AVD-KSV-0013 containers should specify an image tag - false positive

[huornlmj]

IDs

AVD-KSV-0013

Description

A false positive is found by Trivy in misconfiguration scanning mode.
Trivy output:

AVD-KSV-0013 (MEDIUM): Container 'planner' of Pod 'planner' should specify an image tag
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.

See https://avd.aquasec.com/misconfig/ksv013
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 artefacts/deploy/manifest.yaml:201-232
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 201 ┌     - name: planner
 202 │       image: 127.0.0.1:5000/planner:0.4.0
 203 │       ports:
 204 │         - containerPort: 33333
 205 │       imagePullPolicy: Always
 206 │       args: [ "-config", "/config/defaults.json", "-v", "2" ]
 207 │       securityContext:
 208 │         capabilities:
 209 └           drop: [ 'ALL' ]

Reproduction Steps

1. Scan https://github.com/intel/intent-driven-orchestration/blob/9f37fe0552245f1c8b41285aed61696c3b375ceb/artefacts/deploy/manifest.yaml#L202
2. Observe that a pinned version is used.
3. Observe the false positive result from Trivy.

Target

Kubernetes

Scanner

Misconfiguration

Target OS

N/A

Debug Output

$ trivy config . -d
2025-08-08T14:43:07+01:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-08-08T14:43:07+01:00       DEBUG   Cache dir       dir="/home/user/.cache/trivy"
2025-08-08T14:43:07+01:00       DEBUG   Cache dir       dir="/home/user/.cache/trivy"
2025-08-08T14:43:07+01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-08-08T14:43:07+01:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-08-08T14:43:07+01:00       DEBUG   [notification] Running version check
2025-08-08T14:43:07+01:00       DEBUG   [misconfig] Checks successfully loaded from disk
2025-08-08T14:43:07+01:00       DEBUG   [notification] Version check completed  latest_version="0.65.0"
2025-08-08T14:43:07+01:00       DEBUG   [rego] Overriding filesystem for checks
2025-08-08T14:43:07+01:00       DEBUG   [rego] Embedded libraries are loaded    count=17
2025-08-08T14:43:08+01:00       DEBUG   [rego] Embedded checks are loaded       count=519
2025-08-08T14:43:08+01:00       DEBUG   [rego] Checks from disk are loaded      count=536
2025-08-08T14:43:08+01:00       DEBUG   [rego] Overriding filesystem for data
2025-08-08T14:43:08+01:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-08-08T14:43:08+01:00       DEBUG   Initializing scan cache...      type="memory"
2025-08-08T14:43:08+01:00       DEBUG   [fs] Analyzing...       root="."
2025-08-08T14:43:08+01:00       DEBUG   [fs] Using the latest commit hash for calculating cache key     commit_hash="9f37fe0552245f1c8b41285aed61696c3b375ceb"
2025-08-08T14:43:08+01:00       DEBUG   Skipping path   path=".git"
2025-08-08T14:43:08+01:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Kubernetes"
2025-08-08T14:43:08+01:00       DEBUG   [kubernetes scanner] Scanning files...  count=31
2025-08-08T14:43:08+01:00       DEBUG   [rego] Scanning inputs  count=31
2025-08-08T14:43:09+01:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Dockerfile"
2025-08-08T14:43:09+01:00       DEBUG   [dockerfile scanner] Scanning files...  count=5
2025-08-08T14:43:09+01:00       DEBUG   [rego] Scanning inputs  count=5
2025-08-08T14:43:09+01:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Helm"
2025-08-08T14:43:09+01:00       DEBUG   OS is not detected.
2025-08-08T14:43:09+01:00       INFO    Detected config files   num=14
2025-08-08T14:43:09+01:00       DEBUG   Scanned config file     file_path="Dockerfile"
2025-08-08T14:43:09+01:00       DEBUG   Scanned config file     file_path="plugins/scale_out/scaleout-actuator-plugin.yaml"
2025-08-08T14:43:09+01:00       DEBUG   Scanned config file     file_path="plugins/scale_out/Dockerfile"
2025-08-08T14:43:09+01:00       DEBUG   Scanned config file     file_path="plugins/cpu_scale/Dockerfile"
2025-08-08T14:43:09+01:00       DEBUG   Scanned config file     file_path="plugins/cpu_scale/cpu-scale-actuator-plugin.yaml"
2025-08-08T14:43:09+01:00       DEBUG   Scanned config file     file_path="plugins/rdt/Dockerfile"
2025-08-08T14:43:09+01:00       DEBUG   Scanned config file     file_path="plugins/rdt/rdt-actuator-plugin.yaml"
2025-08-08T14:43:09+01:00       DEBUG   Scanned config file     file_path="plugins/rm_pod/Dockerfile"
2025-08-08T14:43:09+01:00       DEBUG   Scanned config file     file_path="plugins/rm_pod/rmpod-actuator-plugin.yaml"
2025-08-08T14:43:09+01:00       DEBUG   Scanned config file     file_path="artefacts/deploy/manifest.yaml"
2025-08-08T14:43:09+01:00       DEBUG   Scanned config file     file_path="artefacts/examples/default_profiles.yaml"
2025-08-08T14:43:09+01:00       DEBUG   Scanned config file     file_path="artefacts/examples/example_deployment.yaml"
2025-08-08T14:43:09+01:00       DEBUG   Scanned config file     file_path="artefacts/examples/example_intent.yaml"
2025-08-08T14:43:09+01:00       DEBUG   Scanned config file     file_path="artefacts/intents_crds_v1alpha1.yaml"
2025-08-08T14:43:09+01:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-08-08T14:43:09+01:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

SNIP

artefacts/deploy/manifest.yaml (kubernetes)

Tests: 120 (SUCCESSES: 112, FAILURES: 8)
Failures: 8 (UNKNOWN: 0, LOW: 2, MEDIUM: 4, HIGH: 2, CRITICAL: 0)

AVD-KSV-0013 (MEDIUM): Container 'planner' of Pod 'planner' should specify an image tag
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.

See https://avd.aquasec.com/misconfig/ksv013
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 artefacts/deploy/manifest.yaml:201-232
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 201 ┌     - name: planner
 202 │       image: 127.0.0.1:5000/planner:0.3.0
 203 │       ports:
 204 │         - containerPort: 33333
 205 │       imagePullPolicy: Always
 206 │       args: [ "-config", "/config/defaults.json", "-v", "2" ]
 207 │       securityContext:
 208 │         capabilities:
 209 └           drop: [ 'ALL' ]
 ...
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

SNIP

Version

$ trivy --version
Version: 0.64.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-08-07 06:28:58.287270346 +0000 UTC
  NextUpdate: 2025-08-08 06:28:58.287270005 +0000 UTC
  DownloadedAt: 2025-08-07 09:51:54.845313477 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-11-06 03:52:35.137443806 +0000 UTC
  NextUpdate: 2024-11-09 03:52:35.137443696 +0000 UTC
  DownloadedAt: 2024-11-06 12:34:58.556721347 +0000 UTC
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-08-08 11:23:24.612747178 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[simar7]

hi @huornlmj - thanks for the report track #9328