Skip to content

Commit

Permalink
feat(misconf): Add --misconfig-scanners option (#5670)
Browse files Browse the repository at this point in the history
  • Loading branch information
simar7 authored Nov 29, 2023
1 parent 075d8f6 commit b5874e3
Show file tree
Hide file tree
Showing 12 changed files with 55 additions and 0 deletions.
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_aws.md
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,7 @@ trivy aws [flags]
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--max-cache-age duration The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
-o, --output string output file name
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_config.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ trivy config [flags] DIR
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
-o, --output string output file name
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_filesystem.md
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ trivy filesystem [flags] PATH
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_image.md
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ trivy image [flags] IMAGE_NAME
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_kubernetes.md
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--kubeconfig string specify the kubeconfig file path to use
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
-n, --namespace string specify a namespace to scan
--no-progress suppress progress bar
--node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default "trivy-temp")
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_repository.md
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_rootfs.md
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@ trivy rootfs [flags] ROOTDIR
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_vm.md
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ trivy vm [flags] VM_IMAGE
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
Expand Down
6 changes: 6 additions & 0 deletions docs/docs/references/configuration/config-file.md
Original file line number Diff line number Diff line change
Expand Up @@ -266,6 +266,12 @@ misconfiguration:
# Same as '--include-non-failures'
# Default is false
include-non-failures: false

# Same as '--miconfig-scanners'
# Default is all scanners
scanners:
- dockerfile
- terraform

# helm value override configurations
# set individual values
Expand Down
9 changes: 9 additions & 0 deletions docs/docs/scanner/misconfiguration/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -315,6 +315,15 @@ Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
This section describes misconfiguration-specific configuration.
Other common options are documented [here](../../configuration/index.md).

### Enabling a subset of misconfiguration scanners
It's possible to only enable certain misconfiguration scanners if you prefer. You can do so by passing the `--misconfig-scanners` option.
This flag takes a comma-separated list of configuration scanner types.
```bash
trivy config --misconfig-scanners=terraform,dockerfile .
```

Will only scan for misconfigurations that pertain to Terraform and Dockerfiles.

### Pass custom policies
You can pass policy files or directories including your custom policies through `--policy` option.
This can be repeated for specifying multiple files or directories.
Expand Down
19 changes: 19 additions & 0 deletions pkg/commands/artifact/run.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"fmt"

"github.com/hashicorp/go-multierror"
"github.com/samber/lo"
"github.com/spf13/viper"
"golang.org/x/exp/slices"
"golang.org/x/xerrors"
Expand Down Expand Up @@ -480,6 +481,14 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
analyzers = append(analyzers, analyzer.TypeSecret)
}

// Filter only enabled misconfiguration scanners
ma, err := filterMisconfigAnalyzers(opts.MisconfigScanners, analyzer.TypeConfigFiles)
if err != nil {
log.Logger.Errorf("Invalid misconfig scanners specified: %s defaulting to use all misconfig scanners", opts.MisconfigScanners)
} else {
analyzers = append(analyzers, ma...)
}

// Do not perform misconfiguration scanning when it is not specified.
if !opts.Scanners.AnyEnabled(types.MisconfigScanner, types.RBACScanner) {
analyzers = append(analyzers, analyzer.TypeConfigFiles...)
Expand Down Expand Up @@ -512,6 +521,16 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
return analyzers
}

func filterMisconfigAnalyzers(included, all []analyzer.Type) ([]analyzer.Type, error) {
_, missing := lo.Difference(all, included)
if len(missing) > 0 {
return nil, xerrors.Errorf("invalid misconfiguration scanner specified %s valid scanners: %s", missing, all)
}

log.Logger.Debugf("Enabling misconfiguration scanners: %s", included)
return lo.Without(all, included...), nil
}

func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfig, types.ScanOptions, error) {
target := opts.Target
if opts.Input != "" {
Expand Down
13 changes: 13 additions & 0 deletions pkg/flag/misconf_flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,9 @@ package flag
import (
"fmt"

"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
"github.com/aquasecurity/trivy/pkg/policy"
xstrings "github.com/aquasecurity/trivy/pkg/x/strings"
)

// e.g. config yaml:
Expand Down Expand Up @@ -73,6 +75,12 @@ var (
Default: fmt.Sprintf("%s:%d", policy.BundleRepository, policy.BundleVersion),
Usage: "OCI registry URL to retrieve policy bundle from",
}
MisconfigScannersFlag = Flag{
Name: "misconfig-scanners",
ConfigName: "misconfiguration.scanners",
Default: xstrings.ToStringSlice(analyzer.TypeConfigFiles),
Usage: "comma-separated list of misconfig scanners to use for misconfiguration scanning",
}
)

// MisconfFlagGroup composes common printer flag structs used for commands providing misconfiguration scanning.
Expand All @@ -89,6 +97,7 @@ type MisconfFlagGroup struct {
TerraformTFVars *Flag
CloudformationParamVars *Flag
TerraformExcludeDownloaded *Flag
MisconfigScanners *Flag
}

type MisconfOptions struct {
Expand All @@ -104,6 +113,7 @@ type MisconfOptions struct {
TerraformTFVars []string
CloudFormationParamVars []string
TfExcludeDownloaded bool
MisconfigScanners []analyzer.Type
}

func NewMisconfFlagGroup() *MisconfFlagGroup {
Expand All @@ -119,6 +129,7 @@ func NewMisconfFlagGroup() *MisconfFlagGroup {
TerraformTFVars: &TfVarsFlag,
CloudformationParamVars: &CfParamsFlag,
TerraformExcludeDownloaded: &TerraformExcludeDownloaded,
MisconfigScanners: &MisconfigScannersFlag,
}
}

Expand All @@ -138,6 +149,7 @@ func (f *MisconfFlagGroup) Flags() []*Flag {
f.TerraformTFVars,
f.TerraformExcludeDownloaded,
f.CloudformationParamVars,
f.MisconfigScanners,
}
}

Expand All @@ -153,5 +165,6 @@ func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
TerraformTFVars: getStringSlice(f.TerraformTFVars),
CloudFormationParamVars: getStringSlice(f.CloudformationParamVars),
TfExcludeDownloaded: getBool(f.TerraformExcludeDownloaded),
MisconfigScanners: getUnderlyingStringSlice[analyzer.Type](f.MisconfigScanners),
}, nil
}

0 comments on commit b5874e3

Please sign in to comment.