fix false failures with trivy config scan

Signed-off-by: Tuomas Katila <[email protected]>

Author: tkatila

.github/workflows/lib-trivy.yaml

@@ -39,6 +39,7 @@ jobs:
         scan-ref: deployments/
         exit-code: 1
         severity: CRITICAL,HIGH
+        ignore-file: .trivyignore.yaml
 
   trivy-scan-dockerfiles:
     name: Scan Dockerfiles

.trivyignore

@@ -4,24 +4,3 @@
 # adding # a ‘USER’ statement to the Dockerfile.
 AVD-DS-0002
 
-# Privileged containers share namespaces with the host system and do not offer any security.
-# They should be used exclusively for system containers that require high  # privileges.
-# initcontainers require privileged access
-AVD-KSV-0017
-
-# Do not allow privilege escalation from node proxy
-# Check whether role permits privilege escalation from node proxy
-# gpu plugin in kubelet mode requires "nodes/proxy" resource access
-AVD-KSV-0047
-
-# Do not allow update/create of a malicious pod
-# Check whether role permits update/create of a malicious pod
-# device plugin operator requires access to daemonset creation etc.
-AVD-KSV-0048
-
-# HostPath present many security risks and as a security practice it is better to avoid critical host paths mounts.
-# Some plugins require access to various host paths
-AVD-KSV-0121
-
-# Device plugins do not use any CSIs
-## CVE-2019-11255

.trivyignore.yaml

@@ -0,0 +1,55 @@
+misconfigurations:
+  - id: AVD-KSV-0121
+    statement: Some plugins require access to various host paths
+    paths:
+      - dlb_plugin/base/intel-dlb-plugin.yaml
+      - fpga_plugin/base/intel-fpga-plugin-daemonset.yaml
+      - qat_plugin/base/intel-qat-kernel-plugin.yaml
+      - qat_plugin/overlays/qat_initcontainer/qat_initcontainer.yaml
+
+  - id: AVD-KSV-0017
+    statement: initcontainers require privileged access
+    paths:
+      - dlb_plugin/overlays/dlb_initcontainer/dlb_initcontainer.yaml
+      - dsa_plugin/overlays/dsa_initcontainer/dsa_initcontainer.yaml
+      - qat_dpdk_app/patches/crypto-perf/env_replace_testcmd.yaml
+      - iaa_plugin/overlays/iaa_initcontainer/iaa_initcontainer.yaml
+      - qat_plugin/base/intel-qat-kernel-plugin.yaml
+      - qat_plugin/overlays/qat_initcontainer/qat_initcontainer.yaml
+
+  - id: AVD-KSV-0047
+    statement: gpu plugin in kubelet mode requires "nodes/proxy" resource access
+    paths:
+      - gpu_plugin/overlays/fractional_resources/gpu-manager-role.yaml
+      - operator/rbac/gpu_manager_role.yaml
+      - operator/rbac/role.yaml
+
+  - id: AVD-KSV-0014
+    statement: These are false detections for not setting "readOnlyFilesystem"
+    paths:
+      - fpga_plugin/overlays/region/mode-region.yaml
+      - gpu_plugin/overlays/fractional_resources/add-mounts.yaml
+      - gpu_plugin/overlays/fractional_resources/add-args.yaml
+      - gpu_plugin/overlays/fractional_resources/gpu-manager-role.yaml
+      - gpu_plugin/overlays/monitoring_shared-dev_nfd/add-args.yaml
+      - gpu_plugin/overlays/nfd_labeled_nodes/add-args.yaml
+      - iaa_plugin/overlays/iaa_initcontainer/iaa_initcontainer.yaml
+      - fpga_admissionwebhook/base/manager_webhook_patch.yaml
+      - operator/device/dlb/dlb.yaml
+      - operator/device/dsa/dsa.yaml
+      - operator/device/fpga/fpga.yaml
+      - operator/device/gpu/gpu.yaml
+      - operator/device/qat/qat.yaml
+      - operator/device/sgx/sgx.yaml
+      - gpu_tensorflow_test/deployment.yaml
+      - sgx_enclave_apps/overlays/sgx_ecdsa_inproc_quote/add_sgx_default_qcnl_conf.yaml
+      - xpumanager_sidecar/kustom/kustom_xpumanager.yaml
+      - operator/default/manager_auth_proxy_patch.yaml
+      - operator/default/manager_webhook_patch.yaml
+      - qat_dpdk_app/patches/compress-perf/env_replace_testcmd.yaml
+      - qat_dpdk_app/patches/compress-perf/volume_add_configmap.yaml
+      - qat_plugin/overlays/debug/add-args.yaml
+      - qat_plugin/overlays/e2e/add-args.yaml
+      - qat_plugin/overlays/debug/add-args.yaml
+      - qat_dpdk_app/patches/crypto-perf/env_replace_testcmd.yaml
+      - sgx_admissionwebhook/base/manager_webhook_patch.yaml

deployments/sgx_plugin/overlays/epc-register/init-daemonset.yaml

@@ -30,6 +30,7 @@ spec:
               fieldPath: spec.nodeName
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop:
               - ALL