Use only AuditScanner as a CIS-compliance control

[kapistka]

We plan to use only the compliance report, scan periodically and collect the result in metrics. Thus, we want to control the change of some cluster security settings. At the same time, we don't need other functionality and other reports (CRD).
It seems that only configAuditScannerEnabled: true will not be enough, since not all CIS checks will be performed. That's why trivy-operator was deploy like this:

operator:
  vulnerabilityScannerEnabled: false
  sbomGenerationEnabled: false
  rbacAssessmentScannerEnabled: true
  exposedSecretScannerEnabled: true
  infraAssessmentScannerEnabled: true
  configAuditScannerEnabled: true
  clusterComplianceEnabled: true
  metricsClusterComplianceInfo: true

trivy:
  offlineScan: true

compliance:
  cron: "*/10 * * * *"

After that we get the expected CIS-result: 21 fail/95 pass.

But there are questions.

1. How to delete (or not create) reports from other modules in other namespaces: ConfigAuditReport, RbacAssessmentReport, ClusterRbacAssessmentReport, ExposedSecretReport, InfraAssessmentReport. We don't use them and they look superfluous in the ArgoCD interface.
2. After changing the operator settings (turning off other scanning modules and changing targetNamespaces), the result became 0/116. But after returning to the original settings, the result became 14/102 instead of 21/95 (5.x ids only). Nothing changed in the cluster and every changing the operator settings was accompanied by a pod restart. It seems that CIS checks give an unstable result.
3. An honest Pass result. If the CIS-check was not performed, it is considered as Pass. How do I know when a check is really a Pass?

trivy-operator: 0.21.1
helm-chart: trivy-operator-0.23.1
k8s: v1.29.4
ArgoCD: v2.11.2

[chen-keinan]

@kapistka the reports are generate in the namespaces where resources exist, for example a workload which has been deployed to namespace dev it report will be generated in the same namespace.

the crds are deployed by default, by setting the param you mention above it disable scanners
1.
you can exclude namespace scanning or target specific namespace

2. if you change targetNamespaces you'll have to delete reports and restart trivy-operator
3. can you explain what do you mean by check wasn't performed , can you give an example ?

[kapistka]

1, 2 We have decided on the optimal settings for us.

targetNamespaces="kube-system"

operator:
  vulnerabilityScannerEnabled: false
  sbomGenerationEnabled: false
  rbacAssessmentScannerEnabled: false
  exposedSecretScannerEnabled: false
  infraAssessmentScannerEnabled: true
  configAuditScannerEnabled: true
  clusterComplianceEnabled: true
  metricsClusterComplianceInfo: true

There is no workloads checking here (CIS ids 5.X), but we control it through the Policy Engine.

3. For example, if specify infraAssessmentScannerEnabled: false and configAuditScannerEnabled: false, the result of CIS will be 0/116 (each ID is totalFail: 0). But honestly, it would be better to give x Fail / y Pass / z Unknown

[chen-keinan]

infraAssessmentScannerEnabled trigger the node-collector which collect info from node and evaluate it.
infraAssessmentScannerEnabled evaluate info from k8s core components (api-server, etcd, controller-manager and etc)
therefore both should be enabled