Limit targets or control types in k8s scan

[ahmedwaleedmalik]

Question

I'm using trivy for k8s CIS benchmark and would like to limit it to only scan nodes or certain targets. While this is possible with kube-bench as described below, I can't seem to figure out how to do it using trivy it self.

kube-bench -D ./cfg/ run --targets=node --benchmark=cis-1.8

Target

Kubernetes

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Operating System

No response

Version

No response

[afdesk]

@ahmedwaleedmalik Thanks for your interest in Trivy!
If you’d like to scan only specific kinds, you can use the flags --include-kinds / --exclude-kinds.
For generating corresponding reports, there’s also the --compliance flag, which supports several built-in report types (ex k8s-cis-1.23, eks-cis-1.4 etc).

Hope this helps you find the right solution!

[ahmedwaleedmalik]

I'm not sure if that really works or atleast there is not enough documentation for that. For example, how do i stop it from running tests for API server in that case?

[afdesk]

@ahmedwaleedmalik it seems I misunderstood your question. Could you share more details?
the docs:

• https://trivy.dev/latest/docs/target/kubernetes/#includeexclude-kinds
• https://trivy.dev/latest/docs/target/kubernetes/#compliance
• https://trivy.dev/latest/docs/compliance/compliance/

[ahmedwaleedmalik]

I was specifically looking for the equivalent of https://aquasecurity.github.io/kube-bench/v0.6.15/flags-and-commands/#:~:text=benchmark%20flags%20together-,Specifying%20Benchmark%20sections,-If%20you%20want

[afdesk]

Trivy isn't a full equivalent of kube-bench and provide broader functionality. Could you specify which functionality you are particularly interested in?