AVD-DS-0002 not detected against image

[candrews]

Description

Trivy's misconfiguration scanner doesn't detect "AVD-DS-0002 (HIGH): Last USER command in Dockerfile should not be 'root'" when run against images. It should detect that issue.

Desired Behavior

AVD-DS-0002 should be reported when running trivy image --scanners misconfig.

Actual Behavior

Trivy does not report AVD-DS-0002 when run against an image that runs as root.

Note that running a filesystem scan does report this finding as expected:

$ trivy filesystem --scanners misconfig .
2025-02-14T15:35:28-05:00	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-14T15:35:29-05:00	INFO	Detected config files	num=1

Dockerfile (dockerfile)

Tests: 28 (SUCCESSES: 26, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Last USER command in Dockerfile should not be 'root'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile:3
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 [ USER root
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Reproduction Steps

1. mkdir x
2. cd x
3. Create `Dockerfile` with contents:

FROM ubuntu:24.04

USER root

4. `docker build --load -t abc1341384jsdjfsdjkl3jkl .`
5. `trivy image --scanners misconfig abc1341384jsdjfsdjkl3jkl`

Target

Container Image

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

$ trivy image --scanners misconfig abc1341384jsdjfsdjkl3jkl --debug
2025-02-14T15:34:32-05:00	DEBUG	No plugins loaded
2025-02-14T15:34:32-05:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-14T15:34:32-05:00	DEBUG	Cache dir	dir="/home/candrews/.cache/trivy"
2025-02-14T15:34:32-05:00	DEBUG	Cache dir	dir="/home/candrews/.cache/trivy"
2025-02-14T15:34:32-05:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-14T15:34:32-05:00	DEBUG	Ignore statuses	statuses=[]
2025-02-14T15:34:32-05:00	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-14T15:34:32-05:00	DEBUG	[misconfig] Checks successfully loaded from disk
2025-02-14T15:34:32-05:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-02-14T15:34:32-05:00	DEBUG	Initializing scan cache...	type="fs"
2025-02-14T15:34:32-05:00	DEBUG	[image] Detected image ID	image_id="sha256:6d22438762acc30f63d552a5b2f73133849bc2a9b4598c90e4843c644c47408a"
2025-02-14T15:34:32-05:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:4b7c01ed0534d4f9be9cf97d068da1598c6c20b26cb6134fad066defdb6d541d]
2025-02-14T15:34:32-05:00	DEBUG	[image] Detected base layers	diff_ids=[]
2025-02-14T15:34:32-05:00	INFO	Detected config files	num=0
2025-02-14T15:34:32-05:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-02-14T15:34:32-05:00	DEBUG	[vex] VEX filtering is disabled

Operating System

Linux

Version

$ trivy --version
Version: 0.59.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-02-14 18:16:48.317231426 +0000 UTC
  NextUpdate: 2025-02-15 18:16:48.317231205 +0000 UTC
  DownloadedAt: 2025-02-14 20:22:49.843088266 +0000 UTC
Check Bundle:
  Digest: sha256:ac89e7d82ab5feeabc055a454066bc182f9248e96b8ecb1ca5810cd59c659800
  DownloadedAt: 2025-02-14 20:22:15.184798138 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

hi @candrews thanks for the report - this looks like a bug to me.

[simar7]

Track #8406

[nikpivkin]

Hi @candrews !

Trivy supports 2 targets when scanning images: files inside the image and image metadata. The --image-config-scanners flag should be used to scan metadata. --scanners specifies the scanners for scanning files. See the documentation for more details.

❯ trivy clean --scan-cache
2025-02-17T11:35:13+06:00	INFO	Removing scan cache...
❯ trivy i test-img --image-config-scanners misconfig -q | grep AVD-DS-0002
AVD-DS-0002 (HIGH): Last USER command in Dockerfile should not be 'root'

[simar7]

Ah that's right, I missed that. Thanks @nikpivkin