--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 name: clustercompliancereports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ClusterComplianceReport listKind: ClusterComplianceReportList plural: clustercompliancereports shortNames: - compliance singular: clustercompliancereport scope: Cluster versions: - additionalPrinterColumns: - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of checks that failed jsonPath: .status.summary.failCount name: Fail priority: 1 type: integer - description: The number of checks that passed jsonPath: .status.summary.passCount name: Pass priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: ClusterComplianceReport is a specification for the ClusterComplianceReport resource. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: ReportSpec represent the compliance specification properties: compliance: properties: controls: description: Control represent the cps controls data and mapping checks items: description: Control represent the cps controls data and mapping checks properties: checks: items: description: SpecCheck represent the scanner who perform the control check properties: id: description: id define the check id as produced by scanner type: string required: - id type: object type: array commands: items: description: Commands represent the commands to be executed by the node-collector properties: id: description: id define the commands id type: string required: - id type: object type: array defaultStatus: description: define the default value for check status in case resource not found enum: - PASS - WARN - FAIL type: string description: type: string id: description: id define the control check id type: string name: type: string severity: description: define the severity of the control enum: - CRITICAL - HIGH - MEDIUM - LOW - UNKNOWN type: string required: - id - name - severity type: object type: array description: type: string id: type: string platform: type: string relatedResources: items: type: string type: array title: type: string type: type: string version: type: string required: - controls - description - id - platform - relatedResources - title - type - version type: object cron: description: cron define the intervals for report generation pattern: ^(((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1-5]{1}){1}([0-9]{1}){1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1]{1}){1}([0-9]{1}){1}){1}|([2]{1}){1}([0-3]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))|(jan|feb|mar|apr|may|jun|jul|aug|sep|okt|nov|dec)) ((([\*]{1}){1})|((\*\/){0,1}(([0-7]{1}){1}))|(sun|mon|tue|wed|thu|fri|sat)))$ type: string reportType: enum: - summary - all type: string required: - compliance - cron - reportType type: object status: properties: detailReport: description: ComplianceReport represents a kubernetes scan report properties: description: type: string id: type: string relatedVersion: items: type: string type: array results: items: properties: checks: items: description: ComplianceCheck provides the result of conducting a single compliance step. properties: category: type: string checkID: type: string description: type: string messages: items: type: string type: array remediation: description: Remediation provides description or links to external resources to remediate failing check. type: string severity: description: Severity level of a vulnerability or a configuration audit check. type: string success: type: boolean target: type: string title: type: string required: - checkID - severity - success type: object type: array description: type: string id: type: string name: type: string severity: type: string status: type: string required: - checks type: object type: array title: type: string version: type: string type: object x-kubernetes-preserve-unknown-fields: true summary: properties: failCount: type: integer passCount: type: integer type: object summaryReport: description: SummaryReport represents a kubernetes scan report with consolidated findings properties: controlCheck: items: properties: id: type: string name: type: string severity: type: string totalFail: type: integer type: object type: array id: type: string title: type: string type: object x-kubernetes-preserve-unknown-fields: true updateTimestamp: format: date-time type: string required: - updateTimestamp type: object type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 name: clusterconfigauditreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ClusterConfigAuditReport listKind: ClusterConfigAuditReportList plural: clusterconfigauditreports shortNames: - clusterconfigaudit singular: clusterconfigauditreport scope: Cluster versions: - additionalPrinterColumns: - description: The name of the config audit scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of failed checks with critical severity jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of failed checks with high severity jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of failed checks with medium severity jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of failed checks with low severity jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: ClusterConfigAuditReport is a specification for the ClusterConfigAuditReport resource. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: properties: checks: description: Checks provides results of conducting audit steps. items: description: Check provides the result of conducting a single audit step. properties: category: type: string checkID: type: string description: type: string messages: items: type: string type: array remediation: description: Remediation provides description or links to external resources to remediate failing check. type: string scope: description: Scope indicates the section of config that was audited. properties: type: description: Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath. type: string value: description: Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression type: string required: - type - value type: object severity: description: Severity level of a vulnerability or a configuration audit check. type: string success: type: boolean title: type: string required: - checkID - severity - success type: object type: array scanner: description: Scanner is the spec for a scanner generating a security assessment report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: ConfigAuditSummary counts failed checks by severity. properties: criticalCount: description: CriticalCount is the number of failed checks with critical severity. type: integer highCount: description: HighCount is the number of failed checks with high severity. type: integer lowCount: description: LowCount is the number of failed check with low severity. type: integer mediumCount: description: MediumCount is the number of failed checks with medium severity. type: integer required: - criticalCount - highCount - lowCount - mediumCount type: object updateTimestamp: format: date-time type: string required: - checks type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 name: clusterinfraassessmentreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ClusterInfraAssessmentReport listKind: ClusterInfraAssessmentReportList plural: clusterinfraassessmentreports shortNames: - clusterinfraassessment singular: clusterinfraassessmentreport scope: Cluster versions: - additionalPrinterColumns: - description: The name of the infra assessement scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of failed checks with critical severity jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of failed checks with high severity jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of failed checks with medium severity jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of failed checks with low severity jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: ClusterInfraAssessmentReport is a specification for the ClusterInfraAssessmentReport resource. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: properties: checks: description: Checks provides results of conducting audit steps. items: description: Check provides the result of conducting a single audit step. properties: category: type: string checkID: type: string description: type: string messages: items: type: string type: array remediation: description: Remediation provides description or links to external resources to remediate failing check. type: string scope: description: Scope indicates the section of config that was audited. properties: type: description: Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath. type: string value: description: Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression type: string required: - type - value type: object severity: description: Severity level of a vulnerability or a configuration audit check. type: string success: type: boolean title: type: string required: - checkID - severity - success type: object type: array scanner: description: Scanner is the spec for a scanner generating a security assessment report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: InfraAssessmentSummary counts failed checks by severity. properties: criticalCount: description: CriticalCount is the number of failed checks with critical severity. type: integer highCount: description: HighCount is the number of failed checks with high severity. type: integer lowCount: description: LowCount is the number of failed check with low severity. type: integer mediumCount: description: MediumCount is the number of failed checks with medium severity. type: integer required: - criticalCount - highCount - lowCount - mediumCount type: object required: - checks - scanner - summary type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 name: clusterrbacassessmentreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ClusterRbacAssessmentReport listKind: ClusterRbacAssessmentReportList plural: clusterrbacassessmentreports shortNames: - clusterrbacassessmentreport singular: clusterrbacassessmentreport scope: Cluster versions: - additionalPrinterColumns: - description: The name of the rbac assessment scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of failed checks with critical severity jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of failed checks with high severity jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of failed checks with medium severity jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of failed checks with low severity jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: ClusterRbacAssessmentReport is a specification for the ClusterRbacAssessmentReport resource. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: properties: checks: description: Checks provides results of conducting audit steps. items: description: Check provides the result of conducting a single audit step. properties: category: type: string checkID: type: string description: type: string messages: items: type: string type: array remediation: description: Remediation provides description or links to external resources to remediate failing check. type: string scope: description: Scope indicates the section of config that was audited. properties: type: description: Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath. type: string value: description: Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression type: string required: - type - value type: object severity: description: Severity level of a vulnerability or a configuration audit check. type: string success: type: boolean title: type: string required: - checkID - severity - success type: object type: array scanner: description: Scanner is the spec for a scanner generating a security assessment report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: RbacAssessmentSummary counts failed checks by severity. properties: criticalCount: description: CriticalCount is the number of failed checks with critical severity. type: integer highCount: description: HighCount is the number of failed checks with high severity. type: integer lowCount: description: LowCount is the number of failed check with low severity. type: integer mediumCount: description: MediumCount is the number of failed checks with medium severity. type: integer required: - criticalCount - highCount - lowCount - mediumCount type: object required: - checks - scanner - summary type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 name: clustersbomreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ClusterSbomReport listKind: ClusterSbomReportList plural: clustersbomreports shortNames: - clustersbom singular: clustersbomreport scope: Cluster versions: - additionalPrinterColumns: - description: The name of image repository jsonPath: .report.artifact.repository name: Repository type: string - description: The name of image tag jsonPath: .report.artifact.tag name: Tag type: string - description: The name of the sbom generation scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of dependencies in bom jsonPath: .report.summary.componentsCount name: Components priority: 1 type: integer - description: The the number of components in bom jsonPath: .report.summary.dependenciesCount name: Dependencies priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: ClusterSbomReport summarizes components and dependencies found in container image properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: description: Report is the actual sbom report data. properties: artifact: description: |- Artifact represents a standalone, executable package of software that includes everything needed to run an application. properties: digest: description: Digest is a unique and immutable identifier of an Artifact. type: string mimeType: description: MimeType represents a type and format of an Artifact. type: string repository: description: Repository is the name of the repository in the Artifact registry. type: string tag: description: Tag is a mutable, human-readable string used to identify an Artifact. type: string type: object components: description: Bom is artifact bill of materials. properties: bomFormat: type: string components: items: properties: bom-ref: type: string group: type: string hashes: items: properties: alg: type: string content: type: string type: object type: array licenses: items: properties: expression: type: string license: properties: id: type: string name: type: string url: type: string type: object type: object type: array name: type: string properties: items: properties: name: type: string value: type: string type: object type: array purl: type: string supplier: properties: contact: items: properties: email: type: string name: type: string phone: type: string type: object type: array name: type: string url: items: type: string type: array type: object type: type: string version: type: string type: object type: array dependencies: items: properties: dependsOn: items: type: string type: array ref: type: string type: object type: array metadata: properties: component: properties: bom-ref: type: string group: type: string hashes: items: properties: alg: type: string content: type: string type: object type: array licenses: items: properties: expression: type: string license: properties: id: type: string name: type: string url: type: string type: object type: object type: array name: type: string properties: items: properties: name: type: string value: type: string type: object type: array purl: type: string supplier: properties: contact: items: properties: email: type: string name: type: string phone: type: string type: object type: array name: type: string url: items: type: string type: array type: object type: type: string version: type: string type: object timestamp: type: string tools: properties: components: items: properties: bom-ref: type: string group: type: string hashes: items: properties: alg: type: string content: type: string type: object type: array licenses: items: properties: expression: type: string license: properties: id: type: string name: type: string url: type: string type: object type: object type: array name: type: string properties: items: properties: name: type: string value: type: string type: object type: array purl: type: string supplier: properties: contact: items: properties: email: type: string name: type: string phone: type: string type: object type: array name: type: string url: items: type: string type: array type: object type: type: string version: type: string type: object type: array type: object type: object serialNumber: type: string specVersion: type: string version: type: integer required: - bomFormat - specVersion type: object registry: description: Registry is the registry the Artifact was pulled from. properties: server: description: Server the FQDN of registry server. type: string type: object scanner: description: Scanner is the scanner that generated this report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: Summary is a summary of sbom report. properties: componentsCount: description: ComponentsCount is the number of components in bom. minimum: 0 type: integer dependenciesCount: description: DependenciesCount is the number of dependencies in bom. minimum: 0 type: integer required: - componentsCount - dependenciesCount type: object updateTimestamp: description: UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated. format: date-time type: string required: - artifact - components - scanner - summary - updateTimestamp type: object required: - report type: object served: true storage: true subresources: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 name: clustervulnerabilityreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ClusterVulnerabilityReport listKind: ClusterVulnerabilityReportList plural: clustervulnerabilityreports shortNames: - clustervuln singular: clustervulnerabilityreport scope: Cluster versions: - additionalPrinterColumns: - description: The name of image repository jsonPath: .report.artifact.repository name: Repository type: string - description: The name of image tag jsonPath: .report.artifact.tag name: Tag type: string - description: The name of the vulnerability scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of critical vulnerabilities jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of high vulnerabilities jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of medium vulnerabilities jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of low vulnerabilities jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer - description: The number of unknown vulnerabilities jsonPath: .report.summary.unknownCount name: Unknown priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: |- ClusterVulnerabilityReport summarizes vulnerabilities in application dependencies and operating system packages built into container images. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: description: Report is the actual vulnerability report data. properties: artifact: description: |- Artifact represents a standalone, executable package of software that includes everything needed to run an application. properties: digest: description: Digest is a unique and immutable identifier of an Artifact. type: string mimeType: description: MimeType represents a type and format of an Artifact. type: string repository: description: Repository is the name of the repository in the Artifact registry. type: string tag: description: Tag is a mutable, human-readable string used to identify an Artifact. type: string type: object os: description: OS information of the artifact properties: eosl: description: Eosl is true if OS version has reached end of service life type: boolean family: description: Operating System Family type: string name: description: Name or version of the OS type: string type: object registry: description: Registry is the registry the Artifact was pulled from. properties: server: description: Server the FQDN of registry server. type: string type: object scanner: description: Scanner is the scanner that generated this report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: Summary is a summary of Vulnerability counts grouped by Severity. properties: criticalCount: description: CriticalCount is the number of vulnerabilities with Critical Severity. minimum: 0 type: integer highCount: description: HighCount is the number of vulnerabilities with High Severity. minimum: 0 type: integer lowCount: description: LowCount is the number of vulnerabilities with Low Severity. minimum: 0 type: integer mediumCount: description: MediumCount is the number of vulnerabilities with Medium Severity. minimum: 0 type: integer noneCount: description: NoneCount is the number of packages without any vulnerability. minimum: 0 type: integer unknownCount: description: UnknownCount is the number of vulnerabilities with unknown severity. minimum: 0 type: integer required: - criticalCount - highCount - lowCount - mediumCount - unknownCount type: object updateTimestamp: description: UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated. format: date-time type: string vulnerabilities: description: Vulnerabilities is a list of operating system (OS) or application software Vulnerability items found in the Artifact. items: description: Vulnerability is the spec for a vulnerability record. properties: class: type: string cvss: additionalProperties: properties: V2Score: type: number V2Vector: type: string V3Score: type: number V3Vector: type: string V40Score: type: number V40Vector: type: string type: object type: object cvsssource: type: string description: type: string fixedVersion: description: FixedVersion indicates the version of the Resource in which this vulnerability has been fixed. type: string installedVersion: description: InstalledVersion indicates the installed version of the Resource. type: string lastModifiedDate: description: LastModifiedDate indicates the last date CVE has been modified. type: string links: items: type: string type: array packagePURL: type: string packagePath: type: string packageType: type: string primaryLink: type: string publishedDate: description: PublishedDate indicates the date of published CVE. type: string resource: description: Resource is a vulnerable package, application, or library. type: string score: type: number severity: description: Severity level of a vulnerability or a configuration audit check. enum: - CRITICAL - HIGH - MEDIUM - LOW - UNKNOWN type: string target: type: string title: type: string vulnerabilityID: description: VulnerabilityID the vulnerability identifier. type: string required: - fixedVersion - installedVersion - lastModifiedDate - publishedDate - resource - severity - title - vulnerabilityID type: object type: array required: - artifact - os - scanner - summary - updateTimestamp - vulnerabilities type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 name: configauditreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ConfigAuditReport listKind: ConfigAuditReportList plural: configauditreports shortNames: - configaudit - configaudits singular: configauditreport scope: Namespaced versions: - additionalPrinterColumns: - description: The name of the config audit scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of failed checks with critical severity jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of failed checks with high severity jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of failed checks with medium severity jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of failed checks with low severity jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: ConfigAuditReport is a specification for the ConfigAuditReport resource. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: properties: checks: description: Checks provides results of conducting audit steps. items: description: Check provides the result of conducting a single audit step. properties: category: type: string checkID: type: string description: type: string messages: items: type: string type: array remediation: description: Remediation provides description or links to external resources to remediate failing check. type: string scope: description: Scope indicates the section of config that was audited. properties: type: description: Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath. type: string value: description: Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression type: string required: - type - value type: object severity: description: Severity level of a vulnerability or a configuration audit check. type: string success: type: boolean title: type: string required: - checkID - severity - success type: object type: array scanner: description: Scanner is the spec for a scanner generating a security assessment report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: ConfigAuditSummary counts failed checks by severity. properties: criticalCount: description: CriticalCount is the number of failed checks with critical severity. type: integer highCount: description: HighCount is the number of failed checks with high severity. type: integer lowCount: description: LowCount is the number of failed check with low severity. type: integer mediumCount: description: MediumCount is the number of failed checks with medium severity. type: integer required: - criticalCount - highCount - lowCount - mediumCount type: object updateTimestamp: format: date-time type: string required: - checks type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 name: exposedsecretreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ExposedSecretReport listKind: ExposedSecretReportList plural: exposedsecretreports shortNames: - exposedsecret - exposedsecrets singular: exposedsecretreport scope: Namespaced versions: - additionalPrinterColumns: - description: The name of image repository jsonPath: .report.artifact.repository name: Repository type: string - description: The name of image tag jsonPath: .report.artifact.tag name: Tag type: string - description: The name of the exposed secret scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of critical exposed secrets jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of high exposed secrets jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of medium exposed secrets jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of low exposed secrets jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: ExposedSecretReport summarizes exposed secrets in plaintext files built into container images. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: description: Report is the actual exposed secret report data. properties: artifact: description: |- Artifact represents a standalone, executable package of software that includes everything needed to run an application. properties: digest: description: Digest is a unique and immutable identifier of an Artifact. type: string mimeType: description: MimeType represents a type and format of an Artifact. type: string repository: description: Repository is the name of the repository in the Artifact registry. type: string tag: description: Tag is a mutable, human-readable string used to identify an Artifact. type: string type: object registry: description: Registry is the registry the Artifact was pulled from. properties: server: description: Server the FQDN of registry server. type: string type: object scanner: description: Scanner is the scanner that generated this report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object secrets: description: Exposed secrets is a list of passwords, api keys, tokens and others items found in the Artifact. items: description: ExposedSecret is the spec for a exposed secret record. properties: category: type: string match: description: Match where the exposed rule matched. type: string ruleID: description: RuleID is rule the identifier. type: string severity: description: Severity level of a vulnerability or a configuration audit check. enum: - CRITICAL - HIGH - MEDIUM - LOW type: string target: description: Target is where the exposed secret was found. type: string title: type: string required: - category - match - ruleID - severity - target - title type: object type: array summary: description: Summary is the exposed secrets counts grouped by Severity. properties: criticalCount: description: CriticalCount is the number of exposed secrets with Critical Severity. minimum: 0 type: integer highCount: description: HighCount is the number of exposed secrets with High Severity. minimum: 0 type: integer lowCount: description: LowCount is the number of exposed secrets with Low Severity. minimum: 0 type: integer mediumCount: description: MediumCount is the number of exposed secrets with Medium Severity. minimum: 0 type: integer required: - criticalCount - highCount - lowCount - mediumCount type: object updateTimestamp: description: UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated. format: date-time type: string required: - artifact - scanner - secrets - summary - updateTimestamp type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 name: infraassessmentreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: InfraAssessmentReport listKind: InfraAssessmentReportList plural: infraassessmentreports shortNames: - infraassessment - infraassessments singular: infraassessmentreport scope: Namespaced versions: - additionalPrinterColumns: - description: The name of the infra assessment scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of failed checks with critical severity jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of failed checks with high severity jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of failed checks with medium severity jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of failed checks with low severity jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: InfraAssessmentReport is a specification for the InfraAssessmentReport resource. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: properties: checks: description: Checks provides results of conducting audit steps. items: description: Check provides the result of conducting a single audit step. properties: category: type: string checkID: type: string description: type: string messages: items: type: string type: array remediation: description: Remediation provides description or links to external resources to remediate failing check. type: string scope: description: Scope indicates the section of config that was audited. properties: type: description: Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath. type: string value: description: Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression type: string required: - type - value type: object severity: description: Severity level of a vulnerability or a configuration audit check. type: string success: type: boolean title: type: string required: - checkID - severity - success type: object type: array scanner: description: Scanner is the spec for a scanner generating a security assessment report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: InfraAssessmentSummary counts failed checks by severity. properties: criticalCount: description: CriticalCount is the number of failed checks with critical severity. type: integer highCount: description: HighCount is the number of failed checks with high severity. type: integer lowCount: description: LowCount is the number of failed check with low severity. type: integer mediumCount: description: MediumCount is the number of failed checks with medium severity. type: integer required: - criticalCount - highCount - lowCount - mediumCount type: object required: - checks - scanner - summary type: object required: - report type: object served: true storage: true subresources: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 name: rbacassessmentreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: RbacAssessmentReport listKind: RbacAssessmentReportList plural: rbacassessmentreports shortNames: - rbacassessment - rbacassessments singular: rbacassessmentreport scope: Namespaced versions: - additionalPrinterColumns: - description: The name of the rbac assessment scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of failed checks with critical severity jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of failed checks with high severity jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of failed checks with medium severity jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of failed checks with low severity jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: RbacAssessmentReport is a specification for the RbacAssessmentReport resource. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: properties: checks: description: Checks provides results of conducting audit steps. items: description: Check provides the result of conducting a single audit step. properties: category: type: string checkID: type: string description: type: string messages: items: type: string type: array remediation: description: Remediation provides description or links to external resources to remediate failing check. type: string scope: description: Scope indicates the section of config that was audited. properties: type: description: Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath. type: string value: description: Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression type: string required: - type - value type: object severity: description: Severity level of a vulnerability or a configuration audit check. type: string success: type: boolean title: type: string required: - checkID - severity - success type: object type: array scanner: description: Scanner is the spec for a scanner generating a security assessment report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: RbacAssessmentSummary counts failed checks by severity. properties: criticalCount: description: CriticalCount is the number of failed checks with critical severity. type: integer highCount: description: HighCount is the number of failed checks with high severity. type: integer lowCount: description: LowCount is the number of failed check with low severity. type: integer mediumCount: description: MediumCount is the number of failed checks with medium severity. type: integer required: - criticalCount - highCount - lowCount - mediumCount type: object required: - checks - scanner - summary type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 name: sbomreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: SbomReport listKind: SbomReportList plural: sbomreports shortNames: - sbom - sboms singular: sbomreport scope: Namespaced versions: - additionalPrinterColumns: - description: The name of image repository jsonPath: .report.artifact.repository name: Repository type: string - description: The name of image tag jsonPath: .report.artifact.tag name: Tag type: string - description: The name of the sbom generation scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of dependencies in bom jsonPath: .report.summary.componentsCount name: Components priority: 1 type: integer - description: The the number of components in bom jsonPath: .report.summary.dependenciesCount name: Dependencies priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: SbomReport summarizes components and dependencies found in container image properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: description: Report is the actual sbom report data. properties: artifact: description: |- Artifact represents a standalone, executable package of software that includes everything needed to run an application. properties: digest: description: Digest is a unique and immutable identifier of an Artifact. type: string mimeType: description: MimeType represents a type and format of an Artifact. type: string repository: description: Repository is the name of the repository in the Artifact registry. type: string tag: description: Tag is a mutable, human-readable string used to identify an Artifact. type: string type: object components: description: Bom is artifact bill of materials. properties: bomFormat: type: string components: items: properties: bom-ref: type: string group: type: string hashes: items: properties: alg: type: string content: type: string type: object type: array licenses: items: properties: expression: type: string license: properties: id: type: string name: type: string url: type: string type: object type: object type: array name: type: string properties: items: properties: name: type: string value: type: string type: object type: array purl: type: string supplier: properties: contact: items: properties: email: type: string name: type: string phone: type: string type: object type: array name: type: string url: items: type: string type: array type: object type: type: string version: type: string type: object type: array dependencies: items: properties: dependsOn: items: type: string type: array ref: type: string type: object type: array metadata: properties: component: properties: bom-ref: type: string group: type: string hashes: items: properties: alg: type: string content: type: string type: object type: array licenses: items: properties: expression: type: string license: properties: id: type: string name: type: string url: type: string type: object type: object type: array name: type: string properties: items: properties: name: type: string value: type: string type: object type: array purl: type: string supplier: properties: contact: items: properties: email: type: string name: type: string phone: type: string type: object type: array name: type: string url: items: type: string type: array type: object type: type: string version: type: string type: object timestamp: type: string tools: properties: components: items: properties: bom-ref: type: string group: type: string hashes: items: properties: alg: type: string content: type: string type: object type: array licenses: items: properties: expression: type: string license: properties: id: type: string name: type: string url: type: string type: object type: object type: array name: type: string properties: items: properties: name: type: string value: type: string type: object type: array purl: type: string supplier: properties: contact: items: properties: email: type: string name: type: string phone: type: string type: object type: array name: type: string url: items: type: string type: array type: object type: type: string version: type: string type: object type: array type: object type: object serialNumber: type: string specVersion: type: string version: type: integer required: - bomFormat - specVersion type: object registry: description: Registry is the registry the Artifact was pulled from. properties: server: description: Server the FQDN of registry server. type: string type: object scanner: description: Scanner is the scanner that generated this report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: Summary is a summary of sbom report. properties: componentsCount: description: ComponentsCount is the number of components in bom. minimum: 0 type: integer dependenciesCount: description: DependenciesCount is the number of dependencies in bom. minimum: 0 type: integer required: - componentsCount - dependenciesCount type: object updateTimestamp: description: UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated. format: date-time type: string required: - artifact - components - scanner - summary - updateTimestamp type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 name: vulnerabilityreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: VulnerabilityReport listKind: VulnerabilityReportList plural: vulnerabilityreports shortNames: - vuln - vulns singular: vulnerabilityreport scope: Namespaced versions: - additionalPrinterColumns: - description: The name of image repository jsonPath: .report.artifact.repository name: Repository type: string - description: The name of image tag jsonPath: .report.artifact.tag name: Tag type: string - description: The name of the vulnerability scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of critical vulnerabilities jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of high vulnerabilities jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of medium vulnerabilities jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of low vulnerabilities jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer - description: The number of unknown vulnerabilities jsonPath: .report.summary.unknownCount name: Unknown priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: |- VulnerabilityReport summarizes vulnerabilities in application dependencies and operating system packages built into container images. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: description: Report is the actual vulnerability report data. properties: artifact: description: |- Artifact represents a standalone, executable package of software that includes everything needed to run an application. properties: digest: description: Digest is a unique and immutable identifier of an Artifact. type: string mimeType: description: MimeType represents a type and format of an Artifact. type: string repository: description: Repository is the name of the repository in the Artifact registry. type: string tag: description: Tag is a mutable, human-readable string used to identify an Artifact. type: string type: object os: description: OS information of the artifact properties: eosl: description: Eosl is true if OS version has reached end of service life type: boolean family: description: Operating System Family type: string name: description: Name or version of the OS type: string type: object registry: description: Registry is the registry the Artifact was pulled from. properties: server: description: Server the FQDN of registry server. type: string type: object scanner: description: Scanner is the scanner that generated this report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: Summary is a summary of Vulnerability counts grouped by Severity. properties: criticalCount: description: CriticalCount is the number of vulnerabilities with Critical Severity. minimum: 0 type: integer highCount: description: HighCount is the number of vulnerabilities with High Severity. minimum: 0 type: integer lowCount: description: LowCount is the number of vulnerabilities with Low Severity. minimum: 0 type: integer mediumCount: description: MediumCount is the number of vulnerabilities with Medium Severity. minimum: 0 type: integer noneCount: description: NoneCount is the number of packages without any vulnerability. minimum: 0 type: integer unknownCount: description: UnknownCount is the number of vulnerabilities with unknown severity. minimum: 0 type: integer required: - criticalCount - highCount - lowCount - mediumCount - unknownCount type: object updateTimestamp: description: UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated. format: date-time type: string vulnerabilities: description: Vulnerabilities is a list of operating system (OS) or application software Vulnerability items found in the Artifact. items: description: Vulnerability is the spec for a vulnerability record. properties: class: type: string cvss: additionalProperties: properties: V2Score: type: number V2Vector: type: string V3Score: type: number V3Vector: type: string V40Score: type: number V40Vector: type: string type: object type: object cvsssource: type: string description: type: string fixedVersion: description: FixedVersion indicates the version of the Resource in which this vulnerability has been fixed. type: string installedVersion: description: InstalledVersion indicates the installed version of the Resource. type: string lastModifiedDate: description: LastModifiedDate indicates the last date CVE has been modified. type: string links: items: type: string type: array packagePURL: type: string packagePath: type: string packageType: type: string primaryLink: type: string publishedDate: description: PublishedDate indicates the date of published CVE. type: string resource: description: Resource is a vulnerable package, application, or library. type: string score: type: number severity: description: Severity level of a vulnerability or a configuration audit check. enum: - CRITICAL - HIGH - MEDIUM - LOW - UNKNOWN type: string target: type: string title: type: string vulnerabilityID: description: VulnerabilityID the vulnerability identifier. type: string required: - fixedVersion - installedVersion - lastModifiedDate - publishedDate - resource - severity - title - vulnerabilityID type: object type: array required: - artifact - os - scanner - summary - updateTimestamp - vulnerabilities type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- apiVersion: v1 kind: Namespace metadata: name: trivy-system labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl --- # Source: trivy-operator/templates/configmaps/operator.yaml apiVersion: v1 kind: ConfigMap metadata: name: trivy-operator namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl data: nodeCollector.volumes: "[{\"hostPath\":{\"path\":\"/var/lib/etcd\"},\"name\":\"var-lib-etcd\"},{\"hostPath\":{\"path\":\"/var/lib/kubelet\"},\"name\":\"var-lib-kubelet\"},{\"hostPath\":{\"path\":\"/var/lib/kube-scheduler\"},\"name\":\"var-lib-kube-scheduler\"},{\"hostPath\":{\"path\":\"/var/lib/kube-controller-manager\"},\"name\":\"var-lib-kube-controller-manager\"},{\"hostPath\":{\"path\":\"/etc/systemd\"},\"name\":\"etc-systemd\"},{\"hostPath\":{\"path\":\"/lib/systemd\"},\"name\":\"lib-systemd\"},{\"hostPath\":{\"path\":\"/etc/kubernetes\"},\"name\":\"etc-kubernetes\"},{\"hostPath\":{\"path\":\"/etc/cni/net.d/\"},\"name\":\"etc-cni-netd\"}]" nodeCollector.volumeMounts: "[{\"mountPath\":\"/var/lib/etcd\",\"name\":\"var-lib-etcd\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kubelet\",\"name\":\"var-lib-kubelet\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kube-scheduler\",\"name\":\"var-lib-kube-scheduler\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kube-controller-manager\",\"name\":\"var-lib-kube-controller-manager\",\"readOnly\":true},{\"mountPath\":\"/etc/systemd\",\"name\":\"etc-systemd\",\"readOnly\":true},{\"mountPath\":\"/lib/systemd/\",\"name\":\"lib-systemd\",\"readOnly\":true},{\"mountPath\":\"/etc/kubernetes\",\"name\":\"etc-kubernetes\",\"readOnly\":true},{\"mountPath\":\"/etc/cni/net.d/\",\"name\":\"etc-cni-netd\",\"readOnly\":true}]" scanJob.useGCRServiceAccount: "true" scanJob.podTemplateContainerSecurityContext: "{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRootFilesystem\":true}" scanJob.compressLogs: "true" vulnerabilityReports.scanner: "Trivy" vulnerabilityReports.scanJobsInSameNamespace: "false" configAuditReports.scanner: "Trivy" compliance.failEntriesLimit: "10" report.recordFailedChecksOnly: "true" node.collector.imageRef: "ghcr.io/aquasecurity/node-collector:0.3.1" policies.bundle.oci.ref: "mirror.gcr.io/aquasec/trivy-checks:1" policies.bundle.insecure: "false" node.collector.nodeSelector: "true" --- # Source: trivy-operator/templates/configmaps/trivy-operator-config.yaml kind: ConfigMap apiVersion: v1 metadata: name: trivy-operator-config namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl data: OPERATOR_LOG_DEV_MODE: "false" OPERATOR_SCAN_JOB_TTL: "" OPERATOR_SCAN_JOB_TIMEOUT: "5m" OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT: "10" OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT: "1" OPERATOR_SCAN_JOB_RETRY_AFTER: "30s" OPERATOR_BATCH_DELETE_LIMIT: "10" OPERATOR_BATCH_DELETE_DELAY: "10s" OPERATOR_METRICS_BIND_ADDRESS: ":8080" OPERATOR_METRICS_FINDINGS_ENABLED: "true" OPERATOR_METRICS_VULN_ID_ENABLED: "false" OPERATOR_HEALTH_PROBE_BIND_ADDRESS: ":9090" OPERATOR_PPROF_BIND_ADDRESS: "" OPERATOR_VULNERABILITY_SCANNER_ENABLED: "true" OPERATOR_SBOM_GENERATION_ENABLED: "true" OPERATOR_CLUSTER_SBOM_CACHE_ENABLED: "false" OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true" OPERATOR_SCANNER_REPORT_TTL: "24h" OPERATOR_CACHE_REPORT_TTL: "120h" CONTROLLER_CACHE_SYNC_TIMEOUT: "5m" OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED: "true" OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED: "true" OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED: "true" OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true" OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED: "true" OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED: "false" OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED: "false" OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED: "false" OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED: "false" OPERATOR_METRICS_IMAGE_INFO_ENABLED: "false" OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED: "false" OPERATOR_WEBHOOK_BROADCAST_URL: "" OPERATOR_WEBHOOK_BROADCAST_TIMEOUT: "30s" OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS: "" OPERATOR_SEND_DELETED_REPORTS: "false" OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES: "{}" OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS: "true" OPERATOR_BUILT_IN_TRIVY_SERVER: "false" TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION: "10h" OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT: "false" OPERATOR_CLUSTER_COMPLIANCE_ENABLED: "true" --- # Source: trivy-operator/templates/configmaps/trivy.yaml apiVersion: v1 kind: ConfigMap metadata: name: trivy-operator-trivy-config namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl data: trivy.repository: "mirror.gcr.io/aquasec/trivy" trivy.tag: "0.67.0" trivy.imagePullPolicy: "IfNotPresent" trivy.additionalVulnerabilityReportFields: "" trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" trivy.slow: "true" trivy.skipJavaDBUpdate: "false" trivy.includeDevDeps: "false" trivy.imageScanCacheDir: "/tmp/trivy/.cache" trivy.filesystemScanCacheDir: "/var/trivyoperator/trivy-db" trivy.dbRepository: "mirror.gcr.io/aquasec/trivy-db" trivy.javaDbRepository: "mirror.gcr.io/aquasec/trivy-java-db" trivy.command: "image" trivy.sbomSources: "" trivy.dbRepositoryInsecure: "false" trivy.useBuiltinRegoPolicies: "false" trivy.useEmbeddedRegoPolicies: "true" trivy.supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota" trivy.timeout: "5m0s" trivy.mode: "Standalone" trivy.resources.requests.cpu: "100m" trivy.resources.requests.memory: "100M" trivy.resources.limits.cpu: "500m" trivy.resources.limits.memory: "500M" --- # Source: trivy-operator/templates/secrets/operator.yaml apiVersion: v1 kind: Secret metadata: name: trivy-operator namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl data: --- # Source: trivy-operator/templates/secrets/trivy.yaml apiVersion: v1 kind: Secret metadata: name: trivy-operator-trivy-config namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl data: --- # Source: trivy-operator/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: trivy-operator namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl spec: replicas: 1 strategy: type: Recreate selector: matchLabels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator template: metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator spec: serviceAccountName: trivy-operator automountServiceAccountToken: true containers: - name: "trivy-operator" image: "mirror.gcr.io/aquasec/trivy-operator:0.29.0" imagePullPolicy: IfNotPresent env: - name: OPERATOR_NAMESPACE value: trivy-system - name: OPERATOR_TARGET_NAMESPACES value: "" - name: OPERATOR_EXCLUDE_NAMESPACES value: "" - name: OPERATOR_TARGET_WORKLOADS value: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job" - name: OPERATOR_SERVICE_ACCOUNT value: "trivy-operator" envFrom: - configMapRef: name: trivy-operator-config ports: - name: metrics containerPort: 8080 - name: probes containerPort: 9090 readinessProbe: httpGet: path: /readyz/ port: probes initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 failureThreshold: 3 livenessProbe: httpGet: path: /healthz/ port: probes initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 failureThreshold: 10 securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true volumeMounts: - mountPath: /tmp name: cache-policies readOnly: false volumes: - emptyDir: {} name: cache-policies --- # Source: trivy-operator/templates/monitor/service.yaml apiVersion: v1 kind: Service metadata: name: trivy-operator namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl spec: clusterIP: None ports: - name: metrics port: 80 targetPort: metrics protocol: TCP appProtocol: TCP selector: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator type: ClusterIP --- # Source: trivy-operator/templates/rbac/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: trivy-operator rules: - apiGroups: - "" resources: - configmaps - limitranges - nodes - pods - replicationcontrollers - resourcequotas - services verbs: - get - list - watch - apiGroups: - "" resources: - namespaces verbs: - get - apiGroups: - "" resources: - pods/log verbs: - get - list - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - get - list - watch - apiGroups: - apps resources: - daemonsets - deployments - replicasets - statefulsets verbs: - get - list - watch - apiGroups: - apps.openshift.io resources: - deploymentconfigs verbs: - get - list - watch - apiGroups: - aquasecurity.github.io resources: - clustercompliancedetailreports - clustercompliancereports - clusterconfigauditreports - clusterinfraassessmentreports - clusterrbacassessmentreports - clustersbomreports - clustervulnerabilityreports - configauditreports - exposedsecretreports - infraassessmentreports - rbacassessmentreports - sbomreports - vulnerabilityreports verbs: - create - delete - get - list - patch - update - watch - apiGroups: - aquasecurity.github.io resources: - clustercompliancereports/status verbs: - get - patch - update - apiGroups: - batch resources: - cronjobs verbs: - get - list - watch - apiGroups: - batch resources: - jobs verbs: - create - delete - get - list - watch - apiGroups: - networking.k8s.io resources: - ingresses - networkpolicies verbs: - get - list - watch - apiGroups: - rbac.authorization.k8s.io resources: - clusterrolebindings - clusterroles - rolebindings - roles verbs: - get - list - watch - apiGroups: - "" resources: - secrets verbs: - create - get - update - apiGroups: - "" resources: - serviceaccounts verbs: - get - apiGroups: - "" resources: - nodes/proxy verbs: - get --- # Source: trivy-operator/templates/rbac/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: trivy-operator labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: trivy-operator subjects: - kind: ServiceAccount name: trivy-operator namespace: trivy-system --- # Source: trivy-operator/templates/rbac/leader-election-role.yaml # permissions to do leader election. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: trivy-operator-leader-election namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl rules: - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - get - update - apiGroups: - "" resources: - events verbs: - create --- # Source: trivy-operator/templates/rbac/leader-election-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: trivy-operator-leader-election namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: trivy-operator-leader-election subjects: - kind: ServiceAccount name: trivy-operator namespace: trivy-system --- # Source: trivy-operator/templates/rbac/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: trivy-operator namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl rules: - apiGroups: - "" resources: - configmaps verbs: - create - get - list - watch - apiGroups: - "" resources: - secrets verbs: - create - get - delete - update --- # Source: trivy-operator/templates/rbac/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: trivy-operator namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: trivy-operator subjects: - kind: ServiceAccount name: trivy-operator namespace: trivy-system --- # Source: trivy-operator/templates/rbac/view-configauditreports-clusterrole.yaml # permissions for end users to view configauditreports apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregate-config-audit-reports-view labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" rules: - apiGroups: - aquasecurity.github.io resources: - configauditreports verbs: - get - list - watch --- # Source: trivy-operator/templates/rbac/view-exposedsecretreports-clusterrole.yaml # permissions for end users to view exposedsecretreports apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregate-exposed-secret-reports-view labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" rules: - apiGroups: - aquasecurity.github.io resources: - exposedsecretreports verbs: - get - list - watch --- # Source: trivy-operator/templates/rbac/view-vulnerabilityreports-clusterrole.yaml # permissions for end users to view vulnerabilityreports apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregate-vulnerability-reports-view labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" rules: - apiGroups: - aquasecurity.github.io resources: - vulnerabilityreports verbs: - get - list - watch --- # Source: trivy-operator/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: trivy-operator namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: kubectl