secureCodeBox · Reet00 · May 9, 2025 · May 7, 2025 · May 7, 2025 · May 7, 2025
diff --git a/documentation/docs/getting-started/upgrading.md b/documentation/docs/getting-started/upgrading.md
@@ -26,6 +26,13 @@ If you maintain a custom deployment that directly references `manager-role` or `
 
 ➡️  [Reference: #3002](https://github.com/secureCodeBox/secureCodeBox/pull/3002)
 
+### Changes to trivy k8s scope (namespace / cluster)
+
+The `kubeauditScope` on the `trivy` ScanType chart was renamed to `k8sScanScope` Scope. The previous name was used for consistency with the `kubeaudit` ScanType, but it never really made sense and was confusing.
+The default `k8sScanScope` scope was also changed from `cluster` to `namespace`, The cluster mode needs cluster wide permissions, which makes the trivy chart hard to install in properly locked down RBAC setups.
+
+➡️  [Reference: #3025](https://github.com/secureCodeBox/secureCodeBox/pull/3025)
+
 ## From 3.X to 4.X
 
 ### Renamed the docker images of demo-targets to include a "demo-target-" prefix

diff --git a/scanners/trivy/Makefile b/scanners/trivy/Makefile
@@ -9,3 +9,13 @@ include_guard = set
 scanner = trivy
 
 include ../../scanners.mk
+
+.PHONY: deploy-without-scanner
+deploy-without-scanner:
+	@echo ".: 💾 Deploying '$(name)' $(scanner-prefix) HelmChart with the docker tag '$(IMG_TAG)' into kind namespace 'integration-tests'."
+	helm -n integration-tests upgrade --install $(name) ./ --wait \
+		--set="parser.image.repository=docker.io/$(IMG_NS)/$(parser-prefix)-$(name)" \
+		--set="parser.image.tag=$(IMG_TAG)" \
+    	--set="parser.env[0].name=CRASH_ON_FAILED_VALIDATION" \
+    	--set-string="parser.env[0].value=true" \
+		--set="k8sScanScope=cluster"
diff --git a/scanners/trivy/README.md b/scanners/trivy/README.md
@@ -133,7 +133,7 @@ Kubernetes: `>=v1.11.0-0`
 | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner |
 | createAutoDiscoveryScanType | bool | `false` | Creates a `trivy-image-autodiscovery` scanType with its own ServiceAccount for the SCB AutoDiscovery, enabled to scan images from both public & private registries. |
 | imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |
-| kubeauditScope | string | `"cluster"` | Automatically sets up rbac roles for kubeaudit to access the resources it scans. Can be either "cluster" (ClusterRole) or "namespace" (Role) |
+| k8sScanScope | string | `"cluster"` | Automatically sets up rbac roles for trivy to access the resources it scans. Can be either "cluster" (ClusterRole) or "namespace" (Role) |
 | parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
 | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
 | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |

diff --git a/scanners/trivy/docs/README.ArtifactHub.md b/scanners/trivy/docs/README.ArtifactHub.md
@@ -140,7 +140,7 @@ Kubernetes: `>=v1.11.0-0`
 | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner |
 | createAutoDiscoveryScanType | bool | `false` | Creates a `trivy-image-autodiscovery` scanType with its own ServiceAccount for the SCB AutoDiscovery, enabled to scan images from both public & private registries. |
 | imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |
-| kubeauditScope | string | `"cluster"` | Automatically sets up rbac roles for kubeaudit to access the resources it scans. Can be either "cluster" (ClusterRole) or "namespace" (Role) |
+| k8sScanScope | string | `"cluster"` | Automatically sets up rbac roles for trivy to access the resources it scans. Can be either "cluster" (ClusterRole) or "namespace" (Role) |
 | parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
 | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
 | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |

diff --git a/scanners/trivy/examples/k8s-cluster/README.md b/scanners/trivy/examples/k8s-cluster/README.md
@@ -0,0 +1,13 @@
+<!--
+SPDX-FileCopyrightText: the secureCodeBox authors
+
+SPDX-License-Identifier: Apache-2.0
+-->
+
+This example shows how to use the `trivy k8s` scan with the secureCodeBox to scan an entire cluster with trivy.
+
+Note: To scan the entire cluster you need to set the `k8sScanScope=cluster` for the trivy ScanType, otherwise the scanner doesn't have sufficient RBAC permissions to access all resources.
+
+```bash
+helm upgrade --install trivy oci://ghcr.io/securecodebox/helm/trivy --set="k8sScanScope=cluster"
+```
diff --git a/scanners/trivy/examples/k8s-cluster/scan.yaml b/scanners/trivy/examples/k8s-cluster/scan.yaml
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: "execution.securecodebox.io/v1"
+kind: Scan
+metadata:
+  name: "trivy-k8s"
+spec:  
+  scanType: "trivy-k8s"
+  parameters: [] # to can the entire cluster you need no parameters
diff --git a/scanners/trivy/examples/k8s/README.md → ...rs/trivy/examples/k8s-namespace/README.md b/scanners/trivy/examples/k8s/README.md → ...rs/trivy/examples/k8s-namespace/README.md
@@ -4,4 +4,4 @@ SPDX-FileCopyrightText: the secureCodeBox authors
 SPDX-License-Identifier: Apache-2.0
 -->
 
-This example shows how to use the `trivy k8s` scan with the secureCodeBox.
+This example shows how to use the `trivy k8s` scan with the secureCodeBox to scan a single namespace.
diff --git a/scanners/trivy/examples/k8s/scan.yaml → ...rs/trivy/examples/k8s-namespace/scan.yaml b/scanners/trivy/examples/k8s/scan.yaml → ...rs/trivy/examples/k8s-namespace/scan.yaml
@@ -9,4 +9,5 @@ metadata:
 spec:  
   scanType: "trivy-k8s"
   parameters:
-    - "cluster"
+    - "--include-namespaces"
+    - default # can be any namespace
diff --git a/scanners/trivy/templates/trivy-rbac.yaml b/scanners/trivy/templates/trivy-rbac.yaml
@@ -70,7 +70,7 @@ roleRef:
   kind: Role
   name: lurker
 ---
-  {{- if eq .Values.kubeauditScope "namespace" }}
+{{- if eq .Values.k8sScanScope "namespace" }}
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -82,20 +82,31 @@ rules:
       - pods
       - podtemplates
       - replicationcontrollers
-      - namespaces
+      - serviceaccounts
+      - services
+      - configmaps
+      - resourcequotas
+      - limitranges
     verbs: ["get", "list"]
   - apiGroups: ["apps"]
        resources:
       - daemonsets
       - statefulsets
       - deployments
     verbs: ["get", "list"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources:
+      - rolebindings
+      - roles
+    verbs: ["get", "list"]
   - apiGroups: ["batch"]
     resources:
+      - jobs
       - cronjobs
     verbs: ["get", "list"]
-  - apiGroups: ["networking"]
+  - apiGroups: ["networking.k8s.io"]
     resources:
+      - ingresses
       - networkpolicies
     verbs: ["get", "list"]
 ---
@@ -112,33 +123,45 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: trivy-k8s
-  {{- end }}
-  {{- if eq .Values.kubeauditScope "cluster" }}
+{{- end }}
+{{- if eq .Values.k8sScanScope "cluster" }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: trivy-k8s
 rules:
   - apiGroups: [""]
     resources:
+      - namespaces
       - pods
       - podtemplates
       - replicationcontrollers
-      - namespaces
+      - serviceaccounts
+      - services
+      - configmaps
+      - resourcequotas
+      - limitranges
     verbs: ["get", "list"]
   - apiGroups: ["apps"]
     resources:
       - daemonsets
       - statefulsets
       - deployments
     verbs: ["get", "list"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources:
+      - rolebindings
+      - roles
+    verbs: ["get", "list"]
   - apiGroups: ["batch"]
     resources:
+      - jobs
       - cronjobs
     verbs: ["get", "list"]
-  - apiGroups: ["networking"]
+  - apiGroups: ["networking.k8s.io"]
     resources:
       - networkpolicies
+      - ingresses
     verbs: ["get", "list"]
 ---
 kind: ClusterRoleBinding
@@ -153,4 +176,4 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cluster-admin
-  {{- end }}
+{{- end }}