trivy can scan dockerfile more than matching pattern Dockerfile*

[zdtsw]

Current version of trivy only support dockerfile with name starting with "Dockerfile".
Same as using as target, it only looks for "Dockerfile*"
Since docker support using -f <dockerfile>, trivy should have a similar feature . This is very useful with multiple dockerfiles,
some suggestions:

1. to allow user specify their dockerfile's name. e.g trivy fs --security-checks config --file dockerfile1, dockerfile2, ...
2. create a new type for --security-checks e.g --security-checks dockerfile and use along with --skip-files e.g trivy fs --security-checks dockerfile --skip-files some.txt .

see test log:

docker$ trivy --version
Version: 0.30.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-07-27 12:07:07.855242681 +0000 UTC
  NextUpdate: 2022-07-27 18:07:07.855242281 +0000 UTC
  DownloadedAt: 2022-07-27 13:25:19.565918 +0000 UTC

docker$ trivy fs --security-checks config dockerfile 
2022-07-27T18:46:38.004+0200	INFO	Misconfiguration scanning is enabled
2022-07-27T18:46:38.042+0200	INFO	Detected config files: 0

docker$ trivy fs --security-checks config .
2022-07-27T18:58:35.661+0200	INFO	Misconfiguration scanning is enabled
2022-07-27T18:58:35.699+0200	INFO	Detected config files: 0

after rename dockerfile to Dockerfile, it works

docker$ mv dockerfile Dockerfile
docker$ trivy fs --security-checks config Dockerfile 
2022-07-27T18:46:51.456+0200	INFO	Misconfiguration scanning is enabled
2022-07-27T18:46:51.557+0200	INFO	Detected config files: 1

Dockerfile (dockerfile)

Tests: 22 (SUCCESSES: 21, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


docker$ trivy fs --security-checks config .
2022-07-27T18:46:55.523+0200	INFO	Misconfiguration scanning is enabled
2022-07-27T18:46:55.624+0200	INFO	Detected config files: 1

Dockerfile (dockerfile)

Tests: 22 (SUCCESSES: 21, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────────────

[knqyf263]

Doesn't --file-pattern satisfy your requirement?
https://aquasecurity.github.io/trivy/v0.30.4/docs/misconfiguration/options/others/
https://github.com/aquasecurity/trivy/tree/f9c17bd2d87b9c02da1eebd21dd45ce1ccf97995/examples/misconf/file-patterns

[zdtsw]

Doesn't --file-pattern satisfy your requirement? https://aquasecurity.github.io/trivy/v0.30.4/docs/misconfiguration/options/others/ https://github.com/aquasecurity/trivy/tree/f9c17bd2d87b9c02da1eebd21dd45ce1ccf97995/examples/misconf/file-patterns

Thanks for the tips!
I've tried with --file-patterns but did not manage to get what I want:

docker$ mv Dockerfile dockerf
dockerf

docker$ head dockerf 
FROM alpine:3.12.4
.....

docker$ trivy conf --file-patterns "dockerfile:dockerf" .
2022-07-28T09:42:44.508+0200	INFO	Misconfiguration scanning is enabled
2022-07-28T09:42:44.545+0200	INFO	Detected config files: 0

docker$ trivy conf --file-patterns "dockerfile:.*dockerf" .
2022-07-28T09:43:18.807+0200	INFO	Misconfiguration scanning is enabled
2022-07-28T09:43:18.844+0200	INFO	Detected config files: 0

[zdtsw]

one more thing to confirm, using trivy config should be equal to trivy fs --security-checks config, right?

[knqyf263]

one more thing to confirm, using trivy config should be equal to trivy fs --security-checks config, right?

Yes.

@DmitriyLewen Could you take a look? --file-patterns should work.