Comments (12)
Interesting - so to confirm - you'd like a way to configure the trivy plugin to be able to use AWS ECR as a private registry? I assume that means it needs to be a single account only (for each trivy connection)?
from steampipe-plugin-trivy.
@e-gineer correct, or at least 1 connection per account/region, and we can aggregate like normal for multiple accounts.
One possible use case (would have to be set up in the connector settings currently) would be to pull a list of repos/images from the aws plugin and pass it into trivy to do a scan.
from steampipe-plugin-trivy.
'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 30 days.'
from steampipe-plugin-trivy.
'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 30 days.'
from steampipe-plugin-trivy.
'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.'
from steampipe-plugin-trivy.
Hey @tinder-tder, sorry for the delayed response.
As per the doc available, Trivy uses the same authentication methods as the AWS CLI to configure and authenticate your access to the AWS platform.
A few other reference links -
https://blog.axiomio.com/scanning-your-aws-account-for-misconfigurations-with-trivy-73ce844bb107
https://lia.mg/posts/trivy-aws/
Based on my tests with the Trivy CLI, I found the following results:
Tested with default profile from ~/.aws/credentials file - Worked
Tested a named profile from ~/.aws/credentials file with the AWS_PROFILE env variable - Worked
Tested with SSO creds in ~/.aws/config file - Worked
➜ steampipe-plugin-trivy git:(main) trivy image 097350832434.dkr.ecr.ap-south-1.amazonaws.com/development/turbot:5.35.8
2023-06-14T12:34:19.949+0530 INFO Vulnerability scanning is enabled
2023-06-14T12:34:19.949+0530 INFO Secret scanning is enabled
2023-06-14T12:34:19.949+0530 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-14T12:34:19.949+0530 INFO Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-06-14T12:34:24.608+0530 INFO Detected OS: ubuntu
2023-06-14T12:34:24.608+0530 INFO Detecting Ubuntu vulnerabilities...
2023-06-14T12:34:24.615+0530 INFO Number of language-specific files: 1
2023-06-14T12:34:24.615+0530 INFO Detecting node-pkg vulnerabilities...
0973234346455.dkr.ecr.ap-south-1.amazonaws.com/development/turbot:5.35.8 (ubuntu 22.04)
Total: 88 (UNKNOWN: 0, LOW: 52, MEDIUM: 36, HIGH: 0, CRITICAL: 0)
┌───────────────────────┬────────────────┬──────────┬──────────────────────────────┬───────────────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────────────────┼────────────────┼──────────┼──────────────────────────────┼───────────────────────────┼─────────────────────────────────────────────────────────────┤
│ bash │ CVE-2022-3715 │ LOW │ 5.1-6ubuntu1 │ │ a heap-buffer-overflow in valid_parameter_transform │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3715 │
├───────────────────────┼────────────────┤ ├──────────────────────────────┼───────────────────────────┼─────────────────────────────────────────────────────────────┤
│ coreutils │ CVE-2016-2781 │ │ 8.32-4.1ubuntu1 │ │ coreutils: Non-privileged session can escape to the parent │
│ │ │ │ │ │ session in chroot │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-2781 │
├───────────────────────┼────────────────┤ ├──────────────────────────────┼───────────────────────────┼─────────────────────────────────────────────────────────────┤
│ curl │ CVE-2023-28321 │ │ 7.81.0-1ubuntu1.10 │ │ IDN wildcard match may lead to Improper Cerificate │
│ │ │ │ │ │ Validation │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-28321 │
│ ├────────────────┤ │ ├───────────────────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-28322 │ │ │ │ more POST-after-PUT confusion │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-28322 │
├───────────────────────┼────────────────┤ ├──────────────────────────────┼───────────────────────────┼─────────────────────────────────────────────────────────────┤
Tested with AssumeRole Creds in ~/.aws/config file - Worked
➜ steampipe-plugin-trivy git:(main) trivy aws --service ecr
[1/1] Scanning ecr...
Resource Summary for Service 'ecr' (AWS Account 53362343435)
No problems detected.
Tested with IAM Access Key Pair Credentials by passing them as env vars - Worked
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=ap-south-1
export AWS_SESSION_TOKEN=AQoDYXdzEJr...
➜ steampipe-plugin-trivy git:(main) trivy aws --service ecr
[1/1] Scanning ecr...
Resource Summary for Service 'ecr' (AWS Account 09735324345)
┌──────────────────────────────────────────────────────────────────┬──────────────────────────────────────────┐
│ │ Misconfigurations │
│ ├──────────┬──────┬────────┬─────┬─────────┤
│ Resource │ Critical │ High │ Medium │ Low │ Unknown │
├──────────────────────────────────────────────────────────────────┼──────────┼──────┼────────┼─────┼─────────┤
│ arn:aws:ecr:us-east-2:09735324345:repository/development/turbot │ 0 │ 2 │ 0 │ 1 │ 0 │
└──────────────────────────────────────────────────────────────────┴──────────┴──────┴────────┴─────┴─────────┘
The Trivy CLI supports the following AWS-specific flags -
AWS Flags
--account string The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts.
--arn string The AWS ARN to show results for. Useful to filter results once a scan is cached.
--endpoint string AWS Endpoint override
--region string AWS Region to scan
--service strings Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
In our current plugin setup, if we provide AWS credentials through the above methods and specify the image URIs in the trivy.spc file, the plugin can scan those images successfully.
> select * from trivy_scan_package
+-----------------------------------------------------------+-----------------+--------------------------------------------------------------------------+---------+--------+--------------
| artifact_name | artifact_type | target | class | type | name
+-----------------------------------------------------------+-----------------+--------------------------------------------------------------------------+---------+--------+--------------
| 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello | container_image | 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello (ubuntu 18.04) | os-pkgs | ubuntu | e2fsprogs
| 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello | container_image | 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello (ubuntu 18.04) | os-pkgs | ubuntu | libnginx-mod-
| 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello | container_image | 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello (ubuntu 18.04) | os-pkgs | ubuntu | zlib1g
| 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello | container_image | 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello (ubuntu 18.04) | os-pkgs | ubuntu | libfdisk1
| 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello | container_image | 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello (ubuntu 18.04) | os-pkgs | ubuntu | libxcb1
| 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello | container_image | 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello (ubuntu 18.04) | os-pkgs | ubuntu | ca-certificat
| 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello | container_image | 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello (ubuntu 18.04) | os-pkgs | ubuntu | libxdmcp6
| 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello | container_image | 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello (ubuntu 18.04) | os-pkgs | ubuntu | libjpeg-turbo
| 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello | container_image | 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello (ubuntu 18.04) | os-pkgs | ubuntu | fdisk
| 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello | container_image | 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello (ubuntu 18.04) | os-pkgs | ubuntu | libnginx-mod-
| 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello | container_image | 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello (ubuntu 18.04) | os-pkgs | ubuntu | bash
| 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello | container_image | 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello (ubuntu 18.04) | os-pkgs | ubuntu | libjbig0
| 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello | container_image | 0973234346455.dkr.ecr.ap-south-1.amazonaws.com/hello:hello (ubuntu 18.04) | os-pkgs | ubuntu | libjpeg8
The Trivy CLI internally utilizes the AWS SDK to load the default configuration. This means that Trivy can perform operations using the available CLI credentials. Since our plugin incorporates the Trivy CLI, it is capable of scanning ECR images if they are provided in the plugin configuration.
Based on the requirement, we need to support passing multiple sets of credentials (profiles) to the plugin in order to process all available images simultaneously. For instance, if there are multiple profiles defined in the credential file, setting one profile per plugin connection should enable the plugin to fetch all the images and process them. In other words, each plugin connection will be associated with a specific profile, allowing the plugin to access and process images from different sources using the respective credentials provided. Please let me know if my understanding aligns with the requirement.
If we decide to incorporate AWS environment variables in the Trivy plugin config file, we will need to include configuration/client creation similar to what we have in the AWS plugin. This will allow us to retrieve all the ECR image URIs.
It would be ideal to utilize the AWS_PROFILE environment variable as a configuration file argument in the plugin. Users can specify a profile based on Assume Role or an IAM Access Key Pair. They would need to set up the AWS CLI accordingly with the credential file, as the plugin will rely on it for authentication. Each connection can be associated with a single profile passed by the user.
I would appreciate your thoughts and suggestions on this matter.
@cbruno10 ++
from steampipe-plugin-trivy.
@bigdatasourav If there was a way to pass in images through the quals, would it also be possible to get a list of ECR repos and/or images from the AWS plugin tables, and then pass them into Trivy plugin table queries? I believe you can only pass in a list of images in the images config arg today, but if we provided a way to pass those in through quals (which would override any config arg), then we wouldn't need plugin updates.
I'm concerned with the effort and maintenance of adding AWS authentication and region code into this repository. We already maintain code in the AWS plugin, and while the Trivy CLI does support it, Trivy doesn't have another tool that allows them to interact with AWS accounts (or other cloud providers).
from steampipe-plugin-trivy.
@cbruno10 we can use the key column called artifact_name to pass the images in the below tables, but to use the AWS tables the user must also have the AWS plugin installed.
trivy_scan_artifact
trivy_scan_package
trivy_scan_secret
trivy_scan_vulnerability
Below are some sample queries with AWS -
select
  artifact_name,
  artifact_type,
  metadata
from
  trivy_scan_artifact
  join aws_ecr_image on artifact_name = concat(account_id, '.dkr.ecr.', region, '.amazonaws.com/', repository_name, '@', image_digest);

with ecr_images as (
  select
    concat(repository_uri, '@', image_digest) as image_uri
  from
    aws_ecr_repository as r,
    aws_ecr_image as i
  where
    i.repository_name = r.repository_name
)
select
  artifact_name,
  artifact_type,
  metadata
from
  trivy_scan_artifact
  join ecr_images on artifact_name = image_uri;
from steampipe-plugin-trivy.
A working example with AWS -
> select
    artifact_name,
    artifact_type,
    metadata
  from
    trivy_scan_artifact
  where
    artifact_name in (
      select
        concat(repository_uri, '@', image_digest) as image_uri
      from
        aws_ecr_repository as r
        join aws_ecr_image as i on i.repository_name = r.repository_name
      where
        r.repository_name = 'hello'
      order by
        r.repository_name
    );
+-----------------------------------------------------------------------------------------------------------------------------+-----------------+------------------------------------------
| artifact_name | artifact_type | metadata
+-----------------------------------------------------------------------------------------------------------------------------+-----------------+------------------------------------------
| 09133444546455.dkr.ecr.ap-south-1.amazonaws.com/hello@sha256:2296c41dd6da8a8c42d84ea310037c72117c15ee0cb01d7557561d2876b3e422 | container_image | {"DiffIDs":["sha256:cc4590d6a7187ce8879dd
| | | 6122bde485e0e3a4ec3696"],"ImageConfig":{"
| | | pkg-divert --local --rename --add /sbin/i
| | | u0026\u0026 echo 'Apt::AutoRemove::Sugges
| | | ginx.conf"},{"author":"Karthik Gaekwad","
| | | :40:31.4518071Z","created_by":"/bin/sh -c
| | | 3f88fdb70f85ef35c4f89a6e0953e499b16874235
| 09133444546455.dkr.ecr.ap-south-1.amazonaws.com/hello@sha256:984804a8ed358e0a3bce2df193c6b4d687076cc3a8f9606d5e30f3660e8f6e60 | container_image | {"DiffIDs":["sha256:cc4590d6a7187ce8879dd
| | | ab7a3accfc7bc55624676e"],"ImageConfig":{"
| | | pkg-divert --local --rename --add /sbin/i
| | | u0026\u0026 echo 'Apt::AutoRemove::Sugges
| | | ginx.conf"},{"author":"Karthik Gaekwad","
| | | 7T08:30:32.6982242Z","created_by":"/bin/s
| | | 77e13f88fdb70f85ef35c4f89a6e0953e499b1687
+-----------------------------------------------------------------------------------------------------------------------------+-----------------+------------------------------------------
But with this, we can only scan one account.
from steampipe-plugin-trivy.
We have added the image_uri column in the aws_ecr_image table, which will help us join queries with trivy tables.
Here is the sample query -
select
  artifact_name,
  artifact_type,
  metadata,
  results
from
  trivy_scan_artifact as a,
  aws_ecr_image as i
where
  artifact_name = image_uri
  and repository_name = 'hello';
from steampipe-plugin-trivy.
As Trivy can work with the AWS CLI, based on our findings above, we are thinking of adding support for two env vars, AWS_PROFILE and AWS_REGION, in the Trivy SPC as config parameters. We will set them before the API call using os.Setenv so Trivy can pick them up before processing the image.
I have already tested this, and it is working fine. There will be no impact on other plugin queries or on AWS CLI commands in the terminal due to os.Setenv.
@johnsmyth Please share your thoughts.
from steampipe-plugin-trivy.
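An added example (not from the thread or the plugin's code) illustrating the os.Setenv approach proposed in the comment above: Go's process environment is shared by every connection served by one plugin process, so the block shows the interleaving that lets one connection's scan resolve another connection's profile, and a lock around set-and-resolve as the minimum guard if the env-var route is taken at all. connConfig, resolve, setEnv, interleaved, guardedScan and mismatches are hypothetical names; resolve stands in for Trivy's credential lookup.

```go
package main

import (
	"os"
	"sync"
)

// Hypothetical per-connection config: one AWS profile and region per Steampipe
// connection, as the thread proposes (not the plugin's own type).
type connConfig struct {
	Profile string
	Region  string
}

// resolve stands in for Trivy's credential lookup (same env vars as the AWS SDK).
func resolve() string { return os.Getenv("AWS_PROFILE") }

// setEnv is the proposed os.Setenv step; the environment is process-wide.
func setEnv(c connConfig) {
	os.Setenv("AWS_PROFILE", c.Profile)
	os.Setenv("AWS_REGION", c.Region)
}

// interleaved is the failure mode: connection A sets its profile, connection B
// sets its own before A's scan resolves, and A's scan runs against B's account.
func interleaved(a, b connConfig) string {
	setEnv(a)
	setEnv(b)
	return resolve() // what A's scan observes
}

// envLock serializes set+resolve so no other connection can change the
// environment in between; passing the profile into the SDK config avoids this.
var envLock sync.Mutex
func guardedScan(c connConfig) string {
	envLock.Lock()
	defer envLock.Unlock()
	setEnv(c)
	return resolve()
}

// mismatches runs one guarded scan per entry concurrently; counts wrong profiles.
func mismatches(scans []connConfig) int {
	res := make(chan bool, len(scans))
	for _, c := range scans {
		go func(c connConfig) { res <- guardedScan(c) != c.Profile }(c)
	}
	bad := 0
	for range scans {
		if <-res {
			bad++
		}
	}
	return bad
}
```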
Hi @tinder-tder , sorry for the long response times!
We've thought about how to approach this feature request a fair bit, but don't have a clear path forward at the moment. Part of that is based on how the Trivy SDK interacts with AWS auth information, in particular where it uses the same creds resolution as the AWS SDK, but it's difficult to override this configuration when using the Trivy SDK.
Also, for Steampipe plugins, ultimately we'd like to add some cross-plugin connection feature to allow for smoother interactions in cases like these, but also don't have a clear direction yet for this feature.
As a workaround, I think setting the AWS env vars with each Steampipe session would be a way to leverage existing AWS creds, e.g.,
AWS_PROFILE=profile1 steampipe query "select * from ..."
AWS_PROFILE=profile2 steampipe query "select * from ..."
Though you'd have to avoid service mode or restart Steampipe frequently, depending on how often you need to use each set of credentials.
So unfortunately right now, this is a feature request we won't be implementing in this plugin, but if we missed some way to set AWS credentials more easily through the Trivy SDK or when we have a better direction on cross-plugin credential sharing, we're happy to re-open this feature request and see how we can support multiple connections.
from steampipe-plugin-trivy.