-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(checks): Deprecate remaining PSP checks #277
Conversation
@nikpivkin since you recently checked the CIS benchmarks, should they be updated as well as some of them check for this check as can be seen here: trivy-checks/pkg/specs/compliance/k8s-cis-1.23.yaml Lines 285 to 293 in 6f4dbd8
|
@simar7 You mean update the k8s checks to align with the benchmarks? |
2abcbba
to
605b0fd
Compare
I think we will need to keep that check as we only target 1.23 which still has it. Unless we update to target a newer version of k8s. For now we can just add a deprecation message to inform the users about it. I've updated the PR accordingly. |
@simar7 In such a situation, we specify a frameworks field for cloud checks that lists the benchmarks. If the user passes a compliance flag with one of the benchmarks when scanning, only then this check is applied. An example of a check that will not be loaded by default when scanning: https://github.com/aquasecurity/trivy-checks/blob/main/checks/cloud/aws/cloudwatch/require_cloudtrail_change_alarm.rego#L19-L23. I think we can do something like this here. Wdyt? |
605b0fd
to
df6995b
Compare
Good point, updated. |
df6995b
to
82951a5
Compare
Close: aquasecurity/trivy#5541