Shopify · genevieveluyt · Jul 13, 2021 · Jul 12, 2021 · Jul 12, 2021 · Jul 13, 2021
diff --git a/auditors/all/all.go b/auditors/all/all.go
@@ -40,13 +40,8 @@ var AuditorNames = []string{
 }
 
 func Auditors(conf config.KubeauditConfig) ([]kubeaudit.Auditable, error) {
-	enabledAuditors := conf.GetEnabledAuditors()
-	if len(enabledAuditors) == 0 {
-		enabledAuditors = AuditorNames
-	}
-
-	auditors := make([]kubeaudit.Auditable, 0, len(enabledAuditors))
-	for _, auditorName := range enabledAuditors {
+	auditors := []kubeaudit.Auditable{}
+	for _, auditorName := range getEnabledAuditors(conf) {
 		auditor, err := initAuditor(auditorName, conf)
 		if err != nil {
 			return nil, err
@@ -57,6 +52,19 @@ func Auditors(conf config.KubeauditConfig) ([]kubeaudit.Auditable, error) {
 	return auditors, nil
 }
 
+// getEnabledAuditors returns a list of all auditors excluding any explicitly disabled in the config
+func getEnabledAuditors(conf config.KubeauditConfig) []string {
+	auditors := []string{}
+	for _, auditorName := range AuditorNames {
+		// if value is not found in the `conf.GetEnabledAuditors()` map, this means
+		// it wasn't added to the config file, so it should be enabled by default
+		if enabled, ok := conf.GetEnabledAuditors()[auditorName]; !ok || enabled {
+			auditors = append(auditors, auditorName)
+		}
+	}
+	return auditors
+}
+
 func initAuditor(name string, conf config.KubeauditConfig) (kubeaudit.Auditable, error) {
 	switch name {
 	case apparmor.Name:

diff --git a/auditors/all/all_test.go b/auditors/all/all_test.go
@@ -8,6 +8,7 @@ import (
 	"github.com/Shopify/kubeaudit/auditors/apparmor"
 	"github.com/Shopify/kubeaudit/auditors/asat"
 	"github.com/Shopify/kubeaudit/auditors/capabilities"
+	"github.com/Shopify/kubeaudit/auditors/mounts"
 
 	"github.com/Shopify/kubeaudit/auditors/hostns"
 	"github.com/Shopify/kubeaudit/auditors/image"
@@ -20,6 +21,7 @@ import (
 	"github.com/Shopify/kubeaudit/auditors/seccomp"
 	"github.com/Shopify/kubeaudit/config"
 	"github.com/Shopify/kubeaudit/internal/test"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
@@ -97,6 +99,83 @@ func TestAllWithConfig(t *testing.T) {
 	}
 }
 
+func TestGetEnabledAuditors(t *testing.T) {
+	cases := []struct {
+		testName         string
+		enabledAuditors  map[string]bool
+		expectedAuditors []string
+	}{
+		{
+			// If no config is provided, all auditors should be enabled
+			testName:         "No config",
+			enabledAuditors:  map[string]bool{},
+			expectedAuditors: AuditorNames,
+		},
+		{
+			// If some auditors are explicitly disabled, the rest should default to being enabled
+			testName: "Some disabled",
+			enabledAuditors: map[string]bool{
+				"apparmor": false,
+				"rootfs":   false,
+			},
+			expectedAuditors: []string{
+				asat.Name,
+				capabilities.Name,
+				hostns.Name,
+				image.Name,
+				limits.Name,
+				mounts.Name,
+				netpols.Name,
+				nonroot.Name,
+				privesc.Name,
+				privileged.Name,
+				seccomp.Name,
+			},
+		},
+		{
+			testName: "Some enabled",
+			enabledAuditors: map[string]bool{
+				"apparmor": true,
+				"rootfs":   true,
+			},
+			expectedAuditors: AuditorNames,
+		},
+		{
+			// If some auditors are explicitly disabled, the rest should default to being enabled
+			testName: "Some enabled, some disabled",
+			enabledAuditors: map[string]bool{
+				"asat":         true,
+				"apparmor":     false,
+				"capabilities": true,
+				"rootfs":       false,
+			},
+			expectedAuditors: []string{
+				asat.Name,
+				capabilities.Name,
+				hostns.Name,
+				image.Name,
+				limits.Name,
+				mounts.Name,
+				netpols.Name,
+				nonroot.Name,
+				privesc.Name,
+				privileged.Name,
+				seccomp.Name,
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.testName, func(t *testing.T) {
+			conf := config.KubeauditConfig{
+				EnabledAuditors: tc.enabledAuditors,
+			}
+			got := getEnabledAuditors(conf)
+			assert.ElementsMatch(t, got, tc.expectedAuditors)
+		})
+	}
+}
+
 func enabledAuditorsToMap(enabledAuditors []string) map[string]bool {
 	enabledAuditorMap := map[string]bool{}
 	for _, auditorName := range AuditorNames {

diff --git a/cmd/commands/VERSION b/cmd/commands/VERSION
@@ -1 +1 @@
-0.14.1
+0.14.2
diff --git a/config/config.go b/config/config.go
@@ -1,10 +1,11 @@
 package config
 
 import (
-	"github.com/Shopify/kubeaudit/auditors/mounts"
 	"io"
 	"io/ioutil"
 
+	"github.com/Shopify/kubeaudit/auditors/mounts"
+
 	"github.com/Shopify/kubeaudit/auditors/capabilities"
 	"github.com/Shopify/kubeaudit/auditors/image"
 	"github.com/Shopify/kubeaudit/auditors/limits"
@@ -31,17 +32,11 @@ type KubeauditConfig struct {
 	AuditorConfig   AuditorConfig   `yaml:"auditors"`
 }
 
-func (conf *KubeauditConfig) GetEnabledAuditors() []string {
+func (conf *KubeauditConfig) GetEnabledAuditors() map[string]bool {
 	if conf == nil {
-		return []string{}
-	}
-	enabledAuditors := make([]string, 0, len(conf.EnabledAuditors))
-	for auditorName, enabled := range conf.EnabledAuditors {
-		if enabled {
-			enabledAuditors = append(enabledAuditors, auditorName)
-		}
+		return map[string]bool{}
 	}
-	return enabledAuditors
+	return conf.EnabledAuditors
 }
 
 func (conf *KubeauditConfig) GetAuditorConfigs() AuditorConfig {