aquasecurity · simar7 · Jan 4, 2025 · Jan 4, 2025 · Jan 4, 2025 · Jan 4, 2025
@@ -7,10 +7,9 @@ This document aims to answer the question *Where is the code that does X?*
 The directory structure is broken down as follows:
 
 - `cmd/` - These CLI tools are primarily used during development for end-to-end testing without needing to pull the library into trivy/tfsec etc.
-- `checks` - All of the checks are defined in this directory.
+- `checks` - All the checks are defined in this directory.
 - `commands` - All Node-collector commands are defined in this directory.
-- `pkg/spec` - Logic to handle standardized specs such as CIS.
-- `pkg/rules` - This package exposes internal rules, and imports them accordingly (see _rules.go_).
+- `pkg/rules` - This package exposes internal checks, and imports them accordingly (see _rules.go_).
 - `specs/` - Standaridized compliance specs such as CIS.
 - `test` - Integration tests and other high-level tests that require a full build of the project.
 - `scripts` - Usefule generation scripts for bundle generation and verification purposes.
@@ -29,6 +29,19 @@ wget https://github.com/aquasecurity/trivy-checks/raw/main/test/testdata/kuberne
 conftest test denied.yaml --policy myPolicy/ --namespace builtin.kubernetes.KSV008
 ```
 
+# Kubernetes checks classification
+There are several Kubernetes checks that target various subsystems. They are loosely classified as follows.
+
+| Target         | Description                                                                                                                        |
+|----------------|------------------------------------------------------------------------------------------------------------------------------------|
+| Network        | Checks primarily targeting the networking stack                                                                                    |
+| Dynamic        | Checks that evaluate deprecated and removed APIs                                                                                   |
+| CIS Benchmarks | Checks that are recommended by the CIS Benchmarks. The checks inside are targeted per each subsystem (e.g. apiserver, cni, etc.)   |
+| Advanced       | Checks that are recommended for the advanced uesrs of Kubernetes                                                                   |
+| GKE            | Checks specific to Google Kubernetes Engine                                                                                        |
+| PSS            | Checks pertaining to Pod Security Standards                                                                                        |
+
+
 # Standards and best practices
 This GitHub repository has controls that cover both [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) (PSP) and the Kubernetes [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) (PSS), plus additional best practices.
 

@@ -3,7 +3,7 @@ module github.com/aquasecurity/trivy-checks
 go 1.23.4
 
 require (
-	github.com/aquasecurity/trivy v0.58.1-0.20250109050215-f9a6a7192722
+	github.com/aquasecurity/trivy v0.58.1-0.20250111034400-243e5a3af99e
 	github.com/aws-cloudformation/rain v1.21.0
 	github.com/hashicorp/hcl/v2 v2.23.0
 	github.com/liamg/iamgo v0.0.9
@@ -407,6 +407,3 @@ require (
 	tags.cncf.io/container-device-interface v0.8.0 // indirect
 	tags.cncf.io/container-device-interface/specs-go v0.8.0 // indirect
 )
-
-// needed until the new name is used everywhere
-replace github.com/aquasecurity/trivy-policies v0.10.0 => github.com/aquasecurity/trivy-checks v0.10.2-0.20240417031955-932169bbd75f
@@ -355,8 +355,8 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY
 github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy v0.58.1-0.20250109050215-f9a6a7192722 h1:+YTyne1Ge2I8bpbqkClvMKCdK0U1qmQySjlS3cC4ih4=
-github.com/aquasecurity/trivy v0.58.1-0.20250109050215-f9a6a7192722/go.mod h1:pDTEekX8yWaSI094UO3dTBnwI2xSZhwekFCbTSog8Jk=
+github.com/aquasecurity/trivy v0.58.1-0.20250111034400-243e5a3af99e h1:d5JKS4O/5IO7lPweDsoH3DaEe3F96mMHwK9FqZeC2WY=
+github.com/aquasecurity/trivy v0.58.1-0.20250111034400-243e5a3af99e/go.mod h1:pDTEekX8yWaSI094UO3dTBnwI2xSZhwekFCbTSog8Jk=
 github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e h1:O5j5SeCNBrXApgBTOobO06q4LMxJxIhcSGE7H6Y154E=
 github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e/go.mod h1:gS8VhlNxhraiq60BBnJw9kGtjeMspQ9E8pX24jCL4jg=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=

diff --git a/pkg/specs/compliance/aws-cis-1.2.yaml → pkg/specs/aws-cis-1.2.yaml b/pkg/specs/compliance/aws-cis-1.2.yaml → pkg/specs/aws-cis-1.2.yaml
diff --git a/pkg/specs/compliance/aws-cis-1.4.yaml → pkg/specs/aws-cis-1.4.yaml b/pkg/specs/compliance/aws-cis-1.4.yaml → pkg/specs/aws-cis-1.4.yaml
diff --git a/pkg/specs/compliance/docker-cis-1.6.0.yaml → pkg/specs/docker-cis-1.6.0.yaml b/pkg/specs/compliance/docker-cis-1.6.0.yaml → pkg/specs/docker-cis-1.6.0.yaml
diff --git a/pkg/specs/compliance/eks-cis-1.4.yaml → pkg/specs/eks-cis-1.4.yaml b/pkg/specs/compliance/eks-cis-1.4.yaml → pkg/specs/eks-cis-1.4.yaml
diff --git a/pkg/specs/compliance/k8s-cis-1.23.yaml → pkg/specs/k8s-cis-1.23.yaml b/pkg/specs/compliance/k8s-cis-1.23.yaml → pkg/specs/k8s-cis-1.23.yaml
diff --git a/pkg/specs/compliance/k8s-nsa-1.0.yaml → pkg/specs/k8s-nsa-1.0.yaml b/pkg/specs/compliance/k8s-nsa-1.0.yaml → pkg/specs/k8s-nsa-1.0.yaml
diff --git a/...pecs/compliance/k8s-pss-baseline-0.1.yaml → pkg/specs/k8s-pss-baseline-0.1.yaml b/...pecs/compliance/k8s-pss-baseline-0.1.yaml → pkg/specs/k8s-pss-baseline-0.1.yaml
diff --git a/...cs/compliance/k8s-pss-restricted-0.1.yaml → pkg/specs/k8s-pss-restricted-0.1.yaml b/...cs/compliance/k8s-pss-restricted-0.1.yaml → pkg/specs/k8s-pss-restricted-0.1.yaml
@@ -10,24 +10,40 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
-const ComplianceFolder = "compliance"
+// Loader access compliance specs
+type Loader interface {
+	GetSpecByName(name string) string
+}
+
+type specLoader struct {
+}
+
+// NewSpecLoader instansiate spec loader
+func NewSpecLoader() Loader {
+	return &specLoader{}
+}
+
+// GetSpecByName get spec name and return spec data
+func (sl specLoader) GetSpecByName(name string) string {
+	return GetSpec(name)
+}
 
 var (
-	//go:embed compliance
-	complainceFS embed.FS
+	//go:embed *.yaml
+	complianceFS embed.FS
 )
 
 var complianceSpecMap map[string]string
 
 // Load compliance specs
 func init() {
-	dir, _ := complainceFS.ReadDir(ComplianceFolder)
-	complianceSpecMap = make(map[string]string, 0)
+	dir, _ := complianceFS.ReadDir(".")
+	complianceSpecMap = make(map[string]string)
 	for _, r := range dir {
 		if !strings.Contains(r.Name(), ".yaml") {
 			continue
 		}
-		file, err := complainceFS.Open(fmt.Sprintf("%s/%s", ComplianceFolder, r.Name()))
+		file, err := complianceFS.Open(fmt.Sprintf("%s", r.Name()))
 		if err != nil {
 			panic(err)
 		}

@@ -13,14 +13,14 @@ func TestLoadSpecs(t *testing.T) {
 		specName     string
 		wantSpecPath string
 	}{
-		{name: "nsa spec", specName: "k8s-nsa-1.0", wantSpecPath: "./compliance/k8s-nsa-1.0.yaml"},
-		{name: "k8s cis bench", specName: "k8s-cis-1.23", wantSpecPath: "./compliance/k8s-cis-1.23.yaml"},
-		{name: "k8s pss baseline", specName: "k8s-pss-baseline-0.1", wantSpecPath: "./compliance/k8s-pss-baseline-0.1.yaml"},
-		{name: "k8s pss restricted", specName: "k8s-pss-restricted-0.1", wantSpecPath: "./compliance/k8s-pss-restricted-0.1.yaml"},
-		{name: "awscis1.2", specName: "aws-cis-1.2", wantSpecPath: "./compliance/aws-cis-1.2.yaml"},
-		{name: "awscis1.4", specName: "aws-cis-1.4", wantSpecPath: "./compliance/aws-cis-1.4.yaml"},
-		{name: "docker cis bench", specName: "docker-cis-1.6.0", wantSpecPath: "./compliance/docker-cis-1.6.0.yaml"},
-		{name: "awscis1.2 by filepath", specName: "@./compliance/aws-cis-1.2.yaml", wantSpecPath: "./compliance/aws-cis-1.2.yaml"},
+		{name: "nsa spec", specName: "k8s-nsa-1.0", wantSpecPath: "./k8s-nsa-1.0.yaml"},
+		{name: "k8s cis bench", specName: "k8s-cis-1.23", wantSpecPath: "./k8s-cis-1.23.yaml"},
+		{name: "k8s pss baseline", specName: "k8s-pss-baseline-0.1", wantSpecPath: "./k8s-pss-baseline-0.1.yaml"},
+		{name: "k8s pss restricted", specName: "k8s-pss-restricted-0.1", wantSpecPath: "./k8s-pss-restricted-0.1.yaml"},
+		{name: "awscis1.2", specName: "aws-cis-1.2", wantSpecPath: "./aws-cis-1.2.yaml"},
+		{name: "awscis1.4", specName: "aws-cis-1.4", wantSpecPath: "./aws-cis-1.4.yaml"},
+		{name: "docker cis bench", specName: "docker-cis-1.6.0", wantSpecPath: "./docker-cis-1.6.0.yaml"},
+		{name: "awscis1.2 by filepath", specName: "@./aws-cis-1.2.yaml", wantSpecPath: "./aws-cis-1.2.yaml"},
 		{name: "bogus spec", specName: "foobarbaz"},
 	}
 
@@ -30,7 +30,7 @@ func TestLoadSpecs(t *testing.T) {
 				wantSpecData, err := os.ReadFile(tt.wantSpecPath)
 				assert.NoError(t, err)
 				gotSpecData := GetSpec(tt.specName)
-				assert.Equal(t, gotSpecData, string(wantSpecData))
+				assert.Equal(t, string(wantSpecData), gotSpecData)
 			} else {
 				assert.Empty(t, GetSpec(tt.specName), tt.name)
 			}

diff --git a/pkg/specs/compliance/rke2-cis-1.24.yaml → pkg/specs/rke2-cis-1.24.yaml b/pkg/specs/compliance/rke2-cis-1.24.yaml → pkg/specs/rke2-cis-1.24.yaml