Status: Open
Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/misconfiguration (Issues relating to misconfiguration scanning)
Description
Discussed in #9327
Originally posted by huornlmj August 8, 2025
IDs
AVD-KSV-0013
Description
A false positive is found by Trivy in misconfiguration scanning mode.
Trivy output:
AVD-KSV-0013 (MEDIUM): Container 'planner' of Pod 'planner' should specify an image tag
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.
See https://avd.aquasec.com/misconfig/ksv013
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
artefacts/deploy/manifest.yaml:201-232
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
201 ┌ - name: planner
202 │ image: 127.0.0.1:5000/planner:0.4.0
203 │ ports:
204 │ - containerPort: 33333
205 │ imagePullPolicy: Always
206 │ args: [ "-config", "/config/defaults.json", "-v", "2" ]
207 │ securityContext:
208 │ capabilities:
209 └ drop: [ 'ALL' ]
Reproduction Steps
1. Scan https://github.com/intel/intent-driven-orchestration/blob/9f37fe0552245f1c8b41285aed61696c3b375ceb/artefacts/deploy/manifest.yaml#L202
2. Observe that a pinned version is used.
3. Observe the false positive result from Trivy.
Target
Kubernetes
Scanner
Misconfiguration
Target OS
N/A
Debug Output
$ trivy config . -d
2025-08-08T14:43:07+01:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-08-08T14:43:07+01:00 DEBUG Cache dir dir="/home/user/.cache/trivy"
2025-08-08T14:43:07+01:00 DEBUG Cache dir dir="/home/user/.cache/trivy"
2025-08-08T14:43:07+01:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-08-08T14:43:07+01:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-08-08T14:43:07+01:00 DEBUG [notification] Running version check
2025-08-08T14:43:07+01:00 DEBUG [misconfig] Checks successfully loaded from disk
2025-08-08T14:43:07+01:00 DEBUG [notification] Version check completed latest_version="0.65.0"
2025-08-08T14:43:07+01:00 DEBUG [rego] Overriding filesystem for checks
2025-08-08T14:43:07+01:00 DEBUG [rego] Embedded libraries are loaded count=17
2025-08-08T14:43:08+01:00 DEBUG [rego] Embedded checks are loaded count=519
2025-08-08T14:43:08+01:00 DEBUG [rego] Checks from disk are loaded count=536
2025-08-08T14:43:08+01:00 DEBUG [rego] Overriding filesystem for data
2025-08-08T14:43:08+01:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-08-08T14:43:08+01:00 DEBUG Initializing scan cache... type="memory"
2025-08-08T14:43:08+01:00 DEBUG [fs] Analyzing... root="."
2025-08-08T14:43:08+01:00 DEBUG [fs] Using the latest commit hash for calculating cache key commit_hash="9f37fe0552245f1c8b41285aed61696c3b375ceb"
2025-08-08T14:43:08+01:00 DEBUG Skipping path path=".git"
2025-08-08T14:43:08+01:00 DEBUG [misconfig] Scanning files for misconfigurations... scanner="Kubernetes"
2025-08-08T14:43:08+01:00 DEBUG [kubernetes scanner] Scanning files... count=31
2025-08-08T14:43:08+01:00 DEBUG [rego] Scanning inputs count=31
2025-08-08T14:43:09+01:00 DEBUG [misconfig] Scanning files for misconfigurations... scanner="Dockerfile"
2025-08-08T14:43:09+01:00 DEBUG [dockerfile scanner] Scanning files... count=5
2025-08-08T14:43:09+01:00 DEBUG [rego] Scanning inputs count=5
2025-08-08T14:43:09+01:00 DEBUG [misconfig] Scanning files for misconfigurations... scanner="Helm"
2025-08-08T14:43:09+01:00 DEBUG OS is not detected.
2025-08-08T14:43:09+01:00 INFO Detected config files num=14
2025-08-08T14:43:09+01:00 DEBUG Scanned config file file_path="Dockerfile"
2025-08-08T14:43:09+01:00 DEBUG Scanned config file file_path="plugins/scale_out/scaleout-actuator-plugin.yaml"
2025-08-08T14:43:09+01:00 DEBUG Scanned config file file_path="plugins/scale_out/Dockerfile"
2025-08-08T14:43:09+01:00 DEBUG Scanned config file file_path="plugins/cpu_scale/Dockerfile"
2025-08-08T14:43:09+01:00 DEBUG Scanned config file file_path="plugins/cpu_scale/cpu-scale-actuator-plugin.yaml"
2025-08-08T14:43:09+01:00 DEBUG Scanned config file file_path="plugins/rdt/Dockerfile"
2025-08-08T14:43:09+01:00 DEBUG Scanned config file file_path="plugins/rdt/rdt-actuator-plugin.yaml"
2025-08-08T14:43:09+01:00 DEBUG Scanned config file file_path="plugins/rm_pod/Dockerfile"
2025-08-08T14:43:09+01:00 DEBUG Scanned config file file_path="plugins/rm_pod/rmpod-actuator-plugin.yaml"
2025-08-08T14:43:09+01:00 DEBUG Scanned config file file_path="artefacts/deploy/manifest.yaml"
2025-08-08T14:43:09+01:00 DEBUG Scanned config file file_path="artefacts/examples/default_profiles.yaml"
2025-08-08T14:43:09+01:00 DEBUG Scanned config file file_path="artefacts/examples/example_deployment.yaml"
2025-08-08T14:43:09+01:00 DEBUG Scanned config file file_path="artefacts/examples/example_intent.yaml"
2025-08-08T14:43:09+01:00 DEBUG Scanned config file file_path="artefacts/intents_crds_v1alpha1.yaml"
2025-08-08T14:43:09+01:00 DEBUG Specified ignore file does not exist file=".trivyignore"
2025-08-08T14:43:09+01:00 DEBUG [vex] VEX filtering is disabled
Report Summary
SNIP
artefacts/deploy/manifest.yaml (kubernetes)
Tests: 120 (SUCCESSES: 112, FAILURES: 8)
Failures: 8 (UNKNOWN: 0, LOW: 2, MEDIUM: 4, HIGH: 2, CRITICAL: 0)
AVD-KSV-0013 (MEDIUM): Container 'planner' of Pod 'planner' should specify an image tag
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.
See https://avd.aquasec.com/misconfig/ksv013
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
artefacts/deploy/manifest.yaml:201-232
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
201 ┌ - name: planner
202 │ image: 127.0.0.1:5000/planner:0.3.0
203 │ ports:
204 │ - containerPort: 33333
205 │ imagePullPolicy: Always
206 │ args: [ "-config", "/config/defaults.json", "-v", "2" ]
207 │ securityContext:
208 │ capabilities:
209 └ drop: [ 'ALL' ]
...
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
SNIP
Version
$ trivy --version
Version: 0.64.1
Vulnerability DB:
Version: 2
UpdatedAt: 2025-08-07 06:28:58.287270346 +0000 UTC
NextUpdate: 2025-08-08 06:28:58.287270005 +0000 UTC
DownloadedAt: 2025-08-07 09:51:54.845313477 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2024-11-06 03:52:35.137443806 +0000 UTC
NextUpdate: 2024-11-09 03:52:35.137443696 +0000 UTC
DownloadedAt: 2024-11-06 12:34:58.556721347 +0000 UTC
Check Bundle:
Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
DownloadedAt: 2025-08-08 11:23:24.612747178 +0000 UTC
Checklist
- Read the documentation regarding wrong detection
- Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct
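The image reference in this report, 127.0.0.1:5000/planner:0.4.0, contains two colons: one in the registry host (the port) and one before the tag. Whether a check like KSV-0013 reports "no tag" on such a reference comes down to how it locates the tag. The following is an added example, not Trivy's own check (which is written in Rego) and not code from the issue author: a small Go parser that splits a reference into registry, path, tag and digest using the Docker/OCI rules, and an IsPinned decision built on it. NaiveTag, ValidTag and the sample references are constructed here for contrast and are assumptions, not anything the issue shows.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ImageRef holds the parts of a container image reference.
type ImageRef struct {
	Registry string // e.g. "127.0.0.1:5000"; empty when no registry host is given
	Path     string // repository path, e.g. "planner" or "team/app"
	Tag      string // e.g. "0.4.0"; empty means the implicit ":latest"
	Digest   string // e.g. "sha256:..." when the reference is digest-pinned
}

// tagPattern is the OCI tag grammar: up to 128 characters of [A-Za-z0-9_.-],
// starting with a letter, digit or underscore.
var tagPattern = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$`)

// ValidTag reports whether s is syntactically a valid image tag.
func ValidTag(s string) bool { return tagPattern.MatchString(s) }

// ParseImageRef splits ref into registry, path, tag and digest.
// A colon in the first path component (as in "127.0.0.1:5000") is a
// registry port, not a tag separator; the tag is only looked for in the
// last path component, after any "@digest" suffix has been removed.
func ParseImageRef(ref string) ImageRef {
	var out ImageRef

	// "@" introduces a digest; it can never appear in a tag or path.
	if i := strings.Index(ref, "@"); i >= 0 {
		out.Digest = ref[i+1:]
		ref = ref[:i]
	}

	// Docker's rule: the first component is a registry host only if it
	// contains a '.' or ':' or is exactly "localhost"; otherwise the whole
	// string is a repository path on the default registry.
	rest := ref
	if i := strings.Index(ref, "/"); i >= 0 {
		first := ref[:i]
		if strings.ContainsAny(first, ".:") || first == "localhost" {
			out.Registry = first
			rest = ref[i+1:]
		}
	}

	// Only the last path component may carry ":tag".
	prefix, last := "", rest
	if i := strings.LastIndex(rest, "/"); i >= 0 {
		prefix, last = rest[:i+1], rest[i+1:]
	}
	if i := strings.Index(last, ":"); i >= 0 {
		out.Tag, last = last[i+1:], last[:i]
	}
	out.Path = prefix + last
	return out
}

// IsPinned reports whether ref pins a version: a digest, or an explicit,
// valid tag other than "latest". No tag means the implicit ":latest".
func IsPinned(ref string) bool {
	r := ParseImageRef(ref)
	if r.Digest != "" {
		return true
	}
	return r.Tag != "" && r.Tag != "latest" && ValidTag(r.Tag)
}

// NaiveTag is a deliberately simplistic extractor kept only for contrast
// (it is not Trivy's check): it treats everything after the first ':' as
// the tag, so a registry port swallows the rest of the reference and the
// result never passes ValidTag.
func NaiveTag(ref string) string {
	if i := strings.Index(ref, ":"); i >= 0 {
		return ref[i+1:]
	}
	return ""
}

func main() {
	// Constructed sample references, including the one from this report.
	for _, ref := range []string{
		"127.0.0.1:5000/planner:0.4.0",
		"127.0.0.1:5000/planner",
		"nginx",
		"nginx:latest",
		"registry.example.com:443/team/app:1.2.3",
		"ghcr.io/org/app@sha256:0000000000000000000000000000000000000000000000000000000000000000",
	} {
		r := ParseImageRef(ref)
		fmt.Printf("%s\n  registry=%q path=%q tag=%q hasDigest=%v pinned=%v naiveTag=%q\n",
			ref, r.Registry, r.Path, r.Tag, r.Digest != "", IsPinned(ref), NaiveTag(ref))
	}
}
```

Run with go run; the planner reference parses to registry "127.0.0.1:5000", path "planner", tag "0.4.0" and counts as pinned, while the same reference without a tag, or with ":latest", does not. Note that a tag is still mutable on the registry side; a digest reference (the "@sha256:..." form) is the only immutable pin, which is why IsPinned accepts it unconditionally.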