoproj/argo-cd//manifests/cluster-install > argocd-rendered/out.yaml
kubescape scan argocd-rendered -f sarif

# Result:
Initialized scanner
✅ Loaded policies
✅ Loaded exceptions
✅ Loaded account configurations
✅ Done accessing local objects
Control: C-0046 100% |███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| (48/48, 142 it/s)
✅ Done scanning Directory
✅ Done aggregating results
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Controls: 48 (Failed: 17, Passed: 29, Action Required: 2)
Failed Resources by Severity: Critical — 0, High — 23, Medium — 22, Low — 18
┌──────────┬────────────────────────────────────┬──────────────────┬───────────────┬────────────────────┐
│ SEVERITY │ CONTROL NAME │ FAILED RESOURCES │ ALL RESOURCES │ % COMPLIANCE-SCORE │
├──────────┼────────────────────────────────────┼──────────────────┼───────────────┼────────────────────┤
│ High │ Forbidden Container Registries │ 0 │ 7 │ Action Required * │
│ High │ Resources memory limit and request │ 7 │ 7 │ 0% │
│ High │ Resource limits │ 7 │ 7 │ 0% │
│ High │ List Kubernetes secrets │ 2 │ 7 │ 71% │
│ High │ Resources CPU limit and request │ 7 │ 7 │ 0% │
│ Medium │ Exec into container │ 1 │ 7 │ 86% │
│ Medium │ Data Destruction │ 2 │ 7 │ 71% │
│ Medium │ Ingress and Egress blocked │ 6 │ 14 │ 57% │
│ Medium │ Delete Kubernetes events │ 2 │ 7 │ 71% │
│ Medium │ Cluster-admin binding │ 1 │ 7 │ 86% │
│ Medium │ CoreDNS poisoning │ 2 │ 7 │ 71% │
│ Medium │ Access container service account │ 2 │ 2 │ 0% │
│ Medium │ Configured liveness probe │ 4 │ 7 │ 43% │
│ Medium │ Portforwarding privileges │ 1 │ 7 │ 86% │
│ Medium │ No impersonation │ 1 │ 7 │ 86% │
│ Medium │ Images from allowed registry │ 0 │ 7 │ Action Required * │
│ Low │ Configured readiness probe │ 4 │ 7 │ 43% │
│ Low │ Pods in default namespace │ 7 │ 7 │ 0% │
│ Low │ Label usage for resources │ 7 │ 7 │ 0% │
├──────────┼────────────────────────────────────┼──────────────────┼───────────────┼────────────────────┤
│ │ RESOURCE SUMMARY │ 9 │ 42 │ 76.49% │
└──────────┴────────────────────────────────────┴──────────────────┴───────────────┴────────────────────┘
FRAMEWORKS: AllControls (compliance: 76.60), NSA (compliance: 90.48), MITRE (compliance: 85.71)
* Control configurations are empty
✅ Scan results saved. filename: report.sarif
View results
────────────
Now, take your scan results to the next level with actionable insights on ARMO Platform.
Sign up for free here - https://cloud.armosec.io/repository-scanning/323b93f9-c300-4ffc-b079-8583a152c396
ℹ️ Run with '--verbose'/'-v' flag for detailed resources view

Now if you check the sarif file, it's not reporting any HIGH or MEDIUM severities, there are just warnings and notes. For instance, C-0015 which is reported in stdout (List kubernetes secrets) is missing in the sarif file and many others too.

What am I missing?
I'm not understanding this and I have Norton LifeLock that says it's a possible scam so unsubscribe me please
(Reply sent by e-mail, quoting musabmirza-amperon's comment above of Tue, Oct 17, 2023, 11:42 AM.)
|
Hi @musabmirza-amperon,

Have you tried to reproduce #1434 (comment) please? The issue is that

Yes @musabmasood. In the next version of kubescape all the severities in the

Can you link the issue/ticket for the above statement ^ 🙏?

Hi @musabmasood,

What I don't understand is that the

I updated to version cc @musabmasood

I'm on

Resolved in release v3.0.4

This issue is marked as resolved but running
still results in
Am I missing something? I did make sure to run v3.0.4.
Description

The sarif file does not have the findings in it.

Environment

OS: macOS Ventura 13
Version: Your current version is: v2.9.1

Steps To Reproduce

1. deployment.yaml file (taken from here):
2. Run kubescape scan deployment.yaml --verbose -f sarif. This would output something like this (vulnerabilities highlighted there):
3. Run cat report.sarif, which results in this:

Expected behavior

All the vulns reported in stdout would also be present in the report.sarif file.

Actual Behavior

report.sarif has an empty results[] array.

Additional context

I tested it out with other production manifests (e.g. kustomize for argocd etc.) and the results contained only a couple of vulns (that too with a warning or note) but nothing more.
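The two observations in this thread (the original description's empty results[] array, and the later comment that controls such as C-0015 appear in the stdout table but not in the SARIF file) can be checked mechanically rather than by eye. The script below is an added example written for this page, not kubescape's own code: it loads a SARIF 2.1.0 document, counts results by level, lists the rule ids and file URIs they reference, flags runs whose results array is empty, and reports which expected control ids have no result. The embedded SARIF document is constructed for illustration; the rule ids CX-0001 and CX-0002 are invented placeholders, and C-0015 is the control named in the thread, deliberately declared but never reported so the missing-id check has something to find. Only standard SARIF 2.1.0 fields are used (runs, tool.driver.rules, results, ruleId, level, locations.physicalLocation.artifactLocation.uri); nothing kubescape-specific is assumed.

```python
"""Summarize a SARIF 2.1.0 report and check it against an expected list of
control ids (added example for this thread, not kubescape's own code)."""
import json
import sys
from collections import Counter

# SARIF 2.1.0 default for a result whose "level" property is absent.
DEFAULT_LEVEL = "warning"

# Constructed sample report. Rule ids CX-0001 and CX-0002 are invented
# placeholders; C-0015 ("List Kubernetes secrets") is the control named in
# the thread and is deliberately declared but never reported, mirroring the
# reporter's observation.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "kubescape", "rules": [
            {"id": "C-0015", "shortDescription": {"text": "List Kubernetes secrets"}},
            {"id": "CX-0001", "shortDescription": {"text": "constructed rule 1"}},
            {"id": "CX-0002", "shortDescription": {"text": "constructed rule 2"}},
        ]}},
        "results": [
            {"ruleId": "CX-0001", "level": "note",
             "message": {"text": "constructed finding with an explicit level"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "argocd-rendered/out.yaml"}}}]},
            {"ruleId": "CX-0002",
             "message": {"text": "constructed finding without a level"}},
        ],
    }],
})


def load_sarif(text):
    """Parse SARIF JSON and reject anything that is not a 2.1.0 document."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0" or not isinstance(doc.get("runs"), list):
        raise ValueError("not a SARIF 2.1.0 document")
    return doc


def iter_results(doc):
    """Yield every result across all runs; a missing results array counts as empty."""
    for run in doc["runs"]:
        for result in run.get("results") or []:
            yield result


def summarize(doc):
    """Count results by level and collect the rule ids and file URIs they reference."""
    by_level = Counter()
    rule_ids, files = set(), set()
    for result in iter_results(doc):
        by_level[result.get("level", DEFAULT_LEVEL)] += 1
        if "ruleId" in result:
            rule_ids.add(result["ruleId"])
        for loc in result.get("locations", []):
            uri = (loc.get("physicalLocation", {})
                      .get("artifactLocation", {})
                      .get("uri"))
            if uri:
                files.add(uri)
    return {
        "total": sum(by_level.values()),
        "by_level": dict(by_level),
        "rule_ids": sorted(rule_ids),
        "files": sorted(files),
    }


def missing_rule_ids(doc, expected):
    """Expected ids (e.g. controls from the stdout table) with no result in the file."""
    present = set(summarize(doc)["rule_ids"])
    return [rule_id for rule_id in expected if rule_id not in present]


def rules_without_results(doc):
    """Rule ids declared under tool.driver.rules that no result references."""
    declared = set()
    for run in doc["runs"]:
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            declared.add(rule["id"])
    return sorted(declared - set(summarize(doc)["rule_ids"]))


def runs_with_empty_results(doc):
    """Indices of runs whose results array is missing or empty (the original report's case)."""
    return [i for i, run in enumerate(doc["runs"]) if not run.get("results")]


if __name__ == "__main__":
    # With a path argument, check a real report; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    report = load_sarif(text)
    print(json.dumps(summarize(report), indent=2))
    print("runs with empty results:", runs_with_empty_results(report))
    print("declared rules never reported:", rules_without_results(report))
    print("missing from expected list:", missing_rule_ids(report, ["C-0015"]))
```

Run it as `python sarif_check.py report.sarif` (the file name is whatever you saved the script as) after a `kubescape scan ... -f sarif` run. A `by_level` dictionary containing only `note` and `warning` while the stdout table lists High and Medium failures reproduces the reporter's second observation, and `runs_with_empty_results` returning `[0]` reproduces the first; passing the control ids from the stdout table to `missing_rule_ids` gives the concrete list of controls the SARIF file dropped.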