adds support for sarif output

README.md

@@ -175,6 +175,8 @@ The minimum severity level can be set using the `--minSeverity/-m` flag.
 
 By default kubeaudit will output results in a human-readable way. If the output is intended to be further processed, it can be set to output JSON using the `--format json` flag. To output results as logs (the previous default) use `--format logrus`. Some output formats include colors to make results easier to read in a terminal. To disable colors (for example, if you are sending output to a text file), you can use the `--no-color` flag.
 
+You can generate a kubeaudit report in [SARIF](https://docs.oasis-open.org/sarif/sarif/v2.0/sarif-v2.0.html) and write it to a file by using the `-s/--sarif` flag.
+
 If there are results of severity level `error`, kubeaudit will exit with exit code 2. This can be changed using the `--exitcode/-e` flag.
 
 For all the ways kubeaudit can be customized, see [Global Flags](#global-flags).
@@ -221,6 +223,7 @@ Auditors can also be run individually.
 | -m    | --minseverity      | Set the lowest severity level to report (one of "error", "warning", "info") (default is "info")                                                           |
 | -e    | --exitcode         | Exit code to use if there are results with severity of "error". Conventionally, 0 is used for success and all non-zero codes for an error. (default is 2) |
 |       | --no-color         | Don't use colors in the output (default is false) |
+| -s    | --sarif            | The file location to save the SARIF output |
 
 ## Configuration File
 

auditors/apparmor/apparmor.go

@@ -64,7 +64,8 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 
 	if isAppArmorAnnotationMissing(containerAnnotation, annotations) {
 		return &kubeaudit.AuditResult{
-			Name:     AppArmorAnnotationMissing,
+			Auditor:  Name,
+			Rule:     AppArmorAnnotationMissing,
 			Severity: kubeaudit.Error,
 			Message:  fmt.Sprintf("AppArmor annotation missing. The annotation '%s' should be added.", containerAnnotation),
 			Metadata: kubeaudit.Metadata{
@@ -80,7 +81,8 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 
 	if isAppArmorDisabled(containerAnnotation, annotations) {
 		return &kubeaudit.AuditResult{
-			Name:     AppArmorDisabled,
+			Auditor:  Name,
+			Rule:     AppArmorDisabled,
 			Message:  fmt.Sprintf("AppArmor is disabled. The apparmor annotation should be set to '%s' or start with '%s'.", ProfileRuntimeDefault, ProfileNamePrefix),
 			Severity: kubeaudit.Error,
 			Metadata: kubeaudit.Metadata{
@@ -107,7 +109,8 @@ func auditPodAnnotations(resource k8s.Resource, containerNames []string) []*kube
 		containerName := strings.Split(annotationKey, "/")[1]
 		if !contains(containerNames, containerName) {
 			auditResults = append(auditResults, &kubeaudit.AuditResult{
-				Name:     AppArmorInvalidAnnotation,
+				Auditor:  Name,
+				Rule:     AppArmorInvalidAnnotation,
 				Severity: kubeaudit.Error,
 				Message:  fmt.Sprintf("AppArmor annotation key refers to a container that doesn't exist. Remove the annotation '%s: %s'.", annotationKey, annotationValue),
 				Metadata: kubeaudit.Metadata{

auditors/asat/asat.go

@@ -45,7 +45,8 @@ func auditResource(resource k8s.Resource, resources []k8s.Resource) *kubeaudit.A
 
 	if isDeprecatedServiceAccountName(podSpec) && !hasServiceAccountName(podSpec) {
 		return &kubeaudit.AuditResult{
-			Name:     AutomountServiceAccountTokenDeprecated,
+			Auditor:  Name,
+			Rule:     AutomountServiceAccountTokenDeprecated,
 			Severity: kubeaudit.Warn,
 			Message:  "serviceAccount is a deprecated alias for serviceAccountName. serviceAccountName should be used instead.",
 			PendingFix: &fixDeprecatedServiceAccountName{
@@ -60,7 +61,8 @@ func auditResource(resource k8s.Resource, resources []k8s.Resource) *kubeaudit.A
 	defaultServiceAccount := getDefaultServiceAccount(resources)
 	if usesDefaultServiceAccount(podSpec) && isAutomountTokenTrue(podSpec, defaultServiceAccount) {
 		return &kubeaudit.AuditResult{
-			Name:     AutomountServiceAccountTokenTrueAndDefaultSA,
+			Auditor:  Name,
+			Rule:     AutomountServiceAccountTokenTrueAndDefaultSA,
 			Severity: kubeaudit.Error,
 			Message:  "Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.",
 			PendingFix: &fixDefaultServiceAccountWithAutomountToken{

auditors/capabilities/capabilities.go

@@ -75,7 +75,8 @@ func auditContainer(container *k8s.ContainerV1, capability string, allowAddList
 		if IsCapabilityInAddList(container, capability) {
 			message := fmt.Sprintf("Capability \"%s\" added. It should be removed from the capability add list. If you need this capability, add an override label such as '%s: SomeReason'.", capability, override.GetContainerOverrideLabel(container.Name, getOverrideLabel(capability)))
 			auditResult := &kubeaudit.AuditResult{
-				Name:     CapabilityAdded,
+				Auditor:  Name,
+				Rule:     CapabilityAdded,
 				Severity: kubeaudit.Error,
 				Message:  message,
 				PendingFix: &fixCapabilityAdded{
@@ -103,7 +104,8 @@ func auditContainerForDropAll(container *k8s.ContainerV1) *kubeaudit.AuditResult
 	if !SecurityContextOrCapabilities(container) {
 		message := "Security Context not set. The Security Context should be specified and all Capabilities should be dropped by setting the Drop list to ALL."
 		return &kubeaudit.AuditResult{
-			Name:     CapabilityOrSecurityContextMissing,
+			Auditor:  Name,
+			Rule:     CapabilityOrSecurityContextMissing,
 			Severity: kubeaudit.Error,
 			Message:  message,
 			PendingFix: &fixMissingSecurityContextOrCapability{
@@ -118,7 +120,8 @@ func auditContainerForDropAll(container *k8s.ContainerV1) *kubeaudit.AuditResult
 	if !IsDropAll(container) {
 		message := "Capability Drop list should be set to ALL. Add the specific ones you need to the Add list and set an override label."
 		return &kubeaudit.AuditResult{
-			Name:     CapabilityShouldDropAll,
+			Auditor:  Name,
+			Rule:     CapabilityShouldDropAll,
 			Severity: kubeaudit.Error,
 			Message:  message,
 			PendingFix: &fixCapabilityNotDroppedAll{

auditors/deprecatedapis/depreceatedapis.go

@@ -119,7 +119,8 @@ func (deprecatedAPIs *DeprecatedAPIs) Audit(resource k8s.Resource, _ []k8s.Resou
 					}
 				}
 				auditResult := &kubeaudit.AuditResult{
-					Name:     DeprecatedAPIUsed,
+					Auditor:  Name,
+					Rule:     DeprecatedAPIUsed,
 					Severity: severity,
 					Message:  deprecationMessage,
 					Metadata: metadata,

auditors/deprecatedapis/depreceatedapis_test.go

@@ -2,6 +2,7 @@ package deprecatedapis
 
 import (
 	"fmt"
+	"os"
 	"strings"
 	"testing"
 
@@ -53,6 +54,12 @@ func TestAuditDeprecatedAPIs(t *testing.T) {
 			require.Nil(t, err)
 			report := test.AuditManifest(t, fixtureDir, tc.file, auditor, []string{DeprecatedAPIUsed})
 			assertReport(t, report, tc.expectedSeverity, message, metadata)
+
+			// disable local tests when running in dev mode
+			if os.Getenv("USE_KIND") == "false" {
+				return
+			}
+
 			report = test.AuditLocal(t, fixtureDir, tc.file, auditor, fmt.Sprintf("%s-%d", strings.Split(tc.file, ".")[0], i), []string{DeprecatedAPIUsed})
 			assertReport(t, report, tc.expectedSeverity, message, metadata)
 		})

auditors/hostns/hostns.go

@@ -62,7 +62,8 @@ func auditHostNetwork(podSpec *k8s.PodSpecV1) *kubeaudit.AuditResult {
 			metadata["PodHost"] = podSpec.Hostname
 		}
 		return &kubeaudit.AuditResult{
-			Name:     NamespaceHostNetworkTrue,
+			Auditor:  Name,
+			Rule:     NamespaceHostNetworkTrue,
 			Severity: kubeaudit.Error,
 			Message:  "hostNetwork is set to 'true' in PodSpec. It should be set to 'false'.",
 			PendingFix: &fixHostNetworkTrue{
@@ -82,7 +83,8 @@ func auditHostIPC(podSpec *k8s.PodSpecV1) *kubeaudit.AuditResult {
 			metadata["PodHost"] = podSpec.Hostname
 		}
 		return &kubeaudit.AuditResult{
-			Name:     NamespaceHostIPCTrue,
+			Auditor:  Name,
+			Rule:     NamespaceHostIPCTrue,
 			Severity: kubeaudit.Error,
 			Message:  "hostIPC is set to 'true' in PodSpec. It should be set to 'false'.",
 			PendingFix: &fixHostIPCTrue{
@@ -102,7 +104,8 @@ func auditHostPID(podSpec *k8s.PodSpecV1) *kubeaudit.AuditResult {
 			metadata["PodHost"] = podSpec.Hostname
 		}
 		return &kubeaudit.AuditResult{
-			Name:     NamespaceHostPIDTrue,
+			Auditor:  Name,
+			Rule:     NamespaceHostPIDTrue,
 			Severity: kubeaudit.Error,
 			Message:  "hostPID is set to 'true' in PodSpec. It should be set to 'false'.",
 			PendingFix: &fixHostPIDTrue{

auditors/image/image.go

@@ -50,7 +50,8 @@ func auditContainer(container *k8s.ContainerV1, image string) *kubeaudit.AuditRe
 
 	if isImageTagMissing(containerTag) {
 		return &kubeaudit.AuditResult{
-			Name:     ImageTagMissing,
+			Auditor:  Name,
+			Rule:     ImageTagMissing,
 			Severity: kubeaudit.Warn,
 			Message:  "Image tag is missing.",
 			Metadata: kubeaudit.Metadata{
@@ -61,7 +62,8 @@ func auditContainer(container *k8s.ContainerV1, image string) *kubeaudit.AuditRe
 
 	if isImageTagIncorrect(name, tag, containerName, containerTag) {
 		return &kubeaudit.AuditResult{
-			Name:     ImageTagIncorrect,
+			Auditor:  Name,
+			Rule:     ImageTagIncorrect,
 			Severity: kubeaudit.Error,
 			Message:  fmt.Sprintf("Container tag is incorrect. It should be set to '%s'.", tag),
 			Metadata: kubeaudit.Metadata{
@@ -72,7 +74,8 @@ func auditContainer(container *k8s.ContainerV1, image string) *kubeaudit.AuditRe
 
 	if isImageCorrect(name, tag, containerName, containerTag) {
 		return &kubeaudit.AuditResult{
-			Name:     ImageCorrect,
+			Auditor:  Name,
+			Rule:     ImageCorrect,
 			Severity: kubeaudit.Info,
 			Message:  "Image tag is correct",
 			Metadata: kubeaudit.Metadata{

auditors/limits/limits.go

@@ -65,7 +65,8 @@ func (limits *Limits) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaud
 func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults []*kubeaudit.AuditResult) {
 	if isLimitsNil(container) {
 		auditResult := &kubeaudit.AuditResult{
-			Name:     LimitsNotSet,
+			Auditor:  Name,
+			Rule:     LimitsNotSet,
 			Severity: kubeaudit.Warn,
 			Message:  "Resource limits not set.",
 			Metadata: kubeaudit.Metadata{
@@ -81,7 +82,8 @@ func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults [
 
 	if isCPULimitUnset(container) {
 		auditResult := &kubeaudit.AuditResult{
-			Name:     LimitsCPUNotSet,
+			Auditor:  Name,
+			Rule:     LimitsCPUNotSet,
 			Severity: kubeaudit.Warn,
 			Message:  "Resource CPU limit not set.",
 			Metadata: kubeaudit.Metadata{
@@ -92,7 +94,8 @@ func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults [
 	} else if exceedsCPULimit(container, limits) {
 		maxCPU := limits.maxCPU.String()
 		auditResult := &kubeaudit.AuditResult{
-			Name:     LimitsCPUExceeded,
+			Auditor:  Name,
+			Rule:     LimitsCPUExceeded,
 			Severity: kubeaudit.Warn,
 			Message:  fmt.Sprintf("CPU limit exceeded. It is set to '%s' which exceeds the max CPU limit of '%s'.", cpu, maxCPU),
 			Metadata: kubeaudit.Metadata{
@@ -106,7 +109,8 @@ func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults [
 
 	if isMemoryLimitUnset(container) {
 		auditResult := &kubeaudit.AuditResult{
-			Name:     LimitsMemoryNotSet,
+			Auditor:  Name,
+			Rule:     LimitsMemoryNotSet,
 			Severity: kubeaudit.Warn,
 			Message:  "Resource Memory limit not set.",
 			Metadata: kubeaudit.Metadata{
@@ -117,7 +121,8 @@ func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults [
 	} else if exceedsMemoryLimit(container, limits) {
 		maxMemory := limits.maxMemory.String()
 		auditResult := &kubeaudit.AuditResult{
-			Name:     LimitsMemoryExceeded,
+			Auditor:  Name,
+			Rule:     LimitsMemoryExceeded,
 			Severity: kubeaudit.Warn,
 			Message:  fmt.Sprintf("Memory limit exceeded. It is set to '%s' which exceeds the max Memory limit of '%s'.", memory, maxMemory),
 			Metadata: kubeaudit.Metadata{

auditors/mounts/mounts.go

@@ -100,7 +100,8 @@ func auditContainer(container *k8s.ContainerV1, sensitiveVolumes map[string]v1.V
 	for _, mount := range container.VolumeMounts {
 		if volume, ok := sensitiveVolumes[mount.Name]; ok {
 			auditResults = append(auditResults, &kubeaudit.AuditResult{
-				Name:     SensitivePathsMounted,
+				Auditor:  Name,
+				Rule:     SensitivePathsMounted,
 				Severity: kubeaudit.Error,
 				Message:  fmt.Sprintf("Sensitive path mounted as volume: %s (hostPath: %s). It should be removed from the container's mounts list.", mount.Name, volume.HostPath.Path),
 				Metadata: kubeaudit.Metadata{

auditors/netpols/netpols.go

@@ -72,7 +72,8 @@ func auditNetworkPolicy(networkPolicy *k8s.NetworkPolicyV1) []*kubeaudit.AuditRe
 
 	if allIngressTrafficAllowed(networkPolicy) {
 		auditResult := &kubeaudit.AuditResult{
-			Name:     AllowAllIngressNetworkPolicyExists,
+			Auditor:  Name,
+			Rule:     AllowAllIngressNetworkPolicyExists,
 			Severity: kubeaudit.Warn,
 			Message:  "Found allow all ingress traffic NetworkPolicy.",
 			Metadata: kubeaudit.Metadata{
@@ -84,7 +85,8 @@ func auditNetworkPolicy(networkPolicy *k8s.NetworkPolicyV1) []*kubeaudit.AuditRe
 
 	if allEgressTrafficAllowed(networkPolicy) {
 		auditResult := &kubeaudit.AuditResult{
-			Name:     AllowAllEgressNetworkPolicyExists,
+			Auditor:  Name,
+			Rule:     AllowAllEgressNetworkPolicyExists,
 			Severity: kubeaudit.Warn,
 			Message:  "Found allow all egress traffic NetworkPolicy.",
 			Metadata: kubeaudit.Metadata{
@@ -108,7 +110,8 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou
 	if hasCatchAllNetPol {
 		if !hasDefaultDenyIngress {
 			auditResult := &kubeaudit.AuditResult{
-				Name:     MissingDefaultDenyIngressNetworkPolicy,
+				Auditor:  Name,
+				Rule:     MissingDefaultDenyIngressNetworkPolicy,
 				Severity: kubeaudit.Error,
 				Message:  fmt.Sprintf("All ingress traffic should be blocked by default for namespace %s.", namespace),
 				Metadata: kubeaudit.Metadata{
@@ -125,7 +128,8 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou
 
 		if !hasDefaultDenyEgress {
 			auditResult := &kubeaudit.AuditResult{
-				Name:     MissingDefaultDenyEgressNetworkPolicy,
+				Auditor:  Name,
+				Rule:     MissingDefaultDenyEgressNetworkPolicy,
 				Severity: kubeaudit.Error,
 				Message:  fmt.Sprintf("All egress traffic should be blocked by default for namespace %s.", namespace),
 				Metadata: kubeaudit.Metadata{
@@ -149,7 +153,8 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou
 
 	if !hasIngressOverride && !hasEgressOverride {
 		auditResult := &kubeaudit.AuditResult{
-			Name:     MissingDefaultDenyIngressAndEgressNetworkPolicy,
+			Auditor:  Name,
+			Rule:     MissingDefaultDenyIngressAndEgressNetworkPolicy,
 			Severity: kubeaudit.Error,
 			Message:  "Namespace is missing a default deny ingress and egress NetworkPolicy.",
 			Metadata: kubeaudit.Metadata{
@@ -165,7 +170,8 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou
 
 	if hasIngressOverride && hasEgressOverride {
 		auditResult := &kubeaudit.AuditResult{
-			Name:     override.GetOverriddenResultName(MissingDefaultDenyIngressAndEgressNetworkPolicy),
+			Auditor:  Name,
+			Rule:     override.GetOverriddenResultName(MissingDefaultDenyIngressAndEgressNetworkPolicy),
 			Severity: kubeaudit.Warn,
 			Message:  "Namespace is missing a default deny ingress and egress NetworkPolicy.",
 			Metadata: kubeaudit.Metadata{
@@ -179,7 +185,8 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou
 	// At this point there is exactly one override label for either ingress or egress which means one needs to be
 	// fixed and the other is overridden
 	auditResult := &kubeaudit.AuditResult{
-		Name:     MissingDefaultDenyIngressNetworkPolicy,
+		Auditor:  Name,
+		Rule:     MissingDefaultDenyIngressNetworkPolicy,
 		Severity: kubeaudit.Error,
 		Message:  "Namespace is missing a default deny ingress NetworkPolicy.",
 		Metadata: kubeaudit.Metadata{
@@ -194,7 +201,8 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou
 	auditResults = append(auditResults, auditResult)
 
 	auditResult = &kubeaudit.AuditResult{
-		Name:     MissingDefaultDenyEgressNetworkPolicy,
+		Auditor:  Name,
+		Rule:     MissingDefaultDenyEgressNetworkPolicy,
 		Severity: kubeaudit.Error,
 		Message:  "Namespace is missing a default deny egress NetworkPolicy.",
 		Metadata: kubeaudit.Metadata{

auditors/nonroot/nonroot.go

@@ -56,7 +56,8 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 	if !isContainerRunAsUserNil(container) {
 		if *container.SecurityContext.RunAsUser == 0 {
 			return &kubeaudit.AuditResult{
-				Name:     RunAsUserCSCRoot,
+				Auditor:  Name,
+				Rule:     RunAsUserCSCRoot,
 				Severity: kubeaudit.Error,
 				Message:  "runAsUser is set to UID 0 (root user) in the container SecurityContext. Either set it to a value > 0 or remove it and set runAsNonRoot to true.",
 				PendingFix: &fixRunAsNonRoot{
@@ -71,7 +72,8 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 		if !isPodRunAsUserNil(podSpec) {
 			if *podSpec.SecurityContext.RunAsUser == 0 {
 				return &kubeaudit.AuditResult{
-					Name:     RunAsUserPSCRoot,
+					Auditor:  Name,
+					Rule:     RunAsUserPSCRoot,
 					Severity: kubeaudit.Warn,
 					Message:  "runAsUser is set to UID 0 (root user) in the PodSecurityContext. Either set it to a value > 0 or remove it and set runAsNonRoot to true.",
 					Metadata: kubeaudit.Metadata{
@@ -87,7 +89,8 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 	if !isPodRunAsUserNil(podSpec) {
 		if *podSpec.SecurityContext.RunAsUser == 0 {
 			return &kubeaudit.AuditResult{
-				Name:     RunAsUserPSCRoot,
+				Auditor:  Name,
+				Rule:     RunAsUserPSCRoot,
 				Severity: kubeaudit.Error,
 				Message:  "runAsUser is set to UID 0 (root user) in the PodSecurityContext. Either set it to a value > 0 or remove it and set runAsNonRoot to true.",
 				PendingFix: &fixRunAsNonRoot{
@@ -104,7 +107,8 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 
 	if isContainerRunAsNonRootCSCFalse(container) {
 		return &kubeaudit.AuditResult{
-			Name:     RunAsNonRootCSCFalse,
+			Auditor:  Name,
+			Rule:     RunAsNonRootCSCFalse,
 			Severity: kubeaudit.Error,
 			Message:  "runAsNonRoot is set to false in the container SecurityContext. Either set it to true or set runAsUser to a value > 0.",
 			PendingFix: &fixRunAsNonRoot{
@@ -119,7 +123,8 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 	if isContainerRunAsNonRootNil(container) {
 		if isPodRunAsNonRootNil(podSpec) {
 			return &kubeaudit.AuditResult{
-				Name:     RunAsNonRootPSCNilCSCNil,
+				Auditor:  Name,
+				Rule:     RunAsNonRootPSCNilCSCNil,
 				Severity: kubeaudit.Error,
 				Message:  "runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.",
 				PendingFix: &fixRunAsNonRoot{
@@ -133,7 +138,8 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 
 		if isPodRunAsNonRootFalse(podSpec) {
 			return &kubeaudit.AuditResult{
-				Name:     RunAsNonRootPSCFalseCSCNil,
+				Auditor:  Name,
+				Rule:     RunAsNonRootPSCFalseCSCNil,
 				Severity: kubeaudit.Error,
 				Message:  "runAsNonRoot is set to false in the PodSecurityContext. Either set it to true or set runAsUser to a value > 0.",
 				PendingFix: &fixRunAsNonRoot{