Trivy Kubernetes Scan Error with specific rule check on AKS

[chosenonehacks]

Description

Hi there, I am doing trivy scan or Azure Kubernetes cluster (AKS) and while performing misconfig scan I am getting following error always related to the same check rule:

024-08-26T10:53:22.198+0200 FATAL get k8s artifacts with node info error: running node-collector job: warning event received: policy require-run-as-nonroot/autogen-run-as-non-root fail: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to true, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to true. rule autogen-run-as-non-root[0] failed at path /spec/template/spec/securityContext/runAsNonRoot/ rule autogen-run-as-non-root[1] failed at path /spec/template/spec/containers/0/securityContext/runAsNonRoot/ (PolicyViolation)

Is there a way to skip this rule? Or where is the problem and how to overcome this error?

Desired Behavior

Misconfig scan completes without errors.

Actual Behavior

Misconfig scan errors and is not completed

Reproduction Steps

1.Begin scan with command:
trivy k8s --scanners misconfig --report=summary --timeout=1800s cluster 


2. Receive error :

2024-08-26T11:13:11.377+0200    FATAL   get k8s artifacts with node info error: running node-collector job: warning event received: policy require-run-as-non-root-user/autogen-run-as-non-root-user fail: validation error: Running as root is not allowed. The fields spec.securityContext.runAsUser, spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or set to a number greater than zero. rule autogen-run-as-non-root-user failed at path /spec/template/spec/securityContext/runAsUser/ (PolicyViolation)

Target

Kubernetes

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

trivy k8s --scanners misconfig --report=summary --timeout=1800s --debug cluster 
2024-08-26T11:15:05.628+0200    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-08-26T11:15:05.629+0200    DEBUG   Ignore statuses {"statuses": null}
2024-08-26T11:16:20.107+0200    FATAL   get k8s artifacts with node info error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun
        /build/trivy-6IhveB/trivy-0.48.0/pkg/k8s/commands/cluster.go:38
  - running node-collector job: warning event received: policy require-run-as-non-root-user/autogen-run-as-non-root-user fail: validation error: Running as root is not allowed. The fields spec.securityContext.runAsUser, spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or set to a number greater than zero. rule autogen-run-as-non-root-user failed at path /spec/template/spec/securityContext/runAsUser/ (PolicyViolation)

Operating System

Kali

Version

trivy --version                                                 
Version: dev
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-08-26 06:12:02.525659114 +0000 UTC
  NextUpdate: 2024-08-26 12:12:02.525658754 +0000 UTC
  DownloadedAt: 2024-08-26 07:55:43.703817437 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-08-26 01:06:48.069224053 +0000 UTC
  NextUpdate: 2024-08-29 01:06:48.069223873 +0000 UTC
  DownloadedAt: 2024-08-26 08:08:02.301882724 +0000 UTC
Policy Bundle:
  Digest: sha256:5c4c5f5b566ddbc83888108ba8d6c6f23098cf51a848a8d4f40e2865f18861aa
  DownloadedAt: 2024-08-13 09:04:52.699763188 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[nikpivkin]

Hi @chosenonehacks !

I'll take a look.

[afdesk]

Hi @chosenonehacks!

which Trivy version do you use? it looks like v0.48
There was a breaking change in v0.51.0 #6622

$ trivy k8s --scanners misconfig --report=summary --timeout=1800s cluster
2024-08-26T23:32:58+06:00	FATAL	Fatal error	failed getting k8s cluster: context "cluster" does not exist
$ trivy -v                                                               
Version: 0.54.1