Itay Shakury

Results 316 comments of Itay Shakury

We're still working on supporting CIS benchmark checks in Trivy (CLI), which is tracked here: https://github.com/aquasecurity/trivy/issues/2198

Thanks for opening an issue, @isugimpy. Trivy tries to scan images from the local image store if available, and if not it will pull them from the registry. The interaction with local...

I just tried to run nginx from ECR just to see what the Pod Status looks like, and it has the following:

```
containerID: containerd://366a98117285434b8869ff692a020a136b01b7f6444aaa6e83a158ded431584b
image: public.ecr.aws/nginx/nginx:stable
imageID: public.ecr.aws/nginx/nginx@sha256:76503f7e2c5cf0910640e70264588f264016acdcdb91c99bc7b007efa971c708...
```

Also, I wanted to point out a couple of additional options to address the original question:

1. There's an [option](https://github.com/aquasecurity/trivy-operator/blob/d5c90a2615432ac374b0592b3d69c38449607067/docs/vulnerability-scanning/trivy.md#L99) to specify the mirror as configuration (somehow lost in the...

> I can confirm with 100% certainty that despite this pointing at quay.io, it was pulled from our internal passthrough cache via mirror rewrites at runtime. CRI-O (and containerd as...

> Filesystem could work, it's an intriguing approach! Wouldn't that require a daemonset though, since not every image is present on every host? This feature is meant to be used...

We should probably update the docs still

Doesn't the fact that most of these rules are already merged into defsec mean that they'll end up in this release anyway?

Can you please clarify - if someone does a `trivy aws` scan right now (with the CIS 1.4 checks already merged but no way to select CIS version), which check...

Thanks for explaining. So why do we say that it is pushed to next release? Isn't it out already?