Personal-Files Request for Trivy

The Trivy scanner needs access to read the $HOME/.kube folder and the $HOME/.aws folder in order to perform the k8s, aws, and aws ami scanning features. The permissions required are read-only.

Feature documentation:

Given that credentials are held in at least .aws/credentials, we must be careful that the user is aware that these would be exposed to Trivy. I’d be in favor of a manual connection, but not an auto-connection.

Thanks @dclane :slight_smile:

AWS credentials being exposed to Trivy is listed in the documentation. I can add summaries of all scan options and features in the Snap description so users know. https://aquasecurity.github.io/trivy/v0.46/docs/target/aws/

The AWS section of the documentation states the use of AWS CLI credentials.

Trivy uses the same authentication methods as the AWS CLI to configure and authenticate your access to the AWS platform.

You will need permissions configured to read all AWS resources - we recommend using a group/role with the ReadOnlyAccess policy attached.

Kubernetes has a manual option to select your configuration using the --kubeconfig switch after specifying trivy k8s. AWS options do not. Since this code base is shared to build docker containers and binaries, adding a switch to select your configuration will need to be a feature that is approved for another release.

Changing the snapcraft.yaml file from:

plugs:
  configs:
    interface: personal-files
    read:
    - $HOME/.kube
    - $HOME/.aws

apps:
  trivy:
    command: trivy
    plugs: [home, network, network-bind, configs]

To something like:

plugs:
  aws:
    interface: personal-files
    read:
    - $HOME/.aws
  k8s:
    interface: personal-files
    read:
    - $HOME/.kube

apps:
  trivy:
    command: trivy
    plugs: [home, network, network-bind]

And adding documentation to manually connect the plugs to run k8s or aws would work as a manual connection by running:

sudo snap connect trivy:aws or sudo snap connect trivy:k8s

So, while testing, that doesn’t actually work. Classic confinement works. When attempting to plug these folders they aren’t actually available to the binary. I’m continuing to troubleshoot.

You have not added the plugs to the apps plug list… (append them after network-bind)

Thanks. :-). When testing I did that but it yielded non-functioning results. I will continue to troubleshoot.

Thanks b34rd.

This will still need votes from other @reviewers before it can be approved, and then publisher vetting from @advocacy because personal-files is a super-privileged interface.

In the meantime, can you please rename the interface references to represent the paths they’d be accessing (as outlined at the bottom of this page). You’ll want to use the names dot-aws and dot-kube instead of aws and k8s.
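
Putting the two review points together (plugs named after the paths they expose, and listed on the app so they actually attach), the snapcraft.yaml fragment would look like the following. This is an added illustration, not a snippet posted in this thread; the plug names dot-aws and dot-kube and the read-only paths come from the discussion above.

```yaml
# Each personal-files plug is named after the directory it grants read access to,
# so a user running `snap connections trivy` can tell what each one exposes.
plugs:
  dot-aws:
    interface: personal-files
    read:
    - $HOME/.aws        # holds AWS CLI credentials; read-only is all the scanner needs
  dot-kube:
    interface: personal-files
    read:
    - $HOME/.kube       # kubeconfig files, also read-only

apps:
  trivy:
    command: trivy
    # A plug only takes effect for a command if it is listed here; declaring it
    # under `plugs:` above is not enough (the point made earlier in the thread).
    plugs: [home, network, network-bind, dot-aws, dot-kube]
```

Because personal-files is super-privileged, these plugs stay disconnected until the user opts in with `sudo snap connect trivy:dot-aws` or `sudo snap connect trivy:dot-kube`, so the credential exposure dclane raised is an explicit choice rather than an automatic one.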

Renamed. Still, while testing the snap this just doesn’t work correctly. I may just remove these features from the snap version or discontinue the snap altogether.

@b34rd what is the official page for Trivy please?

@Igor https://trivy.dev

We build packages and maintain repos for binaries. Personally, I like the isolation of flatpak and snap. If all features are not possible, a slim version in snap makes sense for use within CI, homelab work, or even to run as an edge server.

I just bumped the release to 0.46.1 without these permissions. The only pieces that aren’t functional are aws pieces. Everything else works as expected. For Kubernetes you need to manually specify the path to your kubeconfig.

@b34rd Can you please dm me the official email for Trivy, I could not find it on the homepage.

There really isn’t one. It’s ok though, we are going to update to add an option to specify the credentials used for the aws option, therefore these permissions aren’t needed :slight_smile: