afdesk
## Description Trivy kubernetes scan gets stuck in Kubernetes v1.31.* (tested for v1.31.1). ## Reason It seems it appears here: https://github.com/kubernetes/kubernetes/pull/126067 The docs - [Difference between "Complete" and "SuccessCriteriaMet"](https://github.com/kubernetes/enhancements/tree/master/keps/sig-apps/3998-job-success-completion-policy#difference-between-complete-and-successcriteriamet): ```md...
## Description Since #4786 (https://github.com/aquasecurity/trivy-kubernetes/pull/189), Trivy scans the last applied configuration instead of the actual resource state. ## Reason For scans, Trivy prefers info from an annotation, so if a customer mixes...
## Description Trivy kubernetes scan takes a lot of time for a small minikube cluster: ```sh $ time trivy k8s --report summary --debug --disable-node-collector --timeout 30m0s 491,23s user 49,05s system 55%...
## Description This PR bumps Trivy up to the latest version for the Helm chart. ## Checklist - [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository. -...
There are some vulnerabilities in the kube-bench image: ``` $ tar zxf kube-bench_0.9.1_linux_amd64.tar.gz $ go version ./kube-bench ./kube-bench: go1.22.7 $ trivy version Version: 0.56.2 Vulnerability DB: Version: 2 UpdatedAt: 2024-10-24 00:22:57.860059738...
## Description [CIS Kubernetes Benchmark v1.10.0](https://workbench.cisecurity.org/benchmarks/17568) (targets k8s v1.28 - v1.31) has been released in CIS Workbench. ### Discussed in https://github.com/aquasecurity/kube-bench/discussions/1692
## Description By default, Trivy retrieves Kubernetes resource information from `annotations` if they exist. https://github.com/aquasecurity/trivy-kubernetes/blob/ccf11d83e72ae31b91cb6d250e7128a601357650/pkg/trivyk8s/trivyk8s.go#L281-L287 This approach is used because some Kubernetes engines automatically convert API versions from applied YAML...
# Description By design Trivy k8s scans only targeted control plane components (Infra Assessment), which made sense for cluster-level scanning (without namespaces). However, Trivy now supports scanning controllers that may...
## Description When using Trivy to scan a Kubernetes cluster, the scan process gets stuck if any node in the cluster has taints applied. For example, a control-plane node with...
Currently, Trivy k8s scan can filter k8s artifacts only by namespaces and/or kinds (nodes, pods, etc.). There is an idea to add a new filter option that allows filtering artifacts...