From f6afc9d610c0af01173b897bbf2c35d78fdccd91 Mon Sep 17 00:00:00 2001
From: knqyf263
Date: Mon, 13 Nov 2023 10:43:08 +0900
Subject: [PATCH 1/4] feat: add aliases to '--scanners'

Signed-off-by: knqyf263
---
 pkg/flag/options.go | 8 ++++++--
 pkg/flag/options_test.go | 2 +-
 pkg/flag/scan_flags.go | 9 +++++++++
 pkg/flag/scan_flags_test.go | 2 +-
 pkg/flag/value.go | 35 ++++++++++++++++++++++++-----------
 pkg/types/target.go | 2 +-
 6 files changed, 42 insertions(+), 16 deletions(-)

diff --git a/pkg/flag/options.go b/pkg/flag/options.go
index caf723fa5bb7..4d93e0383b79 100644
--- a/pkg/flag/options.go
+++ b/pkg/flag/options.go
@@ -42,6 +42,10 @@ type Flag struct {
 	// It currently supports string flags and string slice flags only.
 	Values []string
 
+	// ValueNormalize is a function to normalize the value.
+	// It can be used for aliases, etc.
+	ValueNormalize func(string) string
+
 	// Usage explains how to use the flag.
 	Usage string
 
@@ -191,13 +195,13 @@ func addFlag(cmd *cobra.Command, flag *Flag) {
 		if len(flag.Values) > 0 {
 			usage += fmt.Sprintf(" (%s)", strings.Join(flag.Values, ","))
 		}
-		flags.VarP(newCustomStringValue(v, flag.Values), flag.Name, flag.Shorthand, usage)
+		flags.VarP(newCustomStringValue(v, flag.Values, flag.ValueNormalize), flag.Name, flag.Shorthand, usage)
 	case []string:
 		usage := flag.Usage
 		if len(flag.Values) > 0 {
 			usage += fmt.Sprintf(" (%s)", strings.Join(flag.Values, ","))
 		}
-		flags.VarP(newCustomStringSliceValue(v, flag.Values), flag.Name, flag.Shorthand, usage)
+		flags.VarP(newCustomStringSliceValue(v, flag.Values, flag.ValueNormalize), flag.Name, flag.Shorthand, usage)
 	case bool:
 		flags.BoolP(flag.Name, flag.Shorthand, v, flag.Usage)
 	case time.Duration:
diff --git a/pkg/flag/options_test.go b/pkg/flag/options_test.go
index 6c84ae7d9813..f3a76d177730 100644
--- a/pkg/flag/options_test.go
+++ b/pkg/flag/options_test.go
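Review bot: The new `ValueNormalize` field on `Flag` is declared as a bare `func(string) string`, while the value.go hunk of this same patch introduces the named type `ValueNormalizeFunc` for exactly this purpose; declaring the field as `ValueNormalize ValueNormalizeFunc` keeps the two in step and lets the doc comment on the named type be found from the struct. The field comment should also say when the function runs and for which flags, e.g. `// ValueNormalize, if set, is applied to each value before it is checked against Values, so it can map aliases to canonical names.`, since the addFlag hunk wires it only into the string and []string cases. Both the Flag struct and addFlag extend beyond the hunks shown.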
@@ -53,7 +53,7 @@ func Test_getStringSlice(t *testing.T) {
 			flag: &ScannersFlag,
 			env: env{
 				key: "TRIVY_SECURITY_CHECKS",
-				value: "rbac,config",
+				value: "rbac,misconfig",
 			},
 			want: []string{
 				string(types.RBACScanner),
diff --git a/pkg/flag/scan_flags.go b/pkg/flag/scan_flags.go
index 66280ecb255e..07623a04fe70 100644
--- a/pkg/flag/scan_flags.go
+++ b/pkg/flag/scan_flags.go
@@ -37,6 +37,15 @@ var (
 			types.SecretScanner,
 			types.LicenseScanner,
 		}),
+		ValueNormalize: func(s string) string {
+			switch s {
+			case "vulnerability":
+				return string(types.VulnerabilityScanner)
+			case "config", "misconf", "misconfiguration":
+				return string(types.MisconfigScanner)
+			}
+			return s
+		},
 		Aliases: []Alias{
 			{
 				Name: "security-checks",
diff --git a/pkg/flag/scan_flags_test.go b/pkg/flag/scan_flags_test.go
index 1490ea3bf42f..7c9d2ba42457 100644
--- a/pkg/flag/scan_flags_test.go
+++ b/pkg/flag/scan_flags_test.go
@@ -38,7 +38,7 @@ func TestScanFlagGroup_ToOptions(t *testing.T) {
 			name: "happy path for configs",
 			args: []string{"alpine:latest"},
 			fields: fields{
-				scanners: "config",
+				scanners: "misconfig",
 			},
 			want: flag.ScanOptions{
 				Target: "alpine:latest",
diff --git a/pkg/flag/value.go b/pkg/flag/value.go
index 47a8236dbbad..45108fe7f556 100644
--- a/pkg/flag/value.go
+++ b/pkg/flag/value.go
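Review bot: Changing the env fixture from `rbac,config` to `rbac,misconfig` removes the one case that would have shown whether values arriving through the environment reach the new normalizer; if the code under test does not route env values through the custom value's Set (the fact that this fixture had to change suggests it does not — please confirm), then `TRIVY_SECURITY_CHECKS=config` or a config-file `scanners: [config]` silently stops matching the renamed constant while the same spelling on the command line keeps working. Keep a second table entry with `value: "rbac,config"` expecting `types.MisconfigScanner` to pin the alias on that path, or document that aliases apply only to command-line values. The same applies to the scan_flags_test.go hunk, where the "happy path for configs" fixture was switched to `misconfig` instead of gaining an alias case.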
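Review bot: The alias list in the new `ValueNormalize` closure is invisible to users because the usage text is built from `Values`, which holds only the canonical names, and nothing in the code says why `config` is special. A comment above the switch should record the intent, e.g. `// "config" was the misconfiguration scanner's name before it was renamed to "misconfig"; keep accepting it so existing pipelines do not break.` Because normalization runs before the `Values` check, anything added to this switch is accepted silently, so the comment should also mark it as the backward-compatibility surface for this flag. The enclosing `ScannersFlag` declaration continues outside the hunk.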
@@ -3,24 +3,32 @@ package flag
 import (
 	"strings"
 
+	"github.com/samber/lo"
 	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 )
 
+type ValueNormalizeFunc func(string) string
+
 // -- string Value
 type customStringValue struct {
-	value *string
-	allowed []string
+	value *string
+	allowed []string
+	normalize ValueNormalizeFunc
 }
 
-func newCustomStringValue(val string, allowed []string) *customStringValue {
+func newCustomStringValue(val string, allowed []string, fn ValueNormalizeFunc) *customStringValue {
 	return &customStringValue{
-		value: &val,
-		allowed: allowed,
+		value: &val,
+		allowed: allowed,
+		normalize: fn,
 	}
 }
 
 func (s *customStringValue) Set(val string) error {
+	if s.normalize != nil {
+		val = s.normalize(val)
+	}
 	if len(s.allowed) > 0 && !slices.Contains(s.allowed, val) {
 		return xerrors.Errorf("must be one of %q", s.allowed)
 	}
@@ -35,20 +43,25 @@ func (s *customStringValue) String() string { return *s.value }
 
 // -- stringSlice Value
 type customStringSliceValue struct {
-	value *[]string
-	allowed []string
-	changed bool
+	value *[]string
+	allowed []string
+	normalize ValueNormalizeFunc
+	changed bool
 }
 
-func newCustomStringSliceValue(val, allowed []string) *customStringSliceValue {
+func newCustomStringSliceValue(val, allowed []string, fn ValueNormalizeFunc) *customStringSliceValue {
 	return &customStringSliceValue{
-		value: &val,
-		allowed: allowed,
+		value: &val,
+		allowed: allowed,
+		normalize: fn,
 	}
 }
 
 func (s *customStringSliceValue) Set(val string) error {
 	values := strings.Split(val, ",")
+	if s.normalize != nil {
+		values = lo.Map(values, func(item string, _ int) string { return s.normalize(item) })
+	}
 	for _, v := range values {
 		if len(s.allowed) > 0 && !slices.Contains(s.allowed, v) {
 			return xerrors.Errorf("must be one of %q", s.allowed)
diff --git a/pkg/types/target.go b/pkg/types/target.go
index f302505bc1b6..134bded69cd7 100644
--- a/pkg/types/target.go
+++ b/pkg/types/target.go
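Review bot: `ValueNormalizeFunc` is a new exported type with no doc comment; add `// ValueNormalizeFunc maps a user-supplied flag value to its canonical form. It runs before the value is validated against the allowed list and must not itself reject values.` so flag authors know the contract is canonicalize-only. In `customStringValue.Set` the normalizer is applied only to values that arrive through Set; the initial `val` handed to `newCustomStringValue` is stored untouched, so a default written with an alias would never be canonicalized — a one-line note on the constructor saying defaults are expected to be canonical would prevent that surprise.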
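Review bot: In `customStringSliceValue.Set` the new `lo.Map` call pulls `github.com/samber/lo` into this file and builds a closure on every Set just to apply `s.normalize` element-wise; a plain loop over the slice that `strings.Split` already produced is shorter and needs no import: `for i, v := range values { values[i] = s.normalize(v) }` inside the existing `if s.normalize != nil` guard. Set's body continues past the hunk, so the remainder of the validation loop is not visible here.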
@@ -33,7 +33,7 @@ const (
 	VulnerabilityScanner = Scanner("vuln")
 
 	// MisconfigScanner is the scanner of misconfigurations
-	MisconfigScanner = Scanner("config")
+	MisconfigScanner = Scanner("misconfig")
 
 	// SecretScanner is the scanner of secrets
 	SecretScanner = Scanner("secret")
From 19f9572411f4bd982b1d41152e1173723bc80385 Mon Sep 17 00:00:00 2001
From: knqyf263
Date: Mon, 13 Nov 2023 10:58:42 +0900
Subject: [PATCH 2/4] docs: update

Signed-off-by: knqyf263
---
 README.md | 2 +-
 docs/docs/configuration/others.md | 2 +-
 docs/docs/references/configuration/cli/trivy_aws.md | 6 +++---
 docs/docs/references/configuration/cli/trivy_config.md | 2 +-
 .../references/configuration/cli/trivy_filesystem.md | 4 ++--
 docs/docs/references/configuration/cli/trivy_image.md | 6 +++---
 .../references/configuration/cli/trivy_kubernetes.md | 4 ++--
 .../references/configuration/cli/trivy_repository.md | 4 ++--
 docs/docs/references/configuration/cli/trivy_rootfs.md | 4 ++--
 docs/docs/references/configuration/cli/trivy_vm.md | 4 ++--
 docs/docs/references/configuration/config-file.md | 3 ++-
 docs/docs/scanner/misconfiguration/index.md | 10 +++++-----
 docs/docs/target/container_image.md | 4 ++--
 docs/docs/target/filesystem.md | 4 ++--
 docs/docs/target/repository.md | 4 ++--
 docs/docs/target/vm.md | 4 ++--
 docs/index.md | 2 +-
 docs/tutorials/integrations/gitlab-ci.md | 2 +-
 docs/tutorials/misconfiguration/terraform.md | 2 +-
 pkg/flag/misconf_flags.go | 2 +-
 20 files changed, 38 insertions(+), 37 deletions(-)

diff --git a/README.md b/README.md
index 1db2353bb1fc..f02dd9c0cd9b 100644
--- a/README.md
+++ b/README.md
@@ -78,7 +78,7 @@ https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-a
 ```bash
-trivy fs --scanners vuln,secret,config myproject/
+trivy fs --scanners vuln,secret,misconfig myproject/
 ```
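Review bot: Changing `MisconfigScanner` from `Scanner("config")` to `Scanner("misconfig")` alters a string that this patch series itself shows being compared literally in test fixtures and environment values, so every place the scanner name is persisted or exchanged — config files, environment variables, and, if scanner names travel between client and server, those requests too — now emits and expects a different token, while only the `--scanners` command-line path visibly gains the `config` alias. Record the rename in the doc comment so the next reader does not "fix" the alias away: `// MisconfigScanner is the scanner of misconfigurations. It was named "config" before; ScannersFlag.ValueNormalize still accepts that spelling on the command line.` Please confirm that the non-CLI inputs either accept the old token or are called out as a breaking change in the release notes.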
diff --git a/docs/docs/configuration/others.md b/docs/docs/configuration/others.md index 769959fa15dc..371350f07a96 100644 --- a/docs/docs/configuration/others.md +++ b/docs/docs/configuration/others.md @@ -6,7 +6,7 @@ You can enable/disable scanners with the `--scanners` flag. Supported values: - vuln -- config +- misconfig - secret - license diff --git a/docs/docs/references/configuration/cli/trivy_aws.md b/docs/docs/references/configuration/cli/trivy_aws.md index eb7e5a144ac1..d3cf843e6052 100644 --- a/docs/docs/references/configuration/cli/trivy_aws.md +++ b/docs/docs/references/configuration/cli/trivy_aws.md @@ -26,7 +26,6 @@ The following services are supported: - elb - emr - iam -- kinesis - kms - lambda - mq @@ -34,11 +33,12 @@ The following services are supported: - neptune - rds - redshift -- s3 - sns - sqs - ssm - workspaces +- kinesis +- s3 ``` @@ -81,7 +81,7 @@ trivy aws [flags] -h, --help help for aws --ignore-policy string specify the Rego file path to evaluate each vulnerability --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-non-failures include successes and exceptions, available with '--scanners config' + --include-non-failures include successes and exceptions, available with '--scanners misconfig' --list-all-pkgs enabling the option will output all packages regardless of vulnerability --max-cache-age duration The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s) -o, --output string output file name diff --git a/docs/docs/references/configuration/cli/trivy_config.md b/docs/docs/references/configuration/cli/trivy_config.md index ced1b2c94788..e2c6110b13fa 100644 --- a/docs/docs/references/configuration/cli/trivy_config.md +++ b/docs/docs/references/configuration/cli/trivy_config.md 
@@ -26,7 +26,7 @@ trivy config [flags] DIR -h, --help help for config --ignore-policy string specify the Rego file path to evaluate each vulnerability --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-non-failures include successes and exceptions, available with '--scanners config' + --include-non-failures include successes and exceptions, available with '--scanners misconfig' --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") -o, --output string output file name diff --git a/docs/docs/references/configuration/cli/trivy_filesystem.md b/docs/docs/references/configuration/cli/trivy_filesystem.md index 2241d05de8a6..e32e6af4be53 100644 --- a/docs/docs/references/configuration/cli/trivy_filesystem.md +++ b/docs/docs/references/configuration/cli/trivy_filesystem.md @@ -45,7 +45,7 @@ trivy filesystem [flags] PATH --ignored-licenses strings specify a list of license to ignore --ignorefile string specify .trivyignore file (default ".trivyignore") --include-dev-deps include development dependencies in the report (supported: npm, yarn) - --include-non-failures include successes and exceptions, available with '--scanners config' + --include-non-failures include successes and exceptions, available with '--scanners misconfig' --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files 
@@ -67,7 +67,7 @@ trivy filesystem [flags] PATH --reset remove all caches and database --reset-policy-bundle remove policy bundle --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) + --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") --server string server address in client mode -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md index 767d4152cf54..31daec770d61 100644 --- a/docs/docs/references/configuration/cli/trivy_image.md +++ b/docs/docs/references/configuration/cli/trivy_image.md 
@@ -61,9 +61,9 @@ trivy image [flags] IMAGE_NAME --ignore-unfixed display only fixed vulnerabilities --ignored-licenses strings specify a list of license to ignore --ignorefile string specify .trivyignore file (default ".trivyignore") - --image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (config,secret) + --image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (misconfig,secret) --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote]) - --include-non-failures include successes and exceptions, available with '--scanners config' + --include-non-failures include successes and exceptions, available with '--scanners misconfig' --input string input file path instead of image name --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") --license-confidence-level float specify license classifier's confidence level (default 0.9) @@ -88,7 +88,7 @@ trivy image [flags] IMAGE_NAME --reset remove all caches and database --reset-policy-bundle remove policy bundle --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) + --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") --server string server address in client mode -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) 
diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index 47c61a5b2288..15d640812d95 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md @@ -55,7 +55,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: --ignore-unfixed display only fixed vulnerabilities --ignorefile string specify .trivyignore file (default ".trivyignore") --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote]) - --include-non-failures include successes and exceptions, available with '--scanners config' + --include-non-failures include successes and exceptions, available with '--scanners misconfig' --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) --kubeconfig string specify the kubeconfig file path to use @@ -79,7 +79,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: --reset remove all caches and database --reset-policy-bundle remove policy bundle --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners string comma-separated list of what security issues to detect (vuln,config,secret,license) (default "vuln,config,secret,rbac") + --scanners string comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default "vuln,misconfig,secret,rbac") --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) --skip-db-update skip updating vulnerability database 
diff --git a/docs/docs/references/configuration/cli/trivy_repository.md b/docs/docs/references/configuration/cli/trivy_repository.md index 19d9a3429027..b57cfa56025c 100644 --- a/docs/docs/references/configuration/cli/trivy_repository.md +++ b/docs/docs/references/configuration/cli/trivy_repository.md @@ -45,7 +45,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL) --ignored-licenses strings specify a list of license to ignore --ignorefile string specify .trivyignore file (default ".trivyignore") --include-dev-deps include development dependencies in the report (supported: npm, yarn) - --include-non-failures include successes and exceptions, available with '--scanners config' + --include-non-failures include successes and exceptions, available with '--scanners misconfig' --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files @@ -66,7 +66,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL) --reset remove all caches and database --reset-policy-bundle remove policy bundle --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) + --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") --server string server address in client mode -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) 
diff --git a/docs/docs/references/configuration/cli/trivy_rootfs.md b/docs/docs/references/configuration/cli/trivy_rootfs.md index 7bd2d06c2cb9..a5daaa47fce8 100644 --- a/docs/docs/references/configuration/cli/trivy_rootfs.md +++ b/docs/docs/references/configuration/cli/trivy_rootfs.md @@ -47,7 +47,7 @@ trivy rootfs [flags] ROOTDIR --ignore-unfixed display only fixed vulnerabilities --ignored-licenses strings specify a list of license to ignore --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-non-failures include successes and exceptions, available with '--scanners config' + --include-non-failures include successes and exceptions, available with '--scanners misconfig' --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files @@ -68,7 +68,7 @@ trivy rootfs [flags] ROOTDIR --reset remove all caches and database --reset-policy-bundle remove policy bundle --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) + --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") --server string server address in client mode -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) diff --git a/docs/docs/references/configuration/cli/trivy_vm.md b/docs/docs/references/configuration/cli/trivy_vm.md index 31a84b1fec8d..fd47dfda7647 100644 
--- a/docs/docs/references/configuration/cli/trivy_vm.md +++ b/docs/docs/references/configuration/cli/trivy_vm.md @@ -44,7 +44,7 @@ trivy vm [flags] VM_IMAGE --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) --ignore-unfixed display only fixed vulnerabilities --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-non-failures include successes and exceptions, available with '--scanners config' + --include-non-failures include successes and exceptions, available with '--scanners misconfig' --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") --list-all-pkgs enabling the option will output all packages regardless of vulnerability --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") @@ -60,7 +60,7 @@ trivy vm [flags] VM_IMAGE --reset remove all caches and database --reset-policy-bundle remove policy bundle --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) + --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") --server string server address in client mode -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md index 08902fb82159..b85cfded4667 100644 --- a/docs/docs/references/configuration/config-file.md 
+++ b/docs/docs/references/configuration/config-file.md @@ -112,8 +112,9 @@ scan: # Default depends on subcommand scanners: - vuln - - config + - misconfig - secret + - license ``` ## Cache Options diff --git a/docs/docs/scanner/misconfiguration/index.md b/docs/docs/scanner/misconfiguration/index.md index 9371f6f65021..8a2606a31a4e 100644 --- a/docs/docs/scanner/misconfiguration/index.md +++ b/docs/docs/scanner/misconfiguration/index.md 
@@ -35,28 +35,28 @@ $ trivy config [YOUR_IaC_DIRECTORY] ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ``` -You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--scanners config`. +You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--scanners misconfig`. ```bash -$ trivy image --scanners config IMAGE_NAME +$ trivy image --scanners misconfig IMAGE_NAME ``` ```bash -$ trivy fs --scanners config /path/to/dir +$ trivy fs --scanners misconfig /path/to/dir ``` !!! note Misconfiguration detection is not enabled by default in `image`, `fs` and `repo` subcommands. Unlike the `config` subcommand, `image`, `fs` and `repo` subcommands can also scan for vulnerabilities and secrets at the same time. -You can specify `--scanners vuln,config,secret` to enable vulnerability and secret detection as well as misconfiguration detection. +You can specify `--scanners vuln,misconfig,secret` to enable vulnerability and secret detection as well as misconfiguration detection. !!! example ``` bash $ ls myapp/ Dockerfile Pipfile.lock - $ trivy fs --scanners vuln,config,secret --severity HIGH,CRITICAL myapp/ + $ trivy fs --scanners vuln,misconfig,secret --severity HIGH,CRITICAL myapp/ 2022-05-16T13:42:21.440+0100 INFO Number of language-specific files: 1 2022-05-16T13:42:21.440+0100 INFO Detecting pipenv vulnerabilities... 2022-05-16T13:42:21.440+0100 INFO Detected config files: 1 diff --git a/docs/docs/target/container_image.md b/docs/docs/target/container_image.md index 6b9556b8d5c5..5e86c76b3121 100644 --- a/docs/docs/target/container_image.md +++ b/docs/docs/target/container_image.md 
@@ -64,10 +64,10 @@ $ trivy image --scanners vuln [YOUR_IMAGE_NAME] ### Misconfigurations It is supported, but it is not useful in most cases. As mentioned [here](../scanner/misconfiguration/index.md), Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations. -If your container image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners config`. +If your container image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners misconfig`. ``` -$ trivy image --scanners config [YOUR_IMAGE_NAME] +$ trivy image --scanners misconfig [YOUR_IMAGE_NAME] ``` ### Secrets diff --git a/docs/docs/target/filesystem.md b/docs/docs/target/filesystem.md index cb1210dc42fd..72e47f0e0c5e 100644 --- a/docs/docs/target/filesystem.md +++ b/docs/docs/target/filesystem.md @@ -65,11 +65,11 @@ Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
### Misconfigurations -It is disabled by default and can be enabled with `--scanners config`. +It is disabled by default and can be enabled with `--scanners misconfig`. See [here](../scanner/misconfiguration/index.md) for the detail. ```shell -$ trivy fs --scanners config /path/to/project +$ trivy fs --scanners misconfig /path/to/project ``` ### Secrets diff --git a/docs/docs/target/repository.md b/docs/docs/target/repository.md index 497bffc9e0db..a4385825e33f 100644 --- a/docs/docs/target/repository.md +++ b/docs/docs/target/repository.md @@ -82,11 +82,11 @@ Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0) ### Misconfigurations -It is disabled by default and can be enabled with `--scanners config`. +It is disabled by default and can be enabled with `--scanners misconfig`. See [here](../scanner/misconfiguration/index.md) for the detail. ```shell -$ trivy repo --scanners config (REPO_PATH | REPO_URL) +$ trivy repo --scanners misconfig (REPO_PATH | REPO_URL) ``` ### Secrets diff --git a/docs/docs/target/vm.md b/docs/docs/target/vm.md index 0bf616200104..b0dc23e9c507 100644 --- a/docs/docs/target/vm.md +++ b/docs/docs/target/vm.md @@ -153,10 +153,10 @@ $ trivy vm [YOUR_VM_IMAGE] ### Misconfigurations It is supported, but it is not useful in most cases. As mentioned [here](../scanner/misconfiguration/index.md), Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations. -If your VM image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners config`. +If your VM image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners misconfig`. ``` -$ trivy vm --scanners config [YOUR_VM_IMAGE] +$ trivy vm --scanners misconfig [YOUR_VM_IMAGE] ``` ### Secrets diff --git a/docs/index.md b/docs/index.md index 41711eaf20be..1fa90f8c65be 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -82,7 +82,7 @@ trivy image python:3.4-alpine ```bash -trivy fs --scanners vuln,secret,config myproject/ +trivy fs --scanners vuln,secret,misconfig myproject/ ```
diff --git a/docs/tutorials/integrations/gitlab-ci.md b/docs/tutorials/integrations/gitlab-ci.md index 1f0f57dbacf7..0cf1e93dbbe9 100644 --- a/docs/tutorials/integrations/gitlab-ci.md +++ b/docs/tutorials/integrations/gitlab-ci.md @@ -150,7 +150,7 @@ trivy: # Image report - ./trivy image --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE # Filesystem report - - ./trivy filesystem --scanners config,vuln --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json . + - ./trivy filesystem --scanners misconfig,vuln --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json . # Combine report - apk update && apk add jq - jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > gl-codeclimate.json diff --git a/docs/tutorials/misconfiguration/terraform.md b/docs/tutorials/misconfiguration/terraform.md index 7950e6405fe0..49d5156a191e 100644 --- a/docs/tutorials/misconfiguration/terraform.md +++ b/docs/tutorials/misconfiguration/terraform.md @@ -97,7 +97,7 @@ We have lots of examples in the [documentation](https://aquasecurity.github.io/t The `trivy config` command does not perform secrete and vulnerability checks out of the box. However, you can specify as part of your `trivy fs` scan that you would like to scan you terraform files for exposed secrets and misconfiguraction through the following flags: ``` -trivy fs --scanners secret,config ./ +trivy fs --scanners secret,misconfig ./ ``` The `trivy config` command is a sub-command of the `trivy fs` command. You can learn more about this command in the [documentation.](https://aquasecurity.github.io/trivy/latest/docs/target/filesystem/) diff --git a/pkg/flag/misconf_flags.go b/pkg/flag/misconf_flags.go index 74e18113433d..3023ed48615a 100644 --- a/pkg/flag/misconf_flags.go +++ b/pkg/flag/misconf_flags.go 
@@ -23,7 +23,7 @@ var (
 		Name: "include-non-failures",
 		ConfigName: "misconfiguration.include-non-failures",
 		Default: false,
-		Usage: "include successes and exceptions, available with '--scanners config'",
+		Usage: "include successes and exceptions, available with '--scanners misconfig'",
 	}
 	HelmValuesFileFlag = Flag{
 		Name: "helm-values",
From 886c019b5843917957bc778986028a4d11105fc9 Mon Sep 17 00:00:00 2001
From: knqyf263
Date: Fri, 10 Nov 2023 15:10:35 +0900
Subject: [PATCH 3/4] docs: sort aws services

Signed-off-by: knqyf263
---
 docs/docs/references/configuration/cli/trivy_aws.md | 4 ++--
 pkg/commands/app.go | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/docs/docs/references/configuration/cli/trivy_aws.md b/docs/docs/references/configuration/cli/trivy_aws.md
index d3cf843e6052..13aed7ec8ab7 100644
--- a/docs/docs/references/configuration/cli/trivy_aws.md
+++ b/docs/docs/references/configuration/cli/trivy_aws.md
@@ -26,6 +26,7 @@ The following services are supported:
 - elb
 - emr
 - iam
+- kinesis
 - kms
 - lambda
 - mq
@@ -33,12 +34,11 @@ The following services are supported:
 - neptune
 - rds
 - redshift
+- s3
 - sns
 - sqs
 - ssm
 - workspaces
-- kinesis
-- s3
 ```
diff --git a/pkg/commands/app.go b/pkg/commands/app.go
index 36dc8be3d38a..4ed06963f851 100644
--- a/pkg/commands/app.go
+++ b/pkg/commands/app.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"sort"
 	"strings"
 	"time"
 
@@ -971,6 +972,7 @@ func NewAWSCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	}
 
 	services := awsScanner.AllSupportedServices()
+	sort.Strings(services)
 
 	cmd := &cobra.Command{
 		Use: "aws [flags]",
From 6a9343fbbd337d06f6aef5f52af4cf89d4f66e99 Mon Sep 17 00:00:00 2001
From: knqyf263
Date: Mon, 13 Nov 2023 14:40:55 +0900
Subject: [PATCH 4/4] test(integration): add a test for '--scanners config'

Signed-off-by: knqyf263
---
 integration/repo_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

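Review bot: `sort.Strings(services)` in NewAWSCommand sorts in place the slice returned by `awsScanner.AllSupportedServices()`; if that method hands back an internal slice rather than a copy (its implementation is not visible here), building the command now reorders the scanner's own data as a side effect, which could surprise any other caller that relies on the original order. Copying before sorting removes the question without a new import: `services := append([]string(nil), awsScanner.AllSupportedServices()...)` followed by the existing `sort.Strings(services)`. A short comment such as `// sorted so the generated usage text is stable` would also explain why the order matters at all. NewAWSCommand continues well beyond the hunk.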
diff --git a/integration/repo_test.go b/integration/repo_test.go
index d0921cdd6740..03dac4293c30 100644
--- a/integration/repo_test.go
+++ b/integration/repo_test.go
@@ -360,10 +360,10 @@ func TestRepository(t *testing.T) {
 			},
 		},
 		{
-			name: "dockerfile with fs subcommand",
+			name: "dockerfile with fs subcommand and an alias scanner",
 			args: args{
 				command: "fs",
-				scanner: types.MisconfigScanner,
+				scanner: "config", // for backward compatibility
 				policyPaths: []string{"testdata/fixtures/repo/custom-policy/policy"},
 				namespaces: []string{"user"},
 				input: "testdata/fixtures/repo/custom-policy",
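Review bot: Switching `scanner` from `types.MisconfigScanner` to `"config"` replaces the canonical-name coverage for the fs subcommand instead of adding to it; unless another entry in TestRepository already runs `fs` with `types.MisconfigScanner` (the rest of the table is outside the hunk), the renamed value is now exercised only through its alias, and the commit subject says "add a test" while the hunk modifies one. Keep the original entry and add the alias as a second one so both spellings are pinned. The inline comment could also say what is being kept compatible: `scanner: "config", // pre-rename spelling, still accepted via ScannersFlag.ValueNormalize`.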