2019-06-28 08:48:52 +00:00
|
|
|
module github.com/aquasecurity/kube-bench
|
2019-06-26 10:58:51 +00:00
|
|
|
|
2024-10-24 06:40:41 +00:00
|
|
|
go 1.22.0
|
|
|
|
|
|
|
|
toolchain go1.22.7
|
2019-06-26 10:58:51 +00:00
|
|
|
|
|
|
|
require (
|
2024-11-15 05:32:36 +00:00
|
|
|
github.com/aws/aws-sdk-go-v2 v1.32.4
|
2024-11-15 12:21:14 +00:00
|
|
|
github.com/aws/aws-sdk-go-v2/config v1.28.4
|
2024-11-15 05:32:36 +00:00
|
|
|
github.com/aws/aws-sdk-go-v2/service/securityhub v1.54.6
|
2024-11-15 10:14:30 +00:00
|
|
|
github.com/fatih/color v1.18.0
|
2024-11-15 11:53:09 +00:00
|
|
|
github.com/golang/glog v1.2.3
|
2022-12-22 08:58:53 +00:00
|
|
|
github.com/magiconair/properties v1.8.7
|
2021-10-14 12:04:02 +00:00
|
|
|
github.com/onsi/ginkgo v1.16.5
|
2020-11-23 19:43:53 +00:00
|
|
|
github.com/pkg/errors v0.9.1
|
2024-11-01 04:31:03 +00:00
|
|
|
github.com/spf13/cobra v1.8.1
|
2024-11-15 11:34:30 +00:00
|
|
|
github.com/spf13/viper v1.19.0
|
2024-11-29 07:20:56 +00:00
|
|
|
github.com/stretchr/testify v1.10.0
|
2021-08-04 08:38:18 +00:00
|
|
|
gopkg.in/yaml.v2 v2.4.0
|
2024-10-10 04:37:41 +00:00
|
|
|
gorm.io/driver/postgres v1.5.9
|
2024-10-25 09:37:35 +00:00
|
|
|
gorm.io/gorm v1.25.12
|
2024-11-29 06:41:36 +00:00
|
|
|
k8s.io/apimachinery v0.31.3
|
|
|
|
k8s.io/client-go v0.31.3
|
2022-10-03 05:52:06 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
require (
|
2024-11-15 12:21:14 +00:00
|
|
|
github.com/aws/aws-sdk-go-v2/credentials v1.17.45 // indirect
|
|
|
|
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19 // indirect
|
2024-11-15 05:32:36 +00:00
|
|
|
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23 // indirect
|
|
|
|
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23 // indirect
|
2024-09-28 07:36:44 +00:00
|
|
|
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
|
2024-11-15 12:21:14 +00:00
|
|
|
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 // indirect
|
|
|
|
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4 // indirect
|
|
|
|
github.com/aws/aws-sdk-go-v2/service/sso v1.24.5 // indirect
|
|
|
|
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4 // indirect
|
|
|
|
github.com/aws/aws-sdk-go-v2/service/sts v1.33.0 // indirect
|
2024-11-01 05:14:40 +00:00
|
|
|
github.com/aws/smithy-go v1.22.0 // indirect
|
2024-01-05 05:59:17 +00:00
|
|
|
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
|
2024-01-11 08:34:21 +00:00
|
|
|
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
|
2024-01-05 05:59:17 +00:00
|
|
|
github.com/fsnotify/fsnotify v1.7.0 // indirect
|
2024-10-24 06:51:14 +00:00
|
|
|
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
|
|
|
|
github.com/go-logr/logr v1.4.2 // indirect
|
2024-01-11 08:34:21 +00:00
|
|
|
github.com/go-openapi/jsonpointer v0.19.6 // indirect
|
|
|
|
github.com/go-openapi/jsonreference v0.20.2 // indirect
|
2024-10-24 06:51:14 +00:00
|
|
|
github.com/go-openapi/swag v0.22.4 // indirect
|
Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s (#1523)
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
* release: prepare v0.6.15 (#1455)
Signed-off-by: chenk <hen.keinan@gmail.com>
* build(deps): bump golang from 1.19.4 to 1.20.4 (#1436)
Bumps golang from 1.19.4 to 1.20.4.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump actions/setup-go from 3 to 4 (#1402)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
* Fix test_items in cis-1.7 - node - 4.2.12 (#1469)
Related issue: https://github.com/aquasecurity/kube-bench/issues/1468
* Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (#1472)
* chore: add fips compliant images (#1473)
For fips complaince we need to generate fips compliant images.
As part of this change, we will create new kube-bench image which will be fips compliant. Image name follows this tag pattern <version>-ubi-fips
* release: prepare v0.6.16-rc (#1476)
* release: prepare v0.6.16-rc
Signed-off-by: chenk <hen.keinan@gmail.com>
* release: prepare v0.6.16-rc
Signed-off-by: chenk <hen.keinan@gmail.com>
---------
Signed-off-by: chenk <hen.keinan@gmail.com>
* release: prepare v0.6.16 official (#1479)
Signed-off-by: chenk <hen.keinan@gmail.com>
* Update job.yaml (#1477)
* Update job.yaml
Fix on typo for image version
* chore: sync with upstream
Signed-off-by: chenk <hen.keinan@gmail.com>
---------
Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
* release: prepare v0.6.17 (#1480)
Signed-off-by: chenk <hen.keinan@gmail.com>
* Bump docker base images (#1465)
During a recent CVE scan we found kube-bench to use `alpine:3.18` as the final image which has a known high CVE.
```
grype aquasec/kube-bench:v0.6.15
✔ Vulnerability DB [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [73 packages]
✔ Scanning image... [4 vulnerabilities]
├── 0 critical, 4 high, 0 medium, 0 low, 0 negligible
└── 4 fixed
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
libcrypto3 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High
libssl3 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High
openssl 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High
```
The CVE in question was addressed in the latest [alpine release](https://www.alpinelinux.org/posts/Alpine-3.15.9-3.16.6-3.17.4-3.18.2-released.html), hence updating the dockerfiles accordingly
* build(deps): bump golang from 1.20.4 to 1.20.6 (#1475)
Bumps golang from 1.20.4 to 1.20.6.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s
Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides
kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
* RKE/RKE2 CIS Benchmarks
Updated the order of checks for RKE and RKE2 Platforms.
* fixed vulnerabilities|upgraded package golang.org/x/net to version v0.17.0
* Error handling for RKE Detection Pre-requisites
* Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides#hardening-guides-and-benchmark-versions, kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
updated documentation specific to added rancher platforms
* addressed review comments
1.Implemented IsRKE functionality in kube-bench
2. Removed containerd from global level config and accommodated in individual config file
3. Corrected the control id from 1.2.25 to 1.2.23 in master.yaml(k3s-cis-1.23 and k3s-cis-1.24)
* Removed unncessary dependency - kubernetes-provider-detector
---------
Signed-off-by: chenk <hen.keinan@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andy Pitcher <andy.pitcher@suse.com>
Co-authored-by: Devendra Turkar <devendra.turkar@gmail.com>
Co-authored-by: Guille Vigil <contact@guillermotti.com>
Co-authored-by: Jonas-Taha El Sesiy <jonas-taha.elsesiy@snowflake.com>
2023-11-26 10:27:38 +00:00
|
|
|
github.com/gogo/protobuf v1.3.2 // indirect
|
2024-04-18 06:54:55 +00:00
|
|
|
github.com/golang/protobuf v1.5.4 // indirect
|
2024-01-11 08:34:21 +00:00
|
|
|
github.com/google/gnostic-models v0.6.8 // indirect
|
2024-10-25 04:26:08 +00:00
|
|
|
github.com/google/go-cmp v0.6.0 // indirect
|
2024-01-11 08:34:21 +00:00
|
|
|
github.com/google/gofuzz v1.2.0 // indirect
|
2024-10-24 06:51:14 +00:00
|
|
|
github.com/google/uuid v1.6.0 // indirect
|
2022-10-03 05:52:06 +00:00
|
|
|
github.com/hashicorp/hcl v1.0.0 // indirect
|
2023-12-08 06:07:14 +00:00
|
|
|
github.com/inconshreveable/mousetrap v1.1.0 // indirect
|
2022-10-03 05:52:06 +00:00
|
|
|
github.com/jackc/pgpassfile v1.0.0 // indirect
|
2023-02-04 20:15:32 +00:00
|
|
|
github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
|
2024-10-10 04:37:41 +00:00
|
|
|
github.com/jackc/pgx/v5 v5.5.5 // indirect
|
2024-04-06 05:59:45 +00:00
|
|
|
github.com/jackc/puddle/v2 v2.2.1 // indirect
|
2022-10-03 05:52:06 +00:00
|
|
|
github.com/jinzhu/inflection v1.0.0 // indirect
|
|
|
|
github.com/jinzhu/now v1.1.5 // indirect
|
Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s (#1523)
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
* release: prepare v0.6.15 (#1455)
Signed-off-by: chenk <hen.keinan@gmail.com>
* build(deps): bump golang from 1.19.4 to 1.20.4 (#1436)
Bumps golang from 1.19.4 to 1.20.4.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump actions/setup-go from 3 to 4 (#1402)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
* Fix test_items in cis-1.7 - node - 4.2.12 (#1469)
Related issue: https://github.com/aquasecurity/kube-bench/issues/1468
* Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (#1472)
* chore: add fips compliant images (#1473)
For fips complaince we need to generate fips compliant images.
As part of this change, we will create new kube-bench image which will be fips compliant. Image name follows this tag pattern <version>-ubi-fips
* release: prepare v0.6.16-rc (#1476)
* release: prepare v0.6.16-rc
Signed-off-by: chenk <hen.keinan@gmail.com>
* release: prepare v0.6.16-rc
Signed-off-by: chenk <hen.keinan@gmail.com>
---------
Signed-off-by: chenk <hen.keinan@gmail.com>
* release: prepare v0.6.16 official (#1479)
Signed-off-by: chenk <hen.keinan@gmail.com>
* Update job.yaml (#1477)
* Update job.yaml
Fix on typo for image version
* chore: sync with upstream
Signed-off-by: chenk <hen.keinan@gmail.com>
---------
Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
* release: prepare v0.6.17 (#1480)
Signed-off-by: chenk <hen.keinan@gmail.com>
* Bump docker base images (#1465)
During a recent CVE scan we found kube-bench to use `alpine:3.18` as the final image which has a known high CVE.
```
grype aquasec/kube-bench:v0.6.15
✔ Vulnerability DB [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [73 packages]
✔ Scanning image... [4 vulnerabilities]
├── 0 critical, 4 high, 0 medium, 0 low, 0 negligible
└── 4 fixed
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
libcrypto3 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High
libssl3 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High
openssl 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High
```
The CVE in question was addressed in the latest [alpine release](https://www.alpinelinux.org/posts/Alpine-3.15.9-3.16.6-3.17.4-3.18.2-released.html), hence updating the dockerfiles accordingly
* build(deps): bump golang from 1.20.4 to 1.20.6 (#1475)
Bumps golang from 1.20.4 to 1.20.6.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s
Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides
kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
* RKE/RKE2 CIS Benchmarks
Updated the order of checks for RKE and RKE2 Platforms.
* fixed vulnerabilities|upgraded package golang.org/x/net to version v0.17.0
* Error handling for RKE Detection Pre-requisites
* Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides#hardening-guides-and-benchmark-versions, kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
updated documentation specific to added rancher platforms
* addressed review comments
1.Implemented IsRKE functionality in kube-bench
2. Removed containerd from global level config and accommodated in individual config file
3. Corrected the control id from 1.2.25 to 1.2.23 in master.yaml(k3s-cis-1.23 and k3s-cis-1.24)
* Removed unncessary dependency - kubernetes-provider-detector
---------
Signed-off-by: chenk <hen.keinan@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andy Pitcher <andy.pitcher@suse.com>
Co-authored-by: Devendra Turkar <devendra.turkar@gmail.com>
Co-authored-by: Guille Vigil <contact@guillermotti.com>
Co-authored-by: Jonas-Taha El Sesiy <jonas-taha.elsesiy@snowflake.com>
2023-11-26 10:27:38 +00:00
|
|
|
github.com/josharian/intern v1.0.0 // indirect
|
|
|
|
github.com/json-iterator/go v1.1.12 // indirect
|
2024-01-11 08:34:21 +00:00
|
|
|
github.com/mailru/easyjson v0.7.7 // indirect
|
2022-10-03 05:52:06 +00:00
|
|
|
github.com/mattn/go-colorable v0.1.13 // indirect
|
2023-11-12 08:47:01 +00:00
|
|
|
github.com/mattn/go-isatty v0.0.20 // indirect
|
2022-10-03 05:52:06 +00:00
|
|
|
github.com/mitchellh/mapstructure v1.5.0 // indirect
|
Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s (#1523)
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
* release: prepare v0.6.15 (#1455)
Signed-off-by: chenk <hen.keinan@gmail.com>
* build(deps): bump golang from 1.19.4 to 1.20.4 (#1436)
Bumps golang from 1.19.4 to 1.20.4.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump actions/setup-go from 3 to 4 (#1402)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
* Fix test_items in cis-1.7 - node - 4.2.12 (#1469)
Related issue: https://github.com/aquasecurity/kube-bench/issues/1468
* Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (#1472)
* chore: add fips compliant images (#1473)
For fips complaince we need to generate fips compliant images.
As part of this change, we will create new kube-bench image which will be fips compliant. Image name follows this tag pattern <version>-ubi-fips
* release: prepare v0.6.16-rc (#1476)
* release: prepare v0.6.16-rc
Signed-off-by: chenk <hen.keinan@gmail.com>
* release: prepare v0.6.16-rc
Signed-off-by: chenk <hen.keinan@gmail.com>
---------
Signed-off-by: chenk <hen.keinan@gmail.com>
* release: prepare v0.6.16 official (#1479)
Signed-off-by: chenk <hen.keinan@gmail.com>
* Update job.yaml (#1477)
* Update job.yaml
Fix on typo for image version
* chore: sync with upstream
Signed-off-by: chenk <hen.keinan@gmail.com>
---------
Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
* release: prepare v0.6.17 (#1480)
Signed-off-by: chenk <hen.keinan@gmail.com>
* Bump docker base images (#1465)
During a recent CVE scan we found kube-bench to use `alpine:3.18` as the final image which has a known high CVE.
```
grype aquasec/kube-bench:v0.6.15
✔ Vulnerability DB [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [73 packages]
✔ Scanning image... [4 vulnerabilities]
├── 0 critical, 4 high, 0 medium, 0 low, 0 negligible
└── 4 fixed
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
libcrypto3 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High
libssl3 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High
openssl 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High
```
The CVE in question was addressed in the latest [alpine release](https://www.alpinelinux.org/posts/Alpine-3.15.9-3.16.6-3.17.4-3.18.2-released.html), hence updating the dockerfiles accordingly
* build(deps): bump golang from 1.20.4 to 1.20.6 (#1475)
Bumps golang from 1.20.4 to 1.20.6.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s
Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides
kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
* RKE/RKE2 CIS Benchmarks
Updated the order of checks for RKE and RKE2 Platforms.
* fixed vulnerabilities|upgraded package golang.org/x/net to version v0.17.0
* Error handling for RKE Detection Pre-requisites
* Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides#hardening-guides-and-benchmark-versions, kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
updated documentation specific to added rancher platforms
* addressed review comments
1.Implemented IsRKE functionality in kube-bench
2. Removed containerd from global level config and accommodated in individual config file
3. Corrected the control id from 1.2.25 to 1.2.23 in master.yaml(k3s-cis-1.23 and k3s-cis-1.24)
* Removed unncessary dependency - kubernetes-provider-detector
---------
Signed-off-by: chenk <hen.keinan@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andy Pitcher <andy.pitcher@suse.com>
Co-authored-by: Devendra Turkar <devendra.turkar@gmail.com>
Co-authored-by: Guille Vigil <contact@guillermotti.com>
Co-authored-by: Jonas-Taha El Sesiy <jonas-taha.elsesiy@snowflake.com>
2023-11-26 10:27:38 +00:00
|
|
|
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
|
|
|
|
github.com/modern-go/reflect2 v1.0.2 // indirect
|
|
|
|
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
|
2024-11-15 11:34:30 +00:00
|
|
|
github.com/pelletier/go-toml/v2 v2.2.2 // indirect
|
2024-01-05 05:59:17 +00:00
|
|
|
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
|
|
|
|
github.com/sagikazarmark/locafero v0.4.0 // indirect
|
|
|
|
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
|
|
|
|
github.com/sourcegraph/conc v0.3.0 // indirect
|
|
|
|
github.com/spf13/afero v1.11.0 // indirect
|
|
|
|
github.com/spf13/cast v1.6.0 // indirect
|
2022-10-03 05:52:06 +00:00
|
|
|
github.com/spf13/pflag v1.0.5 // indirect
|
2024-10-24 06:51:14 +00:00
|
|
|
github.com/stretchr/objx v0.5.2 // indirect
|
2024-01-05 05:59:17 +00:00
|
|
|
github.com/subosito/gotenv v1.6.0 // indirect
|
2024-10-24 06:51:14 +00:00
|
|
|
github.com/x448/float16 v0.8.4 // indirect
|
2024-01-05 05:59:17 +00:00
|
|
|
go.uber.org/atomic v1.10.0 // indirect
|
|
|
|
go.uber.org/multierr v1.9.0 // indirect
|
2024-10-24 06:51:14 +00:00
|
|
|
golang.org/x/crypto v0.24.0 // indirect
|
2024-01-05 05:59:17 +00:00
|
|
|
golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
|
2024-10-24 06:51:14 +00:00
|
|
|
golang.org/x/net v0.26.0 // indirect
|
2024-10-25 04:26:08 +00:00
|
|
|
golang.org/x/oauth2 v0.21.0 // indirect
|
2024-10-24 06:51:14 +00:00
|
|
|
golang.org/x/sync v0.7.0 // indirect
|
2024-11-15 10:14:30 +00:00
|
|
|
golang.org/x/sys v0.25.0 // indirect
|
2024-10-24 06:51:14 +00:00
|
|
|
golang.org/x/term v0.21.0 // indirect
|
|
|
|
golang.org/x/text v0.16.0 // indirect
|
2024-01-05 05:59:17 +00:00
|
|
|
golang.org/x/time v0.5.0 // indirect
|
2024-10-24 06:51:14 +00:00
|
|
|
google.golang.org/protobuf v1.34.2 // indirect
|
Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s (#1523)
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
* release: prepare v0.6.15 (#1455)
Signed-off-by: chenk <hen.keinan@gmail.com>
* build(deps): bump golang from 1.19.4 to 1.20.4 (#1436)
Bumps golang from 1.19.4 to 1.20.4.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump actions/setup-go from 3 to 4 (#1402)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
* Fix test_items in cis-1.7 - node - 4.2.12 (#1469)
Related issue: https://github.com/aquasecurity/kube-bench/issues/1468
* Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (#1472)
* chore: add fips compliant images (#1473)
For fips complaince we need to generate fips compliant images.
As part of this change, we will create new kube-bench image which will be fips compliant. Image name follows this tag pattern <version>-ubi-fips
* release: prepare v0.6.16-rc (#1476)
* release: prepare v0.6.16-rc
Signed-off-by: chenk <hen.keinan@gmail.com>
* release: prepare v0.6.16-rc
Signed-off-by: chenk <hen.keinan@gmail.com>
---------
Signed-off-by: chenk <hen.keinan@gmail.com>
* release: prepare v0.6.16 official (#1479)
Signed-off-by: chenk <hen.keinan@gmail.com>
* Update job.yaml (#1477)
* Update job.yaml
Fix on typo for image version
* chore: sync with upstream
Signed-off-by: chenk <hen.keinan@gmail.com>
---------
Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
* release: prepare v0.6.17 (#1480)
Signed-off-by: chenk <hen.keinan@gmail.com>
* Bump docker base images (#1465)
During a recent CVE scan we found kube-bench to use `alpine:3.18` as the final image which has a known high CVE.
```
grype aquasec/kube-bench:v0.6.15
✔ Vulnerability DB [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [73 packages]
✔ Scanning image... [4 vulnerabilities]
├── 0 critical, 4 high, 0 medium, 0 low, 0 negligible
└── 4 fixed
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
libcrypto3 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High
libssl3 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High
openssl 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High
```
The CVE in question was addressed in the latest [alpine release](https://www.alpinelinux.org/posts/Alpine-3.15.9-3.16.6-3.17.4-3.18.2-released.html), hence updating the dockerfiles accordingly
* build(deps): bump golang from 1.20.4 to 1.20.6 (#1475)
Bumps golang from 1.20.4 to 1.20.6.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s
Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides
kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
* RKE/RKE2 CIS Benchmarks
Updated the order of checks for RKE and RKE2 Platforms.
* fixed vulnerabilities|upgraded package golang.org/x/net to version v0.17.0
* Error handling for RKE Detection Pre-requisites
* Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides#hardening-guides-and-benchmark-versions, kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
updated documentation specific to added rancher platforms
* addressed review comments
1.Implemented IsRKE functionality in kube-bench
2. Removed containerd from global level config and accommodated in individual config file
3. Corrected the control id from 1.2.25 to 1.2.23 in master.yaml(k3s-cis-1.23 and k3s-cis-1.24)
* Removed unncessary dependency - kubernetes-provider-detector
---------
Signed-off-by: chenk <hen.keinan@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andy Pitcher <andy.pitcher@suse.com>
Co-authored-by: Devendra Turkar <devendra.turkar@gmail.com>
Co-authored-by: Guille Vigil <contact@guillermotti.com>
Co-authored-by: Jonas-Taha El Sesiy <jonas-taha.elsesiy@snowflake.com>
2023-11-26 10:27:38 +00:00
|
|
|
gopkg.in/inf.v0 v0.9.1 // indirect
|
2022-10-03 05:52:06 +00:00
|
|
|
gopkg.in/ini.v1 v1.67.0 // indirect
|
|
|
|
gopkg.in/yaml.v3 v3.0.1 // indirect
|
2024-11-29 06:41:36 +00:00
|
|
|
k8s.io/api v0.31.3 // indirect
|
2024-10-24 06:51:14 +00:00
|
|
|
k8s.io/klog/v2 v2.130.1 // indirect
|
|
|
|
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
|
|
|
|
k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
|
2024-01-11 08:34:21 +00:00
|
|
|
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
|
|
|
|
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
|
2024-10-24 06:51:14 +00:00
|
|
|
sigs.k8s.io/yaml v1.4.0 // indirect
|
2019-06-26 10:58:51 +00:00
|
|
|
)
|