incorrect reference ID in trivy k8s --compliance k8s-cis-1.23 --report summary #9656

sfozz · 2025-10-14T00:10:04Z

sfozz
Oct 14, 2025

Description

The reference IDs in the the summary report don't align with the same IDs in the CIS Benchmark. Looking at the output report the 5.6 group of references in the benchmark are reported as 5.7 in the trivy report

Desired Behavior

The last few items in the report should cross reference correctly with the benchmark

│ 5.4.2  │  MEDIUM  │ Consider external secret storage (Manual)                                                                       │   -    │   -    │
│ 5.5.1  │  MEDIUM  │ Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)                               │   -    │   -    │
│ 5.6.1  │  MEDIUM  │ Create administrative boundaries between resources using namespaces (Manual)                                    │   -    │   -    │
│ 5.6.2  │  MEDIUM  │ Ensure that the seccomp profile is set to docker/default in your pod definitions                                │  FAIL  │  182   │
│ 5.6.3  │   HIGH   │ Apply Security Context to Your Pods and Containers                                                              │  FAIL  │  744   │
│ 5.6.4  │  MEDIUM  │ The default namespace should not be used                                                                        │  PASS  │   0    │
└────────┴──────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴────────┘

Actual Behavior

The appear like the following in the report

│ 5.5.1  │  MEDIUM  │ Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)                               │   -    │   -    │
│ 5.7.1  │  MEDIUM  │ Create administrative boundaries between resources using namespaces (Manual)                                    │   -    │   -    │
│ 5.7.2  │  MEDIUM  │ Ensure that the seccomp profile is set to docker/default in your pod definitions                                │  FAIL  │  182   │
│ 5.7.3  │   HIGH   │ Apply Security Context to Your Pods and Containers                                                              │  FAIL  │  744   │
│ 5.7.4  │  MEDIUM  │ The default namespace should not be used                                                                        │  PASS  │   0    │
└────────┴──────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴────────┘

Reproduction Steps

Run trivy: trivy k8s --compliance k8s-cis-1.23 --report summary

Target

Kubernetes

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Debug Output

trivy k8s --compliance k8s-cis-1.23 --report summary --debug
2025-10-14T13:04:57+13:00       DEBUG   No plugins loaded
2025-10-14T13:04:57+13:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-14T13:04:57+13:00       DEBUG   Cache dir       dir="/home/XXXX/.cache/trivy"
2025-10-14T13:04:57+13:00       DEBUG   Cache dir       dir="/home/XXXX/.cache/trivy"
2025-10-14T13:04:57+13:00       DEBUG   Compliance spec loaded from disk bundle spec="k8s-cis-1.23"
2025-10-14T13:04:57+13:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-14T13:04:57+13:00       DEBUG   Ignore statuses statuses=[]
2025-10-14T13:05:26+13:00       WARN    Unable to parse container       error="unable to parse digest \"\" for \"XXXXXXXXXX.dkr.ecr.ap-southeast-2.amazonaws.com/amazon-k8s-cni:XXXXX\""
2025-10-14T13:06:07+13:00       INFO    Node scanning is enabled
2025-10-14T13:06:07+13:00       INFO    If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2025-10-14T13:06:07+13:00       INFO    Scanning K8s... K8s="XXXXXXX"
2025-10-14T13:06:07+13:00       DEBUG   [notification] Running version check
2025-10-14T13:06:08+13:00       DEBUG   [notification] Version check completed  latest_version="0.67.2"

Summary Report for compliance: CIS Kubernetes Benchmarks v1.23
┌────────┬──────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────┬────────┐
│   ID   │ Severity │                                                  Control Name                                                   │ Status │ Issues │
├────────┼──────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼────────┤
│ 1.1.1  │   HIGH   │ Ensure that the API server pod specification file permissions are set to 600 or more restrictive                │  PASS  │   0    │
│ 1.1.2  │   HIGH   │ Ensure that the API server pod specification file ownership is set to root:root                                 │  PASS  │   0    │
│ 1.1.3  │   HIGH   │ Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive        │  PASS  │   0    │
│ 1.1.4  │   HIGH   │ Ensure that the controller manager pod specification file ownership is set to root:root                         │  PASS  │   0    │
│ 1.1.5  │   HIGH   │ Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive                 │  PASS  │   0    │
│ 1.1.6  │   HIGH   │ Ensure that the scheduler pod specification file ownership is set to root:root                                  │  PASS  │   0    │
│ 1.1.7  │   HIGH   │ Ensure that the etcd pod specification file permissions are set to 600 or more restrictive                      │  PASS  │   0    │
│ 1.1.8  │   HIGH   │ Ensure that the etcd pod specification file ownership is set to root:root                                       │  PASS  │   0    │
│ 1.1.9  │   HIGH   │ Ensure that the Container Network Interface file permissions are set to 600 or more restrictive                 │  PASS  │   0    │
│ 1.1.10 │   HIGH   │ Ensure that the Container Network Interface file ownership is set to root:root                                  │  PASS  │   0    │
│ 1.1.11 │   HIGH   │ Ensure that the etcd data directory permissions are set to 700 or more restrictive                              │  PASS  │   0    │
│ 1.1.12 │   LOW    │ Ensure that the etcd data directory ownership is set to etcd:etcd                                               │  PASS  │   0    │
│ 1.1.13 │ CRITICAL │ Ensure that the admin.conf file permissions are set to 600                                                      │  PASS  │   0    │
│ 1.1.14 │ CRITICAL │ Ensure that the admin.conf file ownership is set to root:root                                                   │  PASS  │   0    │
│ 1.1.15 │   HIGH   │ Ensure that the scheduler.conf file permissions are set to 600 or more restrictive                              │  PASS  │   0    │
│ 1.1.16 │   HIGH   │ Ensure that the scheduler.conf file ownership is set to root:root                                               │  PASS  │   0    │
│ 1.1.17 │   HIGH   │ Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive                     │  PASS  │   0    │
│ 1.1.18 │   HIGH   │ Ensure that the controller-manager.conf file ownership is set to root:root                                      │  PASS  │   0    │
│ 1.1.19 │ CRITICAL │ Ensure that the Kubernetes PKI directory and file ownership is set to root:root                                 │  PASS  │   0    │
│ 1.1.20 │ CRITICAL │ Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive                  │  PASS  │   0    │
│ 1.1.21 │ CRITICAL │ Ensure that the Kubernetes PKI key file permissions are set to 600                                              │  PASS  │   0    │
│ 1.2.1  │  MEDIUM  │ Ensure that the --anonymous-auth argument is set to false                                                       │  PASS  │   0    │
│ 1.2.2  │   LOW    │ Ensure that the --token-auth-file parameter is not set                                                          │  PASS  │   0    │
│ 1.2.3  │   LOW    │ Ensure that the --DenyServiceExternalIPs is not set                                                             │  PASS  │   0    │
│ 1.2.4  │   LOW    │ Ensure that the --kubelet-https argument is set to true                                                         │  PASS  │   0    │
│ 1.2.5  │   HIGH   │ Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate          │  PASS  │   0    │
│ 1.2.6  │   HIGH   │ Ensure that the --kubelet-certificate-authority argument is set as appropriate                                  │  PASS  │   0    │
│ 1.2.7  │   LOW    │ Ensure that the --authorization-mode argument is not set to AlwaysAllow                                         │  PASS  │   0    │
│ 1.2.8  │   HIGH   │ Ensure that the --authorization-mode argument includes Node                                                     │  PASS  │   0    │
│ 1.2.9  │   HIGH   │ Ensure that the --authorization-mode argument includes RBAC                                                     │  PASS  │   0    │
│ 1.2.10 │   HIGH   │ Ensure that the admission control plugin EventRateLimit is set                                                  │  PASS  │   0    │
│ 1.2.11 │   LOW    │ Ensure that the admission control plugin AlwaysAdmit is not set                                                 │  PASS  │   0    │
│ 1.2.12 │  MEDIUM  │ Ensure that the admission control plugin AlwaysPullImages is set                                                │  PASS  │   0    │
│ 1.2.13 │  MEDIUM  │ Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used            │  PASS  │   0    │
│ 1.2.14 │   LOW    │ Ensure that the admission control plugin ServiceAccount is set                                                  │  PASS  │   0    │
│ 1.2.15 │   LOW    │ Ensure that the admission control plugin NamespaceLifecycle is set                                              │  PASS  │   0    │
│ 1.2.16 │   LOW    │ Ensure that the admission control plugin NodeRestriction is set                                                 │  PASS  │   0    │
│ 1.2.17 │   HIGH   │ Ensure that the --secure-port argument is not set to 0                                                          │  PASS  │   0    │
│ 1.2.18 │   LOW    │ Ensure that the --profiling argument is set to false                                                            │  PASS  │   0    │
│ 1.2.19 │   LOW    │ Ensure that the --audit-log-path argument is set                                                                │  PASS  │   0    │
│ 1.2.20 │   LOW    │ Ensure that the --audit-log-maxage argument is set to 30 or as appropriate                                      │  PASS  │   0    │
│ 1.2.21 │   LOW    │ Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate                                   │  PASS  │   0    │
│ 1.2.22 │   LOW    │ Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate                                    │  PASS  │   0    │
│ 1.2.24 │   LOW    │ Ensure that the --service-account-lookup argument is set to true                                                │  PASS  │   0    │
│ 1.2.25 │   LOW    │ Ensure that the --service-account-key-file argument is set as appropriate                                       │  PASS  │   0    │
│ 1.2.26 │   LOW    │ Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate                             │  PASS  │   0    │
│ 1.2.27 │  MEDIUM  │ Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate                     │  PASS  │   0    │
│ 1.2.28 │   LOW    │ Ensure that the --client-ca-file argument is set appropriate                                                    │  PASS  │   0    │
│ 1.2.29 │   LOW    │ Ensure that the --etcd-cafile argument is set as appropriate                                                    │  PASS  │   0    │
│ 1.2.30 │   LOW    │ Ensure that the --encryption-provider-config argument is set as appropriate                                     │  PASS  │   0    │
│ 1.3.1  │  MEDIUM  │ Ensure that the --terminated-pod-gc-threshold argument is set as appropriate                                    │  PASS  │   0    │
│ 1.3.3  │  MEDIUM  │ Ensure that the --use-service-account-credentials argument is set to true                                       │  PASS  │   0    │
│ 1.3.4  │  MEDIUM  │ Ensure that the --service-account-private-key-file argument is set as appropriate                               │  PASS  │   0    │
│ 1.3.5  │  MEDIUM  │ Ensure that the --root-ca-file argument is set as appropriate                                                   │  PASS  │   0    │
│ 1.3.6  │  MEDIUM  │ Ensure that the RotateKubeletServerCertificate argument is set to true                                          │  PASS  │   0    │
│ 1.3.7  │   LOW    │ Ensure that the --bind-address argument is set to 127.0.0.1                                                     │  PASS  │   0    │
│ 1.4.1  │  MEDIUM  │ Ensure that the --profiling argument is set to false                                                            │  PASS  │   0    │
│ 1.4.2  │ CRITICAL │ Ensure that the --bind-address argument is set to 127.0.0.1                                                     │  PASS  │   0    │
│ 2.1    │  MEDIUM  │ Ensure that the --cert-file and --key-file arguments are set as appropriate                                     │  PASS  │   0    │
│ 2.2    │ CRITICAL │ Ensure that the --client-cert-auth argument is set to true                                                      │  PASS  │   0    │
│ 2.3    │ CRITICAL │ Ensure that the --auto-tls argument is not set to true                                                          │  PASS  │   0    │
│ 2.4    │ CRITICAL │ Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate                           │  PASS  │   0    │
│ 2.5    │ CRITICAL │ Ensure that the --peer-client-cert-auth argument is set to true                                                 │  PASS  │   0    │
│ 2.6    │   HIGH   │ Ensure that the --peer-auto-tls argument is not set to true                                                     │  PASS  │   0    │
│ 3.1.1  │   HIGH   │ Client certificate authentication should not be used for users (Manual)                                         │   -    │   -    │
│ 3.2.1  │   HIGH   │ Ensure that a minimal audit policy is created (Manual)                                                          │   -    │   -    │
│ 3.2.2  │   HIGH   │ Ensure that the audit policy covers key security concerns (Manual)                                              │   -    │   -    │
│ 4.1.1  │   HIGH   │ Ensure that the kubelet service file permissions are set to 600 or more restrictive                             │  FAIL  │   4    │
│ 4.1.2  │   HIGH   │ Ensure that the kubelet service file ownership is set to root:root                                              │  PASS  │   0    │
│ 4.1.3  │   HIGH   │ If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive                           │  PASS  │   0    │
│ 4.1.4  │   HIGH   │ If proxy kubeconfig file exists ensure ownership is set to root:root                                            │  PASS  │   0    │
│ 4.1.5  │   HIGH   │ Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive                   │  FAIL  │   4    │
│ 4.1.6  │   HIGH   │ Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root                                    │  PASS  │   0    │
│ 4.1.7  │ CRITICAL │ Ensure that the certificate authorities file permissions are set to 600 or more restrictive                     │  PASS  │   0    │
│ 4.1.8  │ CRITICAL │ Ensure that the client certificate authorities file ownership is set to root:root                               │  PASS  │   0    │
│ 4.1.9  │   HIGH   │ If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive │  FAIL  │   4    │
│ 4.1.10 │   HIGH   │ If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root         │  PASS  │   0    │
│ 4.2.1  │ CRITICAL │ Ensure that the --anonymous-auth argument is set to false                                                       │  PASS  │   0    │
│ 4.2.2  │ CRITICAL │ Ensure that the --authorization-mode argument is not set to AlwaysAllow                                         │  PASS  │   0    │
│ 4.2.3  │ CRITICAL │ Ensure that the --client-ca-file argument is set as appropriate                                                 │  PASS  │   0    │
│ 4.2.4  │   HIGH   │ Verify that the --read-only-port argument is set to 0                                                           │  PASS  │   0    │
│ 4.2.5  │   HIGH   │ Ensure that the --streaming-connection-idle-timeout argument is not set to 0                                    │  PASS  │   0    │
│ 4.2.6  │   HIGH   │ Ensure that the --protect-kernel-defaults argument is set to true                                               │  PASS  │   0    │
│ 4.2.7  │   HIGH   │ Ensure that the --make-iptables-util-chains argument is set to true                                             │  PASS  │   0    │
│ 4.2.8  │   HIGH   │ Ensure that the --hostname-override argument is not set                                                         │  FAIL  │   4    │
│ 4.2.9  │   HIGH   │ Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture             │  PASS  │   0    │
│ 4.2.10 │ CRITICAL │ Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate                     │  PASS  │   0    │
│ 4.2.11 │ CRITICAL │ Ensure that the --rotate-certificates argument is not set to false                                              │  PASS  │   0    │
│ 4.2.12 │ CRITICAL │ Verify that the RotateKubeletServerCertificate argument is set to true                                          │  PASS  │   0    │
│ 4.2.13 │ CRITICAL │ Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers                                          │  PASS  │   0    │
│ 5.1.1  │   HIGH   │ Ensure that the cluster-admin role is only used where required                                                  │  FAIL  │   2    │
│ 5.1.2  │   HIGH   │ Minimize access to secrets                                                                                      │  FAIL  │   28   │
│ 5.1.3  │   HIGH   │ Minimize wildcard use in Roles and ClusterRoles                                                                 │  FAIL  │   32   │
│ 5.1.6  │   HIGH   │ Ensure that Service Account Tokens are only mounted where necessary                                             │  PASS  │   0    │
│ 5.1.8  │   HIGH   │ Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster                           │  PASS  │   0    │
│ 5.2.2  │   HIGH   │ Minimize the admission of privileged containers                                                                 │  FAIL  │   3    │
│ 5.2.3  │   HIGH   │ Minimize the admission of containers wishing to share the host process ID namespace                             │  PASS  │   0    │
│ 5.2.4  │   HIGH   │ Minimize the admission of containers wishing to share the host IPC namespace                                    │  PASS  │   0    │
│ 5.2.5  │   HIGH   │ Minimize the admission of containers wishing to share the host network namespace                                │  FAIL  │   4    │
│ 5.2.6  │   HIGH   │ Minimize the admission of containers with allowPrivilegeEscalation                                              │  FAIL  │  175   │
│ 5.2.7  │  MEDIUM  │ Minimize the admission of root containers                                                                       │  FAIL  │   70   │
│ 5.2.8  │  MEDIUM  │ Minimize the admission of containers with the NET_RAW capability                                                │  FAIL  │   3    │
│ 5.2.9  │   LOW    │ Minimize the admission of containers with added capabilities                                                    │  FAIL  │   70   │
│ 5.2.10 │   LOW    │ Minimize the admission of containers with capabilities assigned                                                 │  FAIL  │   70   │
│ 5.2.11 │  MEDIUM  │ Minimize the admission of containers with capabilities assigned                                                 │  PASS  │   0    │
│ 5.2.12 │  MEDIUM  │ Minimize the admission of HostPath volumes                                                                      │  FAIL  │   4    │
│ 5.2.13 │  MEDIUM  │ Minimize the admission of containers which use HostPorts                                                        │  FAIL  │   3    │
│ 5.3.1  │  MEDIUM  │ Ensure that the CNI in use supports Network Policies (Manual)                                                   │   -    │   -    │
│ 5.3.2  │  MEDIUM  │ Ensure that all Namespaces have Network Policies defined                                                        │  PASS  │   0    │
│ 5.4.1  │  MEDIUM  │ Prefer using secrets as files over secrets as environment variables (Manual)                                    │   -    │   -    │
│ 5.4.2  │  MEDIUM  │ Consider external secret storage (Manual)                                                                       │   -    │   -    │
│ 5.5.1  │  MEDIUM  │ Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)                               │   -    │   -    │
│ 5.7.1  │  MEDIUM  │ Create administrative boundaries between resources using namespaces (Manual)                                    │   -    │   -    │
│ 5.7.2  │  MEDIUM  │ Ensure that the seccomp profile is set to docker/default in your pod definitions                                │  FAIL  │  182   │
│ 5.7.3  │   HIGH   │ Apply Security Context to Your Pods and Containers                                                              │  FAIL  │  744   │
│ 5.7.4  │  MEDIUM  │ The default namespace should not be used                                                                        │  PASS  │   0    │
└────────┴──────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴────────┘
2025-10-14T13:06:19+13:00       DEBUG   Cleaning up temp directory      path="/tmp/trivy-388530"

Operating System

Debian GNU/Linux 13 (trixie)

Version

Version: 0.67.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-10-02 00:34:27.440745569 +0000 UTC
  NextUpdate: 2025-10-03 00:34:27.440745299 +0000 UTC
  DownloadedAt: 2025-10-02 01:17:20.053031627 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-10-17 02:39:07.073868225 +0000 UTC
  NextUpdate: 2024-10-20 02:39:07.073868075 +0000 UTC
  DownloadedAt: 2024-10-17 10:20:57.015912195 +0000 UTC
Check Bundle:
  Digest: sha256:0491169789b867ae5a7353381220c1d4d97b3a0d6d9dfd84a25d06f0ba68aa93
  DownloadedAt: 2025-10-13 22:28:09.398415315 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

simar7 · 2025-10-14T10:31:52Z

simar7
Oct 14, 2025
Maintainer

@afdesk could you take a look? We might have to update the IDs.

1 reply

afdesk Oct 14, 2025
Maintainer

sure, I'll take a look

afdesk · 2025-10-16T07:21:51Z

afdesk
Oct 16, 2025
Maintainer

@sfozz thanks for the report!
I took a look at the CIS Kubernetes V1.23 Benchmark v1.0.1, and at first glance the current IDs are correct:

where did you get this list?

│ 5.4.2  │  MEDIUM  │ Consider external secret storage (Manual)                                                                       │   -    │   -    │
│ 5.5.1  │  MEDIUM  │ Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)                               │   -    │   -    │
│ 5.6.1  │  MEDIUM  │ Create administrative boundaries between resources using namespaces (Manual)                                    │   -    │   -    │
│ 5.6.2  │  MEDIUM  │ Ensure that the seccomp profile is set to docker/default in your pod definitions                                │  FAIL  │  182   │
│ 5.6.3  │   HIGH   │ Apply Security Context to Your Pods and Containers                                                              │  FAIL  │  744   │
│ 5.6.4  │  MEDIUM  │ The default namespace should not be used                                                                        │  PASS  │   0    │
└────────┴──────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴────────┘

maybe I missed something. thanks

0 replies

sfozz · 2025-10-16T08:52:35Z

sfozz
Oct 16, 2025
Author

Yeah so in your screen shot of the browser the ID matches with the one that I shared, but that doesn't match with the PDF of that benchmark or the one on browser from IBM (The screenshot that I shared)

Interesting that your trivy output is correct to the ID from the PDF from CIS CAT, and the screen shot that I shared.

I wonder if there are some sources that are off by one and some that are not???

Where do the IDs that trivy outputs coming from, and what is the point of truth?

6 replies

afdesk Oct 16, 2025
Maintainer

I found it https://cloud.ibm.com/docs/containers?topic=containers-cis-benchmark-123#cis-section-5-123

afdesk Oct 16, 2025
Maintainer

i think this benchmark (https://cloud.ibm.com/docs/containers?topic=containers-cis-benchmark-123) is a specific for IBM Cloud® Kubernetes Service clusters.

WDYT?

sfozz Oct 16, 2025
Author

it wasn't my trivy output, it was a list from your message

You have the desired and observed conflated there... the IDs should be in the 5.6 range and not 5.7... at least for the ones that I have highlighted.

oh, it seems I understood. you got the benchmark from IBM. ~~Unfortunatelly, I have no access there.~~

Originally I got the IDs form the CIS benchmark document. I'm not going to hared that document directly as it's potentially against the terms of use. I was sharing the content from IBM's site as it is publicly available and another source for me to validate.

as you can see in the docs (https://trivy.dev/latest/docs/target/kubernetes/#compliance), trivy supports CIS Benchmark for Kubernetes v1.23 my screenshot is made from the CIS workbench https://workbench.cisecurity.org/benchmarks/8973

and I believe that recommendation The default namespace should not be used should have ID 5.7.4, shouldn't it?

No, in the source PDF from CIS the IDs that I have highlighted as in correct should be 5.6 rather than 5.7

It looks like the workbench is also showing the wrong ID (ie 5.7). Is it not strange that 5.6 is missing in the workbench?

Here is a screen shot of the downloadable benchmark from CIS

afdesk Oct 16, 2025
Maintainer

your screen shot looks like CIS Kubernetes Benchmark v1.11.1: https://workbench.cisecurity.org/benchmarks/21709

sfozz Oct 16, 2025
Author

Good point!

I've created an account in the CIS Workbench and can confirm that you are correct that the IDs match between the benchmark and the output from Trivy.

I'm going to see if I can find out when and why the IDs have changed between the benchmark versions... It makes my skin crawl that the IDs jump from 5.5 to 5.7 without even a placeholder to say that 5.6 is no longer in use.

Thanks for you assistance and patience!

sfozz · 2025-10-16T08:56:07Z

sfozz
Oct 16, 2025
Author

0 replies

sfozz · 2025-10-16T19:40:56Z

sfozz
Oct 16, 2025
Author

I think I've figured where the confusion comes from.

CIS Kubernetes Benchmark v1.11.1 was published Apr 28th 2025 where as CIS Kubernetes V1.23 Benchmark v1.0.1 was published May 26th 2022

I think that historically there were versions of the benchmark that were created to match the k8s version. and looking at the intended audience in v1.11.1 it states that it is for k8s v1.29 to v1.32. But in v1.23 v1.0.1 it is specifically for k8s v1.23.

And there is a ticket for this in the CIS Workbench

5 replies

afdesk Oct 17, 2025
Maintainer

if the descriptions are right:

CIS Kubernetes Benchmark v1.11.1 provides prescriptive guidance for establishing a secure configuration posture for Kubernetes v1.29 - v1.32.
CIS Kubernetes V1.23 Benchmark v1.0.1 provides the same for Kubernetes V1.23.

And there is a ticket for this in the CIS Workbench

This ticked was closed for CIS-1.11 to fix the section numbering

sfozz Oct 21, 2025
Author

So my question now is: is the compliance benchmark that is in use in trivy using the correct version of the CIS Kubernetes benchmark?

afdesk Oct 22, 2025
Maintainer

Trivy contains checks based on CIS Kubernetes V1.23 Benchmark

sfozz Oct 22, 2025
Author

That doesn't answer my question... what would the process be for getting the benchmark changed from the version of the CIS Benchmark that targets the kubernetes v1.23, with a version of the CIS Kubernetes benchmark that targets versions v.129 -> v1.32 E.G. from using CIS Kubernetes v1.23 - v1.0.1 changed to CIS kubernetes v1.11.1?

These reason for this request is that kubernetes 1.23 is no longer supported, since the last 2y 10m - https://endoflife.date/kubernetes

afdesk Oct 22, 2025
Maintainer

Now Trivy support next built-in compliances:
- k8s-nsa-1.0
- k8s-cis-1.23
- eks-cis-1.4
- rke2-cis-1.24
- k8s-pss-baseline-0.1
- k8s-pss-restricted-0.1

i realize that some of them are deprecated now, but you can expand it by Custom Compliance https://trivy.dev/latest/docs/compliance/contrib-compliance/
we welcome new contributors!

so, your question looks like a new feature request, right?
if you create a new discuss with such subject, let's wait for a community opinion.

another option, you can use https://github.com/aquasecurity/kube-bench/ to check your clusters, it already has the benchmarks for modern k8s.

also, you can request Aqua's commercial product here https://trivy.dev/latest/commercial/compare/#kubernetes-scanning
it has much more features for k8s and high priority support.

incorrect reference ID in trivy k8s --compliance k8s-cis-1.23 --report summary #9656

Uh oh!

sfozz Oct 14, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 5 comments · 12 replies

Uh oh!

simar7 Oct 14, 2025 Maintainer

Uh oh!

afdesk Oct 14, 2025 Maintainer

Uh oh!

afdesk Oct 16, 2025 Maintainer

Uh oh!

sfozz Oct 16, 2025 Author

Uh oh!

afdesk Oct 16, 2025 Maintainer

Uh oh!

afdesk Oct 16, 2025 Maintainer

Uh oh!

sfozz Oct 16, 2025 Author

Uh oh!

afdesk Oct 16, 2025 Maintainer

Uh oh!

sfozz Oct 16, 2025 Author

Uh oh!

sfozz Oct 16, 2025 Author

Uh oh!

Uh oh!

sfozz Oct 16, 2025 Author

Uh oh!

afdesk Oct 17, 2025 Maintainer

Uh oh!

sfozz Oct 21, 2025 Author

Uh oh!

afdesk Oct 22, 2025 Maintainer

Uh oh!

Uh oh!

sfozz Oct 22, 2025 Author

Uh oh!

afdesk Oct 22, 2025 Maintainer

sfozz
Oct 14, 2025

Replies: 5 comments 12 replies

simar7
Oct 14, 2025
Maintainer

afdesk Oct 14, 2025
Maintainer

afdesk
Oct 16, 2025
Maintainer

sfozz
Oct 16, 2025
Author

afdesk Oct 16, 2025
Maintainer

afdesk Oct 16, 2025
Maintainer

sfozz Oct 16, 2025
Author

afdesk Oct 16, 2025
Maintainer

sfozz Oct 16, 2025
Author

sfozz
Oct 16, 2025
Author

sfozz
Oct 16, 2025
Author

afdesk Oct 17, 2025
Maintainer

sfozz Oct 21, 2025
Author

afdesk Oct 22, 2025
Maintainer

sfozz Oct 22, 2025
Author

afdesk Oct 22, 2025
Maintainer