Prepare for v0.31.0

[knqyf263]

The release note of v0.31.0

🚀 What's new? 🚀

☁️ AWS Scanning 🩻

You can now scan live AWS accounts for misconfigurations with the trivy aws command.

trivy aws --region us-east-1

All the misconfiguration rules built into Trivy for IaC scanning are the same rules being used to scan AWS. This means the rules are consistent across platforms and, as a bonus, can be used to find the causes of AWS issues when infrastructure is defined with Terraform or CloudFormation.

Authentication is done using all of the same mechanisms supported by the aws-cli, so you can likely get up and running simply by running the new trivy aws command.

⚠️ EXPERIMENTAL: This feature might change without preserving backwards compatibility.

🚢 SBOM generation without vulnerability scanning ⛓️

--format cyclonedx, --format spdx and --format json disables security checks by default so that you can just generate SBOM.

$ trivy image --format cyclonedx alpine:3.15
2022-08-15T11:45:30.527+0300    INFO    "--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.

📝 Support for attestation

You can create an SBOM attestation based on SBOM Trivy generates.

# The cyclonedx type is supported in Cosign v1.10.0 or later.
$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
$ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>

In addition, you can create a cosign vulnerability scan record attestation with --format cosign-vuln.

$ trivy image --format cosign-vuln -o vuln.json <IMAGE>
$ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json <IMAGE>

See here for more details.

🌀 Scan SBOM attestation for vulnerabilities 🧛

Trivy can take SBOM attestation as input and scan it for vulnerabilities.

$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
$ trivy sbom ./sbom.cdx.intoto.jsonl

See here for more details.

🔐 Detect removed secrets in the intermediate layer 🙈

A file including hard-coded secrets can be modified or removed in the upper layer, but the hidden secrets can still be extracted from the intermediate layer. Trivy currently detects such secrets as well.

💉 Support external variable injection 📜

• Pass variables into Terraform scans using tfvar files

$ trivy config --tf-vars dev.terraform.tfvars <terraformCodeDir>

• Use the same external variable passing mechanism as helm install

$ trivy conf --helm-values overrides.yaml ./charts/mySql

See here for more details.

🦀 Scan Rust binaries 🦀

If a binary is built by cargo-auditable, Trivy will extract dependencies of the binary and scan it for vulnerabilities.

# Install the tooling
$ cargo install cargo-auditable rust-audit-info
# Open your Rust project
$ cd your_project
# Build your project with dependency lists embedded in the binaries
$ cargo auditable build --release
# Build your container image with the binary
$ docker build -t test-rust -f - . <<EOF
FROM scratch
COPY target/release/your_binary .
EOF
# Scan the image
$ trivy image --security-checks vuln test-rust
2022-08-15T11:32:03.923+0300    INFO    Vulnerability scanning is enabled
2022-08-15T11:32:05.031+0300    INFO    Number of language-specific files: 1
2022-08-15T11:32:05.032+0300    INFO    Detecting rust-binary vulnerabilities...

your_binary (rust-binary)
=========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library     │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                       Title                       │
├─────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│    websocket    │    CVE-2022-35922   │ HIGH     │ 0.26.4            │ 0.26.5        │ Untrusted websocket connections can cause an      | 
│                 │                     │          │                   │               │ out-of-memory (OOM) process abort in a client     │
│                 │                     │          │                   │               │ or a server.                                      │
└─────────────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

Thanks to @tofay

🏷️ Support git branch, commit and tag in repository scanning 🌮

• Pass a --branch argument with a valid branch name on the remote repository provided:

$ trivy repo --branch <branch-name> <repo-name>

• Pass a --commit argument with a valid commit hash on the remote repository provided:

$ trivy repo --commit <commit-hash> <repo-name>

• Pass a --tag argument with a valid tag on the remote repository provided:

$ trivy repo --tag <tag-name> <repo-name>

Thanks to @ShubhamPalriwala