Operator does not use .trivyignore for ClusterRbacAssessmentReport

[m-hofmann]

I've installed trivy-operator 0.14.1 into my cluster using the Helm chart. Scanning works fine and configauditreports as well as vulnerabilityreports are created reliably.

I'd like to suppress some vulnerabilities and have configured the following trivy.ignoreFile in the values.yaml:

ignoreFile: |
    # allow management of secrets for admin roles
    KSV041
    AVD-KSV-0041
    # some default roles in our cluster use wildcards verbs
    KSV044
    AVD-KSV-0044
    # some default roles in our cluster use wildcard resources
    KSV046
    AVD-KSV-0046
    # allow creation of "malicious pods" for some roles
    KSV048
    AVD-KSV-0048
    # roles that allow admins to manage RBAC resources are necessary (cluster-admin)
    KSV050
    AVD-KSV-0050
    # this works
    CVE-2022-1471

Unfortunately, ignore rules for ClusterRbacAssessmentReport do not seem to work:

$ kubectl describe clusterrbacassessmentreports.aquasecurity.github.io clusterrole-trivy-operator 
Name:         clusterrole-trivy-operator
Namespace:    
Labels:       plugin-config-hash=659b7b9c46
              resource-spec-hash=78c64bc8
              trivy-operator.resource.kind=ClusterRole
              trivy-operator.resource.name=trivy-operator
              trivy-operator.resource.namespace=
Annotations:  <none>
API Version:  aquasecurity.github.io/v1alpha1
Kind:         ClusterRbacAssessmentReport
Metadata:
  Creation Timestamp:  2023-06-16T08:57:29Z
  Generation:          1
  Managed Fields:
    # ... removed  ... 
  Owner References:
    API Version:           rbac.authorization.k8s.io/v1
    Block Owner Deletion:  false
    Controller:            true
    Kind:                  ClusterRole
    Name:                  trivy-operator
    UID:                   9d9004e9-4170-4b86-b83a-80c056029c1b
  Resource Version:        764583448
  UID:                     47be17e2-6ab4-4cd2-9fd5-5ddc9f26b87e
Report:
  Checks:
    Category:     Kubernetes Security Check
    Check ID:     KSV048
    Description:  Check whether role permits update/create of a malicious pod
    Messages:
      Role permits create/update of a malicious pod
    Severity:     HIGH
    Success:      false
    Title:        Do not allow update/create of a malicious pod
    Category:     Kubernetes Security Check
    Check ID:     KSV041
    Description:  Check whether role permits managing secrets
    Messages:
      Role permits management of secret(s)
    Severity:  CRITICAL
    Success:   false
    Title:     Do not allow management of secrets
  Scanner:
    Name:     Trivy
    Vendor:   Aqua Security
    Version:  0.14.1
  Summary:
    Critical Count:  1
    High Count:      1
    Low Count:       0
    Medium Count:    0
Events:              <none>

As you can see, KSV041 and KSV048 are still found though they're listed in the ignore file. However, ignoring CVE-2022-1471 for containers running a Java app works, meaning .trivyignore works to some degree.

How can I ignore findings for RBAC resources? Thanks in advance for any help!

[chen-keinan]

@m-hofmann you are correct ignore rules is not supported for these reports , do you mind opening an issue for it

[m-hofmann]

@chen-keinan thanks for clarifying. Issue has been opened