Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(misconf): Use updated terminology for misconfiguration checks #6476

Merged
merged 30 commits into from
May 2, 2024
Merged

feat(misconf): Use updated terminology for misconfiguration checks #6476

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
a553924
chore(misconf): Rename policies refs into checks
simar7 Apr 9, 2024
169af16
update magefile tgts
simar7 Apr 10, 2024
c2a960b
add new checks options
simar7 Apr 10, 2024
0bc1279
update docs
simar7 Apr 10, 2024
8e8e125
simplify with aliasing
simar7 Apr 11, 2024
f79554c
update schema URLs
simar7 Apr 11, 2024
60c196a
update more refs
simar7 Apr 18, 2024
d460621
update docs
simar7 Apr 18, 2024
0976887
Merge branch 'main' into check-bundle
simar7 Apr 18, 2024
8c55593
update more refs
simar7 Apr 22, 2024
a1d4094
Merge branch 'main' into check-bundle
simar7 Apr 23, 2024
01a0e8d
rebase and update refs
simar7 Apr 23, 2024
6899038
go mod update
simar7 Apr 23, 2024
87cee7f
rename pkg ref
simar7 Apr 23, 2024
c5606a6
fix tests
simar7 Apr 23, 2024
6b3d219
update tests
simar7 Apr 23, 2024
ab8f9a8
rename import
simar7 Apr 26, 2024
df442db
sort cloud results
simar7 Apr 26, 2024
55501b4
rename more refs
simar7 Apr 26, 2024
fc59844
rename more refs
simar7 Apr 26, 2024
1a1e7ad
remove debug print
simar7 Apr 26, 2024
d0ee633
fix tests
simar7 Apr 26, 2024
4f80b17
restore go mod version
simar7 Apr 28, 2024
8372bf7
use semvar for go release
simar7 Apr 28, 2024
8f1c5b5
Merge branch 'main' into check-bundle
simar7 Apr 28, 2024
08190fe
update go mod
simar7 Apr 28, 2024
78e0ca2
update trivy-checks
simar7 Apr 30, 2024
18054d7
Merge branch 'main' into check-bundle
simar7 May 2, 2024
196aaf3
go mod tidy
simar7 May 2, 2024
8314d26
update docs
simar7 May 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_aws.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ trivy aws [flags]
--account string The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts.
--arn string The AWS ARN to show results for. Useful to filter results once a scan is cached.
--cf-params strings specify paths to override the CloudFormation parameters files
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--compliance string compliance report to generate (aws-cis-1.2,aws-cis-1.4)
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files
Expand All @@ -91,11 +92,10 @@ trivy aws [flags]
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
--region string AWS Region to scan
--report string specify a report format for the output (all,summary) (default "all")
--reset-policy-bundle remove policy bundle
--reset-checks-bundle remove checks bundle
--service strings Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-policy-update skip fetching rego policy updates
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_config.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ trivy config [flags] DIR
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
Expand All @@ -36,15 +37,14 @@ trivy config [flags] DIR
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--report string specify a compliance report format for the output (all,summary) (default "all")
--reset-policy-bundle remove policy bundle
--reset-checks-bundle remove checks bundle
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_filesystem.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ trivy filesystem [flags] PATH
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
Expand Down Expand Up @@ -61,7 +62,6 @@ trivy filesystem [flags] PATH
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
Expand All @@ -71,7 +71,7 @@ trivy filesystem [flags] PATH
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--report string specify a compliance report format for the output (all,summary) (default "all")
--reset remove all caches and database
--reset-policy-bundle remove policy bundle
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_image.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ trivy image [flags] IMAGE_NAME
```
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate (docker-cis)
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
Expand Down Expand Up @@ -81,7 +82,6 @@ trivy image [flags] IMAGE_NAME
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--platform string set platform in the form os/arch if image is multi-platform capable
--podman-host string unix podman socket path to use for podman scanning
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
Expand All @@ -92,7 +92,7 @@ trivy image [flags] IMAGE_NAME
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine)
--report string specify a format for the compliance report. (all,summary) (default "summary")
--reset remove all caches and database
--reset-policy-bundle remove policy bundle
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_kubernetes.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
--burst int specify the maximum burst for throttle (default 10)
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate (k8s-nsa,k8s-cis,k8s-pss-baseline,k8s-pss-restricted)
--components strings specify which components to scan (workload,infra) (default [workload,infra])
Expand Down Expand Up @@ -73,7 +74,6 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
--qps float specify the maximum QPS to the master from this client (default 5)
--redis-ca string redis ca file location, if using redis as cache backend
Expand All @@ -84,7 +84,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--report string specify a report format for the output (all,summary) (default "all")
--reset remove all caches and database
--reset-policy-bundle remove policy bundle
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_repository.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--commit string pass the commit hash to be scanned
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
Expand Down Expand Up @@ -61,7 +62,6 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
Expand All @@ -70,7 +70,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--reset-policy-bundle remove policy bundle
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_rootfs.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ trivy rootfs [flags] ROOTDIR
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files
Expand Down Expand Up @@ -63,7 +64,6 @@ trivy rootfs [flags] ROOTDIR
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
Expand All @@ -72,7 +72,7 @@ trivy rootfs [flags] ROOTDIR
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--reset-policy-bundle remove policy bundle
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_vm.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ trivy vm [flags] VM_IMAGE
--aws-region string AWS region to scan
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate
--custom-headers strings custom headers in client mode
Expand Down Expand Up @@ -56,14 +57,13 @@ trivy vm [flags] VM_IMAGE
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--reset-policy-bundle remove policy bundle
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/scanner/misconfiguration/custom/testing.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,6 @@ The following example stores allowed and denied configuration files in a directo
`Dockerfile.allowed` has one successful result in `Successes`, while `Dockerfile.denied` has one failure result in `Failures`.

[opa-testing]: https://www.openpolicyagent.org/docs/latest/policy-testing/
[defsec]: https://github.com/aquasecurity/trivy-policies/tree/main
[defsec]: https://github.com/aquasecurity/trivy-checks/tree/main
[table]: https://github.com/golang/go/wiki/TableDrivenTests
[fanal]: https://github.com/aquasecurity/fanal
Loading
Loading