forked from kagenti/kagenti
.trivyignore
95 lines (73 loc) · 4.08 KB
# Trivy Ignore File
# These are intentional exceptions with documented rationale
# Use AVD- prefix format (e.g., AVD-DS-0002, AVD-KSV-0041)
# AVD-DS-0002: mlflow-oauth-secret runs in OpenShift with random UID
# The Dockerfile sets g=u permissions for OpenShift compatibility (random UID assignment).
# Adding a fixed USER directive would conflict with OpenShift's security model.
# File: kagenti/auth/mlflow-oauth-secret/Dockerfile
# Note: This is a global suppression (Trivy doesn't support per-file suppressions for DS-* checks)
AVD-DS-0002
# HyperShift CI ClusterRole RBAC permissions
# The k8s-ci-clusterrole.yaml has documented security notes explaining why broad permissions
# are required:
# 1. Kubernetes RBAC doesn't support namespace prefix wildcards
# 2. HyperShift dynamically creates control plane namespaces (clusters-<name>)
# 3. The operator, not CI, creates these namespaces so we can't pre-create RoleBindings
# 4. Permissions are minimized to specific resources (not wildcards)
# See file comments for full security analysis: .github/scripts/hypershift/policies/k8s-ci-clusterrole.yaml
# AVD-KSV-0041: ClusterRole managing secrets (required for HyperShift kubeconfig)
AVD-KSV-0041
# AVD-KSV-0048: ClusterRole managing pods/deployments (required for CI cleanup)
AVD-KSV-0048
# AVD-KSV-0049: ClusterRole managing configmaps (required for Kagenti config)
AVD-KSV-0049
# Sandbox deployment manifests use trusted registries:
# - image-registry.openshift-image-registry.svc:5000: OpenShift internal build registry
# - registry.redhat.io: Red Hat certified images
# - ghcr.io/berriai: LiteLLM upstream
AVD-KSV-0125
# Internal agent base image uses :latest (built on-cluster, no external tag)
AVD-DS-0001
# --- OpenShell PoC agents (remove when MVP Helm chart replaces kustomize) ---
# OpenShell agent-sandbox-controller (upstream NVIDIA component)
# KSV-0014 and KSV-0118 are fixed via kustomize patch
# (deployments/openshell/agent-sandbox-security-patch.yaml)
# OpenShell RBAC (gateway + agent-sandbox-controller)
# Both components need broad permissions by design:
# - Gateway: pods/exec (sandbox session), services, network policies (isolation)
# - Controller: services, endpoints, network policies (sandbox enforcement)
# Scope is limited to the sandbox namespace (team1) and openshell-system.
# AVD-KSV-0042: pods/log access — gateway needs to stream sandbox logs
AVD-KSV-0042
# AVD-KSV-0053: pods/exec — gateway creates shell sessions in sandboxes
AVD-KSV-0053
# AVD-KSV-0056: Broad network resource access — sandbox network isolation
AVD-KSV-0056
# AVD-KSV-0113: Secrets management — gateway injects credentials into sandboxes
AVD-KSV-0113
# AVD-KSV-0013: Locally-built agent images use :latest (no external registry tag)
AVD-KSV-0013
# OpenShell supervised agents require privileged mode for namespace creation.
# The supervisor creates network namespaces, applies Landlock filesystem
# restrictions, and sets up seccomp filters — all requiring root + CAP_SYS_ADMIN.
# After setup, the supervisor drops to the sandbox user.
# AVD-KSV-0001: allowPrivilegeEscalation — supervisor agent containers
AVD-KSV-0001
# AVD-KSV-0012: runAsNonRoot — supervised agents must start as root for
# namespace creation, then drop to sandbox user. Non-supervised agents set this.
AVD-KSV-0012
# AVD-KSV-0017: privileged mode — supervisor needs root for namespace setup
AVD-KSV-0017
# AVD-KSV-0014: readOnlyRootFilesystem — supervised agent containers need
# writable root for namespace/cgroup setup during sandbox initialization.
# Non-supervised agents and gateway have readOnlyRootFilesystem: true.
AVD-KSV-0014
# AVD-KSV-0104: seccomp profile — supervised agents use privileged mode which
# is incompatible with seccomp (Landlock provides equivalent sandboxing).
# Non-supervised agents and gateway have seccomp RuntimeDefault set.
AVD-KSV-0104
# AVD-KSV-0118: default security context — supervised agents run privileged,
# non-supervised agents have full security context set. This catches the
# supervised agents where securityContext.privileged=true is set but not the
# full pod-level context Trivy expects.
AVD-KSV-0118
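
The header of this file promises "intentional exceptions with documented rationale" in AVD- prefix format. The following linter is an added example, not part of the kagenti repository, that checks those conventions for each suppression entry. The function name `audit`, the four checks and the sample excerpt are assumptions constructed for illustration.

```python
import re

# The file's own convention: "Use AVD- prefix format (e.g., AVD-DS-0002, AVD-KSV-0041)"
ID_RE = re.compile(r"^AVD-[A-Z]+-\d{4}$")

# Constructed sample in the style of the file above, with deliberate gaps.
SAMPLE = """\
# AVD-KSV-0041: ClusterRole managing secrets (required for HyperShift kubeconfig)
AVD-KSV-0041
# Sandbox deployment manifests use trusted registries:
# - registry.redhat.io: Red Hat certified images
AVD-KSV-0125
# Internal agent base image uses :latest (built on-cluster, no external tag)
AVD-DS-0001
AVD-KSV-0013
# AVD-KSV-0041: repeated entry
AVD-KSV-0041
"""

def audit(text):
    """Return (line_no, check_id, problem) tuples for a .trivyignore body."""
    findings, seen, comments = [], {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue                      # blank lines do not end a rationale block
        if line.startswith("#"):
            comments.append(line)         # collect rationale since the last entry
            continue
        check_id = line.split()[0]        # ignore anything after the ID on the line
        if not ID_RE.match(check_id):
            findings.append((no, check_id, "unrecognised ID format"))
        elif check_id in seen:
            findings.append((no, check_id, f"duplicate of line {seen[check_id]}"))
        elif not comments:
            findings.append((no, check_id, "no rationale comment"))
        elif not any(check_id in c for c in comments):
            findings.append((no, check_id, "rationale does not name the ID"))
        seen.setdefault(check_id, no)
        comments = []                     # rationale applies to one entry only
    return findings

if __name__ == "__main__":
    for no, check_id, problem in audit(SAMPLE):
        print(f"line {no}: {check_id}: {problem}")
```

Run against the file above, the last check would flag `AVD-KSV-0125` and `AVD-DS-0001`, whose rationale comments describe the exception without naming the check being suppressed.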