Merge pull request #213 from kubero-dev/212-run-kubero-vulnscanner-container-as-non-root

mms-gianni · web-flow · commit ff7f0932b9e1 · 2023-10-03T16:44:06.000+02:00
run vulnerability scans as nonroot
diff --git a/src/modules/kubectl.ts b/src/modules/kubectl.ts
@@ -574,6 +574,9 @@ export class Kubectl {
                     },
                     spec: {
                         restartPolicy: 'Never',
+                        securityContext: {
+                            runAsUser: 1000
+                        },
                         containers: [
                             {
                                 name: 'trivy-repo-scan',
@@ -589,6 +592,8 @@ export class Kubectl {
                                     "json",
                                     "--scanners",
                                     "vuln,secret,config",
+                                    "--cache-dir",
+                                    "/tmp/trivy",
                                     "--exit-code",
                                     "0"
                                 ],
@@ -627,6 +632,9 @@ export class Kubectl {
                     },
                     spec: {
                         restartPolicy: 'Never',
+                        securityContext: {
+                            runAsUser: 1000
+                        },
                         containers: [
                             {
                                 name: 'trivy-repo-scan',
@@ -640,6 +648,8 @@ export class Kubectl {
                                     "json",
                                     "--scanners",
                                     "vuln",
+                                    "--cache-dir",
+                                    "/tmp/trivy",
                                     "--exit-code",
                                     "0"
                                 ],
