Virtual Machine Image Compliance Scanning (VM, VMDK, AWS AMI)

[tburow]

I would like to request CIS Compliance scanning for VM images.

The current CVE scanning is great! love it! and the early experimental release for the container CIS Scanning is a great start and we are already using it. It would be very helpful for our adoption of Trivy if compliance scanning for VMs was available.

Thanks!

[knqyf263]

Thanks for the feature request. Is there any compliance specification for VM images in your mind?

[tburow]

I was thinking CIS level one and level 2 options as the basis. The experimental Container compliance is already aligned with CIS. CIS is the most common publicly accepted standard and maps well to other government based standards such as DISA STIG, OSCAP, NIST, & CMMC.

[knqyf263]

Which benchmark are you referring to?

[tburow]

CIS Level 1, & Level 2 benchmarks for Linux operating systems.

There are basically 2 groupings, RPM based, and Debian Based. Linux OS's in these 2 categories are largely the same with some minor changes between them. thus supporting the 2 macro patterns, then adjusting for the minor deltas should be achievable with the foundations in place.

There might be ultimately a larger list, but these are the common ones that hold the market share of deployments. Limiting scope for a first release would be advantageous. then perhaps pass a scanner option to run a generic test mode based on technology: "rpm-based" or "deb-based" for those outer edge cases.

RPM (RHEL) based:
AWS Amazon Linux2
AWS Amazon Linux 2023
RHEL 7,8,9
Rocky 8,9
rhel based: 8 -> 9, al2->23 represent a major leap in linux

Debian Based:
Ubuntu 18,20,22
Deb 9, 10,11
deb based U20->22, deb 10->11 also represent a major leap.

[tburow]

Whats the thoughts on this?

[tburow]

Although I havnt really tested it - would integration of linux-bench into trivy as a scanner be an approach?? would follow the integration reuse approach of other scanners like tfsec. Tho it looks like Linux-bench may be abandoned?

[knqyf263]

It sounds interesting, but linux-bench runs OS commands. Trivy analyzes images statically. It takes work to migrate it.

[itaysk]

just to mention that it sounds similar to trivy's "node-collector" which collects data from host by running commands, and making this data available for compliance decisions. it still is work to migrate linux-bench into node-collector and then write policies for it, which I'm not sure we want to do

[tburow]

Thats ok, I hadn't used bench before, was just looking through the projects for something else and noticed it. Any chance compliance for VMs is on the roadmap yet for Trivy?? Pretty big issue for me right now, trying to rely on Qualys which is not the greatest or stable platform to use. I have already replaced vulnerability scanning with Trivy, and we use tfsec and trivy both extensively in other areas. It is a really nice tool, appreciate all you guys do with it!

[tburow]

Im wondering if this got accepted as a feature and either prioritized or added to the backlog? We are trying to find a compliance scanning solution replacement for Qualys, but if this isn't going to make the list ill need to continue searching. - thanks in advance

[itaysk]

we don't have plans to work on this in the near term

[tburow]

Thats disconcerting :( That might drive us away from Trivy.

Are their any recommended community options out there? (other then openscap)