Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(misconf): Add support for deprecating a check #6664

Merged
merged 8 commits into from
May 16, 2024
Merged
Show file tree
Hide file tree
Changes from 6 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions docs/docs/advanced/air-gap.md
Original file line number Diff line number Diff line change
Expand Up @@ -129,8 +129,8 @@ $ trivy image --skip-db-update --skip-java-db-update --offline-scan alpine:3.12

No special measures are required to detect misconfigurations in an air-gapped environment.

### Run Trivy with `--skip-policy-update` option
In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
### Run Trivy with `--skip-check-update` option
In an air-gapped environment, specify `--skip-check-update` so that Trivy doesn't attempt to download the latest misconfiguration checks.

```
$ trivy conf --skip-policy-update /path/to/conf
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/configuration/cache.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ The cache directory includes

- [Vulnerability Database][trivy-db][^1]
- [Java Index Database][trivy-java-db][^2]
- [Misconfiguration Policies][misconf-policies][^3]
- [Misconfiguration Checks][misconf-checks][^3]
- Cache of previous scans.

The cache option is common to all scanners.
Expand Down Expand Up @@ -70,7 +70,7 @@ $ trivy server --cache-backend redis://localhost:6379 \

[trivy-db]: ./db.md#vulnerability-database
[trivy-java-db]: ./db.md#java-index-database
[misconf-policies]: ../scanner/misconfiguration/check/builtin.md
[misconf-checks]: ../scanner/misconfiguration/check/builtin.md

[^1]: Downloaded when scanning for vulnerabilities
[^2]: Downloaded when scanning `jar/war/par/ear` files
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/configuration/filtering.md
Original file line number Diff line number Diff line change
Expand Up @@ -483,7 +483,7 @@ trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`.
More info about the helper functions are in the library [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go).

You can find more example policies [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go)
You can find more example checks [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go)

### By Vulnerability Exploitability Exchange (VEX)
| Scanner | Supported |
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/coverage/iac/helm.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ The following scanners are supported.
Trivy recursively searches directories and scans all found Helm files.

It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks.
See [here](../../scanner/misconfiguration/check/builtin.md) for more details on the built-in policies.
See [here](../../scanner/misconfiguration/check/builtin.md) for more details on the built-in checks.

### Value overrides
There are a number of options for overriding values in Helm charts.
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_aws.md
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@ trivy aws [flags]
-h, --help help for aws
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--max-cache-age duration The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this. (default 24h0m0s)
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_config.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ trivy config [flags] DIR
-h, --help help for config
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@ trivy filesystem [flags] PATH
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_image.md
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ trivy image [flags] IMAGE_NAME
--ignorefile string specify .trivyignore file (default ".trivyignore")
--image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (misconfig,secret)
--image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--include-deprecated-checks include deprecated checks
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--input string input file path instead of image name
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ trivy kubernetes [flags] [CONTEXT]
--ignore-unfixed display only fixed vulnerabilities
--ignorefile string specify .trivyignore file (default ".trivyignore")
--image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--include-deprecated-checks include deprecated checks
--include-kinds strings indicate the kinds included in scanning (example: node)
--include-namespaces strings indicate the namespaces included in scanning (example: kube-system)
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_rootfs.md
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ trivy rootfs [flags] ROOTDIR
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
--license-confidence-level float specify license classifier's confidence level (default 0.9)
Expand Down
8 changes: 4 additions & 4 deletions docs/docs/scanner/misconfiguration/check/exceptions.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,10 @@ Exceptions let you specify cases where you allow policy violations.
Trivy supports two types of exceptions.

!!! info
Exceptions can be applied to built-in policies as well as custom policies.
Exceptions can be applied to built-in checks as well as custom checks.

## Namespace-based exceptions
There are some cases where you need to disable built-in policies partially or fully.
There are some cases where you need to disable built-in checks partially or fully.
Namespace-based exceptions lets you rough choose which individual packages to exempt.

To use namespace-based exceptions, create a Rego rule with the name `exception` that returns the package names to exempt.
Expand All @@ -26,7 +26,7 @@ The `exception` rule must be defined under `namespace.exceptions`.
}
```

This example exempts all built-in policies for Kubernetes.
This example exempts all built-in checks for Kubernetes.

## Rule-based exceptions
There are some cases where you need more flexibility and granularity in defining which cases to exempt.
Expand Down Expand Up @@ -73,7 +73,7 @@ The above would provide an exception from `deny_foo` and `deny_bar`.
}
```

If you want to apply rule-based exceptions to built-in policies, you have to define the exception under the same package.
If you want to apply rule-based exceptions to built-in checks, you have to define the exception under the same package.

!!! example
``` rego
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/scanner/misconfiguration/custom/data.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Custom Data

Custom policies may require additional data in order to determine an answer.
Custom checks may require additional data in order to determine an answer.

For example, an allowed list of resources that can be created.
Instead of hardcoding this information inside your policy, Trivy allows passing paths to data files with the `--data` flag.
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/scanner/misconfiguration/custom/debug.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
# Debugging policies
# Debugging checks
When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied.
For this purpose you can use the `--trace` flag.
This will output a large trace from Open Policy Agent like the following:

!!! tip
Only failed policies show traces. If you want to debug a passed policy, you need to make it fail on purpose.
Only failed checks show traces. If you want to debug a passed check, you need to make it fail on purpose.

```shell
$ trivy conf --trace configs/
Expand Down
9 changes: 5 additions & 4 deletions docs/docs/scanner/misconfiguration/custom/index.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
# Custom Policies
# Custom Checks

## Overview
You can write custom policies in [Rego][rego].
Once you finish writing custom policies, you can pass the policy files or the directory where those policies are stored with `--policy` option.
You can write custom checks in [Rego][rego].
Once you finish writing custom checks, you can pass the policy files or the directory where those policies are stored with `--policy` option.

``` bash
trivy conf --policy /path/to/policy.rego --policy /path/to/custom_policies --namespaces user /path/to/config_dir
Expand Down Expand Up @@ -120,7 +120,7 @@ Trivy supports extra fields in the `custom` section as described below.
```

All fields are optional. The `schemas` field should be used to enable policy validation using a built-in schema. The
schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are
schema that will be used is based on the input document type. It is recommended to use this to ensure your checks are
correct and do not reference incorrect properties/values.

| Field name | Allowed values | Default value | In table | In JSON |
Expand All @@ -131,6 +131,7 @@ correct and do not reference incorrect properties/values.
| custom.id | Any characters | N/A | :material-check: | :material-check: |
| custom.severity | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` | UNKNOWN | :material-check: | :material-check: |
| custom.recommended_actions | Any characters | | :material-close: | :material-check: |
| custom.deprecated | `true`, `false` | `false` | :material-close: | :material-check: |
| custom.input.selector.type | Any item(s) in [this list][source-types] | | :material-close: | :material-check: |
| url | Any characters | | :material-close: | :material-check: |

Expand Down
12 changes: 6 additions & 6 deletions docs/docs/scanner/misconfiguration/custom/schema.md
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ Currently, out of the box the following schemas are supported natively:
3. [Cloud](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/cloud.json)


## Custom Policies with Custom Schemas
## Custom Checks with Custom Schemas

You can also bring a custom policy that defines one or more custom schema.

Expand All @@ -71,21 +71,21 @@ You can also bring a custom policy that defines one or more custom schema.
}
```

The policies can be placed in a structure as follows
The checks can be placed in a structure as follows

!!! example
```
/Users/user/my-custom-policies
/Users/user/my-custom-checks
├── my_policy.rego
└── schemas
└── fooschema.json
└── barschema.json
```

To use such a policy with Trivy, use the `--config-policy` flag that points to the policy file or to the directory where the schemas and policies are contained.
To use such a policy with Trivy, use the `--config-policy` flag that points to the policy file or to the directory where the schemas and checks are contained.

```bash
$ trivy --config-policy=/Users/user/my-custom-policies <path/to/iac>
$ trivy --config-policy=/Users/user/my-custom-checks <path/to/iac>
```

For more details on how to define schemas within Rego policies, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/policy-language/#schema-annotations) that describes it in more detail.
For more details on how to define schemas within Rego checks, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/policy-language/#schema-annotations) that describes it in more detail.
12 changes: 6 additions & 6 deletions docs/docs/scanner/misconfiguration/custom/testing.md
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
# Testing
It is highly recommended to write tests for your custom policies.
It is highly recommended to write tests for your custom checks.

## Rego testing
To help you verify the correctness of your custom policies, OPA gives you a framework that you can use to write tests for your policies.
By writing tests for your custom policies you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve.
To help you verify the correctness of your custom checks, OPA gives you a framework that you can use to write tests for your checks.
By writing tests for your custom checks you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve.

For more details, see [Policy Testing][opa-testing].

Expand All @@ -22,12 +22,12 @@ For more details, see [Policy Testing][opa-testing].
}
```

To write tests for custom policies, you can refer to existing tests under [trivy-checks][trivy-checks].
To write tests for custom checks, you can refer to existing tests under [trivy-checks][trivy-checks].

## Go testing
[Fanal][fanal] which is a core library of Trivy can be imported as a Go library.
You can scan config files in Go and test your custom policies using Go's testing methods, such as [table-driven tests][table].
This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom policies work in practice.
You can scan config files in Go and test your custom checks using Go's testing methods, such as [table-driven tests][table].
This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom checks work in practice.

In particular, Dockerfile and HCL need to be converted to structural data as input, which may be different from the expected input format.

Expand Down
16 changes: 8 additions & 8 deletions docs/docs/scanner/misconfiguration/index.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Misconfiguration Scanning
Trivy provides built-in policies to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more.
In addition to built-in policies, you can write your own custom policies, as you can see [here][custom].
Trivy provides built-in checks to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more.
In addition to built-in checks, you can write your own custom checks, as you can see [here][custom].

## Quick start

Expand Down Expand Up @@ -94,7 +94,7 @@ In the above example, Trivy detected vulnerabilities of Python dependencies and

## Type detection
The specified directory can contain mixed types of IaC files.
Trivy automatically detects config types and applies relevant policies.
Trivy automatically detects config types and applies relevant checks.

For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, Helm Charts, and Dockerfile in the same directory.

Expand Down Expand Up @@ -326,16 +326,16 @@ trivy config --misconfig-scanners=terraform,dockerfile .

Will only scan for misconfigurations that pertain to Terraform and Dockerfiles.

### Passing custom policies
You can pass policy files or directories including your custom policies through `--policy` option.
### Passing custom checks
You can pass policy files or directories including your custom checks through `--policy` option.
This can be repeated for specifying multiple files or directories.

```bash
cd examplex/misconf/
trivy conf --policy custom-policy/policy --policy combine/policy --policy policy.rego --namespaces user misconf/mixed
```

For more details, see [Custom Policies](./custom/index.md).
For more details, see [Custom Checks](./custom/index.md).

!!! tip
You also need to specify `--namespaces` option.
Expand All @@ -352,8 +352,8 @@ trivy conf --policy ./policy --data ./data --namespaces user ./configs
For more details, see [Custom Data](./custom/data.md).

### Passing namespaces
By default, Trivy evaluates policies defined in `builtin.*`.
If you want to evaluate custom policies in other packages, you have to specify package prefixes through `--namespaces` option.
By default, Trivy evaluates checks defined in `builtin.*`.
If you want to evaluate custom checks in other packages, you have to specify package prefixes through `--namespaces` option.
This can be repeated for specifying multiple packages.

``` bash
Expand Down
Loading