Trivy misconfig scan for nodes does not work for aks

[mbrand]

Description

When running a k8s trivy scan for misconfigs on "aks" nodes trivy throws an error.

I did some debugging and found out that the commands from trivy-checks are filtered by platform here in the code:

https://github.com/aquasecurity/trivy-kubernetes/blob/b070991579cacd7634052dee2e250350d6e493e8/pkg/jobs/collector.go#L569

Since trivy-checks contain no commands for "aks" the filtered list is of course empty and so the error is thrown.

Is this expected? Should these checks not be used with aks? Or should you maybe fall back to "k8s" commands if the kubernetes platform does not fit any given checks?

Desired Behavior

Scans should run :)

Actual Behavior

2024-10-18T10:16:52+02:00	FATAL	Fatal error
  - get k8s artifacts with node info error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun
        github.com/aquasecurity/trivy/pkg/k8s/commands/cluster.go:42

Reproduction Steps

1.Use aks
2.Call trivy with `trivy --debug k8s --report=summary cluster --scanners misconfig --include-kinds node`
3.Error :(

Target

Kubernetes

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Debug Output

2024-10-18T10:16:48+02:00	DEBUG	No plugins loaded
2024-10-18T10:16:48+02:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-10-18T10:16:48+02:00	DEBUG	Cache dir	dir="/home/xxx/.cache/trivy"
2024-10-18T10:16:48+02:00	DEBUG	Cache dir	dir="/home/xxx/.cache/trivy"
2024-10-18T10:16:48+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-10-18T10:16:48+02:00	DEBUG	Ignore statuses	statuses=[]
2024-10-18T10:16:52+02:00	FATAL	Fatal error
  - get k8s artifacts with node info error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun
        github.com/aquasecurity/trivy/pkg/k8s/commands/cluster.go:42
`

Operating System

Arch Linux

Version

Version: 0.56.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-17 12:17:37.660183081 +0000 UTC
  NextUpdate: 2024-10-18 12:17:37.660182941 +0000 UTC
  DownloadedAt: 2024-10-17 14:13:43.439487579 +0000 UTC
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-10-17 13:59:11.567241136 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

@afdesk could you take a look?

[afdesk]

@mbrand thanks for the report!
I'll take a look

[afdesk]

@mbrand thanks again!

Your suggestion about default k8s command is deffenitely make sence, I've created an issue to track it: #7786

there are two strange moments in your case:

1. there is no log message with error. did you clean up it?
2. Trivy v0.51.0 introduced Trivy Kubernetes new experience: v0.51.0 #6622
   but there is cluster in your command.

Just to make sure, could you confirm that these moments don't affect on your scans? thanks

[mbrand]

Hi!

1. The error log is under: "Actual Behavior". Seems like I forgot putting it under "Debug output".
2. I was trying to find a way to replicate what the trivy-operator does. This was the command that I could test with that failed the fastest :). I also had the problem with trivy-operator so I think that shouldn't be the issue.

[afdesk]

@mbrand thanks for your answer.
Based on #7763 (reply in thread), I close this discussion
you can track #7786.
thanks!