feat: Improve Config/IaC Scanning #1820
liamg
started this conversation in
Development
Replies: 0 comments
This issue covers the design for config/IaC scanning functionality and its migration into defsec.
Individual tasks will be tracked in this project.
Overview
Currently, Trivy scans configuration/IaC content using fanal, which in turn uses tfsec for Terraform scanning, defsec for CloudFormation scanning, and OPA for scanning k8s and Dockerfiles (both via the rego policies published by defsec).
We would like to clearly divide and define responsibilities of each of these projects, and this issue will act as a discussion area for this.
The image below is my initial high-level suggestion. It is very much open to discussion and change.
Defsec has become the home of IaC policy definition and scanning for Aqua. At a very high level we would like to suggest that fanal continue to discover and surface files/filesystems for defsec to scan. Defsec should receive files/filesystems as input (along with rego policies if the defaults that ship with defsec should be modified/added to) and return results.
This document is in progress.
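As an added illustration of the proposed split (the discovery layer surfaces files from a filesystem, the scanning layer receives them together with policies and returns results), the following Go program is not part of this discussion, of fanal, or of defsec. It models only the discovery half: walk an fs.FS, classify each file as Terraform, CloudFormation, Dockerfile or Kubernetes manifest, and group the paths by kind so that each group can be handed to the matching scanner. The detection heuristics, the type and function names, and the sample in-memory filesystem are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

// ConfigKind labels which scanner a discovered file should be routed to.
type ConfigKind string

const (
	KindTerraform      ConfigKind = "terraform"
	KindCloudFormation ConfigKind = "cloudformation"
	KindDockerfile     ConfigKind = "dockerfile"
	KindKubernetes     ConfigKind = "kubernetes"
)

// DiscoveredFile is the unit the discovery layer hands over to scanning:
// a path inside the filesystem plus the kind it was classified as.
type DiscoveredFile struct {
	Path string
	Kind ConfigKind
}

// Detect classifies one file by name and content. The heuristics are
// hypothetical and deliberately simple: filename for Terraform and
// Dockerfiles, marker strings for CloudFormation and Kubernetes YAML/JSON.
func Detect(name string, content []byte) (ConfigKind, bool) {
	base := path.Base(name)
	switch {
	case strings.HasSuffix(base, ".tf"), strings.HasSuffix(base, ".tf.json"):
		return KindTerraform, true
	case base == "Dockerfile", strings.HasPrefix(base, "Dockerfile."):
		return KindDockerfile, true
	}
	switch path.Ext(base) {
	case ".yaml", ".yml", ".json":
		if bytes.Contains(content, []byte("AWSTemplateFormatVersion")) ||
			bytes.Contains(content, []byte("Type: AWS::")) {
			return KindCloudFormation, true
		}
		if bytes.Contains(content, []byte("apiVersion:")) && bytes.Contains(content, []byte("kind:")) {
			return KindKubernetes, true
		}
	}
	return "", false
}

// Discover walks the filesystem and surfaces every file Detect recognises.
// Unrecognised files (README, application config) are left out so the
// scanning layer only ever sees content it has a policy set for.
func Discover(fsys fs.FS) ([]DiscoveredFile, error) {
	var out []DiscoveredFile
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		data, err := fs.ReadFile(fsys, p)
		if err != nil {
			return err
		}
		if kind, ok := Detect(p, data); ok {
			out = append(out, DiscoveredFile{Path: p, Kind: kind})
		}
		return nil
	})
	return out, err
}

// Route groups discovered paths by kind; each group is what a scanner for
// that kind would receive as input alongside its (default or added) policies.
func Route(files []DiscoveredFile) map[ConfigKind][]string {
	routed := make(map[ConfigKind][]string)
	for _, f := range files {
		routed[f.Kind] = append(routed[f.Kind], f.Path)
	}
	return routed
}

// SampleFS is a constructed in-memory tree standing in for a scanned
// repository or container filesystem; the contents are not real projects.
func SampleFS() fs.FS {
	return fstest.MapFS{
		"infra/main.tf":     {Data: []byte("resource \"aws_s3_bucket\" \"b\" {}\n")},
		"Dockerfile":        {Data: []byte("FROM alpine:3.18\n")},
		"cfn/template.yaml": {Data: []byte("AWSTemplateFormatVersion: '2010-09-09'\nResources:\n  Bucket:\n    Type: AWS::S3::Bucket\n")},
		"k8s/deploy.yaml":   {Data: []byte("apiVersion: apps/v1\nkind: Deployment\n")},
		"config/app.yaml":   {Data: []byte("database:\n  host: localhost\n")},
		"README.md":         {Data: []byte("# demo\n")},
	}
}

func main() {
	files, err := Discover(SampleFS())
	if err != nil {
		panic(err)
	}
	for kind, paths := range Route(files) {
		fmt.Printf("%-15s -> %v\n", kind, paths)
	}
}
```

The point of the narrow contract is that only the discovery side knows how to walk images, archives or repositories, while the scanning side only ever sees an fs.FS, a list of classified paths and a policy set; swapping the heuristics in Detect, or feeding a real filesystem instead of SampleFS, changes nothing on the scanning side.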