fjogeleit/trivy-operator-polr-adapter

Question: mapping result from Vulnerability- & ConfigAudit-Reports

sudoleg opened this issue · 2 comments

Hey, I don't quite understand how the result (pass, skip, warn, error, or fail) is mapped from Vulnerability- & ConfigAudit-Reports.

Based on my observations, I guess that for VulnerabilityReports, if a CVE has a critical/high score, the result is fail. For low to medium scores it's warn.
And for ConfigAuditReport it's always fail if a resource doesn't pass the evaluation.

Is my understanding correct? Otherwise I would be very happy if someone could provide a brief explanation :)

Hey,

Correct, in the case of VulnerabilityReports the result mapping is resolved by severity:

https://github.com/fjogeleit/trivy-operator-polr-adapter/blob/main/pkg/adapters/shared/severity.go#L24

In the case of ConfigAuditReports it's based on the "success" flag:

Success: false => fail Result
Success: true => pass Result

OK, I understand. Thank you :)