Prepare for v0.51.0 #6605
knqyf263 started this conversation in Development
Draft to collaborate on v0.51.0 release announcement
💔 Breaking Change 💔
⎈ Trivy Kubernetes new experience 😄
We've been collecting feedback from the community about Trivy's Kubernetes scanning (`trivy k8s`), and we are happy to finally incorporate many of the small changes that have been discussed. The new Kubernetes scanning user experience is simplified and more intuitive. We recommend re-reading the Kubernetes Scanning documentation page, but here is a summary of the changes.

New usage:

The kubeconfig context is the optional name of an existing context in the relevant kubeconfig. If omitted, the default context from the kubeconfig is used.

Flags:
- `--skip-images` - prevent pulling and scanning container images (including vulnerabilities and secrets).
- `--include-kinds` - include the listed kinds in scanning.
- `--exclude-kinds` - exclude the listed kinds from scanning.
- `--include-namespaces` - include the listed namespaces in scanning.
- `--exclude-namespaces` - exclude the listed namespaces from scanning.
- `--disable-node-collector` - disable the scan job that Trivy spawns on nodes by default (no node-level findings).

Removed from the new experience

Target name:
- `trivy k8s cluster`
- `trivy k8s all` - assumed by default
- `trivy k8s deployment/orion`

Flags:
- `--context` - promoted to target name
- `--component (workload, infra)` - use the namespace and kind selectors instead (in the future we might provide more convenience around this)
- `--all-namespaces` - assumed by default
- `--namespace (namespace name)` - replaced by include/exclude-namespaces

For additional info, please refer to the documentation or ask us in discussions.
🛫 Deprecation 🌆
🐹 Policies have now been renamed into Checks ✅
We've simplified our nomenclature by renaming misconfiguration "policies" to "checks" in order to avoid ambiguity (initially discussed here). Detailed migration steps are shared here.
For the time being, all existing checks that reference `--policy-*` will continue to work, but going forward the recommendation is to move them over to the new names. This also applies to the checks repository, which has been renamed to `trivy-checks` and can be found here: https://github.com/aquasecurity/trivy-checks. The previously known policy bundle will also continue to be available at `ghcr.io/aquasecurity/trivy-policies`, but we advise starting to use the new checks bundle over at `ghcr.io/aquasecurity/trivy-checks`.

🚀 What's new? 🚀
🥽 Detecting Vulnerabilities in Standard Packages for Go Binaries 🔍
Trivy has introduced a new feature that enables the detection of vulnerabilities in standard packages for Go binaries. For example, when a Go binary is found to have been compiled with Go 1.22.1, Trivy will identify vulnerabilities in standard packages (e.g., `crypto/rand` and `net/http`) that were detected in Go 1.22.1 and earlier versions. It's important to note that the detection is based on the Go version, and Trivy does not consider whether the standard package is actually used in the binary.

🧩 Go Binary Parser Enhancement 🔄
We've enhanced Trivy's Go binary parser to extract the main module name and its version from build information. Previously, even when Trivy found a Grafana binary, it could not obtain Grafana's own name and version to include in the SBOM or use for vulnerability detection; this additional functionality makes that possible.
This update involves parsing `-ldflags` to search for `-X` sub-flags, which are commonly used to set the binary version during the build.

Thanks to @oatovar
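To make the two Go items above concrete, here is an added example (not Trivy's code) that reads the build information Go embeds in every module-built binary, reports the toolchain version that stdlib advisory matching is keyed on, and recovers the main module version, falling back to `-X importpath.Var=value` assignments in the recorded `-ldflags` when the module version is the `(devel)` placeholder of a local build. The rule for deciding which `-X` variable carries the version (`versionKeySuffixes`) is an assumption of this example, not Trivy's actual heuristic.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strings"
)

// BinaryInfo is what this example recovers from a Go binary's embedded build info:
// the toolchain version (all that stdlib vulnerability matching is based on, as the
// announcement notes), the main module path and the main module version.
type BinaryInfo struct {
	GoVersion  string
	MainModule string
	Version    string
}

// versionKeySuffixes is an assumed heuristic (not Trivy's rule): an -X variable whose
// name ends with one of these is treated as carrying the binary version.
var versionKeySuffixes = []string{"version", "release"}

// splitLdflags splits an -ldflags value into arguments, honouring single and double
// quotes, e.g. `-s -w -X main.version=1.2.3 -X 'main.commit=abc def'`.
func splitLdflags(s string) []string {
	var args []string
	var cur strings.Builder
	var quote rune
	inTok := false
	for _, r := range s {
		switch {
		case quote != 0: // inside a quoted argument
			if r == quote {
				quote = 0
			} else {
				cur.WriteRune(r)
			}
		case r == '\'' || r == '"':
			quote, inTok = r, true
		case r == ' ' || r == '\t' || r == '\n':
			if inTok {
				args = append(args, cur.String())
				cur.Reset()
				inTok = false
			}
		default:
			cur.WriteRune(r)
			inTok = true
		}
	}
	if inTok {
		args = append(args, cur.String())
	}
	return args
}

// ParseLdflagsVersion scans an -ldflags string for `-X importpath.Var=value` (or
// `-X=importpath.Var=value`) and returns the value of the first variable whose name
// looks like a version; "" when none is found.
func ParseLdflagsVersion(ldflags string) string {
	args := splitLdflags(ldflags)
	for i := 0; i < len(args); i++ {
		var kv string
		switch {
		case args[i] == "-X" && i+1 < len(args):
			i++
			kv = args[i]
		case strings.HasPrefix(args[i], "-X="):
			kv = strings.TrimPrefix(args[i], "-X=")
		default:
			continue
		}
		key, val, ok := strings.Cut(kv, "=")
		if !ok || val == "" {
			continue
		}
		// key is "import/path.Var": compare only the variable name, case-insensitively.
		name := strings.ToLower(key[strings.LastIndex(key, ".")+1:])
		for _, suf := range versionKeySuffixes {
			if strings.HasSuffix(name, suf) {
				return val
			}
		}
	}
	return ""
}

// ResolveVersion prefers the module version recorded by the toolchain and falls back
// to -ldflags only when it is empty or the "(devel)" placeholder of a local build.
func ResolveVersion(mainVersion, ldflags string) string {
	if mainVersion != "" && mainVersion != "(devel)" {
		return mainVersion
	}
	return ParseLdflagsVersion(ldflags)
}

// FromBuildInfo assembles BinaryInfo from parsed build info.
func FromBuildInfo(bi *debug.BuildInfo) BinaryInfo {
	var ldflags string
	for _, s := range bi.Settings {
		if s.Key == "-ldflags" {
			ldflags = s.Value
		}
	}
	return BinaryInfo{GoVersion: bi.GoVersion, MainModule: bi.Main.Path, Version: ResolveVersion(bi.Main.Version, ldflags)}
}

func main() {
	// Usage: go run . [/path/to/go/binary]; without an argument it inspects itself.
	var bi *debug.BuildInfo
	if len(os.Args) > 1 {
		var err error
		if bi, err = buildinfo.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			os.Exit(1)
		}
	} else if b, ok := debug.ReadBuildInfo(); ok {
		bi = b
	} else {
		fmt.Fprintln(os.Stderr, "error: binary carries no build info")
		os.Exit(1)
	}
	info := FromBuildInfo(bi)
	fmt.Printf("toolchain: %s\nmain module: %s\nversion: %q\n", info.GoVersion, info.MainModule, info.Version)
	fmt.Println("stdlib advisories would be matched on the toolchain version alone, not on imported packages")
}
```

Point it at any Go binary on disk to see why the `(devel)` fallback matters: binaries built from a checkout rather than with `go install pkg@version` record no module version, so without the `-ldflags` pass the SBOM entry for the main module would have no version to match advisories against.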
📜 License Detection for Conan Files 🔄
Trivy now supports license detection in Conan projects by parsing `conanfile.py` in the cache directory. This enhancement improves compliance tracking and reporting.
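As an added example of what "parsing `conanfile.py`" can reasonably recover (this is illustrative code, not Trivy's parser), the following Go program pulls the `name`, `version` and `license` class attributes out of a recipe with a regex-based heuristic. The recipes are constructed samples; the point worth noting for anyone relying on such output is the edge case at the end: a license attribute computed at runtime (`license = load(self, "LICENSE")`) contains no usable literal, so the parser reports nothing rather than mistaking a file name for an SPDX identifier.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ConanRecipe holds the metadata a license scan needs from a conanfile.py recipe.
type ConanRecipe struct {
	Name     string
	Version  string
	Licenses []string
}

// attrRe matches class attribute assignments such as
//   name = "zlib"
//   license = ("MIT", "Apache-2.0")  # trailing comments are ignored
// It is a heuristic regex (assumed here; not Trivy's implementation).
var attrRe = regexp.MustCompile(`(?m)^\s*(name|version|license)\s*=\s*(.+?)\s*(?:#.*)?$`)

// pyStringRe matches single- or double-quoted Python string literals.
var pyStringRe = regexp.MustCompile(`"([^"]*)"|'([^']*)'`)

// pyStrings returns every string literal in expr, so both "MIT" and
// ("MIT", "Apache-2.0") yield the identifiers they contain.
func pyStrings(expr string) []string {
	var out []string
	for _, m := range pyStringRe.FindAllStringSubmatch(expr, -1) {
		if m[1] != "" {
			out = append(out, m[1])
		} else if m[2] != "" {
			out = append(out, m[2])
		}
	}
	return out
}

// isStringLiterals reports whether expr is a string literal or a tuple/list of them:
// nothing but quoted strings, brackets, commas and spaces may remain once the
// literals are removed. load(self, "LICENSE") therefore fails this test.
func isStringLiterals(expr string) bool {
	rest := pyStringRe.ReplaceAllString(expr, "")
	return expr != "" && strings.Trim(rest, " \t(),[]") == ""
}

// ParseConanfile extracts name, version and license(s) from conanfile.py source.
// The first literal assignment of each attribute wins; computed values are skipped.
func ParseConanfile(src string) ConanRecipe {
	var r ConanRecipe
	for _, m := range attrRe.FindAllStringSubmatch(src, -1) {
		expr := m[2]
		if !isStringLiterals(expr) {
			continue // computed at runtime; nothing reliable to extract
		}
		vals := pyStrings(expr)
		switch m[1] {
		case "name":
			if r.Name == "" && len(vals) > 0 {
				r.Name = vals[0]
			}
		case "version":
			if r.Version == "" && len(vals) > 0 {
				r.Version = vals[0]
			}
		case "license":
			if r.Licenses == nil {
				r.Licenses = vals
			}
		}
	}
	return r
}

// Constructed sample recipes (not real conan-center content).
const sampleConanfile = `from conan import ConanFile

class ZlibConan(ConanFile):
    name = "zlib"
    version = "1.2.13"
    license = "Zlib"  # SPDX identifier
    description = "constructed sample recipe"
`

const sampleMultiLicense = `class FooConan(ConanFile):
    name = "foo"
    version = "2.0"
    license = ("MIT", "Apache-2.0")
`

const sampleDynamicLicense = `class BarConan(ConanFile):
    name = "bar"
    version = "0.1"
    license = load(self, "LICENSE")
`

func main() {
	for _, src := range []string{sampleConanfile, sampleMultiLicense, sampleDynamicLicense} {
		r := ParseConanfile(src)
		fmt.Printf("%s %s licenses=%q\n", r.Name, r.Version, r.Licenses)
	}
}
```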
📦 Conan v2.x Lockfile Support 🔍
Trivy now supports Conan v2.x lockfiles. This update specifically adapts to changes in the lockfile format, which has reduced the amount of information available compared to v1. Therefore, current support is limited: all dependent packages are included in the scan results, but it does not detect which packages are direct/transitive dependencies and does not support dependency trees.
Thanks to @dus7eh
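The limitation described above follows directly from the shape of the v2 lockfile, which this added example (not Trivy's code) makes visible: a Conan 2.x `conan.lock` is a JSON document with flat lists of reference strings (`name/version[@user/channel][#recipe_revision][%timestamp]`) under `requires`, `build_requires` and `python_requires`, and nothing records which entry depends on which. The parser below lists every package with its scope and recipe revision; the sample lockfile is constructed, with made-up revision hashes and timestamps.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// lockfileV2 mirrors the top-level layout of a Conan 2.x conan.lock: flat lists of
// reference strings, with no edges between them.
type lockfileV2 struct {
	Version        string   `json:"version"`
	Requires       []string `json:"requires"`
	BuildRequires  []string `json:"build_requires"`
	PythonRequires []string `json:"python_requires"`
}

// Package is one entry recovered from the lockfile.
type Package struct {
	Name     string
	Version  string
	Revision string // recipe revision (the part after '#'), if present
	Scope    string // "requires", "build_requires" or "python_requires"
}

// parseRef splits name/version[@user/channel][#recipe_revision][%timestamp]
// into name, version and revision. ok is false for a reference with no "name/version".
func parseRef(ref string) (name, version, revision string, ok bool) {
	ref, _, _ = strings.Cut(ref, "%")        // drop the timestamp
	ref, revision, _ = strings.Cut(ref, "#") // keep the recipe revision
	ref, _, _ = strings.Cut(ref, "@")        // drop user/channel
	name, version, ok = strings.Cut(ref, "/")
	if !ok || name == "" || version == "" {
		return "", "", "", false
	}
	return name, version, revision, true
}

// ParseConanLockV2 lists every package in a v2 lockfile. Because the format records
// no dependency graph, the result is flat: direct and transitive requirements cannot
// be told apart, and no dependency tree can be reconstructed from this file alone.
func ParseConanLockV2(data []byte) ([]Package, error) {
	var lf lockfileV2
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, fmt.Errorf("conan.lock: %w", err)
	}
	var pkgs []Package
	scopes := []struct {
		scope string
		refs  []string
	}{
		{"requires", lf.Requires},
		{"build_requires", lf.BuildRequires},
		{"python_requires", lf.PythonRequires},
	}
	for _, s := range scopes {
		for _, ref := range s.refs {
			name, version, rev, ok := parseRef(ref)
			if !ok {
				return nil, fmt.Errorf("conan.lock: malformed reference %q", ref)
			}
			pkgs = append(pkgs, Package{Name: name, Version: version, Revision: rev, Scope: s.scope})
		}
	}
	return pkgs, nil
}

// sampleLock is a constructed conan.lock in the v2 layout; hashes and timestamps are made up.
const sampleLock = `{
  "version": "0.5",
  "requires": [
    "openssl/3.1.4#aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%1700000000.0",
    "zlib/1.3#bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb%1700000001.0"
  ],
  "build_requires": [
    "cmake/3.27.7#cccccccccccccccccccccccccccccccc%1700000002.0"
  ],
  "python_requires": []
}`

func main() {
	pkgs, err := ParseConanLockV2([]byte(sampleLock))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range pkgs {
		fmt.Printf("%-16s %-10s %-8s rev=%s\n", p.Scope, p.Name, p.Version, p.Revision)
	}
}
```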
🌱 Conda: Support for environment.yaml Files 📋
Trivy now supports scanning `environment.yaml` files used with Conda. This update enables Trivy to detect packages listed in these files, although vulnerability detection is currently not supported due to the absence of a Conda-specific vulnerability database. Scanning can be used for package listing and SBOM generation in various formats.

✍🏼 Ignoring Terraform Resources by Nested Attributes 🪵
It's now possible to ignore checks with nested attributes.
Read more here
🪻 Checks bundle now supports Private Registries
You can now pass the `--check-bundle-repository` flag, which includes a bundle that lives in a private registry, by specifying credentials. Read more here.
Thanks to @JeffResc for your contribution.
🧌 Improved fallback support for checks 🧚🏻‍♂️
We've made misconfiguration scanning more robust in case things don't go as expected. If a check from the downloaded checks bundle is not loaded as expected, Trivy will now fall back to the check's previous (known good) version, which is embedded in the Trivy engine itself.
This allows users to always have a working misconfiguration check instead of skipping the erroneous checks completely. It also allows the Trivy team to maintain backwards compatibility with each new release of the checks bundle, even if the input schema changes.
👷♂️ Notable Fixes 🛠️